Webinar: The next generation of fraud is here: Are you ready?

October 2024

- Hello everyone. Thank you for joining us today. We're really excited to have you here for a timely discussion on the growing sophistication of cyber and financial fraud. The threats we face are evolving faster than ever with fraudsters, leveraging advanced technologies like ai, DeepFakes, and mobile device hacking. But alongside these challenges, there are also incredible innovations in the way we defend against these threats. Today we're going to dig deep into some of the most pressing concerns facing organizations like yours and explore how we can better stay ahead of cyber criminals. We're going to cover a lot today from AI driven attacks and DeepFakes to advanced defense strategies like multifactor authentication and identity centric fraud models. I'm confident you'll walk away with actionable that can help safeguard your organization. Before we dive in, I'd like to introduce our panelists who bring a wealth of knowledge and experience from their respective fields. First, we have Jillian Burner, cybersecurity Advisor at the Cybersecurity and Infrastructure Security Agency or CISA. Jillian brings a unique perspective from her work on the front lines of national security, focusing on protecting critical infrastructure and helping organizations navigate the complex world of cyber threats. Next we have Michael Gerfin, supervisory special agent with the FBI. Michael has extensive experience tracking and combating cybercriminals. He'll share invaluable insights on how fraudsters are operating today and the challenges law enforcement faces in staying one step ahead of them. And finally, I'm Miguel Navarro, head of client identity verification and authentication at KeyBank, I'll be discussing how financial institutions like KeyBank are adapting to these new threats and evolving our fraud prevention strategies to better protect our clients. We'll start by diving into the evolving cyber and fraud landscape. We'll explore how cyber criminals are leveraging advanced techniques, collaborating in organized groups, and continuously adapting to new technologies to exploit vulnerabilities. From there, we'll move into next gen fraud tactics. These threats are rapidly growing and we'll break down real world examples of how they're being used to target individuals and organizations. After that, we'll focus on defensive strategies. This is where we'll highlight the technology training and other approaches organizations are using to better stay ahead of fraud. I'll also share key bank's commitment to fraud protection, or I'll talk about how we are evolving our identity verification and authentication processes to help protect our clients. Finally, we'll wrap with a q and a session. This will be your chance to ask our panelists any questions you may have and get expert advice on the challenges your organization might be facing. Now, let's talk about increasing sophistication. We're seeing in cyber and fraud tactics. Cyber criminals are using advanced techniques like AI driven attacks and DeepFakes to bypass traditional security measures that used to be effective. They're also working together in coordinated groups, which allows them to exploit system vulnerabilities more efficiently than ever before. What's even more concerning is their ability to continuously adapt as new technologies and countermeasures emerge. They're quick to adjust, making it harder for static defenses to keep up. This is why it's critical that our defense strategies evolve. Just as quickly, Jillian, from a national security perspective, how is CISA helping organizations stay ahead of these more sophisticated cyber tactics?

 

- Yeah, that's a great question. So cis a, a mission and and vision is really to collaborate with the public-private sector and provide guidance and best practices to understand and best mitigate the risks.

 

- So switching over to Michael, how is the FBI adopting its approach to track and combat these organized, coordinated groups of cyber criminals that are constantly evolving their strategies?

 

- Yeah, so part of the problem with these groups is that there is inherent anonymity with the internet, right? So we have people operating from half a world away able to victimize folks here in the United States. So we have that challenge of attribution and the, the difficulty on our side is we don't have complete visibility. So we need to have partnerships with both foreign law enforcement entities and our private sector partners. So we have institutions like the National C Cyber Forensic and Training Alliance that we work with, with financial sector, manufacturing, healthcare, and those partnerships kind of extend our visibility to enable investigations.

 

- As far as anonymity that you mentioned earlier, and regular folks typically associate this with VPNs. What are the other tools fraudsters are using?

 

- Yeah, so it, it used to be more challenging. So threat actors used to have to earn their ability to get at US infrastructure, right? So most people will block any communications coming from countries where you don't trust them, whether it's China, North Korea, whatever. Now with cloud infrastructure being so pervasive, they can stand up infrastructure in Azure or AWS and come at organizations through those portals. So you don't necessarily need the VPN aspect, but it's just so much easier for them to get resources that are directly accessing potential victims.

