There’s an answer to pandemic-related scams

It didn’t take long for the COVID-19 pandemic to put down roots before scammers quickly adjusted and looked for ways to exploit people as they adjust to new behaviors like working from home and having more time to kill due to upended social lives.

And they found them, OneSpan security evangelist and director of security solutions Will LaSala said. A provider of digital identity and anti-fraud solutions, OneSpan offers risk-based adaptive authentication and digital identity verification from a cloud-based platform.

“Fraud never slowed down,” Mr. LaSala began.

He’s not kidding. Phishing attacks have risen nearly seven-fold since the pandemic’s onset, and account takeover attacks have surged 72 per cent. Americans have lost more than $77 million to fraudsters who target relief money such as stimulus checks and unemployment benefits.

Luckily, the industry was gearing up for regulatory needs before the pandemic and were implementing stronger authentication practices so they were somewhat prepared.

Phishers quickly shifted tactics, Mr. LaSala explained. They targeted pandemic-related behavior shifts. Account takeover attacks exploded because everybody went digital at the same time.

“Looking back on all of this, what I’ve seen is when everybody went digital all at once, a lot of banks thought they were fully prepared but weren’t quite there yet,” Mr. LaSala said.

Sudden branch closures meant questions now had to be answered online, with banks essentially becoming help desks.

Banks had to quickly react, Mr. LaSala said. They had to make things as easy as possible, but removed many walls previously in place.

“That was interesting to me because security shouldn’t be seen as a wall, it should be seen as helping people.”

While the bar was lowered so customers could more easily interact with the bank, that bar was also lowered for account takeover actors and that caused phishing attacks to explode.

Financial institutions looked to shore up efforts behind the scenes by improving risk analytics, Mr. LaSala said, as they looked to improve the user experience.

Across various sectors the sentiment seems to be the pandemic didn’t drastically change behaviors as it accelerated ones already shifting. Mr. LaSala said the big banks especially had projects in place involving more risk analytics and advanced biometrics, especially on mobile devices.

“They already had these projects,” Mr. LaSala said. “They were kind of put on hold during COVID while they adjusted to everything but I am seeing a resurgence of these projects.

“I don’t things are necessarily different than they were before COVID but they are more accelerated.”

There is risk should a company rush into a solution, Mr. LaSala said. Before the pandemic, there was a tendency for institutions to look for “one size fits all solutions” where everyone gets SMS messages and one-time passwords. The pandemic exposed the flaws in that system, as all of a sudden you had significant populations of people needing help who were not digitally savvy.

Better to implement the right solution at the right time, Mr. LaSala said. Evaluate that risk in real time and use artificial intelligence to make big pictures of that risk. When you find risk, deploy a solution commensurate to that level of risk. Balance checks pose a different level of risk than adding a payee for example. Use facial recognition for the payee but not the balance check. Don’t swat the fly with an uzi. 

“Get away from the static rules you are using today and go to more dynamic rules,” Mr. LaSala said.

Hackers quickly saw where things were headed once the shutdown hit.

“People were bored in their house and we saw hackers preying on that,” Mr. LaSala said.

Hackers would place games on social media where people answered 10 questions about themselves. People would answer and the hackers would harvest that information for their phishing campaigns. There are now an estimated 15 BILLION credentials available on the dark web, Mr. LaSala said.

Stop me if you’ve heard this refrain but banks are siloed organizations, with each department developing their own solutions. That causes fractures on the back end, Mr. LaSala said. How do you quickly produce a user activity report when you have multiple unique systems?

“We’ve been advocating for the banks to bring that all together,” Mr. LaSala said. “I think technology previously might not have been ready for real-time fraud but it is now and banks should be bringing it all under one silo.”

Running all the processes across one system is more secure and provides better insights, he added.

When a company sustains an attack they add a new rule to their rules system. How do you add a rule for the next attack? What will that attack even look like? If the attack comes in across multiple offerings, how do you ensure it is quickly picked up?

Hackers may set up a few accounts on a consumer site and a few on the corporate arm, all based on synthetic identities developed from that dark web information. Look closer and there are patterns, ones which can be picked up by machine learning and AI systems.

A proper system can notice an issue after three or four attacks, making detection almost instantaneous, Mr. LaSala said. A transaction, especially a mobile one, comes with plenty of associated data including geolocation, IP address and device type. 

“If you have a good risk analytics system in the back end, when they hit the phishing site that data now transforms into being from one location and you can very quickly from AI pick out those patterns,” Mr. LaSala explained.

A proper security regimen is a complicated matter, as banks have to contend with the unique traits of each type of device in the marketplace, Mr. LaSala said. One edition has facial recognition, the updated one has fingerprint ID. Each change, each new device, has to be incorporated.

Biometrics are improving, Mr. LaSala said. Voice has made great strides and the ability to incorporate how one swipes their phone and even how they hold it can be used in security measures.

“Gathering that data and providing that data along with the transaction details to your risk engine, that’s really the silver bullet.”