Double-clicking on scams with Appdome CEO

Felicia Tan
Tovar: Scams are prevalent because it is easier to exploit the human input in a system than a machine’s output. Photo: Appdome

In an era where technology and digital interactions have become a part of our daily lives, the potential for scams grows as well. According to AAG, phishing is the most common form of cybercrime with about 3.4 billion spam emails sent daily. This is also a concern in Singapore, with the number of scam and cybercrime cases increasing by 49.6% to 50,376 cases last year, according to the Singapore Police Force’s annual scams and cybercrime brief for 2023.

“Humans are the weakest link in the system. We’re trusting people and society needs us to trust one another,” says Tom Tovar, CEO and co-creator of Appdome, on why scams are still the most common form of cybercrime.

He adds: “In an efficient society, you need to have trust, social norms, and expectations about how we’re going to interact with each other. It shouldn’t be that hard to imagine someone who wants to do something nefarious to prey on that. And it’s easier to prey on that than it is to prey on systems.”

With the world going mobile and with more people using mobile apps, Tovar recognised that there was a gap in keeping the apps and their users secure as apps got more complex. This is why he decided to establish Appdome in 2011, which uses machine learning to generate security codes to match apps.

“If you’re a brand with a mobile app that consumers use, you need increasingly higher skilled labour to keep it safe. But you just can’t find those people as there’s a skill shortage. So my idea was to create a vending machine for mobile app defence. I wanted to create a technology platform that allowed a developer to choose what they needed and have a machine building for them. There are just certain things that machines are better at doing,” Tovar tells DigitalEdge.

Attacking the ‘humanity’ in the system

Hackers, notes Tovar, mostly attack the “humanity” in the system or exploit the common mistakes people make when they’re building the systems. “[Scams are prevalent because] it’s easier to exploit the human input in a system than a machine’s output. Large parts of the digital and mobile ecosystem are also unprotected, giving attackers an advantage,” he says, adding that most mobile applications, sadly, do not protect the data of their users.

He continues: “[Some apps] don’t protect your user credentials or the connection between the app and the back-end, which means [an] attacker has informational advantage.” For example, when an attacker calls to impersonate a trusted organisation and tells the victim their personal information like their home country and last four digits of their identification, it means the organisation did not effectively protect that customer information.

The onus is on businesses

While most companies have issued messages to warn individual customers about the things to look out for or avoid, Tovar believes the duty to disrupt scams lies with the organisations themselves. It is beyond individual customers to fend off scammers even if they are aware and cautious.

“The level of sophistication of cyberattacks has outpaced an individual consumer’s ability. I don’t think individuals are equipped to determine the difference between what’s real or not. I think organisations have to step forward and do more,” he states.

He continues: “There are always things you can tell consumers like hang up a call that seems fishy [or] phone your bank [to verify]. But scams [are not limited to] phone calls. They are coordinated attacks on the device and they can intercept your call so you may not know that you’re still in the scam.

“The scam call you get is usually the last step on the social engineering aspect. They have gathered information on you using artificial intelligence (AI) or bots, and they’ve got malware on your device or keystrokes. All of these enable them to have a rich profile of who you are [even before] they call you.”

Organisations therefore must prevent scam attacks and intervene when such attacks happen. “Breaking the cycle of that attack is an important element to how you keep people safe,” he asserts.

Tovar applauds the Singapore government’s initiative to have companies take more responsibility for scam attacks. The Monetary Authority of Singapore and Infocomm Media Development Authority released a joint consultation paper to propose a shared responsibility framework for phishing scams. The framework assigns financial institutions and telecommunication companies relevant duties to mitigate phishing scams. These companies are also required to provide payouts to scam victims if they breach their duties.

The framework will also focus on a defined set of phishing scams where consumers are deceived into revealing their account credentials to scammers. To this end, Tovar believes banks should protect the user and user experience in addition to protecting their data and network.

“Part of keeping users safe is that the defence has to be at the level of the consumers [and] not just in the network. There is still too much talk about protecting corporate data and network but not enough about the user and user experience. Changing the mindset from protecting the network to protecting brand promise and the user experience is a very big shift and calls for adding more defence in [the] mobile app instead of [the] network,” he adds.

Practical steps

Besides embracing things like Singapore’s shared responsibility framework, Tovar advises organisations to adopt technologies that make it easy for them to defend against scams.

Chief information security officers (CISOs) and cyber teams should also conduct data scanning to discover which files contain sensitive data and apply the appropriate cyber defence tools to protect those data. One of the best practices, in Tovar’s view, is that cyber defences should be data-driven and not community-driven. “The key is how quickly you can close the window of attack. You’re not going to stop all attacks but be preventative in all places. [You] need to remain agile so you can respond quickly to new things, [then] you’re going to do everyone a great service,” he says.

Organisations should also shift the economic outcomes for attackers, in which case the attackers will probably end up moving on to other places that are more lucrative. “I hope that organisations will make cybersecurity a bigger part of the conversation when they talk to their customers,” he concludes.

© 2025 The Edge Publishing Pte Ltd. All rights reserved.