If there are always users who will fall for phishing, how can it be prevented? We explain how security firms have been getting it wrong and how cutting-edge technology is set to change that.
Phishing is when a user is shown a false website and asked to enter their username and password so that scammers gain their login details. The art to a good phishing scam comes in getting the user to that page.
In the early days – now
Online auction sites were major targets. Thieves would email users with messages that looked very similar to the site's own, purporting to be from it. Users would be redirected to webpages requiring them to log in and, voilà, their details had been stolen; thieves could then move money or buy goods.
Because webmail such as Hotmail and Google was far less common, security efforts went into software for the desktop PC. This third-party security software, often sold with anti-virus packages back in the days when a full PC system came bundled, created a few problems for the marketplace.
Security companies started catching up with scammers, using SSL certificates and forming partnerships with the websites being targeted to discern fairly accurately which websites were ‘fake’ and alert the user.
This method of detecting fraud is a cat-and-mouse game: as thieves become more advanced, the software has to catch up and be updated. In the industry this is called “end-point” software. Software updates are rarely a problem for consumers, but for businesses, who have much larger bank balances and therefore a lot more money to lose, rolling out software updates to thousands of employees is a task that takes months.
Even though the web has moved on leaps and bounds, we are still left with a problem: the reliance on traditional, third-party security software leaves a lot of users unprotected. Either they don’t know that they should be using security software, or they can’t get the correct updates because their mobile devices don’t support third-party web browser extensions or their company isn’t moving quickly enough.
The future of fraud detection is not to leave the full burden of trust on a simple string of text that the user remembers; there are too many ways for a password to be stolen.
Instead, the most forward-thinking firms are looking to understand the nuances of their users and how they normally act: how fast they scroll, click or swipe on their smartphone. This behaviour analytics drives a biometric understanding of a website’s users.
In the event that somebody’s account is being used by another person, whether it has been accessed by phishing, brute force or even from a stolen laptop, the website will know that something is not right. The website has the power to recognise bad behaviours before they happen.
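To make the behaviour-analytics idea concrete, here is an added example (not code from the original article or from any vendor it describes) of the simplest form such a check can take: build a per-user profile of interaction features from past sessions, then score a new session by how far it sits from that profile. The feature names, their units, the sample session values and the step-up threshold are all assumptions constructed for the illustration.

```python
"""Behavioural baseline scoring: a minimal illustration of the idea that a
website can notice when an account is being driven by someone other than its
usual owner. Constructed example; not any vendor's product or code."""
from statistics import mean, pstdev

# Interaction features captured per session. Units are assumed:
# pixels/second for scroll and swipe, milliseconds for click and keystroke gaps.
FEATURES = ("scroll_px_per_s", "click_interval_ms", "swipe_px_per_s", "keystroke_gap_ms")

# Constructed history for one account owner (hypothetical data).
BASELINE_SESSIONS = [
    {"scroll_px_per_s": 410, "click_interval_ms": 820, "swipe_px_per_s": 1500, "keystroke_gap_ms": 160},
    {"scroll_px_per_s": 430, "click_interval_ms": 790, "swipe_px_per_s": 1550, "keystroke_gap_ms": 170},
    {"scroll_px_per_s": 395, "click_interval_ms": 860, "swipe_px_per_s": 1480, "keystroke_gap_ms": 150},
    {"scroll_px_per_s": 420, "click_interval_ms": 810, "swipe_px_per_s": 1520, "keystroke_gap_ms": 165},
    {"scroll_px_per_s": 405, "click_interval_ms": 840, "swipe_px_per_s": 1490, "keystroke_gap_ms": 155},
]


def build_profile(sessions):
    """Per-feature (mean, standard deviation) learned from past sessions."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        sd = pstdev(values)
        # Floor the spread so a very consistent user does not turn a tiny
        # deviation into an enormous score.
        profile[f] = (mean(values), max(sd, 1e-6))
    return profile


def score_session(profile, session):
    """Mean absolute z-score across features; 0.0 means exactly typical."""
    zs = []
    for f in FEATURES:
        mu, sd = profile[f]
        zs.append(abs(session[f] - mu) / sd)
    return sum(zs) / len(zs)


def assess(profile, session, threshold=3.0):
    """Return 'step_up' when the session looks unlike the account owner.

    The threshold is an assumption; in practice it is tuned against the
    false-positive rate the business is willing to tolerate, and a step-up
    (second factor, re-authentication) is the usual response rather than a
    hard block, since the legitimate owner may simply be having an odd day.
    """
    return "step_up" if score_session(profile, session) > threshold else "allow"


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    # Owner on a normal day: close to every baseline mean.
    typical = {"scroll_px_per_s": 415, "click_interval_ms": 830,
               "swipe_px_per_s": 1500, "keystroke_gap_ms": 162}
    # Same credentials (or same stolen laptop), different human at the keyboard:
    # rapid scrolling, fast clicks, and slow, hesitant typing.
    other_person = {"scroll_px_per_s": 900, "click_interval_ms": 300,
                    "swipe_px_per_s": 3000, "keystroke_gap_ms": 400}
    for label, s in (("typical", typical), ("other_person", other_person)):
        print(f"{label}: score={score_session(profile, s):.2f} -> {assess(profile, s)}")
```

The point of the example is that the decision depends on nothing the attacker obtained: a correctly phished password or a laptop taken from a bag still yields a session whose scrolling, clicking and typing rhythm diverges from the owner's, and that divergence is what the site can act on.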