Latest Post Related Post

Phishing attacks have become more sophisticated and personal. We are all busy with life – work, family, commute, and dinner plans, along with keeping up on the latest news cycle. Virtually anyone could be inclined to quickly click on a link stating there is an issue with their recent order. But there's more to phishing attacks than just baiting businesses and consumers. During a recent #ExperianLive event, Mike Gross, Head of Global Identity and Fraud Product Innovation, discussed what businesses can do to protect themselves and their customers. ​ Q: You say that phishers would make good digital marketers. What do you mean by that? Mike: Like a great marketer, a good phisher understands people and their tendencies; they know how to get people to take action on their message. Take my most recent “almost phishing" incident. During the holidays, I received an email from a top online retailer stating there was a “problem with my recent order." I knew that any delay would jeopardize my holiday gift delivery. I was just about to click the “Login" button and then stopped. Thankfully, I double-checked the sender and it wasn't my favorite shopping site after all – just a really good fake email from a "phishy" sender. Like a digital marketer, phishers understand how to specifically target the things that people care about. This is why phishing attempts focused around the holidays, tax season, natural disasters, and hot news topics are often so successful. Q: Are phishers counting on the relationship and roles people have in an organization? Mike: Yes. That's the whole nature behind one of the biggest phishing attacks over the past several years – business email compromises. As a phisher, I'm sending you an email that looks like I work with you, say a vendor with a message that reads, “I changed the account that you use to pay me; please update your payment to this new account." If there is urgency behind it, it is taken seriously – for example, to avoid being late on paying a vendor. Human nature is being helpful and reacting, especially in this fast-paced, hyper-connected world – and that's why these scams continue to work. Q: What other phishing trends are you seeing? Mike: They've evolved over time. Take the simple phishing email; it's not so simple anymore. Nowadays, attacks are personalized to both the business and specific person – and phishers are taking advantage of automation and targeting tools so they can get the most reward for their effort. “Smishing" is variant of phishing focused on the phone channel, where attackers target victims with an SMS-based attack; you've probably seen them. You get a text and link from what you think is your friend saying something like “Check out this funny video!" But it isn't legitimate; it's a fraudster that is spoofing your friend's phone number. Then there is “vishing" which is a voice-based attack. This is where a fraudster pretends to be someone they're not (like a consumer's financial institution) and tries to obtain personal information or take over an existing account. Q: Wow! Phishing fraud is sophisticated. What has led to that? Mike: We've seen a tremendous leap in technology used. There is a great example of that last year with a U.K. bank. Their customers expect that if there is an out-of-place transaction, the bank will call them. In this particular vishing scheme, vishers used compromised accountholder usernames and passwords to log into customer accounts and set up money transfers. Knowing that this would alert accountholders to the attempted transfer using the SMS one-time passcode, phishers called legitimate customers, impersonated the bank, and stated that since the customer was a recent fraud attack victim, the bank needed confirmation that they were the accountholder. The vishers told customers they would receive a passcode. While the customer confirmed the code, the vishers submitted the fraudulent transfer. Q: What trends and techniques are you seeing? Mike: Two of the big trends we're seeing is around Artificial Intelligence (AI), machine learning, and SMS to find victims. A big part of phishing is what we call “spear phishing." This targets individuals with access to an organization's financial accounts or internal systems. Another term is “whaling" which targets a specific high-profile individual. The phishers are no longer just sending out blanket lottery scam and Nigerian prince emails with misspellings to millions of people. It's very focused – and phishers can easily do this using machine learning and AI. Q: Do you notice any seasonality, or spikes in phishing based on a certain time of year? Mike: The holidays are one because so many people go to their favorite shopping sites and buy items that are completely out of pattern based on what they usually do online. Another good example is tax season. We saw phishers impersonate top tax and financial management software providers, allowing consumers to “quickly and easily submit their tax forms online." What's worse is that phishers use the knowledge you have about phishing against you. Things like “How do you protect yourself? Click on this link to learn more" or “Click this link to download software and protect your devices." Also, fraudsters pay attention to the news, so whether it's a natural disaster or the cathedral fire that happened in Paris last April, phishers see those as opportunities to prey on victims simply trying to donate to a worthy cause. Q: What advice do you have for businesses and consumers to protect themselves against phishing attacks? Mike: My advice for businesses is to focus on technology and training. Strong technology solutions must be in place at all businesses to block phishing emails that are coming from suspicious sites – and for the most part, large organizations do a great job of that. Smaller businesses can also take advantage of technology solutions from their internet providers. Businesses can implement web blocking software for less secure Internet sites and filter what types of content employees can have access to on business devices. A lot of companies hire outside consultants to talk about the different types of phishing attacks with employees. These are helpful, but the key is to not allow training to become static because attackers evolve so quickly. Both businesses and consumers can use the email filtering option that is available through nearly every email provider. Don't click on any attachments that even remotely look suspicious – especially if they've been texted to you from someone you either don't know or the message appears out of character for someone you know. Q: What activities is your group taking on that will help businesses and their customers fight phishing attacks? Mike: There are several things we're doing that impact businesses and consumers offline and digitally. We help businesses recognize their customers and authenticate them, whether that's helping customers with a new bank account, enabling easy checkout at a favorite retailer app, or protecting account logins. 99% of people trying to access accounts are the legitimate account holder; it's that 1% though that causes a lot of friction for good customers. So, we're trying to make it easier for those consumers to quickly pass through all of the controls so authentication is easier. That translates into consumer loyalty for brands. Q: And that's what it's really all about? Mike: It is. We help businesses recognize their customers and also ensure that they are catching fraudsters on the back end. But we also strive to make that recognition or user experience as seamless as possible, with the right scrutiny for the risk level of that business. Mike Gross leads product innovation strategy for Global Identity and Fraud at Experian. Check out the entire podcast and video on how to protect your business from phishing here.

