According to Verizon’s Data Breach Investigations Report (DBIR), business email compromise attacks have almost doubled across its incident data, accounting for 50% of incidents. The study looked at 16,312 security incidents, of which 5,199 were confirmed data breaches.
To learn more, we tuned in to a recent webinar with Will Gordy, Director of Workplace Collaboration and Customer Experience at Verizon, and Bryce McWhorter, Sr. Director Product, Research & Engineering at Pindrop, who is in charge of voice center authentication.
1 – How do hackers use various techniques to exfiltrate customer data and shut down operations?
One of every eight employees shares the requested information in a phishing attempt. Sixty percent of employees opened emails they were fully confident were safe. It doesn’t make things easier when socially engineered cyberattacks like phishing are nearly 80% effective.
One socially engineered trend is vishing. Robert Sheldon at TechTarget describes vishing (voice or VoIP phishing) as “a type of cyber attack that uses voice and telephony technologies to trick targeted individuals into revealing sensitive data to unauthorized entities.” Fraudsters can use this technique to access private information such as Social Security numbers, financial account details, or even network information.
2 – Why do current systems need to evolve to catch fraudsters?
“The problem is that most call center representatives are not measured against the average time of calls, tickets resolved, or net promoter score,” Bryce revealed on the webinar. “They don’t get bonus points for catching fraudsters day in and day out.” Evolving the interactive voice response (IVR) measurement system could be a smart way to innovate in the future. Additionally, providing the right tools so that reps can focus on the call rather than on catching fraud could be ideal. Pindrop Trace Technology determines call risk in the IVR to prevent data theft, account mining, account takeover (ATO), and omnichannel fraud.
Companies that fail to innovate can end up lacking confidence in their ability to handle fraud. Thirty-three percent of attendees at this week’s webinar said they were only somewhat confident in their company’s ability to handle fraud today.
3 – What are some ways to stop fraudsters?
According to Will, citing the Verizon DBIR, “in the incidents with loss, the calculated median more than doubled to $26,000, and the 95% range of losses expanded to sit between $1 and $2.25 million, putting that upper bound in scarier territory if you are a small business.” He continues, “the FBI did find that only 7% of the incidents had losses in this case, so it’s not all bad news.” Companies appear to be taking appropriate steps to fight fraud and are getting more savvy at doing so with the right technology.
Bryce says, “The first line of defense is through call centers.” Pindrop studies show that 30-40% of the time, fraudsters can get past the call questions. Another avenue is one-time passcodes (OTPs). At Pindrop, 16 engineers and researchers are working specifically on deepfake security to ensure fraud is stopped before it gets this far, but having systems set up to mitigate each of these techniques can make a big difference.
4 – What new fraud attack styles are you seeing?
A few types of fraud methods were mentioned on the webinar. Low-and-slow attacks send what appears to be legitimate traffic at a low rate over a prolonged period. Detecting this through network behavioral analysis can be critical. Another is group chats.
Pindrop services help in several ways by looking at metadata and tone analysis, audio-based detections, and even STIR/SHAKEN ingestion. Pindrop processes STIR/SHAKEN headers and incorporates the attestation-related insights, when available, into its machine learning models to enhance call risk scoring. In short, they improve call risk scoring with intelligent sorting. It was also mentioned on the webinar that HLR (Home Location Register) is frowned upon in the industry because it can lead to SMS spoofing, cloning, etc. The HLR is a database that stores details on every cell phone number connected to the Global System for Mobile Communications (GSM) network worldwide.
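The attestation ingestion described above, as an added example that is not Pindrop's code: it reads the `attest` claim (A, B or C) from the PASSporT carried in a SIP `Identity` header and returns a neutral result when the header is missing or malformed. The function names and the sample header are constructed for illustration, and signature verification is assumed to happen upstream.

```python
import base64
import json

ATTEST_LEVELS = ("A", "B", "C")  # RFC 8588: full, partial, gateway attestation
ABSENT = {"present": False, "attest": None, "orig_tn": None, "origid": None}


def _b64url_json(segment):
    """Decode one base64url JWS segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def shaken_features(identity_header):
    """Extract attestation features from a SIP Identity header value.

    The ES256 signature and x5u certificate chain are NOT verified here;
    treat the output as untrusted unless verification happened upstream.
    """
    if not identity_header:
        return dict(ABSENT)  # header not available on this call
    parts = identity_header.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        return dict(ABSENT)
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return dict(ABSENT)
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return dict(ABSENT)
    if header.get("ppt") != "shaken" or claims.get("attest") not in ATTEST_LEVELS:
        return dict(ABSENT)
    orig = claims.get("orig")
    return {"present": True, "attest": claims["attest"],
            "orig_tn": orig.get("tn") if isinstance(orig, dict) else None,
            "origid": claims.get("origid")}


def make_sample_header(attest):
    """Constructed sample Identity header; the signature part is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/passport.cer"}
    claims = {"attest": attest, "dest": {"tn": ["12155550113"]}, "iat": 1443208345,
              "orig": {"tn": "12155550112"}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl;info=<https://cert.example.org/passport.cer>;ppt=shaken"


if __name__ == "__main__":
    for value in (make_sample_header("A"), make_sample_header("C"), None, "garbage"):
        print(shaken_features(value))
```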
Final Thoughts on Exploring the Evolving Cybersecurity Threats
Verizon’s 2023 DBIR has a wealth of information about the trends being seen in cybersecurity. Some notable stats found in the report are:
- 75% of all breaches in 2022 involved a human element
- 50% of social engineering attacks in 2022 involved pretexting, doubling YoY
- 49% of breaches by external actors used stolen credentials
“It’s growing increasingly important that agents are trained to get the next call and serve callers quickly and efficiently,” says Bryce. “Outsourcing functions to detect fraud and implementing automated tools and controls can make a big difference.”