ZapFraud fights back at email scammers, phishers

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Rodi­ka Tollef­son, ThirdCertainty

As social engi­neer­ing becomes eas­i­er thanks to social media, data breach­es and automa­tion tac­tics, scam­mers are shift­ing to more tar­get­ed, high­er-yield scams. And they’re becom­ing savvi­er at craft­ing their mes­sages as well as avoid­ing detec­tion through spam filters.

ZapFraud, a start­up offi­cial­ly launched in May that offers online scam block­ing ser­vices, is hop­ing that tech­nol­o­gy that fights email scams even­tu­al­ly will become as ubiq­ui­tous as anti-virus soft­ware is for detect­ing malware.

The com­pa­ny believes scams will con­tin­ue to esca­late as more data is breached, and is posi­tion­ing itself as a leader in fight­ing online scammers.

Frank Caruana, ZapFraud chief revenue officer
Frank Caru­a­na, ZapFraud chief rev­enue officer

ZapFraud has at least a two-year lead time over any­one else, not only with intel­lec­tu­al prop­er­ty and data research, but also patents,” says Frank Caru­a­na, the company’s chief rev­enue offi­cer. “We’re solv­ing a prob­lem that nobody else seems to be solv­ing, and we’re doing it in a unique way.”

Shift to tar­get­ed scams

Markus Jakob­s­son, founder of ZapFraud, start­ed his career in the late ’90s research­ing how hack­ers could use com­put­ers to deceive peo­ple, includ­ing by spoof­ing brand names.

Jakob­s­son, who has a doc­tor­ate in cryp­tog­ra­phy, real­ized that social engi­neer­ing and spoof­ing could be used togeth­er to steal people’s credentials.

Markus Jakobsson, ZapFraud founder
Markus Jakob­s­son, ZapFraud founder

That con­cept of phish­ing was new then, but by the time Jacobsson’s research was pub­lished in 2005, phish­ing had become a grow­ing prob­lem. The Anti-Phish­ing Work­ing Group report­ed this May that there were at least 123,972 unique phish­ing attacks in 2014, the largest num­ber since 2009.

This is a tremen­dous threat—whether against indi­vid­u­als and their trust of the infra­struc­ture, or against soci­ety and its insti­tu­tions,” Jakob­s­son says.

The FBI’s Inter­net Crime Com­plaint Cen­ter aver­ages near­ly 300,000 fraud inci­dents a year, but esti­mates that only about 10 per­cent of vic­tims actu­al­ly report being scammed.

Secu­ri­ty & Pri­va­cy News Roundup: Stay informed of key pat­terns and trends

Jakob­s­son says that although many peo­ple are embar­rassed to talk about being vic­tim­ized, both con­sumers and orga­ni­za­tions are start­ing to real­ize the risks they’re exposed to and are look­ing for ways to defend themselves.

The more data­bas­es get breached, the more per­son­al con­sumer data ends up with scam­mers,” he says. “Which helps them launch tar­get­ed scam attacks against people—with an esti­mat­ed 10 times the yield of non­tar­get­ed attacks.”

In 2011, Cis­co Sys­tems, a tech­nol­o­gy com­pa­ny that designs, man­u­fac­tures, and sells net­work­ing equip­ment, not­ed a shift in cyber­crime mod­els: An over­all 80 per­cent decline in spam attacks as cyber crim­i­nals focused more on tar­get­ed and spear phish­ing scams. They were start­ing to use more per­son­al­ized tools for bet­ter vic­tim “con­ver­sion.”

Bill Leddy, ZapFraud, chief architect
Bill Led­dy, ZapFraud, chief architect

Bill Led­dy, chief archi­tect at ZapFraud, says in the past three months there has been an even more promi­nent shift. He says email providers are get­ting bet­ter at cap­tur­ing high-vol­ume spam, so the bad guys are adapting.

We believe we’re at an inflec­tion point where the pre­vi­ous mass scams are now going to tran­si­tion over to these tar­get­ed scams, and you’re going to get scam­mers with a much high­er rate of return than in the past,” he says.

This new breed of bad actors has come a long way, often sim­ply chang­ing links to point unwit­ting recip­i­ents to a scam site.

Val­ue proposition

ZapFraud fil­ters through emails, scan­ning for known scam sto­ry­lines and vari­a­tions, as well as oth­er data. Known scams are auto­mat­i­cal­ly flagged while oth­er cat­e­gories get addi­tion­al scrutiny.

The com­pa­ny also has a free ser­vice. Any­one can for­ward a sus­pi­cious email to and receive an autore­spon­der with­in min­utes that reports whether the mes­sage is a scam, a safe or a sus­pi­cious email.

The free autore­spon­der is both a pub­lic ser­vice and a way for ZapFraud to build its scam data­base for bet­ter-auto­mat­ed detec­tion. Led­dy says since the free ser­vice doesn’t auto­mat­i­cal­ly scan and fil­ter incom­ing emails, many peo­ple are still will­ing to pay.

The com­pa­ny is talk­ing to poten­tial part­ners such as cred­it-risk and fraud-pro­tec­tion ven­dors inter­est­ed in offer­ing ZapFraud as a val­ue-added or inte­grat­ed solu­tion to their own clients.

The com­pa­nies we’re talk­ing to are always look­ing for inno­v­a­tive ways to give val­ue to cus­tomers,” Caru­a­na says. “In the secu­ri­ty space, that’s not always easy to do because you don’t have many new oppor­tu­ni­ties for inno­v­a­tive ways to give val­ue to customers.”

Posi­tioned to grow

Jakob­s­son was com­pelled to find an anti-scam solu­tion when he learned that a rel­a­tive was a vic­tim of repeat­ed email scams.

He launched ZapFraud in 2013. After two years of R&D, last fall the team had a break­through in its algo­rithm that took the accu­ra­cy rate to 99 per­cent and a low lev­el of false pos­i­tives, accord­ing to Leddy.

ZapFraud like­ly won’t have a short­age of cus­tomers. As cred­it card secu­ri­ty improves through chip and pin tech­nol­o­gy, and online authen­ti­ca­tion improves, scam­mers have to find new ways to troll for victims.

Caru­a­na notes that many com­pa­nies focus on secu­ri­ty and authen­ti­ca­tion but for­get about the biggest vul­ner­a­bil­i­ty, the human link.

The bad guys are find­ing ways to not over­ride the secu­ri­ty but to find a loop­hole and are get­ting the con­sumer to par­tic­i­pate in their own secu­ri­ty demise,” he says.

More on emerg­ing best practices
3 steps for fig­ur­ing out if your busi­ness is secure
5 steps to secure cryp­tog­ra­phy keys, dig­i­tal certificates
6 steps for stop­ping hacks via a con­trac­tor or supplier

Posted in Cybersecurity, Data Security, News & Analysis