cfotechoutlook

The Quintessential Technology Source for Corporate Financial Professionals

Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
9Aug-Sept 2018as well as the principals. For small structures, awareness concerns all employees who have access to the company's means of payment. While the "prevention ­ awareness" combination does contribute to limiting certain attempts at rudimentary or gross fraud, it is not sufficient to detect more sophisticated attacks built on fictitious data architectures designed to instill confidence in the target and deceive them. It is then necessary to imagine and build high frequency active digital shields capable of detecting fraud attempts and alerting the target in real time before making the fraudulent transfer. In this case, Artificial Intelligence is the best approach to effectively combat fake president frauds, suppliers and money transfers.AI applied to email analysis, with natural language processing (NLP) and machine learning techniques, can analyze message content and detect patterns characteristic of a fraud attempt. Typically, the attacker tends to usurp the identity of an authority to obtain a transfer. They then exploit all the cognitive biases and human vulnerabilities to establish a context of trust, urgency and discretion that will lead their target to respond positively to their inquiries and money transfer requests. For the attacker, designing an effective attack remains a complex activity that often takes time in order to develop a credible scenario. They must first identify their targets using social engineering techniques. They may need to establish initial professional contact by telephone or e-mail with the target company to obtain information that will be used during the next stages of their operation. This involves identifying within the company the employee who is authorized to make transfers and studying their digital habits, possibly by taking control of their mailbox after retrieving their identifiers. Then the attacker must identify a favorable business context, an invoice being processed with a supplier, or imagine a confidential subsidy decided by the general manager or the President of the company.The chosen scenario must be compatible with the target's psychological profile and the company's activity. To establish trust, the attacker often bases their fraud attempt on a fictitious, credible, non-adversarial data architecture, imitating at best that of a legitimate interlocutor. It can be a supplier's fake website, a client's company, a central administration or a supervisory authority. In many cases of successful attacks with fake transfer orders, the victim visited the fake site without suspecting that they were evolving on a fictitious structure. At this point, artificial intelligence can bring a lot in terms of alerts. Most of the fictitious sites used in these `presidential scams' had anomalies that could easily be detected by an automated system. It is necessary to generalize this detection of anomalies to data and metadata transmitted in e-mails, as well as to html links pointing to imitation websites, by crossing and comparing all the analyzed data. The solutions currently under development combine several techniques: rule engines, NLP, machine learning, decision trees. The period and schedule selected by the attacker are often decisive criteria in the success of the operation. They will tend to choose a period of leave during which the workforce is reduced or at the end of the day when the employees are tired. Generally speaking, it is important to highlight the increasing power and complexity of the fictitious data architectures used during fake transfer order campaigns. The odds are that future attacks will use all the power of AI to build credible fake digital environments that combine text, image and sound. The latest advances in AI now make it possible to produce fictitious videos and false speeches from a machine learning component that are difficult to detect with the naked eye. By combining all these approaches, the attacker will be able to create a fictional immersive space, creating confidence among their target. Only the AI can give the alert and reveal the trap! It is necessary to generalize this detection of anomalies to data and metadata transmitted in e-mails, as well as to html links pointing to imitation websites, by crossing and comparing all the analyzed dataThierry Berthier
< Page 8 | Page 10 >