Last week I had the opportunity to do a remote presentation with TrTec, Gurucul’s partner in Brazil. There were three speakers, covering different aspects of security in the Financial Services sector. Our part was on how Machine Learning, Artificial Intelligence, and Big Data combine to combat fraud in that space. It was an interesting format and a nice change of pace from the usual webinars we’ve all been doing during the pandemic.
What I hadn’t expected, was how timely doing a presentation on financial services fraud would be.
Case in point. The other day I got an email that went like this:
“Hi Mike,
I’m planning to surprise some of the staff with Gifts, Your confidentiality will be appreciated. However, I need you to get a purchase done, Email me once you get this.”
The “from” name and signature was our CEO, Saryu Nayyar, but it came from an unremarkable gmail address rather than her actual one. Between the message body and incorrect address, it was obvious this was a case of CEO Fraud. While it wasn’t one of the specific examples I’d used in my presentation, the timing was perfect.
Naturally, I responded “Sure, what do you need?” – and the game was afoot.
Let the Games Begin
To be fair, I found this particular phishing email in my spam folder, appropriately flagged with “This message seems dangerous.” The fact is the vast majority of email attacks like this are caught by spam filters and most users never see them. That’s how it should be, really. We should be able to depend on our defenses to silently do their jobs and keep us safe from malicious actors.
Here, the email system did exactly what it should do. Its machine learning algorithms have learned over time to identify spam, scams, and a range of related unwanted junk, and it effectively keeps said junk out of our inboxes. The only people who should see this kind of scam would be people like me – people who actively look for these things so we can see how the bad guys play their game.
But what about cases where the phishing email makes it through, or the “hook” comes from some other vector like a compromised website, or social media? What tools do we have to protect people who may not have taken a class on recognizing scams, let alone taught it?
Dealing with Social Engineering
The challenge with some of these phishing email scams is that they rely heavily on social engineering, which is a problem that doesn’t offer obvious technological solutions. The email I received above was generic enough that the spam filters identified it for what it was. But what if the scam artist had been more sophisticated and done their homework? They probably wouldn’t try and target someone who teaches defense against financial fraud, or maybe they would. This was a scammer after all. But doing their homework could have gotten them past conventional email filters.
Once they have their target on the hook, they can proceed to whatever their end game is. In this case, it was a classic Gift Card scam. But it could just as easily have been one aiming to gather credentials or direct me to a compromised web site where they could attack my browser. What all of these attacks have in common is that there are some recognizable behaviors, and those behaviors can be flagged.
Break Out of The Silos
| They probably wouldn’t try and target someone who teaches defense against financial fraud, or maybe they would. |
The major challenge to recognizing these phishing email attacks is that the systems that could otherwise identify them are in silos, which means there is no correlation between seemingly disparate events. A dodgy email by itself my not indicate a compromise, but when you combine that dodgy email, which itself has characteristics that show its true intent, with a recipient’s requests to questionable websites, or unusual remote access, or even odd expense reports, a pattern will emerge.
What makes identification possible is consolidating all of the previously siloed data into a single data lake, where an AI-based security analytics engine can parse through it all and draw the conclusions a human analyst might miss.
It’s not perfect. No security system is. But by using machine learning on the broadest possible dataset, you gain the best chance to identify malicious behavior before it can escalate from an attempted phishing email scam to a multi-million-dollar loss.
That’s what Gurucul does with our Unified Security and Risk Analytics platform. It brings all the data together and analyzes it in context.
While my personal example here was “only” for a couple thousand dollars in gift cards, phishing email scams like it have resulted in the loss of tens of thousands to millions of dollars. If the attacker uses the right hook on the right victim, the result can be painful.
Game Over
As for how my example ended. Well:
Combat Phishing Attacks Using Modern Machine Learning Algorithms
Want to know more about how Machine Learning can help mitigate the threat of phishing email attacks – even sophisticated, targeted, ones? Watch our on demand webinar and see how Gurucul’s Unified Security and Risk Analytics can help!