How Identity Holds the Key to Protecting Financial Services from Phishing Scams
The global pandemic spurred a digital revolution that also introduced historic highs in new cyber threats. The most common method used by attackers to obtain compromised credentials was phishing attacks. In fact, according to the 2021 ForgeRock Consumer Identity Breach Report, unauthorized access continues to be the number one attack vector in Australia.
In Singapore, the country's banking systems saw phishing scams increase 20-fold in the first half of 2021 as cybercriminals raced to exploit the confusion and panic of the pandemic to trick victims into disclosing their banking credentials, personal identification numbers (PINs), and the like.
Such methods are designed to get the targeted user to act on emails, text messages (SMS), and other communications that typically contain a clickable link to malicious websites that impersonate legitimate ones. Other more sophisticated attack methods may involve the ability to exfiltrate information from a device or instruct the device to take certain actions without the victim's involvement or knowledge.
As the cost of breaches continues to rise, it's important for organizations to know where they may be vulnerable. You should avoid using services that have weak authentication, including those lacking strong multi-factor authentication (MFA) capabilities. Instead, look for services that apply Zero Trust as part of their access control, and use APIs that are protected by industry best practices as well as protocols such as FAPI (Financial Grade API) and OAuth2. Also avoid methods subject to social engineering such as contact centers. For valuable insights on how to strengthen your organization's security posture, download the report.
Protect your organization from becoming a statistic
An astounding 450% increase in breaches involving usernames and passwords underscores the need to adopt a strong digital identity and access management solution that offers passwordless authentication. It's often preferred by customers and gives companies a much better chance to reduce data exposure, while lowering their reputational and financial risk.
Because phishing often yields access to valid credentials, it's critical to be able to assess risk-related signals in real time as they relate to a specific identity and its typical pattern of interactions with a service or resource. This analysis should include the ability to check which device a request is coming from, the location the request is coming from, and other contextual signals that can be learned from the request. If the analysis indicates that something is out of the norm for a user, the requested access can be outright denied, or challenged to require a stronger authentication or authorization method.
A challenge with some phishing scams is that they lure people with authentic-looking fraudulent sites or applications that convince people to enter second-factor credentials, such as one-time passwords (OTPs), into a site or application the attacker controls. This is a risk that needs to be considered when out-of-band two-factor authentication (2FA) is used with SMS or email messaging.
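The contextual risk check described above, and the choice of step-up factor that the OTP-phishing caveat implies, as an added example that is not ForgeRock's code: the baseline, requests, weights and thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """What a service has learned about one identity's usual behaviour."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = field(default_factory=lambda: range(7, 23))

@dataclass
class Request:
    """Contextual signals extracted from one access attempt."""
    device_id: str
    country: str
    hour: int          # local hour of the attempt
    new_asn: bool      # source network (ASN) never seen for this identity

# Illustrative weights (assumptions, not ForgeRock's): a device the user has
# never authenticated from is the strongest single hint that a phished
# credential is being replayed from somewhere else.
WEIGHTS = {"unknown_device": 40, "unusual_country": 30, "new_asn": 20, "odd_hour": 10}

def score_request(req: Request, base: Baseline) -> int:
    """Sum the weights of every signal that deviates from the identity's norm."""
    score = 0
    if req.device_id not in base.known_devices:
        score += WEIGHTS["unknown_device"]
    if req.country not in base.usual_countries:
        score += WEIGHTS["unusual_country"]
    if req.new_asn:
        score += WEIGHTS["new_asn"]
    if req.hour not in base.usual_hours:
        score += WEIGHTS["odd_hour"]
    return score

def decide(req: Request, base: Baseline, step_up_at: int = 30, deny_at: int = 70) -> str:
    """ALLOW, STEP_UP (challenge with a stronger factor) or DENY. Because an
    SMS/email OTP can itself be relayed through a phishing site, the step-up
    challenge should be a phishing-resistant factor such as FIDO2/WebAuthn."""
    score = score_request(req, base)
    if score >= deny_at:
        return "DENY"
    if score >= step_up_at:
        return "STEP_UP"
    return "ALLOW"

# Constructed sample: a customer who always logs in from one laptop in Australia.
ALICE = Baseline(known_devices={"laptop-1"}, usual_countries={"AU"})

if __name__ == "__main__":
    for req in (Request("laptop-1", "AU", 10, False),   # familiar context -> ALLOW
                Request("phone-9", "AU", 10, False),    # new device only  -> STEP_UP
                Request("vm-77", "NL", 3, True)):       # everything off   -> DENY
        print(req.device_id, score_request(req, ALICE), decide(req, ALICE))
```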
How ForgeRock Can Help
ForgeRock helps organizations embrace continuous adaptive risk and trust (CARTA) and Zero Trust security strategies at scale. At the core of this capability is ForgeRock Intelligent Access, which helps companies design and personalize secure user journeys with an intuitive low-code/no-code orchestration platform. We make it easy for you to offer usernameless and passwordless authentication, and provide customers with self-service account management so they're not waiting for you to reset their forgotten password.
Our solution also includes essential services such as our policy engine and OAuth2 authorization, as well as multi-factor authentication (MFA) methods, including FIDO2/WebAuthentication and push notifications.
Adopting customer journey enhancements [like passwordless] can make a big difference. A leading bank in Australia relies on ForgeRock Intelligent Access to reduce fraud and risk while also delivering a more modern and secure user experience.