It’s possible to cancel other people’s voter registrations:

On Friday, four days after Georgia Democrats began warning that bad actors could abuse the state’s new online portal for canceling voter registrations, the Secretary of State’s Office acknowledged to ProPublica that it had identified multiple such attempts…

…the portal suffered at least two security glitches that briefly exposed voters’ dates of birth, the last four digits of their Social Security numbers and their full driver’s license numbers—the exact information needed to cancel others’ voter registrations.

I get that this is a hard problem to solve. We want the portal to be easy for people to use—even non-tech-savvy people—and hard for fraudsters to abuse, and it turns out to be impossible to do both without an overarching digital identity infrastructure. But Georgia is making it easy to abuse.

EDITED TO ADD (8/14): There was another issue with the portal, making it easy to request cancellation of any Georgian’s registration. The elections director said that cancellations submitted this way wouldn’t have been processed because they didn’t have all the necessary information, which I guess is probably true, but it shows just how sloppy the coding is.

Some scholars are inflating their reference counts by sneaking them into metadata:

Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors’ names, publication year, journal or conference name, and page numbers of the cited publication. These details are stored as metadata, not visible in the article’s text directly, but assigned to a digital object identifier, or DOI—a unique identifier for each scientific publication.

References in a scientific publication allow authors to justify methodological choices or present the results of past studies, highlighting the iterative and collaborative nature of science.

However, we found through a chance encounter that some unscrupulous actors have added extra references, invisible in the text but present in the articles’ metadata, when they submitted the articles to scientific databases. The result? Citation counts for certain researchers or journals have skyrocketed, even though these references were not cited by the authors in their articles.

[…]

In the journals published by Technoscience Academy, at least 9% of recorded references were “sneaked references.” These additional references were only in the metadata, distorting citation counts and giving certain authors an unfair advantage. Some legitimate references were also lost, meaning they were not present in the metadata.

In addition, when analyzing the sneaked references, we found that they highly benefited some researchers. For example, a single researcher who was associated with Technoscience Academy benefited from more than 3,000 additional illegitimate citations. Some journals from the same publisher benefited from a couple hundred additional sneaked citations.

Be careful what you’re measuring, because that’s what you’ll get. Make sure it’s what you actually want.

Execs at a health tech startup are sentenced to jail after a massive ad fraud, and a school is shaken after teachers are targeted via TikTok. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Memcyco Inc., a provider of digital trust technology designed to protect companies and their customers from digital impersonation fraud, released its inaugural 2024 State of Digital Impersonation Fraud Resilience report. Notably, Memcyco’s research indicates that the majority of companies do not have adequate solutions to counter digital impersonation fraud and that most only learn about attacks from their customers.

More than half of all respondents (53%) said their existing cybersecurity solutions do not effectively address website impersonation attacks, and 41% said their existing solutions only protect them and their customers “partially.” Just 6% of brands claimed to have a solution that effectively addresses these attacks, despite 87% of companies recognizing website impersonation as a major issue and 69% admitting to having had these attacks carried out against their own website.

Fake websites dupe users into sharing their login credentials on unauthorized pages, leaving them vulnerable to account takeover (ATO) attacks. This growing problem has earned cybercriminals an astonishing $1 billion+ in 2023 alone, according to data from the U.S. Federal Trade Commission. That’s more than three times the amount reported stolen in 2020. 

The report found that 72% of companies have a monitoring system to detect fake versions of their website, but still, 66% said that they primarily only learn about digital impersonation attacks when they are flagged by customers. 37% of respondents learn about such attacks as a result of “brand shaming” by impacted customers on social media.

The inability to adequately protect against digital impersonation fraud raises questions about companies’ responsibility to reimburse their customers for any losses stemming from scams. 48% of survey respondents are aware that upcoming regulations are likely to enforce customer reimbursements, making effective protection against digital impersonation fraud a ‘must-have’ for avoiding revenue loss.

“One of the most alarming takeaways from the report is that website impersonation scams are growing because cybercriminals rely on companies having limited visibility into these kinds of attacks,” said Israel Mazin, Chairman and CEO of Memcyco. “This creates a glaring blindspot in cybersecurity — the inability of companies to protect their customers online.”

