Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

5 Ways to Survive Scam Season — or Rather, Tax Season

Security pros need to look beyond user education to find and disarm fraudulent actors.

Joshua Goldfarb, Field CISO

February 7, 2023

4 Min Read
Photo from behind of a woman reading on a desktop computer a phishing email claiming she is entitled to a UK tax refund.
Source: Ron Bull via Alamy Stock Photo

The new year celebrations are behind us, and most of us have returned to our daily routines. This is as good a reminder as any that the spring scam season — or rather, tax season — is nearly here.

In all seriousness, the opening of the tax season most often brings with it a new crop of scams to defraud honest, hard-working people.

Of course, it is not just tax season that heralds scams. Nearly all big events, whether they are natural disasters, health crises, economic downturns, major sporting events, or otherwise, seem to bring with them their fair share of scams. Educating our end users as to the dangers of these scams and the potential for fraud losses is necessary but woefully insufficient.

But enterprises need to do even more to effectively combat scams. They need to protect their end users in ways that are not dependent on the end user themselves. Simply put, enterprises cannot rely solely on educating end users to reduce fraud losses.

Though there are undoubtedly numerous ways in which enterprises can combat scams, I'd like to discuss five techniques that enterprises can use to help avoid fraud losses resulting from scams.

1. Incorporating the User Layer

It may sound radical, but the first step to combatting scams is accepting that a certain percentage of them will succeed against end users. Only when enterprises embrace this idea can they begin to reduce fraud losses resulting from scams. If we assume that a certain number of end users will be scammers and/or fraudsters that have taken over or otherwise compromised a legitimate end user's account, that allows us to understand that we need to look at the user layer.

In other words, we need insight into user behavior, device information, and network/environment information in order to add important context and enrich our understanding of who might be interacting with our online application. We can look for unusual activity, suspicious behavioral patterns, and strange device, network, and environment information that might help us realize that it is not the legitimate user who is interacting with the application. That can tip us off to when a legitimate end user has fallen prey to a scam.

2. Reducing Noise

Say that an enterprise needs to look at 50, 100, or 200 suspicious events in a given day — including scam-related events. If those events are found in a work queue of 500 or 1,000 events, this is doable. If, on the other hand, those events are buried in a pile of noise and false positives numbering in the hundreds of thousands or even millions, this is considerably more challenging. Thus, an important component to combatting scams is to get them noticed in the first place.

In other words, it is important to significantly reduce the amount of noise and the volume of false positives that the fraud team needs to wrestle with on a daily basis.

3. Tightening Logic

Related to the above point, a key reason for overabundance of false positives is alert logic that is not tight enough or precise enough. By incorporating the user layer, more precise logic, and more analytically clever rules, enterprises can significantly reduce the volume of false positives and noise that they must contend with. Tightening alert logic is a very effective way to increase the chances that scams will be detected before significant fraud losses have been incurred.

4. Performing Post-Transaction Analysis

It is often the case that enterprises focus on real-time or near-real-time fraud detection and mitigation. This is, of course, extremely important and a noble goal. It would be naive, however, to believe that we are not overlooking or missing significant fraud losses that we are unable to detect in real time.

Analyzing data post-transaction — or "offline," if you will — allows us to identify suspicious or unusual activity that may be buried deep in the data. This allows us to identify reliable patterns, including around scams, that we can turn into real-time or near-real-time detection. This improves our fraud detection capabilities as a whole and helps us to reduce our risk of fraud losses.

5. Studying Behavioral Patterns

An important part of post-transaction analysis that is worth mentioning separately is the study of behavioral patterns. As alluded to above, as careful as scammers and fraudsters try to be, they often leave clues behind that can help us detect that it is them and not the legitimate end user interacting with the online application.

The subtler the clues, the more important it is to study behavioral patterns in depth. Doing so can facilitate the discovery of fraudster "tells" that we can then leverage to more accurately detect scams.

While end-user education is necessary to limiting scam-related fraud losses, it is not sufficient. To truly tackle the scam problem, enterprises must embrace a variety of approaches, some of them outside of the box of conventional wisdom. The investment is most often worth it, however, as it can yield results in the form of significantly reduced fraud losses.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights