Organisations are operating in an environment where they are increasingly exposing their digital assets to the public. The conduits for this are wide ranging from email to mobile apps to social media networks such as Facebook.

There have been plenty of recent examples that highlight how businesses must learn to combat this growing menace. British Airways suffered a recent attack where a data breach affected 380,000 transactions.

Another incident involved Ticketmaster, where after a hack attack 35 of digital bank Monzo’s customers complained of fraudulent transactions on their credits cards, having used their cards with the ticket sales company.

Recently, credit monitoring service Equifax were fined £500,000 by the UK’s Information Commissioners Office. This was after a compromise of data which effected 15 million UK citizens, globally 146 million records from the company were also stolen in a major data breach last year.

Cyber security company Mimecast conducted an email security risk assessment, where 142 million emails were inspected. All of the emails progressed through organisations email security vendors.

Overall Mimecast discovered 203,000 malicious links, alongside 13,176 dangerous file types, 15,656 malware attachments, and 41,605 impersonation attacks slipping through previously undetected.

Steve Malone, Mimecast’s director of security product management, said: “Email remains a pressing threat to every organisations’ overall cyber security posture for the simple reasons of scale and frequency.”

“That’s then further exacerbated by the fact employees can become complacent to the numerous threats that could be lying in wait, from simple phishing to targeted impersonation attacks, and ransomware hiding in common attachments.”

Research carried out by solutions provider Kroll, revealed that an eye-watering 88% of cyberattacks in the UK over a two-year period was caused by human error.

The most frequent error was sending information to the wrong party via email majority of the time. “Unfortunately, traditional security awareness programmes have often failed to improve employees’ security skills and training has been more of tick-box approach to compliance,” added Malone.

Mimecast’s own State of Email Security Report found that 80% of companies are not confident of their employees’ ability to fend off ransomware. Alarmingly only 11% said that they continually upgraded employees’ training to spot cyberattacks. The current conditions ask questions of what businesses and cyber security firms intend to do next to reduce the cyberattack risk. For example, many software vendors employ security researchers to ensure that systems are kept secure, through responsible disclosure schemes.

RiskIQ, a cyber resilience company based in San Francisco, recently analysed the date breaches experienced by British Airways. And identified credit card skimming group Magecart as the culprit, as they were for the Ticketmaster data infringement.

Fabien Libeau, vice president of RiskIQ for EMEA, explained: “RiskIQ operates on the open Internet to provide organisations with an ‘outside-in’ view of threats and vulnerabilities, that complement their existing security investments in perimeter defence and endpoint protection.”

Libeau also reflected that the company is seeking to drive the debate forward over the potential threats that organisations face from the internet. “We do that in a variety of ways; directly with arge organisations, through involvement in industry bodies and through our regular content such as blogs, where we highlight the latest threat actor trends and tactics,” he enthused.

There are regulations that are in force that compels businesses to brush up on their cyber security competence. Across the European Union there is the directive of security and information systems.

The regulation is aimed at operators of essential services and digital service providers, who are required to secure their network and information systems. Appropriate measures must be taken to minimise the effect of security breaches, and to consider the latest potential system risks. The directive targeted sectors that rely heavily on information and communications technology.

Specifically, energy, transport, health, water, and digital infrastructure. Additionally, in 2016 the EU General Data Protection Regulation was agreed and enforced upon.

The legislation is designed to harmonise data privacy laws across Europe, empower all EU citizens’ data privacy, and reshape the way that organisations view and approach data privacy.

It is hoped that in the future it will be increasingly recognised that cyber security should be a central pillar throughout an organisation, as opposed to a background or “add on” issue.

Regulations at EU level bring to light just what national governments could do in collaboration with cyber security firms and companies.

It’s a potential partnership that could see governments providing incentives for innovation to conquer the threat of data breaches.

Although Steve Malone of Mimecast opined: “Cyber security experts are better able to analyse new threats and build appropriate defensive technologies, while appreciating the reality of how these tools are deployed within a variety of organisations.”

There is a long way to go, as the British Airways and Ticketmaster incidents prove that there is still a lot to think about, before the date breach issue is solved.

The post Threat-proofing businesses today–should employees be more cautious? appeared first on International Finance.

Tell me a bit about Emailage’s main business model
Emailage is a global fraud prevention and identity verification company which harnesses crowdsourced network intelligence to provide a predictive risk score based on an email address. Through key partnerships, proprietary data, and machine-learning technology, We build a multi-dimensional profile associated with a customer’s email address and renders a risk score for potential transactions. In turn, those organisations using our solution receive significant savings as a result of identifying and stopping fraudulent transactions.

How is Emailage tackling online fraud?
We are the world’s only fraud prevention solution that uses email metadata as a core factor to predict and prevent fraudulent purchases. We harness positive and negative signals associated with email addresses to help customers balance effective fraud detection with great customer experience. Companies across the globe use our predictive scoring on transactions of all types. Our network’s constant growth enables 90% of fraud detected to be driven by attributes coming from our proprietary algorithms.

Before our founding in 2012, companies relied on their own siloed technologies and databases to incorporate email addresses in their fraud tools. This consisted mostly of manual processes, one-to-one comparisons and maintenance of internal blacklists. In today’s fast-paced digital world, this becomes hard to sustain for many businesses, particularly for those at the smaller end of the scale.

However, Emailage has managed to change the entire fraud landscape by breaking these silos with unparalleled global coverage and a commitment to unite companies in the fight against fraud – one of our core mission statements.

Our unique technology allows us to use over 150 different datapoints to assess whether a transaction is being made from a genuine source. When a call is made to Emailage the data intelligence is summarized into an easy-to-digest risk score. The scores range from 1-999: 1 being the lowest risk, and 999 being the highest. We provide these scores to our customers, who then decide whether or not to authorise a transaction.

Emailage’s contributory consortium model database monitors for transaction velocity and criminal behaviours across the world. This gives us a multi-layered approach to assess an email address and provide a holistic view.

Since our launch we have mitigated over $1bn worth of fraudulent purchases for our customers – something we’re extremely proud of. What’s more, in such a short space of time, we’ve grown our client portfolio to include four of the six largest issuing banks, five of the top 10 eCommerce retailers, three of the five biggest global airlines, the top three computer manufacturers and the top five P2P money transfer companies. Additionally, many more are part of the network through partnerships with the five largest anti-fraud platforms.

Why is the company focused on the APAC region for expansion?
APAC is a focus for growth given the region’s rising rates of online fraud – as many as one in five APAC consumers have been victims of fraud, according to a recent report by Experian[1]. With this in mind, we’ve recently opened offices in Sydney and Singapore.

Expanding into the region means Emailage will be able to support more businesses in a diverse range of global markets, while further bolstering its customer support and product development operations. When it comes to fraud prevention, having the specific knowledge and expertise on the ground can add huge value to our customers – particularly in an environment where needs and challenges can be very bespoke to different companies.

We are based predominantly in Brazil, North America, and EMEA, with 107 staff members in seven offices across the globe.

What is the extent of risk that businesses face today due to online fraud?
Fraud is rarely conducted by a lone attacker, there’s often organised criminal groups working collectively to commit fraudulent activity. Collaborative movements span continents, and fraudsters will freely exchange strategies and share personal information over the dark web.

The funds raised from fraud often support other criminal gang activities such as: money laundering, drug trafficking, people trafficking and even terrorist financing. With this in mind, an attack on a business could actually be funding serious organised criminal activity across the globe.

Can you elaborate on the technology expertise required to deal with online fraud?
At Emailage, we believe in a scientific approach to risk assessment. This belief is made real with heavy investment in knowledge of risk management and modeling.

What’s more, collaboration plays a key role in our unique approach too. For instance, our predictive fraud risk score is powered by crowdsourced network intelligence – this providing the really powerful insight that sets us apart from other players in the market. As a result, our team of specialist fraud decision scientists have access to an immense hub of usable data and insight that they can put to effective use in the fight against fraud. Many of these scientists work on product improvement – ensuring we stay ahead of fraudsters whilst also meeting customer expectations – as well as working to improve our predictive fraud risk scoring.

To maximize effectiveness, our fraud decision scientists also put a lot of emphasis on working collaboratively with customers. There’s enormous value that can be gained by taking this approach. Firstly, it helps Emailage to establish a constant loop of feedback – allowing us to stay in-tune with the challenges and threats our customers are constantly faced with. What’s more, it allows our fraud decision scientists to get insights into trends in real time – this then being fed back into our pool of data. Secondly, it allows our customers to interface with Emailage’s experts and get the best practices support they need.

The end result of all of this is that our clients have the peace of mind that they are minimizing fraudulent transactions and can concentrate on doing what they do best – maintaining strong and secure operations whilst growing their business.

