Combating identity deception with a people-centric approach
The concept of identity is dynamic – it changes all the time. For most of human history, a person's identity consisted of their name, their family relationships and where they lived. Identity had only three or four elements. In the last 100 years, additional elements were added to a person's identity when passports and other identity documents became widely used – closely followed by driver's licences, phone numbers and email addresses.
Identity deception and identity theft are not new – they occurred even in the days before modern computing. Criminals could obtain personal information such as credit card details, phone numbers, bank account numbers and addresses by stealing a wallet or a purse, overhearing a phone conversation, rummaging through rubbish bins, or picking up someone else's receipt. If the criminal had sufficient identity elements, they may be able to use identity deception to make purchases, open new accounts or take out loans.
Over the past 25 years, activity that was once carried out face-to-face has shifted to the Internet. This has led to an explosion of new identity elements as people and businesses interact with minimal physical engagement. The smallest and the largest commercial transactions have shifted online. Digital engagement is now the norm. New identity elements, including passwords, user IDs, email addresses, one-time passwords (OTPs), and biometrics such as fingerprints and facial recognition, create new opportunities for criminals.
Digital engagement leads to an explosion of identity elements
Digital engagement and the proliferation of identity elements makes it easier than ever for a bad actor to obtain one or more identity attributes and use these as a platform for stealing an identity or creating a synthetic identity.
Some identity elements can even be purchased on the dark web. Credit card numbers, passport numbers and driver's licence details can be purchased relatively easily, as can sets of user IDs, email addresses and passwords. A fake email address and spoofed domains can be used to deceive people into sharing identity details. Indeed phishing, commonly in the form of email fraud, is proving to be a very successful method for capturing credentials and other core identity elements. Additionally, the frequency and severity of cloud account compromise is on the rise, with an increasing number of organisations utilising Microsoft Office 365 and Google Workspace email to collaborate and communicate. This equips attackers with very powerful and convincing tools to gain a strong foothold inside organisations.
Taking a people-centric approach to combating identity deception
Proofpoint takes a people-centric approach to one of the biggest ways people identify themselves with: email. Email fraud and BEC (business email compromise) are top-of-mind threats for most CISOs and organisations, and with good reason. According to the Annual Cyber Threat Report published by The Australian Cyber Security Centre (ACSC), in 2021–22, the number of successful BEC reports declined slightly to 1514. However, self-reported losses in 2021–22 increased significantly to over $98 million. Nationally, the average loss per successful BEC increased to over $64,000.
Proofpoint has developed a framework to help CISOs to classify, identify and manage email fraud. The framework consists of three layers:
1. Identity: this refers to a person or an entity that the attacker is pretending to be. It can be an employee, a supplier or unknown. Each category can be further decomposed as required. For example, employees could consist of executives, field workers, administrators and so forth. This facet speaks to the impact to an organisation if the person is indeed compromised. In a zero-trust world, we cannot assume every successful login is legitimate.
2. Deception: this addresses the techniques and tactics used by email fraudsters. It consists of two categories: impersonation and compromise. Impersonation relates to techniques involving the manipulation of one or more message attributes (most commonly, the domain) to disguise the message origin. Compromise relates to gaining access to legitimate accounts and mailboxes, such as those belonging to trusted partners or senior executives. The recipient will have no reason to question the legitimacy of the email if it is received in the correct context.
3. Theme: this includes the common types of email fraud. They include invoice fraud, payroll redirects, extortion, lures and tasks, gift carding and advance fee fraud. The themes are the categories that Proofpoint believes are most relevant to those concerned with managing email fraud.
Ways of combating email-based identity deception
So, what can organisations do to manage the threat of email-based identity deception? Organisations need to place greater emphasis on mitigating identity-based threats using a range of controls. Specifically, they need:
- Visibility: organisations need visibility of their human attack surface - to understand which users are at the highest risk of attack and which suppliers are most likely to be compromised or impersonated. This is essential in all the places, and ways users work; whether in email, collaboration, or cloud applications.
- Detection: organisations need modern detection capabilities to detect and contain threats, both with and without a payload. These types of capabilities require artificial intelligence and machine learning features that can analyse potential threats and respond quickly if anomalous activity is detected across the entire attack chain - before, during, and after delivery.
- Policy: organisations need consistent policy enforcement across all cloud assets, with a particular focus on email accounts. Implementing DMARC, an email authentication policy, is the best tool and first step to preventing email fraud.
- Awareness: organisations need to implement greater security awareness and training to give people a better chance of recognising phishing attacks and email fraud. Users need to act as the strong line of defence because some attacks will reach them and not be detected. It needs to be easier for users to report suspicious messages and for security teams to analyse them quickly.
Rapid digitalisation is creating even more identity elements leading to more opportunities for attackers. Identity and data sprawl must be managed much more tightly. Organisations need to focus on ensuring their users understand their responsibility in reporting threats and managing their digital footprint. They need visibility across all the ways their people work, and essentially, organisations need to place more focus on judiciously using identity elements as evidence for potential account compromise.
Organisations also need to do everything they can to detect fraudulent emails and other forms of identity deception before they reach the inbox; with modern detection and response capabilities as well as adequate awareness training and education. Because, as always, people are at the core of a successful defence.