Evolving cybersecurity approaches for the title, escrow and real estate industry were shared by Bruce Phillips, MyHome chief information security officer, as part of the first annual Williston Financial Group (WFG) Executive Summit.
The overarching message encouraged companies not to make scammers’ jobs easier and explained how even the most advanced security measures in existence can fall victim to fraud.
“Criminals are really good at what they do, but they’re criminals for a reason,” Phillips said. “They don’t like hard work. Don’t make the job easy for them. The identity of your users and you are the number one threat vector we are seeing today. Identity was used in the last six successful attacks. How do they get it? We all hear about phishing. It happens all the time. There are multiple types of phishing.
“Phishing, at its generic terms, is like cast-net phishing. I just throw a big net out and I see what I get and I don’t care if I get nothing. I don’t care what I get. I’m not looking for a specific type of fish. I just want to gather all the information I can.”
Phillips cited the common trend of fraudsters harvesting individuals’ usernames and passwords, and encouraged professionals to use different credentials for each service rather than reusing them.
“Have you ever seen an email from a bank you don’t do business with that says your account has been shut down because we think it’s compromised?” he asked. “It says, ‘Click here,’ and we all go, ‘Yeah, no, I don’t even bank with that company.’ But somebody does, and if they get a 10 percent return on a 1 million user phish, they just got a whole lot of usernames and passwords that they can try everywhere, and they do try it everywhere. That’s the other trick. Don’t use the same password at more than one place because as soon as they get that password, they’re going to try it any place they can.”
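The pattern Phillips describes, a phished credential list being replayed “everywhere”, shows up on the defending side as credential stuffing: one source trying many different usernames against a login endpoint in a short span, with the occasional success marking an account whose reused password worked. The detector below is an added illustration, not code from the talk, WFG or MyHome; it runs over a few constructed authentication log lines in an assumed `key=value` format and flags any source that attempts at least five distinct usernames within a one-minute window, listing the accounts that succeeded inside that burst for follow-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not from any real system.
# 203.0.113.7 walks through six different accounts in six seconds (stuffing);
# 198.51.100.4 is one user mistyping a password once, then logging in.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=erin result=SUCCESS
2024-05-01T09:00:06Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:05:00Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:05:09Z src=198.51.100.4 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag sources that try >= min_distinct_users different usernames within any
    window_seconds span. Returns {src: {"users": [...], "compromised": [...]}},
    where "compromised" lists accounts that logged in successfully inside a
    flagged burst and should be treated as exposed until verified."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the source's events, ordered by time.
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            users = {e["user"] for e in burst}
            if len(users) >= min_distinct_users:
                f = findings.setdefault(src, {"users": set(), "compromised": set()})
                f["users"] |= users
                f["compromised"] |= {e["user"] for e in burst if e["result"] == "SUCCESS"}

    return {src: {k: sorted(v) for k, v in f.items()} for src, f in findings.items()}


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: tried {len(f['users'])} accounts; succeeded on {f['compromised']}")
```

The distinct-username count per source is what separates stuffing from an ordinary brute-force or a forgetful user: a legitimate client retries one account, while a replayed phish list touches many. In practice the thresholds are tuned to the login endpoint's normal traffic, and the flagged successes feed a forced password reset and a check for the same password on other services.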
Others on stage highlighted progress being made in adapting security measures to tactics used by bad faith actors but emphasized that getting or staying ahead of scammers will be a never-ending fight.
According to a survey sponsored by JP Morgan, more than 70 percent of organizations with over $1 billion in revenue were victims of payment fraud attacks, while two in three of those under $1 billion were also victims. Among all of those businesses, 71 percent of attacks fell under the label of business email compromise.
A recent report from Cleveland-based consulting firm Deloitte found that 91 percent of all cyberattacks begin with a phishing email.
Ransomware-as-a-Service (RaaS), a business model in which users pay to launch pre-developed ransomware attacks, was also touched on at the WFG Executive Summit.
RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are readily available on the dark web, where they are advertised in the same way that goods are advertised on legitimate outlets.
A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate software-as-a-service providers. The price of RaaS kits ranges from $40 per month to several thousand dollars.
According to the presentation, the hacker group Black Cat has the highest rate of return for initial access brokerage. They also pay out 80 to 90 percent of what they earn back to the individual who provided them initial access.
Phillips said in-house exercises at WFG businesses go a long way in keeping employees abreast of the latest tactics used by scammers.
“As a matter of fact, at WFG every month I try to crack every employee’s password,” he said. “We take one hour, that’s all, and we do it on a MacBook Pro, not even a special system to do it, and we crack passwords every time. Now why do I talk about this? The number one attack in the last year has been identity. Now, for years we’ve heard about identity theft, and identity theft meant I want to steal your information so I can open up a credit account in your name and I get the money or I want a credit card. That is still happening, right?
“You guys are the number one stop shop for identity theft of your consumers, and they still want that information. But the real thing they want is they want your username and password. We all know the last six companies (that have been attacked). Four of them were in this space. All six of them were breached by a stolen identity. Or they called up the help desk and said, ‘My password has expired, can you reset it for me?’”
Those sharing the stage with Phillips said downsizing of security engineering staff is leading more and more companies to expand their third- and fourth-party vendor footprint. They said that means security professionals, at third- and fourth-party providers as well as companies themselves, have to maintain a secure posture 100 percent of the time.
In conclusion, Phillips said it’s important to realize that the best cybersecurity measures imaginable are still trying to catch up to the criminals, but that technology coupled with human savvy can go a long way.
“Every one of these companies had really good information security programs,” he said while showing a list of companies that have experienced recent attacks. “They had really good privacy programs. They were all compliant with whatever regulations that they have to comply with. There are some names up here that we decided not to put on. You know all of them. You’ve known all of them. They all happened in the last six months. They all had really good security programs and massive security budgets. But it’s not when, it’s if it’s going to happen to you.”