 

- Let's take a look at some recent data from an alloy report that highlights the evolving landscape of cyber and fraud threats. 20% of respondents from banks, fintechs, and credit unions identified sophisticated fraud like identity theft as the leading cause of attempted fraud. 75% of these organizations plan to invest in identity risk solutions in the next year to address these growing threats. And what's particularly alarming is that 62% of fraud is most commonly occurring on mobile and online digital services areas where many businesses are still working to strengthen their defenses. Michael, given that so much fraud is happening through mobile and digital services, how is the FBI adapting its investigative approaches to track fraud in these channels? And what should organizations be doing to better protect themselves?

 

- Yeah, so again, outreach is a big thing here, right? We need to be proactive in engaging with potential victims. So making sure that people are aware of the types of incidents that should be reported, providing the information that allows us to actually do an investigation. And then since the FBI doesn't defend networks for a living, that's not what we do, but we wanna make sure that we're working with the telecom companies, the financial industries, everyone that has visibility on the threat so that we can enhance the information that we get from victims to better track the adversary.

 

- So, Jillian, how is CISA working to help organizations secure these channels and what steps are being taken to address the increasing sophistication of fraudsters?

 

- So really partnering with businesses and leveraging our partnerships and relationships that we built, and making sure that they understand some of the, the basic controls to put in place, such as multifactor authentication and even biometrics. Building out risk profiles and understanding behavioral analytics to securing the identities that they work with and and help reduce the, the risk of fraud.

 

- Yeah, and, and you know, a question for both of you. How many do you feel, or at least like, I'm not saying an official number here or anything, but do you feel that there are organizations that when attacked, they don't report just out of embarrassment?

 

- Yeah, and it, it definitely depends on the, the type of incident, right? So we'll see a pretty high level of reporting with business email compromise, for instance. Whereas ransomware tends to not be reported as much. So it definitely differs depending on the type of threat.

 

- As we look ahead into 2025, it's clear that cyber criminals are using increasingly sophisticated tactics to exploit organizations and individuals. Today we're going to focus on three of the most emerging threats we're seeing in the cybersecurity landscape. Artificial intelligence or ai, AI is enabling cyber criminals to launch more targeted automated attacks at a scale and speed we've never seen before. Deep fakes. These AI generated videos and audio are becoming powerful tools for fraudsters, enabling them to impersonate individuals in highly convincing ways, whether it's through financial fraud or social engineering attacks, mobile device hacking. With the rise of mobile banking and mobile first business strategies, mobile devices have become prime targets for cybercriminals looking to steal sensitive data or commit fraud. Now, how relevant and pervasive are these threats, and how are you seeing these impact businesses and organizations?

 

- So I think AI and, and DeepFakes allow cyber criminals to enhance their tactics. We're seeing a rise in phishing. Those phishing tactics are a lot more successful. They look more real. They use the proper nomenclature to target the individuals as well as DeepFakes to influence and persuade. So I think it's really taken the, the threat landscape to another level in terms of, of the, and the scale, in terms of the way the threat actors are able to, to conduct their attacks.

 

- Yeah, especially so even now with generative ai, the ability for adversaries to lower the bar on the number of resources that they need to execute these threats. So you have a threat actor in another country that needs to send a convincing fraud email. You no longer need an English linguist to make that for you. You can just pump it into a gen AI model, have it, spit it out, and then do that. And now you're also able to do it at scale because it's much easier to get access to,

 

- You know, and for AI and DeepFakes specifically, I know that the traditional means are no longer enough, right? So a lot of these things are five census can't even capture because it's that sophisticated. Would there be any advice that you'd like to give organizations or individuals to kind of create preventative measures, either in their lives or organizations that could be solved? Not necessarily only through tools, and if we're looking at process tools and people as the solution ingredients to an organization, is there anything that you'd like to add as to how we can combat these threats using maybe people and process and maybe just a little bit of education?

 

- Yeah, I mean, awareness is the first thing. Knowing that it's actually used and it's implemented. It's not something out of a science fiction novel. People are really using these technologies to attack people. So that piece is important. And that goes along with training and having conversations with employees and ma family members. And then after instituting that, having some mechanisms in place to do kind of that out of band verification. 'cause a lot of times people get engaged with something that is fraudulent and do not take the steps necessary to actually verify it in another way.

 

- Yeah, whether that's a code word or understanding, I think the awareness piece and understanding that validation piece on the backend a code word is something that we recommend a lot. So kind of taking it back to a simple step to combat some of these sophisticated threats.

