Deception is a technique favoured by financial scammers and attackers in Australia and the broader Asia-Pacific region because it is a convincing and often effective way to fleece people – and banks – of cash. But in this day and age, deception is not just for attackers, and defenders can just as easily use cyber deception against them. As a result, banks are adding deceptive technologies to their defensive arsenal to confuse their adversaries and ultimately thwart such targeted attacks.
The trend hasn’t gone unnoticed.
“Deception has been used for a long time in all adversary or opponent-opponent scenarios, so why shouldn’t we use it ourselves as organisations to create an active cyber defence?” an Attivo Networks executive told a financial security forum recently.
As a defence mechanism, deception is particularly useful for identifying insiders who may be helping external attackers – a typical scenario, according to KPMG.
“Many external fraud incidents originate with experienced criminal operatives working with internal sources who have a detailed working knowledge of bank systems, processes, and controls (and any control gaps or weaknesses),” the consultancy says.
In other words, by detecting an insider threat, banks could be preventing a larger, external-based scam or attack. And given that half of banks “recover less than 25 percent of fraud losses,” says KPMG, new technologies that can aid prevention are always welcome.
What is it about deception that works?
Deception works because it is hard to separate real from fake, and often when one finds out, it is too late to do anything but deal with the consequences. Common examples of deception employed against Australian bank account holders include phishing emails and other social engineering techniques.
Institutions in the Asia-Pacific region say social engineering is the second-most significant challenge they face when it comes to fraud risk, according to KPMG. Through the use of social engineering techniques, attackers try to deceive customers into handing over account details or transferring large sums of money.
In one case, a scammer tricked a customer of a “big four” bank out of $30,000. The scammer impersonated a bank employee and convinced the victim he was investigating suspicious transactions. The ruse led to the scammer taking over and draining the victim’s account. “At all times, the scammer kept convincing me that he was helping stop the thief while he was the thief,” the victim recalled.
In another case, the scammers deceived a customer into thinking he was aiding an internal fraud investigation into an Australian credit union employee. Credit union staff were aware of the deception and prevented a $20,000 loss.
Deception is often difficult for banks to spot and then to stop.
“From a bank’s perspective, the difficulty with detecting scams is that the customer is accessing their account, so access controls will not detect scams. [In addition], where scams are detected by banks prior to payment processing, banks are finding customers are so convinced of a scam’s legitimacy, they can still be adamant they want the payment processed despite the bank informing them that a payee is fraudulent,” says KPMG.
Many banks now have dedicated teams that work alongside internal fraud teams to address deceptive techniques and scams that criminals employ against their customers. But they still rely mostly on customers recognising deception and reporting it.
Turning attackers’ tactics against them
So we know deception can be extremely effective at exploiting human nature. Attackers, even the ones using automated tools, are all ultimately human, and defenders can similarly trick and manipulate them into making mistakes that reveal their presence.
Banks know this and are augmenting their cyber security capabilities with automated systems that use deception technology to target insider threats.
Deception technology uses traps, lures, and misdirections to trick bad actors who are in the network into engaging. Even the lightest engagement with these decoys triggers an alert that enables security teams to begin monitoring and recording the attackers’ behaviour, safely within a deception sandbox. The gathering of company-centric threat intelligence provides financial organisations with the means to better understand their adversary and collect the forensic evidence required to fortify defences and take action against internal and external threat actors.
Organisations commonly use deception as a control for detecting insider threats because it produces a very high-fidelity alert backed with forensic evidence. When an employee touches something fake, security teams know that something is amiss, as no legitimate user should ever encounter traps and decoys in their day-to-day work.
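As an added illustration (not code from Attivo Networks or any deception product), the sketch below shows why a decoy touch needs no baseline or threshold: every event that references a decoy account, host, or file becomes an alert, grouped per user as an evidence timeline. The decoy names, addresses, and key=value log format are constructed assumptions.

```python
from collections import defaultdict

# Constructed decoy inventory: none of these assets serves a business purpose,
# so any event that references one is an alert by definition.
DECOYS = {
    "account": {"svc-payments-bkp", "adm-swift-test"},
    "host": {"core-ledger-02.bank.example"},
    "path": {r"\\fs01\treasury\wire_templates_2019.xlsx"},
}

# Constructed sample events in a simple "key=value" format (an assumption,
# not the log format of any particular product).
SAMPLE_LOG = r"""
2024-03-04T09:12:01Z user=jsmith src=10.1.4.22 action=logon account=jsmith host=ws-114.bank.example
2024-03-04T09:40:17Z user=mlee src=10.1.7.80 action=file_read path=\\fs01\treasury\wire_templates_2019.xlsx
2024-03-04T09:41:03Z user=mlee src=10.1.7.80 action=logon account=svc-payments-bkp host=core-ledger-02.bank.example
2024-03-04T10:02:45Z user=akhan src=10.1.9.13 action=file_read path=\\fs01\hr\leave_policy.pdf
"""

def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict; values contain no spaces."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["timestamp"] = timestamp
    return event

def decoy_alerts(log_text, decoys=DECOYS):
    """Return {user: [evidence records]} for every event touching a decoy."""
    alerts = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        touched = sorted(
            f"{kind}:{event[kind]}"
            for kind, names in decoys.items()
            if event.get(kind, "").lower() in names
        )
        if touched:  # no threshold or baseline: a single touch is enough
            alerts[event["user"]].append({
                "timestamp": event["timestamp"],
                "src": event["src"],
                "action": event["action"],
                "decoys": touched,
            })
    return dict(alerts)

if __name__ == "__main__":
    for user, evidence in decoy_alerts(SAMPLE_LOG).items():
        print(user, evidence)
```

On the sample data only one user is flagged, and the two records together show the sequence of decoy file read followed by decoy credential use from the same source address.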
Keeping internal bad actors busy investigating decoy traps and lures leaves them with less time and appetite to cause damage. Meanwhile, the organisation can safely observe their activities, gathering valuable intelligence on any loopholes that they need to close, and collecting enough evidence to take administrative actions to deter further malicious behaviour.
Jim Cook, ANZ regional director at Attivo Networks