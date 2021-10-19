The fast, secure transfer of critical consumer data is the Holy Grail of digital business, but it has been heavily compromised in the maelstrom of a global pandemic. This is evidenced by a hike in online fraud, a traction that shows little sign of slowing, says Stefanie Ellis, pictured, AntiFraud Product & Marketing Director, at the anti-counterfeiting firm OpSec Security.

A surge in remote working and its heightened risk from insecure devices has been a gift for scammers exploiting both weak links in the security chain and public uncertainty, with heavy repercussions for an organization’s reputation and operational efficiency. Indeed, according to research from the Ponemon Institute, the average annual cost of a phishing scam in 2021 for a 9,600-employee organization is $14.8 million while in the UK, £2.3 billion was lost last year to online fraud, up by a third according to police unit Action Fraud.

For fraudsters, customer data is the prize; the account usernames and passwords and personal data from which bogus charges can be generated and funds extracted. While fake emails are the most pervasive means, the con can take many forms – either a call, link or text, all under the guise of a legitimate interface, posing as a known brand. Increasingly sophisticated and inventive, these scams often exploit the current zeitgeist and topical concerns. The fake marketplaces that started selling sanitization products at reduced prices during the Covid-19 pandemic were a case in point – sites which swiftly disappeared once the customer had paid up.

Similarly, financial fear and uncertainty from furloughed workers sparked a wave of attacks claiming to be a high street bank’s fraud department is a trend that continues at pace. Victims are told that their accounts have been illegally accessed, are redirected to fraudulent sites and then lured into disclosing confidential information, in extreme cases, unwittingly handing over their entire life savings.

While the pandemic’s peak may be over, the threats keep coming and the fraudsters are indiscriminate with their targets. While the mainstay remains webmail and payment providers, cyber criminals have expanded their prey to cover social media and to a lesser degree retail, logistics, travel cryptocurrency, cloud storage, file hosting and gaming companies. Meanwhile, as remote working remains an established way of working, it brings the additional threat of rogue employees, buoyed by less employer/office visibility, taking risks with the wealth of consumer intelligence they have at their disposal.

The complexity of the current operating environment demands a robust response as diverse and fast evolving attacks present themselves. Furthermore, businesses must manage the rising cyber threat in a post-Covid world while still delivering the ‘anywhere, anytime’ seamless transfer of information that the customer expects. It means negotiating a balance between stringent protection while avoiding the heavy-handed Fort Knox style security solutions now at odds with the hyper connectivity needed to serve more imaginative applications in complex environments.

Harnessing technology providers with expertise in brand protection with the means to identify anomalies and shut down fraudulent sites fast is one way of dealing with this growing problem. Here, data analysis and intelligence are the core tool with which to identify issues and get under the skin of an attack. Analysing a scammer’s infrastructure and using data from phish kits – the HTML package from which the phishing site is created – can expose clues and help identify the individual behind it. Meanwhile, the continual monitoring of content, hostnames or URLs to distinguish between normal and rogue activity should be the bedrock for risk management, and this is often best outsourced to experts who have the time and the know-how to approach this in the proactive, in-depth manner it should be. Doing so will allow them to intervene swiftly before an attack takes place. Making distinctions quickly and accurately becomes even more critical as devices, fuelled by cheaper access points, are more likely to operate in a way that can appear suspicious but are in fact normal business.

Once suspicious activity is confirmed, sharing it with a network of ISPs, domain registrars and email and hosting providers to block consumer access within minutes of detection and remove the content is the game-changer in stamping out a threat before any damage is done.

Critically, however, technology is only part of the solution, and a holistic approach to brand protection is a must for those organizations who are serious about maintaining their customers’ trust and loyalty. Education and human input must work in tandem, especially in instances where foul play can be harder to determine. The onus is also on the business to be clear in its communication as to what constitutes legitimate and illegitimate emails and instil a vigilance and awareness into the employee mindset, shifting away from the more passive state that makes them vulnerable to rogue communication.

Going on the offensive means covering all bases, a combination of data-driven insight and human vigilance to stay one step ahead of the scammers.