 

- That's awesome. And one of the things I typically tell folks is, look for something dumb like DUM destination urgency or monetization. And yeah, the tactics you guys shared are, are truly helpful. Now let's dive deeper into the first of our three emerging threats. Artificial intelligence AI is being used in several ways to enhance cyber attacks, making them more sophisticated and difficult to stop. Here's a quick look at the major risks. Automated attacks AI can automate and scale attacks, allowing cyber criminals to launch more efficient attacks that are harder to detect Advanced social engineering. AI helps create highly personalized phishing attacks by analyzing massive data sets on potential targets. Vulnerability discovery AI can rapidly identify weaknesses in software, making it easier for attackers to exploit vulnerabilities. And lastly, evasion of security systems. AI helps malware evolve and avoid detection by traditional security systems. A question for you both. How is AI changing the nature of cyber attacks in 2024, and what are some of the most significant challenges organizations face in defending against AI powered threats?

 

- So I think some of the, the, the most challenging things that organizations are facing are understanding the threats and, and how AI is able to do the recon, understand the organization, understand the organizational structure, and really conduct those spear phishing attacks on key personnel within organizations to be very believable and with great success. Right? And that's, that's why they continue to do it. And so education and awareness, again, I think is, is step one organizations need to be aware of what's the threats that they're facing and then get that into the employee's hands and then go through some of those processes that Michael had referenced earlier in terms of the validation processes to understand how to combat the threats.

 

- Yeah, the mechanism of these breaches really hasn't changed so much in that they're still targeting the human element. So the human is gonna be the weakest link in any security piece of infrastructure, and they're leveraging AI to make those attacks more efficient.

 

- Yeah, and humans, let's call it humans being the weakest link. And you know, in larger organizations, let's look at, let's say training or human element as far as engagement goes. I feel that training the human element, you know, cannot just be a check the box mechanism that goes on into an organization. Are there any tactics that other organizations have done? You don't necessarily have to mention which organization, but tactics that other organizations have done that you've thought in your head, oh man, if only about five more organizations did this, it would actually create a difference.

 

- Yeah, for sure. So better identity management is a, is a huge one. So making sure that people are who they say they are. And then the, the phishing training needs to happen because legitimate credentials are the number one way that adversaries are getting into networks. So people are freely giving up their credentials because they're being fooled to log into something. And, you know, having, having robust authentication mechanisms is very important.

 

- And I'll just add role-based training to that. So I think it's really important that training is geared towards the role that the individual has and they understand the threats they may face. So in many organizations, executive assistants are, are large targets when it comes to spearfishing 'cause they folks understand that they have access to calendars and systems that leadership has may have access to as well. So doing some, not just from an IT perspective, but role-based training to understand what they may be targeted for and, and what the, the bad guys may be after and on what they do and the information that they do with every single day is really critical. That's awesome.

 

- Next, let's explore another emerging threat. DeepFakes and especially their role in social engineering. DeepFakes are highly realistic digital manipulations of audio, video, or images created using ai. And they're becoming increasingly powerful tools for fraudsters. They can be used for impersonation, making it seem like a trusted figure, skipping orders or sharing sensitive information. Deep fakes can also enhance phishing attacks, tricking people into believing they're hearing or seeing legitimate requests. Lastly, in the financial space, DeepFakes can be used for fraud, disinformation, and even blackmail as Candace Gerstner from the National Security Agency said, the tools and techniques for manipulating multimedia are not new, but the ease and scale with which cyber actors are using these techniques are organizations and their employees need to learn to recognize deepfake trade craft and techniques and have a plan in place to respond and minimize impact if they come under attack. Michael and Jillian, how are DeepFakes impacting organizations in 2024, and what are some of the best strategies for detecting and mitigating these types of social engineering attacks?

 

- Yeah, so the text-based attacks have definitely gotten more sophisticated and we've kind of always had this comfort with hearing someone's voice and saying, okay, that's legitimate, right? But now we are seeing attacks where individuals are either being impersonated or a fictitious entity is just being created and prerecorded messages are sent to, for instance, elder victims where there's a sense of urgency, they're being threatened with either maybe tax levies or some criminal conduct, and they feel that they have to respond immediately. Again, financial, financial theft is the goal here. So again, being aware of that threat that that's actually being done is the first step in kind of understanding how to combat it. And then going back to those kind of less technical solutions where you're doing out ofAnd verification code words is a fantastic example, especially thwarting a threat like the kidnappings that we see where people call up a little snippet of a voice will run, sounds like my kid sounds like my family member. And then the adversary comes on and starts demanding money. At that point, you would want to say, okay, well, is it really them? Try to maybe reach out to, to them on a separate communication channel to verify it. Those low tech mechanisms can be huge in trying to combat the high tech crime we're seeing.