Across the globe, fraud risks continue to grow and businesses continue to invest more to combat potential threats. According to Experian's 2019 Global Fraud and Identity Report, which was published this past January, more than half of businesses across the world have increased their fraud management budget in the past twelve months. I recently had the opportunity to discuss this very topic with Forbes.com. In the article I raised the issue of whether businesses are investing in the right places. Our research shows that businesses may sometimes be investing in the wrong capabilities or point solutions that are materially less effective than if they were to take a layered approach to fraud detection. To provide consumers with both security and convenient online experiences, companies must have a complete understanding by looking at the problem holistically. By layering multiple approaches such as digital risk assessments leveraging device intelligence, behavioural biometrics together with more traditional measures – businesses can focus their resources where it matters most – providing a safe yet convenient online environment for their customers. The Forbes article also looked at the issue of trust. The anonymous nature of digital interactions makes creating trusted and meaningful relationships with digital consumers difficult. Unlike face-to-face interactions where people rely on visual cues, and relationships developed over time, businesses must find other ways to quickly recognize their customers online and deliver personalized experiences. At Experian, we believe trust is extremely important. In fact, the report found that nearly eighty percent of consumers say the more transparent a business is about the use of their information, the greater trust they have in that business. And fifty-six percent of businesses plan to invest more in transparency-inspired programs such as educating consumers, communicating terms more concisely and helping consumers be in control of their data. There is no doubt about it, businesses who want to continue to thrive and lead in the digital economy will find ways to offer their customers both security and convenience whilst building trust with their audience. Learn more the state of fraud and how trust plays a role by downloading our 2019 report: Consumer trust: Building meaningful relationships online.  

We are delighted to announce our investment in bonify, a German fintech start-up dedicated to giving consumers better insights into their creditworthiness. bonify gives its 500,000 customers easy access to their creditworthiness and financial data, offering them a number of financial management tools to help analyse and optimise their financial situation. At Experian, we believe very deeply in the power of data to help improve people’s lives. That’s why we’re so excited by bonify’s continued goal to improve its users’ financial lives, and the steps it is taking to help people in Germany understand and benefit from their financial information. We are delighted to join a number of investors in supporting the growth of this innovative start-up. Charles Butterworth, Managing Director Experian UK, Ireland and EMEA​, said: "We are excited by the way bonify is helping people in Germany understand, engage with and improve their credit scores. We look forward to supporting the team as an investor and partner in their future growth.“ Founder and CEO of bonify, Dr. Gamal Moukabary​, said: “Experian's  investment shows that we are on the right track. It rewards our achievements and  our unique value proposition. Experian is an ideal investor and partner for us to  support the next growth phase. Our goal is to expand our operations into other  European countries.” Manuel Silva Martínez, Partner and Head of Investments, Santander  InnoVentures​, added: “We are delighted to welcome Experian  Ventures to bonify. Experian will add tremendous value and technical expertise to  bonify’s product roadmap. We are thrilled to support bonify as we accelerate growth and help more and more people across Germany and Europe with taking control of  their finances in a sound and responsible way.