Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
November 29, 2021
Mindfulness and Phishing Resistance
How many emails do you receive in a day? 50? 150? 1,500?
Do you sometimes find yourself processing all those messages automatically, rapidly deleting as many as possible and trying to respond ASAP to items that appear easy to get out of your inbox?
Maybe think about slowing down.
If you're reading this blog, you know that phishing is the main avenue for ransomware and account takeover attacks. You're familiar with most of the rules that can keep you safe from phishing: don't click through on emails from unknown senders, look at return addresses, watch out for a sense of urgency, et cetera.
You're adept at following those rules. Maybe you have aced your organization's phishing simulations. Not only the easy ones, like "Congrats. You are the employee of the month. Click here," but also the tricky messages with a direct relationship to your job content.
So now it's time to talk about the role of overconfidence—yours and mine—in our ability to identify phishing emails. That overconfidence could lead to a lack of attention.
I got to thinking about overconfidence after reading some reports of research projects that use phishing simulations to try to understand whether personality traits or demographics are associated with phishing susceptibility. I repeatedly saw words and phrases like "impulsive," "deficient self-regulation," "attention control," and "not paying attention."
Which led me to this experiment finding that training in mindfulness techniques reduced the likelihood that university students would fall for a mock phish. Students already trained to know the anti-phishing rules were divided into two groups. Half received additional training on the rules. Half received mindfulness training.
The mindfulness training took a step back from the specific phishing rules. "Mindfulness training cautioned individuals against quickly responding to e-mail requests and encouraged them to stop, consider what e-mails ask them to do, and then take appropriate action." It was about following a process, not following a rule. The authors point out that environmental awareness and an understanding of potential consequences in that environment are key aspects of mindfulness.
Is there a role for mindfulness in your organization's anti-phishing program? In May, my colleague Scarlett Heinbuch wrote about the impetus to hurry when encountering a payment problem at checkout. For phishers, a similar impetus to hurry creates opportunity. Before you click, pause—take a breath—exhale—take another breath. Only then should you decide whether or not it's safe to click.
November 15, 2021
Ransomware: You Are the First Line of Defense
Anecdotally, many of us have felt the profound impact of ransomware. My Atlanta Fed colleagues queued for gasoline in the aftermath of the Colonial Pipeline breach in May. My friend's local government was unable to issue building permits or accept payments. Maybe your child's school canceled remote learning for a few days. Perhaps you lost treasured family photos and important financial records. For my part, I worried that a ransomware attack on the Martha's Vineyard Ferry would derail a planned visit to the island.
Now, from the Financial Crimes Enforcement Network (FinCEN) come the numbers to drive home the point. The growth in reported ransomware payments in the first half of this year is staggering:
- The number of ransomware-related Suspicious Activity Reports (SARs) for the first six months of 2021 (635) exceeds the total number of such reports for all 12 months of 2020 by 30 percent.
- The total value of suspected ransomware-related payments reported for the first six months of 2021 was $590 million, topping the total value for 2020 by 40 percent.
Back-of-the-envelope extrapolation: the number of ransomware incidents reported on SARs for 2021 is on track to be something like two-and-a-half times the number of incidents reported in 2020. By value, FinCEN concluded that "If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined."
Preventing attacks of this magnitude and sophistication clearly requires coordinated action by governments across the globe.
But how about you?
The number one entry vector for these highly organized, technology-enabled, and well-funded crimes is phishing. It's simple. It's not highly technical. It works. And it starts with you.
Each one of us represents the first line of defense. Remember: not every email is something you need to take action on. When you pay attention to an email sender's address and think twice before clicking on attached files, you are defending against ransomware. Don't underestimate your adversary: to make use of all the weapons at your disposal, read this tip sheet from the Cybersecurity and Infrastructure Security Agency (CISA).
October 25, 2021
Should We Throw in the Towel When It Comes to Data Breach Prevention?
Cybersecurity Awareness Month, observed in October, reminds us of a post we ran two years ago. We're rerunning it today because it is just as relevant now as it was then, and perhaps even more important. This year's Data Breach Investigations Report, for example, found that 85 percent of breaches involved a human element. As the Risk Forum has often said, the human element is the weakest link when it comes to cybersecurity. So the closing question posed by my colleague and the author of that post is as imperative today as organizations consider that human-caused breaches are inevitable: "What approach has your organization taken to adopting threat prevention and response preparedness?"
We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.
In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?
According to Verizon's 2019 Data Breach Investigations Report, small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.
Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.
October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.
While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?
August 2, 2021
Ransomware: To Pay or Not to Pay?
Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cybercurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?
Law enforcement and cybersecurity professionals almost all say "no." A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom—but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35–44 age group, at 65 percent, was most likely to pay.
Arguments against payment are threefold:
- It encourages further attacks because the victim has already shown willingness to pay.
- It rewards criminal behavior and provides funds for additional attacks.
- It may not result in 100 percent recovery of files.
Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.
As this type of cybersecurity attack against consumers and businesses continues to increase, education about how it works and the defenses that should be undertaken is critical. What is the best way to provide that? Let us know what you think.