© 2015 MarkMonitor Inc. All rights reserved.
Safeguarding Your Organization
from Social Engineering Attacks
Akino Chikada
Product Marketing, MarkMonitor
Agenda
• Online Banking Landscape
• Social Engineering Attacks
• Online Abuse Trends in the Banking Sector
• Best Practices
• Q&A
Online Banking Landscape
Banks are increasing their investment in online channels
• Mobile is getting most of the attention
More than 50% of adults bank online in the USA
According to a recent study*, very successful phishing campaigns will capture data from 45% of their visitors
• The least successful scams only scored information from 3% of their visitors, but that still adds up!
Security is more critical today than ever before
*Engadget: “Google says the best phishing scams have a 45-percent success rate”
“Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild”, Google
Social Engineering Attacks
What is Social Engineering?
• The psychological manipulation of people into divulging confidential information
• It’s one of the top 3 security concerns for 2015*
Fraudsters typically leverage a multi-pronged approach
They are always looking into new ways to monetize different types of credentials and data
*Source: 2015 Banking Priorities Study, CSI
Fraudsters are continuously evolving their strategies
Social Engineering Life Cycle and Challenges Targeting Banks & Credit Unions
Life cycle stages: Set Up Social Engineering Attack, Launch Social Engineering Attack, Collect Credential & Monetize
CHANNELS
• Domains
• Social Media
• Mobile Apps
• Websites
• Paid Search
TACTICS
• Phishing
• Malware
• False Association
• Impersonation
• Loan Lead Generators
MONETIZATION
• Reselling Resources & Credentials
• Deepening & Broadening Data for Other Attacks
• Hijacking Resources
Fraudulent Attacks at Domain Level
Problems:
Cybersquatting
Domain security
New gTLDs
Actively monitor and secure new gTLDs
Top 10 New gTLDs
Fraudulent Attacks via Websites
Problems:
Phishing / Malware sites
Loan Lead Generators
Impersonation
Bkbuster.com
Impersonating sites / loan lead generators can be fraudulent
Fraudulent Attacks via Paid Search
Problems:
Phishing Paid Search
Traffic Diversion
Loan Lead Generators
Links in paid search ads lead to phishing URLs:
hxxp://xxxxxgravamesonline.zip.net/
hxxp://xxxxxsistema.com.br/home/index.html
Paid search ads can direct people to malicious websites
Fraudulent Attacks via Social Media
Problems:
Loan Lead Generators
Impersonation
#phishing
Links to phishing sites
Proactively monitor social media sites to minimize risks
Fraudulent Attacks via Mobile Apps
Problems:
Phishing apps
Malware apps
Copycat apps
Secure mobile banking to protect your customers
Mobile Phishing by Industry (Source: Trend Micro)
Fraudulent Attacks Hurt Your Business
Impacts your top and bottom lines
Damages Online Channel
• Customer distrust
• Abandoned Internet channel
• Diminished revenues and higher costs
Increases Costs
• Incident fire-fighting
• Fraud remediation
• Customer service and support
Weakens Customer Relationships
• Poor customer experience
• Eroded brand loyalty
• Customer defection to competitors
Solution
Social engineering attacks can have a multi-pronged approach, so it’s critical that you have visibility across all digital channels
Consider a prevention, detection and mitigation strategy for each channel so that you are protecting your customers
Have an appropriate enforcement strategy in place
• Brand enforcements
• SOC shutdowns
• Fraudcasting
Best Practices
What NOT to Do
1 IGNORE THE ISSUE
Social engineering and fraudulent attacks will not go away on their own
Be proactive now rather than trying to fix the damage later
2 DO IT MANUALLY
There are too many channels and venues to monitor manually
A manual approach is usually more costly and less effective in the long run
3 TREAT ALL ABUSES EQUALLY
Not all fraudulent attacks have the same impact
Prioritize abuse based on its impact on your business
What You Should Do
1 BE PROACTIVE
Monitor and proactively protect your bank and your customers from fraudulent attacks
2 LEVERAGE TECHNOLOGIES
Ensure you have a purpose-built technology to help you prevent, detect, and mitigate fraudulent activities
3 DON’T JUST FOCUS ON THE EMAIL CHANNEL
Social engineering attacks are taking place across multiple digital channels in different forms
Channels: Social Media, Email, Websites, Paid Search, Mobile Apps
Educate Your Customers
Protect Your Customers from Online Scammers
Make your customers your allies in fighting fraudulent activities
Set up an inbox so that customers can easily forward any fraudulent scams
Provide best practices and proactively share the latest social engineering attacks so that your customers know what they should look out for
MARKMONITOR TRUSTED BRANDCASTING & FRAUDCASTING SYSTEM
Key Takeaways
Brand-fraud related abuses can potentially be part of a more elaborate social engineering attack
Fraudsters are continuously evolving their tactics, so have preventative measures in place to minimize risks
Be prepared for the worst so that at any stage of a fraud lifecycle, you have a strategy to mitigate and shut down a fraudster
Questions?
Thank You!
For information on MarkMonitor solutions, services and
complimentary educational events
• Contact us via email:
• Visit our website at:
www.markmonitor.com
• Contact us via phone:
US: 1 (800) 745 9229
Europe: +44 (0) 203 206 2220