What is the biggest security lapse you see in the ecommerce sector today?
The biggest security lapse is a general lack of ability to perform robust digital identity validation in a way that doesn’t add friction to the customer experience. For example, Digital Transactions reported that 35% of the orders rejected by large retailers turned out to be legitimate – up from 25% in 2016.

As a result, it’s important to build a clear picture of who’s behind a transaction. Verifying only standard transaction data, such as name or address, means there are still lots of unexplored gaps in an organization’s visibility. There’s no way to tell if the person behind a transaction is actually a fraudster using stolen information.

The email address is perfect when it comes to verifying customer identity. For instance, an email is collected during every transaction and there is a lot of history attached to a single address that cannot be faked. This includes whether the email account is active and/or valid, the tenure and ownership of the address, and what its previous transactional behavior is. All of these factors are analyzed and assessed by Emailage when it comes to providing a risk score.

Online fraud is seldom done randomly – it’s usually an organized attack. How do you normally tackle the same?
The main result of sustained, methodical probing at scale is that fraudsters know exactly which companies are vulnerable to attacks, and how and when they should make their moves. Therefore, we believe that assessing fraud risk exposure, regardless of current fraud losses, is critical for companies doing business online.

For a fraudster, obtaining information is easy, but controlling the email address is an entirely different challenge, one much more likely to cause issues. Of course, they could use a customer’s real email, but the window of opportunity is far too narrow, as the consumer themselves will be alerted of the transaction and may be able to stop it before it even goes through. Similarly, staging an account takeover attack and impersonating the real customer is a complicated process, and cannot be employed at a level that’s scalable – this slashing potential profits right from the off. As a result, fraudsters use the most common method of tackling this issue: creating a fake email address. This process is free and easy, requiring almost no time at all to create an email that ‘appears’ to be real.

That’s why what we have created at Emailage is such a key differentiator in the risk assessment industry. We can cross-validate the email history and patterns of millions of emails, creating a clear picture of what a real email behaves like.

With access to a continuously evolving pool of data and insight, emails that lack salient pieces of information, or don’t quite add-up are easily identifiable to Emailage as being potentially fraudulent. As a result, this greatly enhances our hit rates in cases such as CNP, chargebacks, and synthetic ID fraud in a scalable manner.

It’s this scientific approach to fraud prevention that is the reason that we’ve become so trusted in the field in such a short space of time.

The post Phishing for trouble? This fraud prevention company can help appeared first on International Finance.

Many of these Fortune 500 companies have reported an increase in instances of fraud or attempted fraud through wire transfer payments. Several cyber threat factions have been engaging in a widespread Business Email Compromise (BEC) scams against Fortune 500 companies since autumn last year.

The threat groups have been successfully using BEC scams, which utilise credential harvesting, phishing and social engineering, to persuade account holders to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.

Delving deeper into the mechanism of cyber attacks is security expert Alan Levine:

• Despite having advanced cyber security technologies, Fortune 500 companies still face cyber threats. What are the types of threats they are seeing and how do they occur?

Business Email Compromise (BEC) is an attack vector that is seeing substantial growth; Trend Micro for example has predicted that impact from this particular form of phishing will increase by more than $9bn in 2018.

Companies in the Fortune 500 have reported a significant increase in instances of fraud or attempted fraud via wire transfer payments. Cyber threat groups have been successfully using BEC scams, which utilise credential harvesting, phishing and social engineering, to convince finance and accounts payable personnel to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.

It must be said, however, that although there has been a lot of focus on the risk to Fortune 500 companies from BEC, they are not by any means the only targets; all companies are at risk.

What is even more concerning is that attacks exploiting users may become more successful over the next decade. Wombat’s 2018 State of the Phish Report found that Millennials are less able to recognise phishing attacks than their older Baby Boomer colleagues.

• How do they resolve these threats?

To defend against BEC, individuals in financial roles need to be specifically trained to identify and fend off these scams, which are particularly tricky to avoid because they are set up over time, with cyber criminals researching their targets and then building trust via multiple channels (phone, email, and social media). There are specific things that Fortune 500 organisations can teach their end users to defend against the BEC threat:

• All employees should be made aware of the dangers of sharing too much on social media. Teach users that they can’t always trust the legitimacy of their social contacts.
• Ask users not to give out company-internal information — like mobile phone numbers, vacation schedules, and job titles — when they receive unsolicited emails or phone calls. They need to understand that criminals can use seemingly innocuous data points against your organisation.
• Stress the need for users to verify all requests for wire transfers and highly sensitive data (like employee tax information). It’s a great idea to implement a ‘non-technical’ form of two-factor authentication with high-value targets, such as employees who can initiate wire transfers. For example, make it a policy that all such requests require voice-to-voice confirmation — via an established phone number — before financial transactions are facilitated.
  