 

- Yeah, I don't have too much more to add to that other than awareness again, what, what Michael had mentioned and the, the verification piece going to the source and verifying what I just learned or what I just heard, is this true and really trying to, to validate the information before making any steps or communicating any further with the individual.

 

- And Jillian, real quick, as far as disinformation, how is AI contributing to dis disinformation campaigns?

 

- So AI is being used to create deep fakes to create potential videos or recordings that appear to look like maybe prominent figures to, to create disinformation campaigns to persuade people and or influence individuals when one way or another. So they're becoming harder and harder to identify as being artificial intelligence or DeepFakes. So again, it's just awareness and understanding the platforms in which people are receiving information, and again, trying to validate the information that they see or hear through the authenticated source. So

 

- Our final deep dive today is into mobile device hacking, an area that has become a prime target for cyber criminals. Mobile devices are highly personal, but they're also vulnerable to a variety of attacks. Hackers use malware, phishing and man in the middle attacks to steal data. They exploit vulnerabilities in mobile operating systems and use social engineering to trick users into revealing sensitive information. A growing concern is sim swapping where hackers hijack phone numbers to intercept messages and access accounts. According to zimperium, 80% of phishing sites now target mobile devices end users are six to 10 times more likely to fall for SMS phishing attacks add to that 67% of remote workers, admittedly to not fully following corporate cybersecurity policies on their devices. And it's clear that mobile security is an urgent issue for organizations. So Jillian and Michael, how do you see this threat evolving?

 

- Mobile devices aren't going away, right? So they're very prevalent, prevalently used in both professional and personal life and a lot of crossover in between the two. The, the bad guys know that, so they are a prime target and hackers are exploiting the vulnerabilities that alarming rates. CSO really understands that and, and works with organizations to help build out mobile device device management solutions or encourage organizations to protect the mobile devices through MDM policies and solutions. And with that expanding attack surface, a lot of BYOD has has come into play and helping organizations understand how to protect that infrastructure is really important.

 

- Yeah, mobile devices are a great attack vector. Part of it is that we have a close attachment with them. They're so intimate, they're always with us. We kind of almost feel like they're more secure because they never leave our side, right? We're very open to just scanning things with it. So we're at a restaurant and there's a QR code on the table. Yeah. Do we know that the restaurant put that QR code there? Well, it's probably the menu, but maybe it's not. So the mobile device is a great ingress piece for the threat actor. We see phishing schemes going across them, and the attack of the SMS multifactor piece has been huge. So these sim swapping attacks are also phone porting attacks where someone will port your phone to another provider, are everywhere. We're seeing it all the time. So the, the threat actors will use data that's stolen in data breaches and basically create your personality on another provider. So I have maybe your social security number, I have your date of birth, I have all the personal identifiable information that I need in order to open a communication account and I port your number over. And if I have your credentials from a phishing attempt, now I have everything I need to actually authenticate into your account. And if I get into a sensitive account where I can get to finances, then I have everything that I'm looking for,

 

- Right? And part of the client experience. So if we kind of step foot out of security and look at the client experience, there's always this mission, right, that we want our clients to be able to get to what they need in three taps or less. And there's this push on being able to access what you need immediately, which I do believe it causes some of organizations to then trip on certain things, which then allow for, for vulnerabilities like QR code scanning, et cetera. So are there advice, right, that you would give organizations in being able to balance client experience, allowing your clients to get to where they need yet doing it safely?

 

- I think that's always a challenge for organizations. I would just encourage security to be at the forefront of some of those discussions. A lot of times security is an afterthought and then perceived as a, a barrier or a a, a road bump to, to innovation and, and getting solutions into consumer's hands. So the sooner you bring in security, the better to work through some of those processes to to, to create those seamless experiences for the user.

 

- Yeah, users need to understand too that, that security is a trade off. So I'm gonna have, I need functionality, I need to be able to get my job done, but I also have to have some understanding that there are going to be layers of security that are necessary for me to do what I'm doing and do it safely. So every time an individual operates with a piece of IT infrastructure as part of their job, there's a risk there and we can't eliminate it. We've gotta try to mitigate it as much as we can.

