ESET Chief Security Evangelist Tony Anscombe sat down with us to share his insights on how to avoid falling prey to online fraud.
Are you aware of some of the most common tactics that con artists can use to steal your data, identity and money? The digital era has opened new ways for scammers to take aim at potential victims; in many cases, fraudsters can gather a range of details about unsuspecting netizens before hitting them with targeted attacks.
Online scams take various forms and become increasingly sophisticated, but being vigilant and knowledgeable about the threats will go a long way towards staying safe. To mark Fraud Prevention Month, which began in Canada this week, we talked to Tony about what people and businesses across the world can do to avoid falling victim to fraud.
Hi Tony, thank you for joining us. This week marks the start of Fraud Prevention Month, reminding both citizens and businesses of the importance of protecting themselves against fraud. The first question imposes itself: how important is individual action to prevent fraud?
Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items, we may appreciate it can happen but unless it’s happening to us at this moment in time then we can often be guilty of delaying preventative action. While this is understandable, it should not be the case. If fraud makes an appearance as an issue it will dominate time and effort at the expense of everything else we should be doing.
Preventative measures may not be as onerous to implement as you first think, and the benefits of keeping yourself out of the fraud victim statistics will for certain keep a very stressful issue at bay. For example, preventative measures against identity theft may take 3-5 hours, but recovering from identity theft can take anywhere between 100-200 hours over a six-month period.
And for businesses the risk is compounded; fraud may affect the daily operations of the business and if it requires public disclosure can lead to loss of reputation and potentially create a distrust atmosphere with customers.
Having an action plan to prevent fraud either as a business or a citizen should be a priority on the to-do list; it’s time well spent. Don’t wait to be a victim.
According to ESET Cybersecurity Barometer 2018 for Canada, banking fraud and identity theft are Canadians’ top concerns when it comes to cybersecurity. What steps should we take to protect ourselves against these crimes?
Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity.
- When asked for personal information, either online of offline, always consider whether the requester actually needs the information.
- Don’t overshare personal information on social media.
- Register with credit agencies and create alerts warning you when someone is accessing your credit file.
- Consider locking or freezing your credit file to stop access by any third party, it’s relatively simple to do and to unlock when you may need it.
- And do all of the above for your kids too, don’t let someone steal their identity before they even start using it themselves.
- Check bank and financial statements on a frequent basis and be on the lookout for any strange or unknown transactions.
- Open physical mail in a timely fashion, banks and authorities use the regular mail system to alert you to changes or access to some online activities to ensure they were carried out by you.
- Protect your mobile phone account against SIM swapping, make sure your phone account requires a PIN code or password to issue a new SIM card.
- Use strong passwords or passphrases to secure your accounts, and keep each account secured with a unique password or passphrase.
- When possible switch on multi factor authentication to secure your accounts, either using SMS or a dedicated app to authenticate logins and transactions. A dedicated app is recommended as it provides greater protection if you become a victim of SIM swapping.
- Register for online social security and tax filing, even if you don’t intend using the online systems. Securing your account will stop someone registering as you.
- Secure devices with security software and make sure it’s kept up to date.
The same study also revealed that three quarters of respondents were targeted by phishing attacks, through email or via phone (voice phishing, aka vishing). What advice would you give to users who want to protect themselves against falling for these scams?
Many of the above apply to businesses as well, securing a company bank account requires the same identifiers of the person as accessing a personal account. Businesses should adopt frequent awareness education with employees to ensure they understand what to look for to avoid fraud and scams that may affect the company. For example, protecting against phishing for login credentials and business email compromise attacks can be thwarted through education and awareness of how these social engineering attacks take place. Some core tips are:
- Check the spelling of the web address/URL in email links before you click on then. Most email clients allow you to see the address by hovering the mouse over the clickable area, without clicking. If the address does not look right, then don’t click on it.
- If you have clicked a link then be vigilant when you get to the website, if it does not look right or seems different to normal then don’t enter any information.
- Don’t click links in emails that take you to login pages, for example I never click links in messages from my bank, I always type the address manually into the browser and access my bank directly.
- If you don’t recognize the email or find the attachment suspicious, don’t open or download it.
And criminals do not only utilize electronic means. A recent example of a deepfake audio attack against a UK company shows how criminals are using sophisticated AI technology to attack businesses. Always validate the request using communication mechanisms that are trusted.
The FBI’s 2018 Internet Crime Report demonstrated the growing threat of Business Email Compromise (BEC) attacks, commonly known as CEO fraud, with losses almost doubling between 2017 and 2018. Do you think awareness trainings are efficient measures for organizations to protect themselves from these scams?
Yes, as mentioned previously, I believe employee awareness and education is important. Awareness trainings are an excellent engagement and education tool that gives employees advice not only how to recognize these attacks in the workplace but also offline. The Verizon 2019 Data Breach Investigations Report shows a decline in clicking a phishing test email by employees from 4% to 3% year on year. While this is a controlled test phishing email, it demonstrates that the education on identifying fake emails is working.
RELATED READING: Can you spot the phish? Take Google’s test
What is your forecast for future fraud trends and, more importantly, for steps to take in order to prevent fraud?
As the example above demonstrates, criminals will adopt sophisticated technology and techniques to carry out their malicious activities. As more personal data becomes available through breaches or other means then phishing email will become more targeted taking on the form of spear-phishing emails with enhanced personalization. The language and mistakes made in these malicious campaigns will become harder to spot as the technology available to create them improves.
Identity theft is a growing issue which I don’t expect to decrease anytime soon, taking the steps highlighted in earlier are essential in proactively protecting against it.
And review your protection plan frequently, this is not a do-once-and-forget task!
Would you have a final piece of advice for our readers who are worried about fraud, but may not be sure what their next step(s) should be?
Firstly, don’t worry. There are numerous organizations that can help proactively, such as the advice we give here. Fraud costs financial institutions millions of dollars every year and they have expert teams on hand to both help you prevent it happening and to help you recover from it. Governments around the world also provide excellent guidance on staying safe online and avoiding fraud. The most important advice I can give is: don’t think it will not happen to me; make a plan today and act on it.