#ScamsAwarenessFortnight - Adopting a Zero Trust Mindset to Tackle Fraud

Organizations have faced a surge in cyber-threats during the COVID-19 pandemic, with malicious actors looking to take advantage of the economic uncertainties brought about by the crisis and the shift to remote working. One area in which this has manifested is scams, with tactics like business email compromise (BEC) and phishing rising substantially in the past 15 months. As well as targeting less well-protected staff members as a route into companies, fraudsters have been able to use the health, economic and social consequences of COVID-19 as effective lures. For example, fraudsters are capitalizing on government financial relief schemes to trick businesses into giving away sensitive information, including payment details.

As we enter this year’s Scams Awareness Fortnight, running from 14-27 June, the world is slowly emerging from the COVID-19 pandemic, largely thanks to the rapid development and rollout of vaccines. With life expected to return to some form of normality over the coming months in many countries, will this impact the types of scams businesses face, and what can they do to bolster their fraud defenses in this landscape?

Potential Shifts in Fraud Landscape

Fraudsters are renowned for their ability to quickly adapt to changing circumstances, an attribute that has been painfully evidenced during COVID-19. As societies open up and various activities that were prevented by lockdown restrictions become possible once again, it is safe to assume that scammers will respond in kind. Petter Nylander, CEO at Besedo, explained: “With the world beginning to open up and social activities, ticketed events and even holidays looking like a possibility once again this summer, fraudsters are continuously shifting and refining their scams. They will adapt to new behaviors, and online platforms need to adapt too.”

Another area we are likely to see fraudsters respond to is the changes in working practices that will continue to occur over the coming months. While many businesses are reopening their offices, it is expected that a large proportion of workers will only return on a part-time basis, continuing to work from home at least partially. According to Raj Samani, McAfee fellow and chief scientist at McAfee, this model potentially opens new avenues for fraudsters to strike. He outlined: “With many of us now splitting our professional lives between our homes and the office, cyber-criminals will be quick to adapt their tactics – creating a whole host of new scams which businesses must be aware of. The threat for businesses is also intensified by the fact that many employees are accessing work files and information across both corporate and personal devices.”

Ramses Gallego, international chief technology officer at Micro Focus, concurred, adding: “Scams Awareness Fortnight is a great opportunity to highlight the additional challenges that businesses are now facing, particularly with the shift towards a hybrid workforce. A distributed workforce not only creates new attack vectors for cyber-criminals, but it also risks employees who are still adjusting to a changing workstyle falling victim to a clever scam.”

Additionally, organizations must remain mindful that fraudsters will continue to exploit the ongoing COVID-19 crisis. The rollout of COVID-19 vaccines, for example, is likely to be a particular target in this regard. Rory Duncan, security go-to-market leader, UK, at NTT Ltd., noted: “Following the events of the last year, we must do more than ever to protect people against scams. Cyber-criminals will continue to exploit significant global events such as the pandemic for their own malicious gain and, unfortunately, in many cases vulnerable individuals have been their target.”

As Nylander put it: “This year’s Scams Awareness Fortnight is a vital reminder of the ever-changing scam landscape and the importance of taking action now, as scammers’ methods grow more sophisticated by the day.”

Employee Awareness Training

Amid this landscape, organizations should be putting in place various measures to protect themselves from scams. This ultimately has to begin with educating workforces about detecting scam messages – whether email, text or other mediums – particularly those containing links, attachments or requests that information be sent across. As such, engendering a skeptical, even zero trust, attitude to all communication received is a good starting point. “Many phishing emails are easily identifiable, with glaring errors like incorrect spelling or grammar and overly sensationalist language,” explained Duncan. “But this is not always the case. It’s important that people are wary of emails coming from an unknown source at all times. This especially applies to sources relaying information – and possibly misinformation – about any significant event. With this in mind, we recommend that users do not click on links in emails, but instead that they manually enter the address of the website they need.”


There are a number of other steps employees can take to check the legitimacy of incoming messages, according to Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also,” he outlined. “Check the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also, check your personal details for accuracy. These simple tips will help employees avoid a potential cybersecurity nightmare for their organization.”
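The checks Duncan and Carson describe above (trust the sender address rather than the display name, look at where a link actually points rather than what its text claims, and treat any phone number inside the message as unverified) can be turned into a repeatable triage step. The Python below is an added example written for this page, not code from the article or from any of the vendors quoted. The two messages, the allow-list `TRUSTED_DOMAINS`, and the domains `example-bank.com` and `examp1e-bank-relief.top` are constructed for illustration.

```python
"""Added example: automate the manual sender/link/phone checks from the article."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organization genuinely corresponds with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample: display name claims the bank, the real sender domain is a
# look-alike, and the link text shows one host while the href points at another.
PHISH_EMAIL = """From: "Example Bank Support" <support@examp1e-bank-relief.top>
To: finance@example.com
Subject: Action required: COVID-19 relief payment verification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your business relief grant is pending. Confirm your payment details within 24 hours.</p>
<p><a href="http://examp1e-bank-relief.top/verify">https://www.example-bank.com/login</a></p>
<p>Questions? Call 0800 000 0000.</p>
</body></html>
"""

# Constructed sample of a message that passes every check.
CLEAN_EMAIL = """From: "Example Bank" <notices@example-bank.com>
To: finance@example.com
Subject: Statement available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready:
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
PHONE_LIKE = re.compile(r"\b\+?\d[\d\s().-]{7,}\d\b")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain (scheme added if missing)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def check_email(raw):
    """Return a list of red-flag findings; an empty list means all checks passed."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: judge the sender by the address, never by the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not _is_trusted(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not trusted "
                        f"(display name was {display_name!r})")

    body = _html_body(msg)

    # Check 2: compare where each link points with what its text shows.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = _host(href)
        shown = _host(text) if URL_LIKE.match(text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")
        elif not _is_trusted(target):
            findings.append(f"link points to untrusted host {target!r}")

    # Check 3: phone numbers in the message are unverified; look them up independently.
    for match in PHONE_LIKE.findall(body):
        findings.append(f"phone number {match.strip()!r} in body: verify via the official site")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_email(raw) or "no findings")
```

Run on the constructed phishing message, `check_email` reports the untrusted sender domain, the mismatch between the link text and its real target, and the embedded phone number; on the clean message it returns an empty list. The allow-list is deliberately the only notion of "trusted" here: the point of the article's advice is that nothing inside the message itself (display name, link text, phone number) is evidence of legitimacy.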

Samani noted that it is also critical that organizations promote a strong security culture throughout their workforce, ensuring there is an emphasis on practices like “reporting any suspicious activity, questioning whether a link is dodgy or thinking before accepting a stranger’s invitation to connect on LinkedIn.”

Technological Solutions

As well as awareness training, there are a growing number of technology solutions that organizations should employ to protect themselves from scams. Gallego stated: “Ultimately, it's about getting the balance between people, process and technology right – deploying suitable security solutions and processes as well as training staff on how scammers are most likely to target them. If both IT professionals and the wider employee-base remain vigilant against scams, organizations can improve their security posture and set themselves up for long-term success.”

First and foremost, in the view of Carson, they need to have “a good email spam filter that will help ensure such scams do not make it to the email inbox.”

Another key preventive measure may be to reduce reliance on usernames and passwords to access IT systems. This will make it much harder for fraudsters to employ one of their key methods of targeting organizations: credential theft. Brett Beranek, vice-president & general manager, security & biometrics line of business, Nuance Communications, believes the advances in biometrics technology offer a solution to this. “It is high time PINs and passwords are confined to the history books, so that technology – such as biometrics – can be more widely deployed in order to robustly safeguard customers,” he stated.

“Biometrics authenticates individuals immediately based on their unique characteristics – taking away the need to remember PINs, passwords and other knowledge-based credentials prone to being exploited by scammers and providing peace of mind, as well as security, for end-users.”

Zero Trust Mindset

Ultimately, organizations need to ensure that their awareness training and tools evolve around a zero trust mindset regarding scams, according to Samani. “One way to improve protection against cyber threats is to build an open, flexible architecture that can adapt as needed without the need for bolt-on security,” he said. “Businesses must also adopt a zero trust mindset that can help them to maintain control over access to the network and all instances within it, such as applications and data, and restrict them if necessary. By taking these measures, organizations can rest easy knowing they have taken the correct steps to protect themselves and their workforce from cyber-led scams.”

The growth in fraud targeting businesses since the start of COVID-19 has been palpable. At this year’s Scams Awareness Fortnight 2021, the world is gradually emerging from the pandemic, and this is likely to shift the focus of fraudsters, a trend organizations need to stay on top of. Additionally, with accelerated digitization set to be one of the major legacies of COVID-19, the opportunities to launch scams will continue to proliferate, and businesses must put in place measures to defend against them. These will center on people and technologies, built around a zero trust approach to all communications sent to the business and its employees.
