How hackers virtually pose as a recognizable brand to steal from your company and your customers.
Users are the weak link
We all think fraud is not going to happen to us; we know better than to enter personal information on the wrong site, right? But when it comes to phishing we have to tip our hats to the hackers and their remarkable photoshopping skills for faking emails and sites that look so genuine. Yes, perhaps we could tell a fake email or website from a real one if we looked at them side by side for a few minutes. But when we are standing on the bus with our phone, looking for a seat while texting our friend that we’ll be ten minutes late, then it’s not that easy. As users, we – way too often – choose to trust, and that trust is exactly what phishing scammers take from us.
Phishing scams lure clients into clicking through to a site that is infected with malware or built to harvest credentials. They do this by sending an email disguised as a brand that the victim knows or may have already dealt with in the past. The message describes some urgent issue that, for example, requires the user to immediately log in to their account through the link provided. When the victim follows the link and enters their personal information, the hackers collect it – and off it goes to the dark web in as little as a few minutes, or it is used directly for fraud or identity theft.
To make matters worse, email as a way to contact customers is not only growing but also becoming more popular among customers themselves. Adobe found that clients rate emails from retailers as the best source for finding out about shopping deals during the holidays. When asked specifically about the best way to get offers on their mobile devices, 40% of consumers preferred email.
Phishing is not only a threat to retailers, but also to employees. A more targeted form of phishing, spear phishing, sends an email to specific users. Spear phishing attackers often use the internet and social media to build a better profile of the victim in order to craft a more convincing email. One form of spear phishing is to target someone in an organization and trick the employee into downloading malware to their computer so the hacker can steal the infected computer’s information. This is what recently happened with the Silence Trojan, which affected at least ten banks.
We hate being the bearer of bad news but, as a company, there is not much you can do to prevent your customers from taking the phishing bait. Based on the Juniper Online Payment Fraud report, eCommerce merchants and financial institutions are set to spend $9.2 billion on fraud prevention by 2020 – and yet, not one of those billions of dollars can help control what your users do outside of your environment.
Sometimes it’s just too hard
Companies can train their customers to verify the links in an email before clicking; to call customer service if they are in doubt; to never give private information over email; to be suspicious if an email says, “Your transaction went wrong, click here to purchase your item again.” But the truth is that, when we are trying to make a purchase online while comparing reviews, reading the product specs, and replying to a text from our mom, then it’s not that easy.
The Black Friday and Cyber Monday weekend is set to be one of the biggest weekends of the year for eCommerce companies – last year it generated $3.5 billion, based on the 2016 Adobe Digital Insights Holiday Recap report. Shopping seasons are always preceded by emails from retailers with sales, deals, and promotions. Hackers use this time to do exactly the same, and they even design their phishing emails to blend in with your company’s real emails.
Look at the behavior
As an online company, you are facing fraudulent purchases made with stolen credentials every day; that’s just a fact. To avoid contributing to the ever-growing amount of money lost to fraud, you need to identify risk not only by looking at your customers’ static information but also by looking at their behavior.
Hackers have outsmarted security measures that rely on credentials, hard tokens, and one-time codes – to name a few – rendering classic Risk-Based Authentication (RBA) outdated. RBA can no longer be based solely on static credentials and layers that verify physical data (device, location, and connection); RBA needs to be enhanced by layers that verify the user’s behavior – a topic we will cover during our next webinar on December 5th featuring Forrester. Passive biometrics is the layer that looks at how your users behave, which is something inherent to each of us and impossible for a third party to replicate.
Yes, there is little you can do about phishing itself, but by combining RBA with passive behavioral biometrics, you won’t be fooled by the tons of stolen data flying around. This next-generation solution is continuously evolving and has already proven to give companies a headache-free Cyber Monday.
Want to learn more about biometric authentication? Download our co-sponsored Aite Group report, Biometrics: The Time Has Come.