 

- Yeah, and I know Jill and Michael, we were talking behind the scenes about security being a team sport. And I do believe that at least not for all organizations because not or all organizations would be able to, but I believe some should where they make security part of their squad, right? Or part of their development plan versus a check the box item at the beginning and at the end of software development. Yeah. Anyway, as we've explored the growing sophistication of cyber threats, it's clear that organizations need to stay ahead with effective defensive strategies. Our next focus is on how new technology and training are critical in fighting cyber threats and fraud. AI and machine learning are essential for real time threat detection, capable of analyzing vast amounts of data to identify risks faster than ever. Blockchain technology is becoming a key tool for secure transaction records, adding transparency and reducing fraud risks. And of course, advanced encryption protects data both at rest and in transit, ensuring that even intercepted data remains unreadable. But technology alone isn't enough. Continuous employee education and training is vital to maintaining a strong defense. Organizations need to conduct regular training programs on the latest fraud tactics such as phishing, social engineering, and deepfake scams, simulated attacks help employees practice real world scenarios, testing their readiness and response. And finally, security awareness campaigns are essential for keeping cybersecurity top of mind across the organization. Michael and Jillian, how are organizations leveraging new technology and training to defend against these increasingly sophisticated cyber threats? And what are some of the most effective practices you're seeing?

 

- Yeah, so as we've talked about before, data is one of the things that the threat actors are after and it helps facilitate other crime. So making sure that entities are employing some type of encryption on that data. And that goes across to all types of enclaves. So not just the data that's sitting your corporate database, but your mobile devices, your laptops, your tablets, phones, all of those need to have some type of security on them so that the data isn't being leaked out wherever. And doing the simulation attacks where, you know, we've discussed this before, but making sure that kind of real world attacks are being embodied in these simulations because you want people to, as you said, it shouldn't be the check the box thing, right? It should be challenging and difficult and every now and then they should fail. But I also think it's on organizations to make sure that folks are encouraged and not discouraged with that training. So if there's too much punishment or something associated with fouling those tests that can have an adverse effect on the employees, right? So we want them engaged in that type of training, being in those simulated environments, but also have an understanding and kind of a feedback mechanism so that they get better next time.

 

- Yeah, definitely. And I, I would add making it fun. So training and awareness, especially cybersecurity training. I think it, it very much could be a check the box. Yep. We do annual training. I mentioned role-based training is really important. Again, I think that keeps it interesting. Depending on the type of data and the job role you have within the organization, the training could be more relevant to to, to your job, which would hopefully garner more interest. And then I, when working with organizations, I always encourage them to be transparent about the results, whether it be phishing, post the results, post the stats, and, and have it be a normal part of a conversation that makes employees under, like they understand that you're paying attention to those numbers and it also gives them some skin in the game to, to, you know, if the goal is to increase the numbers, they know where you're at today, they know where the organization's at today and then they have a goal to get to as well.

 

- It's really interesting that you said make it fun too, because I think part of education, right, is retention.

 

- Sure. - I think a lot of folks do this whole, okay, we're gonna create this elaborate module or syllabus for you to do. And yes, it contains a lot of data, but it's so boring that you can't retain the information because it's really not just not that interesting until something bad happens and then everyone remembers to do it. And I do think that you definitely need to, as an organization really build up on what it is that you're trying to say, right? Or trying to teach and make sure that number one, it's in, I I call it like fun size bites that people can chew and noodle on and make sure that it's in a high retention material that, or at least the method of delivery of how you're teaching folks that the method of delivery has high retention. So they remember it a hundred percent. Yeah. Next we're going to dive into one of the most effective security measures available today. Multi-factor authentication or M-F-A-M-F-A is a crucial layer of defense that requires more than just a password to gain access. It provides enhanced security by drastically reducing the risk of unauthorized access. Even if one credential is compromised, MFA adds another layer that can stop an attacker increased user confidence because people know their accounts are protected by multiple verification steps, which helps build trust in the organization. And importantly, MFA has been shown to reduce fraud by helping prevent account takeovers, especially when combined with advanced authentication methods like biometrics. One of the ways KeyBank helps to protect client accounts is by implementing an MFA program for our business online banking population, we had 90% participation by clients who elected to have all users at their company utilize MFA on their mobile device, tablet and or laptop. As a result, we saw an immediate decline in corporate account takeover cases with this population. This helped drive home that implementing this was the right choice for our clients. Jillian and Michael, for an outside perspective, how are organizations effectively using multifactor authentication to protect against fraud? And what are some of the challenges or best practices you're seeing?

