Better data hygiene will help combat online fraud

Fraud specialists at London Tech Week discussing safe online engagement described a sobering environment. Currently hackers are using artificial intelligence (AI) to mine data to target organisations more effectively, while criminals can commit crimes in minutes. 

To combat fraud, the experts recommended behavioural change and the adoption of better data hygiene habits.

Speaking about the rise of sophisticated scams and fraud, Marc Carney, director, security business group at Microsoft UK, asked the audience if anyone still had a personal email account they made “when they were 15 years old”. As several people raised their hands, he revealed he changes his personal email “every year”.

As some attendees chuckled at what seemed like an overreaction to growing security concerns, Carney defended his position. While admitting it was “frustrating” to change his email every year, he said, it was more about “personal hygiene around your data”, such as not listing your actual birth date — or any other identifying information — in public online environments.

The panel, “The rise of sophisticated scams and fraud — Securing the future with emerging technology”, examined the evolving nature of cybercrime. This has been exacerbated by the speed and lower barrier to entry provided by artificial intelligence (AI) tools, such as deepfake impersonations, which have made scams more personalised and difficult to detect.

Moving faster

Jessica Higgs, a leader in product strategy at Moody’s Analytics, said while fraud and scams have existed for some time, it is the speed at which these crimes occur that is having an impact on how individuals and companies react.

According to Higgs, within “15 minutes” of a mobile phone being stolen, the password will have been changed and any banking apps on the phone hacked. In one example she gave, criminals took out a £20,000 bank loan, opened two separate bank accounts, purchased a luxury Swiss watch, and finally transferred all of these funds into a cryptocurrency exchange before anyone could “file a police report”. Once stolen funds are transferred to cryptocurrency “the money is gone”.

The end goal of most fraudsters is to convert whatever is stolen into money, said Higgs, which makes the financial services industry vulnerable because the product itself is the ultimate objective. However, the bar for criminals to clear is “much higher” than in other industries, since people monitor their accounts much more closely and frequently.

“Let’s put this into context,” Higgs said. “If you had your money stolen directly from your bank account because your bank account was hacked, what are the chances that you’d close that bank account very fast — as opposed to if your data were stolen from a company where you buy jeans, you might not even notice right away, you might even still buy a pair of jeans from them in six months. 

“I’m not making light of [the latter] hacks, but in terms of how we feel about where we safeguard our money, that bar is much higher.”

Scamming tools

In addition to speed, AI tools are making scams increasingly difficult to detect and protect against. Many organisations train their staff to look out for emails — and ‘outreach’ or personalised emails — that contain grammatical errors, spelling mistakes or dubious-looking embedded links, said Bella Thornely, lead at Accenture’s UKI Centre of Advanced AI.

“We’re starting to see AI, even Chat GPT, that is accessible to all consumers, being able to create phishing emails and scams that are very hard to decipher,” said Thornely, as well as “things like voice cloning”.

This increase in sophisticated scams is not targeted solely at the consumer market. Cyber attacks on organisations are also using more advanced technology to extract information and hold companies to ransom.

For example, in April, major UK retailer Marks & Spencer (M&S) became the victim of a cyber attack. Initially affecting its ‘click-and-collect’ and contactless payments, as well as its supply chain, the incident is continuing to disrupt M&S services into the summer. A social engineering attack at one of its external tech providers may be behind the attack, the UK’s Guardian reported.

Data mining

According to Carney at Microsoft UK, the increased speed and sophistication of these scams are aided by better access to data and the tools to mine that data driving better insights.

“We saw recently with the M&S hack, that was an aggregation of huge amounts of data, very targeted towards the CEO,” said Carney. “They knew huge amounts of information on the CEO, and they used it to execute at probably the worst time for the company, which was a bank holiday weekend.”

While scams aimed at consumers lean toward “making quick decisions, giving over data, giving over bank account details, and transferring money”, attacks aimed at companies employ a slightly different strategy, he added.

“The M&S hack used persistence and quietness to exploit aggregate data to give themselves elevated privileges. In the corporate world, [scams are] about reconnaissance; it’s about knowing your target very, very well and being able to execute with speed and pressure when you need to.”

People element

Despite the impact of technology, the “people” element shouldn’t be ignored when protecting against crime, said Accenture’s Thornely.

“It’s about changing the way people think; it’s the culture, it’s the education,” she added. “Fundamentally, a key part of it is going to be about education, because people need to understand what threats are out there and how to move on and how to test.”

Higgs at Moody’s Analytics agreed, saying that education needs to be implemented in context. “What we know from the data is that not every user or customer of a product is prone to being susceptible to the same scams,” she said — so it was important to send the right message to the right person at the right time. 

For example, she added, someone who runs a business that regularly transfers large sums of money internationally, or has extended family worldwide, would need warnings about the risks associated with sending large sums of money.

This context can be determined by AI behavioural analytics to analyse how customers interact with products and which warnings would be relevant to them.

Oversharing online

Meanwhile, Carney reminded the audience to be aware of how much personal data they already share online that could be of use to scammers. 

When people access online games or log onto social platforms such as Facebook or Instagram, for example, he said, “you are giving away your privacy for a level of convenience there as well, so be mindful of that”.