Personal data is under siege in the digital world, from deepfakes to exploiting human error, vulnerabilities and trust. In this VB Spotlight, security experts will dig into the current landscape, how to get ahead and stay ahead of cybercriminals and more.
What’s at stake when corporations don’t put strategies in place to protect their employees and customers? Everything, says Juan Rivera, senior solutions engineer at Telesign.
“From a regulatory standpoint, recently Meta was slapped with a $1.3 billion fine by the European Union for violating data privacy – and they were just used as an example for companies that cannot afford a $1.3 billion fine,” Rivera explains. “There’s financial loss, as well as potentially huge reputational loss when both customer and employee trust is damaged. Most companies don’t have the flexibility or luxury to manage these kinds of losses.”
In other words, it’s incredibly expensive on every side if corporations fail to put safety practices in place.
The fraud and identity theft landscape now
The most current cybercriminal schemes are not new at all — fraudsters have been using these tactics for years, but now they’re backed by generative AI. Phishing emails that trick victims into revealing login credentials or sensitive information are created with convincing ChatGPT scripts.
Data breaches that bypass safety checks are made possible by tricking generative AI into writing malicious code that reveals the chat history of active users, personally identifiable information like names, email addresses, payment addresses, and even the last four digits and expiration data of credit cards.
Criminals are also leveraging synthetic identities, similar to the way sales and marketing teams use data to create tailored user profiles in order to target the right prospects. With addresses, personal information and stolen credit cards, they can build new credit identities or log into an existing account with very real information.
On the password and credentials front, the pattern recognition abilities of AI can predict the passwords of users who have chosen fairly weak ones, while AI-powered chat bots and voice synthesis can impersonate individuals and organizations, such as a CEO reaching out to a low-level employee in a very convincing manner.
As AI becomes better at predicting human patterns, impersonating humans and sounding more like humans, it’ll be used more to trick both employees and consumers alike. These messages are convincing because they understand the behavior of specific people, and can predict how they’d act with their employees. And the danger is imminent, Rivera says.
“Statistically speaking, the chances of these events happening are 100 percent,” he explains. “They’re already happening. AI is raising the stakes, enabling fraudsters to scale up these attacks faster, better and more convincingly.”
Protecting and securing data and identities
There are both mandated security standards necessary to adhere to, required by law, but also a whole host of considerations that are simply just practical. That includes going beyond two-factor identification (2FA) because it’s no longer a strong enough standard — multi-factor authentication is necessary today. That means an additional layer beyond just a standard PIN code. It might be low friction and common enough today that users never balk, but it’s no longer enough. It could mean something more sophisticated, such as biometrics, or requiring additional information to validate your identity, like a piece of physical identification a user is in possession of — a document, a license, an ID and so on.
There are other advanced identification protocols that aren’t customer-facing, but live behind the scenes. For example, Telesign uses phone identity APIs to gain insight into a user that’s trying to create an account or log in to an existing account. It leverages telco data from a user’s provider to match the information a user is providing with information on record.
“It’s the ability to combine data points like phone number, email address, even the originating IP of the user profile, to tell you whether a user is suspicious,” Rivera explains. “These data points become a scorecard to measure the likelihood of a genuine access account or an attempt at fraud. Suspicious behavior triggers a response, and it’s low- to no-friction protection because it happens in milliseconds on the back end.”
With a low-friction approach at the top of the funnel, the approach to any suspicious actors or behavior can be reinforced with additional friction — requesting multi-factor identification, for example, such as an email to the address on record asking the consumer to call to validate a sign-in attempt.
Beyond tech: Why the human element is crucial
The technical side of security is the foundation of safety, but ongoing employee training and education around security best practices is absolutely critical to mitigate threats, Rivera says. This can include sharing with employees a suspicious email that’s come through and noting the features that give it away, or making sure passwords are changed frequently and software updates are applied diligently.
But security awareness needs to extend beyond businesses and employees; companies should engage with customers on a regular basis to raise knowledge and awareness. It not only adds another layer of safety, but it bolsters optics, Rivera points out, so that a company is now seen as caring for the customer base enough to continually educate them on evolving threats in the digital space.
“I don’t think we see this enough,” he says. “We don’t see the Amazons of the world reaching out on a regular basis and saying, ‘Hey, we understand that you’re shopping online more. We want to make sure you understand how to stay safe.’ We need to start making education an industry standard, because fraudsters don’t sleep.”