Issuers and customers are well-informed about many cybersecurity risks around mobile, but even cyber-savvy consumers are falling victim to sophisticated social-driven phishing attacks that look and feel like a legitimate brand.
Here’s how it works: a customer posts a complaint about a system outage or glitch on a social social channel (frequently Twitter), a lurking fraudster posing as a customer care agent offers a link to click that sends the customer to a fraudulent phishing website. When the customer logs on with their information, their credentials and account information is harvested for further use in cybercrime.
What’s particularly traumatic about this type of attack for the victims is that they can be held responsible for account losses because they themselves willingly disclosed their credentials to a third party.
Would-be thieves have long used phishing schemes to capture credentials and personally identifiable information (PII), but impersonating a card issuer's customer care function on social media is a dangerous new twist that could indicate the beginning of a growing trend toward brand impersonation and account takeover crime originating from social channels.
It’s important to keep in mind the point of these attacks for the fraudsters are to acquire user credentials to take over customer accounts. The Auriemma Group reported in 2015 that account takeover fraud involving debit cards was up 280%, and in December 2016, NuData’s threat intelligence indicated that as much as 60% of new account creations were fraudulent compared to 39% in 2015. These findings add further weight to regulatory pressures on banks to improve cybersecurity, and may also lead to a further push for to assume responsibility for account takeover losses.
Clearly, better consumer education is imperative. Symantec reports that more than a third of U.S. consumers who share passwords have shared their online banking account passwords, and 55% of people use the same password everywhere. In addition to password education, we continue to warn consumers of social media dangers. Even with better password security, socially engineered scams are becoming so sophisticated that even the savviest of users can be fooled. LinkedIn encourages people to be careful of who they follow on social media, and it can be the case that many social media profiles are not actual people but bots designed to deceive and lure users to divulge personal data.
Usernames and passwords are a static, outmoded and an inherently vulnerable approach to security. Many institutions are moving to multiple-factor authentication methods, in particular, passive biometrics and behavioral analytics – a nuanced approach to authentication that constantly evaluates contextual information about customer interactions to continually, passively authenticate them in real-time with no pre-enrollment processes.
Passive biometric authentication can restore the customer’s trust in online channels while adding real security to the login process, without adding friction – a true win/win for everyone but the would-be fraudster.