 

- So we very much consider multifactor authentication to be a basic security control and encourage everyone we work with to get that implemented. And we talk through the different types of multifactor authentication and what may work better with the organization depending on the level of access and the data that they work with. But it is very frequently a standard recommendation that we make when engaging and, and working with individuals. And I think to Michael's point earlier, from a user perspective, it's becoming more expected to use multifactor authentication from a consumer perspective when they are accessing any type of financial account or anything that has sensitive information behind it. And we highly encourage folks to use it on personal accounts as well when we do engagements with the public. So multifactor is, it gets you very far, it's not bulletproof, but it, it, it it is a huge step in the right direction in terms of adding security around accounts and, and reduces account compromise.

 

- Yeah, even just anecdotally, we've had recent incidents where accounts were compromised and there was zero MFA. So even a basic level of using MSMS second factor would have mitigated those attacks. Obviously we've talked about how SMS is not great because of the sim swapping threat and folks moving toward a more phish resistant as well. So people have token based ones where they're entering a code, you know, looking at getting a more sophisticated multifactor is the end goal. But I think understanding that any type of multifactor is really where you need to be and it should be expected right at this point as, as Jillian said.

 

- Yeah. And one of the things I've seen in different organizations is, especially within the silo rich organization, is that you have these pillars where they have data that's read only, there's no money in money out transactions. So they believe, hey, username, password is enough. I do believe that MFA should just be part of the standard now, right? I mean I think, you know, especially maybe things that you've seen across the different industries or things that you know about for those silo rich organizations that have fraudsters even though they believe, hey, this is read only data, there's no money in our money out transactions. But then they use that information to then interoperate across, you know, another silo that does have money in our money out. So yeah, like have you seen any tactics other organizations do to kind of combat this within their organization?

 

- Well, I would agree with, with your statement, multifactor should be used on any account regardless because the human element and the prevalent reuse of passwords,

 

- Right?

 

- So even though one account may not have sensitive information behind it, the user more than likely statistically speaking is gonna reuse that password somewhere else that does. So a multifactor should be a standard across the board, but yeah.

 

- Yeah, and you bring up a huge pet peeve of mine password reuse, which is a giant no-no, you should not be reusing passwords, especially across various sensitive accounts. They should be unique if you can't remember them, password manager is fine. You can do, you know, a double blind mechanism so that the password isn't necessarily stored in that password manager if you're using it. But then incorporating the second factor two, because like you said, while they might be using two factor on a part of the account, if you're not using it everywhere where data could be accessed in order to get access to that account, you're only as secure as the least secure entity, right? So it needs to be everywhere,

 

- Right? I do think that that also contributes to the ecosystem of, you know, folks essentially selling usernames and password by the bulk in the deep web and dark web ecosystem. And yeah, I do think that folks should be, again, the reuse of password just makes you kind of like cringe a little bit. Now let's talk about different defense models used in fraud prevention, identity centric versus transaction centric. First, let's define these approaches. Transaction centric models focus on monitoring and analyzing individual transactions to detect anomalies or prevent fraudulent activities. This method is effective in catching irregularities in specific transactions, but can miss broader patterns of fraud. On the other hand, identity centric models prioritize verifying the identity of users at every interaction point, ensuring that the person behind every transaction is legitimate. This approach provides a more comprehensive view of the user's behavior, making it harder for fraudsters to infiltrate systems undetected. The benefits of identity centric models are significant enhanced fraud detection by continuously verifying identities. These models are more effective at catching sophisticated fraud attempts that might bypass transaction level monitoring improved user experience. Since identity centric models focus on seamless authentication, legitimate users experience less friction while interacting with the system. Lastly, scalability, these models are more easily scalable as organizations grow handling larger user bases without compromising security. I'll ask the experts, how are organizations transitioning from transaction centric to identity centric fraud models? And what are some of the key benefits or challenges you've observed?

 

- Yeah, so definitely moving to identity centric is very beneficial because a lot of the fraud detection that we've been seeing is if you're going transaction based, if the adversary is knowledgeable of the behavior of the entity. So we'll see someone maybe compromise an email account, they'll understand how transactions are done within an organization or by that specific individual and they can kind of just insert something that makes sense from a transactional based standpoint. Whereas if I am focusing on the actual identity of the individual, and we've kind of talked about that throughout this entire conversation of how important it is to verify that someone is who they say they are. So organizations moving towards that would be hugely beneficial because we're focusing on validating the identity of the person that's doing the sensitive operation.