The State of Digital Impersonation Fraud Resilience report was conducted together with Global Surveyz Research, based on the responses of 200 full-time employees ranging from Director to C-level executives at organizations in the security, fraud, digital, and web industries, operating transactional websites with traffic of more than 10,000 monthly visits.

Memcyco’s solution suite addresses the rising tide of website impersonation scams by using real-time alerts to secure end-users on every website visit and provides organizations with unparalleled insights into the scope and impact of all attacks on their sites. 

The full report can be found here.

About Memcyco

Memcyco offers a suite of AI-based, real-time digital risk protection solutions for combating website impersonation scams, protecting companies and their customers from the moment a fake site goes live until it is taken down. Memcyco’s groundbreaking external threat intelligence platform provides companies with complete visibility into the attack, attacker, and each individual victim, helping to prevent ATO fraud, ransomware attacks, and data breaches before they occur. Memcyco’s “nano defender” technology detects, protects, and responds to attacks as they unfold, securing tens of millions of customer accounts worldwide and reducing the negative impact of attacks on workload, compliance, customer churn, and reputation.

About Global Surveyz

Global Surveyz is a global research company that provides survey reports as-a-service, covering the whole process of creating an insightful and impactful B2B or B2C report for any target market. Global Surveyz was established in 2020 by Ramel Levin.

The post Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud appeared first on Cybersecurity Insiders.

[By Shai Gabay, CEO, Trustmi]

As if the list of things keeping CISOs up at night wasn’t long enough, cyberattacks on finance teams and business payment processes are now a priority because they are in the bullseye of bad actors.

According to a 2023 webcast poll from Deloitte Center for Controllership™, more than 48 percent of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. This puts CISOs on notice.

One reason for the growth of cyberattacks is that finance departments and their B2B payment processes are highly manual and, therefore, vulnerable. Additionally, finance teams continue to rely on disparate systems with siloed information, creating a lack of visibility across the entire payment workflow. That lethal combination results in growing blind spots and human errors. This challenge is compounded by understaffed finance teams that are stretched thin and overwhelmed by the sheer number of invoices and payments that teams must process regularly.

Add it all up, and identifying potential signs of business payment fraud is like looking for a needle in a haystack. Some top sources of struggle for CISOs include Business Email Compromise (BEC), vendor supply chain attacks, and cyber attackers who are cranking up their use of AI.

Here’s a look into each of these areas:

Business Email Compromise (BEC): BEC attacks have existed for some time. The FBI began tracking BEC more than a decade ago. But today, the focus of these attacks is not just ransomware and data theft. They are targeting finance teams by impersonating legitimate vendors and sending fake invoices to companies. The goal of these efforts is illicit financial gain. The 2022 FBI Internet Crime Report found the following:

  • The FBI found attackers are spoofing legitimate business phone numbers to confirm fraudulent banking details.

  • According to research from the FBI Internet Crime Complaint Center, $50B was lost to business email compromise between 2013 and 2022.

AI: Arguably, the most significant security challenge facing CISOs and the finance department stems from AI. In what seems like the blink of an eye, cybercriminals are using AI to create written, voice, and video communications so convincing that many human experts cannot separate the real from the fraudulent. This includes anything from a phishing campaign to chatbot conversations and video conference calls. 

In what may be the most recent high-profile example, earlier this year in Hong Kong, attackers used a deepfake of a CFO in a video conference to trick a finance employee into making a fraudulent $25 million wire transfer. More recently, an employee of the TV network owned by the Boston Red Sox was convicted of creating fraudulent invoices from a legitimate vendor. He was able to steal $500,000.  

Supply chain problems: Supply chain attacks have been around for some time, with the most high-profile victim being SolarWinds. However, not all supply chain attacks are the same. Today, some attackers are exploiting a company’s vendor supply chain rather than attacking the software supply chain and installing malware. Vendor supply chains are extremely vulnerable because third-party vendors lack the same levels of security as larger enterprises, making them easy to exploit.

Once the vendor is integrated with the larger business, the fraudster acts by, for example, impersonating a vendor and changing their payment details to shift the payment to themselves. This is a threat that all companies must be wary of. According to research from the Cyentia Institute, the average organization has approximately ten third-party relationships, and 98% had at least one third-party partner who had suffered a breach. For larger businesses, the number of vendors can be in the hundreds of thousands, which means there’s an even larger risk that these enterprise organizations are working with third-party partners at risk of a security breach.