• Cyber security is of top concern in countries all around the globe. US Homeland Security Secretary Kirstjen Nielson has also mentioned that her agency is making election cyber security top priority in an attempt to prevent foreign interference in this year’s elections. What is your outlook on this scenario? How can we advance cyber security so elections are secured?

Good cybersecurity is not one thing; it is a combination of elements, involving people, processes, and technology. Every cyberattack has a source, a vector, and a target. We should assume that nation states are sometimes the source of cyberattacks aimed at election interference. Their targets are the digital systems used to input and calculate election results.
We can try our best to thwart attackers by strengthening the technical defences of digital election systems. But, foremost, we should understand the common vector for these – and most other – cyberattacks. Even one malicious email, sent to IT personnel who administer an election system, can result in the compromise of their computer and then, via the exploitation of these assets, the extended compromise of an entire election system. While we deploy technology to defend election systems and develop processes to support those defences, we must place greater value on the impact, good and bad, of the very people who are central to those defences.

Thus, we should focus our efforts on the vector: emails that launch an attack and facilitate every devastating thing that may follow. If IT administrators and, indeed, all users, are trained to identify and report potentially malicious emails, then the very start of attacks against election systems can be stopped. Addressing the email vectors for cyberattacks means training the people who receive, read, and react to those emails, so that they know what to do, and do it with diligence everytime.

• Do you think that better government intervention in cyber security will secure companies from cyber threats?

It is great to see the UK’s National Cyber Security Centre adopting a much more active posture in helping defend the UK from the range of cyber threats facing the country. Closer partnerships have now been formed with government, industry and law enforcement by prioritising cybersecurity. However, ultimately it isn’t solely through government intervention and enforcement that organisations will become secure; security has to form part of any business’s DNA and includes a mixture of people, process and technology. Cyber criminals will always identify and attack the weakest links; therefore, businesses should work together to create a virtual ‘fence’ to limit the potential attack surface and subsequent effectiveness of cyberattacks.

• What can be done differently to change the cyber security scenario all across the globe?

There’s no doubt that organisations are under a greater threat from cybercriminals than they’ve ever been, and this is unlikely to simply drop off. For example, Wombat Security’s ‘2018 State of the Phish Report’ found that 76% of organisations experienced phishing attacks in 2017. In addition, organisations are reporting more security impacts stemming from email-based social engineering.

There is no silver bullet when it comes to solving the challenge that cybercrime presents. However, a user who receives continuous cybersecurity training – and is therefore cyber-aware – is less likely to commit risky behaviours, and is more likely to spot and report suspicious activities. Don’t underestimate the power of educated users – effective training offers clear, measurable benefits for cyber risk reduction.

When strong technical defences are combined with an ‘army’ of knowledgeable users, organisations will prevent more successful attacks and chip away at the profitability of cybercrime, thus slowing its growth.

• Is there any way for companies to augment their cyber security to an extent that cyber threats won’t stand a chance to breach into advanced systems?

No system in the world is completely invulnerable to attack, but one of the most positive changes a company can make is to invest in its people. No company should rely on cyber security technologies alone. What’s needed is a layered approach that embraces a mixture of both technical safeguards and end user cybersecurity training and awareness.

Shockingly, according to the Online Trust Alliance’s (OTA) ‘Cyber Incident and Breach Trend Report’, 93% of cybersecurity incidents in 2017 could have been prevented by following basic security best practices, such as conducting phishing awareness training. With so much at stake financially and reputationally, organisations cannot afford to allow data breaches or damaging service outages to occur because of human error. Employees are a corporation’s last line of defence against cyberattacks, so they must be given the right skills and tools to effectively participate in the fight against cybercrime.

About Alan Levine

Alan Levine is a security advisor of Wombat Security with extensive global experience and has specialisation in all facets of cyber security, global data privacy with emphasis on European privacy provisions, Compliance, including SOX and related corporate compliance requirements.

The post Shielding Fortune 500 companies from cyberattacks appeared first on International Finance.