 

- CISA emphasizes the need for identity verification at every interaction, especially as attacks become more sophisticated and the fraudsters they attempt to bypass transactions, monitoring or mimicking legitimate users. We often hear the challenges of shifting to a identity centric model, which is, is understandable in the collaboration and coordination it requires through implementation of the various systems across the organ that the organization may have. But once in place it really does increase the security and reduce the friction of, of the end user as well.

 

- Right. And I do believe that, especially when it comes to the identity centric fraud models, it almost really reestablishes number one, the non gated process, right? Of authentication or identity verification. I feel like today a lot of organizations focus on what the status of trust or like what level of trust do I have with this client or customer coming in through the door and then never check it again later. Yeah. You know, and I do think that, you know, this needs to be a little bit more regular as to like how we look at identities that's going inside and outside our organizations. I do believe that when it comes to, and you know a quick analogy here, right? Like when a employee joins your organization, you don't just let them run to like the races and never check up on them again, right? Like, I mean, if we do this in our organizations where when someone comes in there's a monthly cadence or a weekly cadence or a quarterly cadence of something, you know, we should be doing that to our clients as well.

 

- Makes sense? Yeah.

 

- At KeyBank we're committed to helping our clients stay ahead of the curve when it comes to cybersecurity and fraud threats. Each quarter we publish our payments perspective newsletter, which provides the latest information, best practices, tools and expert insights on managing cyber risks and building cyber resilience. We also offer events like this webinar and regularly update our website with content to educate our clients on emerging scams that could impact their businesses to ensure we're always ready to assist with fraud prevention and detection. We continually upscale our team through annual compliance assessments and dedicated training sessions focused on fraud from a product standpoint. We offer a comprehensive suite of fraud protection services designed to fight both check and electronic payment fraud, giving you the tools to bank safely and confidently. I encourage everyone here today to connect with your key bank payments advisor or relationship manager to learn more about how we can help you protect your data and financial operations. This conversation has been incredible. I'd like to shift to q and a. We have time to answer a few questions submitted by registrants of this webinar. This first one is for Michael. What role does the FBI play in helping businesses recover from cyber attacks? What steps should companies take immediately after discovering they've been breached?

 

- Yeah, so I actually think the first step you should take is before you're breached and have a communication with law enforcement beforehand. If you have the resources to reach out and make that relationship, knowing who to call is important, and also establishing that relationship will allow law enforcement to get in touch with someone should they observe any activity that your organization needs to know about. So having being a little proactive there. But then we also have the internet crime complaint center@icthree.gov where individuals or organizations can go to submit a report on any type of online crime, and you can call the National Threat Operations Center of the FBI and you can call your local FBI field office. So those are mechanisms that you can use to get in touch with law enforcement and have a conversation about what happened and submit the report so that we can conduct an investigation.

 

- Jillian, this one is for you. CISA has been advocating for continuous education and cybersecurity. What specific training programs or simulated attack exercises would you recommend for companies looking to strengthen their defenses?

 

- Yeah, so we love to partner with organizations and offer any services that we can either from assessments and or tabletop exercises. So depending on the maturity of an organization and where they're at and the education resources they may have today, we, we do encourage leadership to, to create the time and resources available to their, not only their IT staff, but other staff as well in the organization to make training a priority. I think you hear a lot that, yeah, we'd love to do training, but we just don't have the resources, we don't have the time, so that starts at the top. So encouraging leadership to, to make that a priority is really important. Purple teaming is a great exercise if the resources are available to you, there's so much benefit from that from the, the red and blue teams getting together and, and finding things before the bad guys find 'em. That's, that's the ideal, right? But tabletop exercises are a really good start and we facilitate those at all different levels. It can help facilitate, we have some canned tabletop in a box scenarios that organizations can print out and take to get the conversation started, get the right people at the room to understand and just talk through what a really bad day might look like, and making sure incident response plans and, and are, are shored up and, and available.

 

- That makes a lot of sense. I figure, you know, before a boxer meets Mike Tyson, you'd hope that they've done their sparring sessions and trained for that fight.

 

- Yeah. - And I would imagine that organizations should be doing the same before they meet the Mike Tyson of fraud.

 

- Yeah, I think it's an eye-opening. I think a lot of people through tabletop exercises realize the role that they have. It's not an IT problem anymore, it's a business problem at that point. So those are very valuable conversations to have.

