Following up from RSA 2019: What’s the Role of Law Enforcement in Consumer Phishing Scams?
- 15 - March 2019
‘Trust’ was one of the topics on everyone’s lips at RSA 2019, and who should we trust more than our law enforcement agencies? Unfortunately, the growth of cybercrime, and the unknown nature of the latest attacks means that the FBI and other crime units are not always able to predict a hacker’s next moves.
The Limitations of Law Enforcement
Firstly, we need to understand what the risk is made up of. While attacks can come from any direction, the latest stats from Microsoft show that phishing scams are the biggest threat. There has been a 250% increase in phishing scams, while by comparison, malware is down by 34%. RSA 2019 highlighted how law enforcement cannot manage this growing attack landscape on its own.
Anne Connell, cybersecurity researcher at the Carnegie Institute discussed this risk when she spoke about the intelligence that scammers have on their targets. Not only are they able to replicate your domain and branding, the voice of your CEO or the language of your website, they also know how to stay under the radar and out of the reach of the law. For example, hackers know that above $25,000 is the amount that an attorney general will need to investigate. The attackers therefore target victims through multiple smaller requests. “Repeated attacks for smaller amounts, amount to something that they might not investigate,” Connell cautioned.
Stephen Cobb, senior security researcher was also disillusioned by the amount of support for victims who suffer from consumer phishing scams and cybercrime. In his blog on his RSA 2019 experience, he mentions that “the 9-1-1 service is not properly resourced to respond to reports of cybercrime. And while some parts of America do have coordinated law enforcement programs for dealing with cybercrime, there is no consistent coverage of this type across the country. Many cybercrime victims currently feel they have nowhere to turn for help.” The official government advice is to report any attack to the Internet Crime Complaint Center, but this is far from a solution that provides quick mitigation of growing threats, and involves businesses waiting for an attack without adequate protection.
This method also means that many victims will never report attacks, limiting the valuable information on attackers and crime that can be used to build better databases into hacker behavior. Cobb continues, “the current lack of cybercrime victim support clearly means we are missing a lot of useful and actionable data.”
A Collaborative Approach
Christopher Wray, director of the US FBI has been upfront and candid about the limitations of law enforcement, and spoke at RSA about how today’s cyber threat cannot be covered by any specific government agency. “It’s bigger than the government itself,” Wray said. “The scope, breadth, depth, sophistication and diversity of the threat we face now is unlike anything we’ve had in our lifetimes.”
Wray’s advice was to look for ways to create cooperation between different companies and agencies, from public to private sector, and between cyber-intelligence and law enforcement.
These existing relationships can help make a real difference to taking down a threat early, because “it’s not just prevention but in many cases it’s mitigation and that’s where speed really matters,” Wray elaborated.
At Segasec, we are proud to have used our perfect track record to build relationships with hosting providers, registrars and law enforcement agencies. In turn, we share the benefits of this trust with our customers. Our all in one intelligence and response is a totally managed solution, taking the risk of consumer phishing scams off your hands entirely. Rather than wait for a user to complain about being scammed, and reporting it to an anonymous website, Segasec acts ahead of time, catching the hackers (and any valuable information about their behavior) at the earliest stages, blocking the malicious content, and taking down the threat.
Worried about the growing risk of consumer phishing scams against your customers? Let’s schedule a demo.