Securing Finance with AI

If none of these threats has impacted your business yet, it’s likely only a matter of time. The best tool to have in your CISO tool belt is AI. More specifically, an AI system that can analyze vast amounts of data in real time and, in the process, continually improve fraud detection capabilities. Today, AI-based analysis systems can monitor and analyze all aspects of the process, from vendor interaction to payment. From there, these systems can provide real-time risk and trust scores, identify discrepancies or anomalies, send alerts for potentially fraudulent activities, and work seamlessly within the current process to ensure easy implementation.

Regarding the supply chain, AI can replace wildly outdated manual processes by efficiently managing and securing every vendor, whether you have 1 or 100,000. And this includes fourth-party vendors as well.

Look for solutions that can identify all vendors, provide complete visibility into their management, monitor vendor activities, track and control their permissions and access to internal systems, and enforce security practices. In addition to managing vendor profiles and changes to their payment information, it’s vital that your AI system can secure the entire supply chain lifecycle, including the initial onboarding process. This is necessary to provide full supply chain protection.

For today’s CISO, the threats never stop. As attackers expand their list of targets, security teams must be prepared to identify and mitigate each, whether a BEC, vendor supply chain attack, or AI-fueled deepfake swindle. The good news is that CISOs can fight fire with fire by tapping into AI to identify suspicious activity and stop it in its tracks, no matter which department is being targeted.

Shai Gabay Bio

A visionary entrepreneur, Shai Gabay has always held a deep passion for cybersecurity and fintech, and over the course of his career, he has developed his expertise in both areas. Currently, Shai is a co-founder and the CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Prior to Trustmi, he was General Manager at Opera, VP of Product and Services at Cynet, CIO at Cyberbit and the CISO at Discount Bank.

Shai holds a Bachelor’s Degree from Shenkar College in software engineering, and also a Master’s degree in Business Administration and Management from Tel Aviv University. Additionally, Shai was selected for the prestigious 1-year full scholarship executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of IDF’s Elite Units. Through this program, he had the opportunity to study with prominent co-founders and leaders at renowned global tech companies and professors at elite universities.

The post The Latest Threat CISOs Cannot Afford to Ignore—Business Payment Fraud appeared first on Cybersecurity Insiders.

First-person account of someone who fell for a scam that started with a fake Amazon service rep and ended with a fake CIA agent, and who lost $50,000 in cash. And this is not a naive or stupid person.

The details are fascinating. And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.

It happened to Cory Doctorow.

EDITED TO ADD (2/23): More scams, these involving timeshares.

Selling miniature replicas to unsuspecting shoppers:

Online marketplaces sell tiny pink cowboy hats. They also sell miniature pencil sharpeners, palm-size kitchen utensils, scaled-down books and camping chairs so small they evoke the Stonehenge scene in “This Is Spinal Tap.” Many of the minuscule objects aren’t clearly advertised.

[…]

But there is no doubt some online sellers deliberately trick customers into buying smaller and often cheaper-to-produce items, Witcher said. Common tactics include displaying products against a white background rather than in room sets or on models, or photographing items with a perspective that makes them appear bigger than they really are. Dimensions can be hidden deep in the product description, or not included at all.

In those instances, the duped consumer “may say, well, it’s only $1, $2, maybe $3—what’s the harm?” Witcher said. When the item arrives the shopper may be confused, amused or frustrated, but unlikely to complain or demand a refund.

“When you aggregate that to these companies who are selling hundreds of thousands, maybe millions of these items over time, that adds up to a nice chunk of change,” Witcher said. “It’s finding a loophole in how society works and making money off of it.”

Defrauding a lot of people out of a small amount each can be a very successful way of making money.

Interesting story:

Napoleon Gonzalez, of Etna, assumed the identity of his brother in 1965, a quarter century after his sibling’s death as an infant, and used the stolen identity to obtain Social Security benefits under both identities, multiple passports and state identification cards, law enforcement officials said.

[…]

A new investigation was launched in 2020 after facial identification software indicated Gonzalez’s face was on two state identification cards.

The facial recognition technology is used by the Maine Bureau of Motor Vehicles to ensure no one obtains multiple credentials or credentials under someone else’s name, said Emily Cook, spokesperson for the secretary of state’s office.