 

- Cool. Another one for Michael. As a business owner, I'm concerned about mobile device security. What are the best practices for securing mobile devices used by employees, especially in a hybrid or remote work environment?

 

- Yeah, so as a business owner, if you're providing a mobile device, it's probably best that that mobile device only be used for business purposes. So a lot of risk gets absorbed by the corporate entity if they're enabling individuals to do private things on a business device. So if you're looking at your social media or you're interacting with other entities via email, whatever, you increase the risk to that device and then also to the corporation. So I think, you know, locking down the apps that can be installed and users might not like it, but you know, the security of the organization needs to be taken into consideration. I think that's one of the, the things that you should be doing is locking down that device so they can't use it for personal use.

 

- Another one for Jillian. When transitioning to identity centric models or adding additional layers of authentication, what are the biggest challenges that organizations face and how can CISA assist in this shift?

 

- Yeah, so we do hear from organizations a lot that implementing MFA is a challenge for various reasons, depending on the sector that they're in, either education or even manufacturing. So we talk about mitigating controls quite a bit, but we also talk through implementing a multi-factor authentication in a way that works with the business. And it might be a physical aspect, so a PIV card, a Fido key, a dongle, which really is a really secure multifactor authentication that kind of gets you away from a little bit of the password space and more into maybe a passcode situation and can help increase the user experience and be somewhat of a compromise while still having really good security in terms of the implementation for the organization. So there's, just talking with IT leaders and having them understand some of their options is a lot of the guidance that we give.

 

- Another question I'm gonna toss in here. Do you folks have any favorite form of MFA?

 

- Go ahead.

 

- Yeah, I, I think any, any type of token based authentication where you're doing per session authentication, right? So any fish resistant MFA is, is gonna be good. There's a number of them, and as Jillian pointed out, some may or may not work for your organization. Finding one that works is great, but as long as you have something that's session based that can't be fished, I'm happy with it.

 

- I, I would say session based based is very important. Again, in conversations with the organizations, I hear, yes, we have multifactor authentication and they have, the users have to a multifactor in once a month and you know, so talking through the frequency in which the sessions should be short and the authentication should happen at every logon is really important. But I am a fan also of the physical tokens as well. So

 

- We have time for one more, which looks like one for me. How can we ensure that the identity centric fraud models being implemented will provide the right balance between security and user experience, particularly for high volume transactions? Interesting. Yeah, I'd, I'd say for this one, when it comes to building products services, I think you kind of need to look at it from soup to nuts. I think security needs to be part of every building block in your organization, in including delivery, you know, so I do think that when people are, you know, and again, they're like organizations that treat their security team almost like a plague and like kind of like stay away from them and only really deal with them when they have to. But I do believe that that mindset needs to shift. I believe that that mindset needs to go into teamwork, makes the dream work right, and that security is a team game and not, you know, a role that one person in your organization sees. So going down, you know, those are like the hats that they wear. I think everyone needs to wear that security hat, especially in today's emerging world of different threats. I think we need to start acting differently and I think that's step one. That's all the time we have for today's session. I want to thank Michael Gerfin and Jillian Burner for being here today, as well as their respective organizations, the FBI and CISA for their dedication to fighting cyber crime and fraud. For those in attendance, you will receive a recording of the session along with a copy of the presentation. If you have any questions about key bank's efforts and services to help you protect your business, please reach out to your payments advisor, relationship manager, or banker. With that, on behalf of KeyBank, thank you for joining us and have a great day.

Webinar Topics

Our expert speakers will share real case studies, effective defensive strategies, and practical tips to help stay ahead of cybercriminals.

  • How AI and deepfakes are used in cyberattacks.
  • New technologies and training methods for your company to help fight cybercrime.
  • Adopting identity-centric fraud prevention models your employees can use.

For more information visit key.com/cybersecurity.

Download presentation slides (PDF)

 

The information and recommendations contained here have been compiled from sources believed to be reliable and represent the best current opinion on the subject. No warranty, express or implied by KeyBank, is made as to the absolute correctness or sufficiency of the information contained. This is meant as general information only; particular situations may require additional actions. This document is designed to provide general information only and is not comprehensive, nor is it legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. KeyBank does not make any warranties regarding the results obtained from the use of this information.

Find an Expert

By Industry By Solution

Our Expertise

Business Expertise
Industry Expertise

Connect With Us

Find an Expert

By Industry By Solution

Our Expertise

Business Expertise
Industry Expertise