ZapFraud fights back at email scammers, phishers
By Rodika Tollefson, ThirdCertainty
As social engineering becomes easier thanks to social media, data breaches and automation tactics, scammers are shifting to more targeted, higher-yield scams. And they’re becoming savvier at crafting their messages as well as avoiding detection through spam filters.
ZapFraud, a startup officially launched in May that offers online scam blocking services, is hoping that technology that fights email scams eventually will become as ubiquitous as anti-virus software is for detecting malware.
The company believes scams will continue to escalate as more data is breached, and is positioning itself as a leader in fighting online scammers.
“ZapFraud has at least a two-year lead time over anyone else, not only with intellectual property and data research, but also patents,” says Frank Caruana, the company’s chief revenue officer. “We’re solving a problem that nobody else seems to be solving, and we’re doing it in a unique way.”
Shift to targeted scams
Markus Jakobsson, founder of ZapFraud, started his career in the late ’90s researching how hackers could use computers to deceive people, including by spoofing brand names.
Jakobsson, who has a doctorate in cryptography, realized that social engineering and spoofing could be used together to steal people’s credentials.
That concept of phishing was new then, but by the time Jacobsson’s research was published in 2005, phishing had become a growing problem. The Anti-Phishing Working Group reported this May that there were at least 123,972 unique phishing attacks in 2014, the largest number since 2009.
“This is a tremendous threat—whether against individuals and their trust of the infrastructure, or against society and its institutions,” Jakobsson says.
The FBI’s Internet Crime Complaint Center averages nearly 300,000 fraud incidents a year, but estimates that only about 10 percent of victims actually report being scammed.
Security & Privacy News Roundup: Stay informed of key patterns and trends
Jakobsson says that although many people are embarrassed to talk about being victimized, both consumers and organizations are starting to realize the risks they’re exposed to and are looking for ways to defend themselves.
“The more databases get breached, the more personal consumer data ends up with scammers,” he says. “Which helps them launch targeted scam attacks against people—with an estimated 10 times the yield of nontargeted attacks.”
In 2011, Cisco Systems, a technology company that designs, manufactures, and sells networking equipment, noted a shift in cybercrime models: An overall 80 percent decline in spam attacks as cyber criminals focused more on targeted and spear phishing scams. They were starting to use more personalized tools for better victim “conversion.”
Bill Leddy, chief architect at ZapFraud, says in the past three months there has been an even more prominent shift. He says email providers are getting better at capturing high-volume spam, so the bad guys are adapting.
“We believe we’re at an inflection point where the previous mass scams are now going to transition over to these targeted scams, and you’re going to get scammers with a much higher rate of return than in the past,” he says.
This new breed of bad actors has come a long way, often simply changing links to point unwitting recipients to a scam site.
ZapFraud filters through emails, scanning for known scam storylines and variations, as well as other data. Known scams are automatically flagged while other categories get additional scrutiny.
The company also has a free service. Anyone can forward a suspicious email to email@example.com and receive an autoresponder within minutes that reports whether the message is a scam, a safe or a suspicious email.
The free autoresponder is both a public service and a way for ZapFraud to build its scam database for better-automated detection. Leddy says since the free service doesn’t automatically scan and filter incoming emails, many people are still willing to pay.
The company is talking to potential partners such as credit-risk and fraud-protection vendors interested in offering ZapFraud as a value-added or integrated solution to their own clients.
“The companies we’re talking to are always looking for innovative ways to give value to customers,” Caruana says. “In the security space, that’s not always easy to do because you don’t have many new opportunities for innovative ways to give value to customers.”
Positioned to grow
Jakobsson was compelled to find an anti-scam solution when he learned that a relative was a victim of repeated email scams.
He launched ZapFraud in 2013. After two years of R&D, last fall the team had a breakthrough in its algorithm that took the accuracy rate to 99 percent and a low level of false positives, according to Leddy.
ZapFraud likely won’t have a shortage of customers. As credit card security improves through chip and pin technology, and online authentication improves, scammers have to find new ways to troll for victims.
Caruana notes that many companies focus on security and authentication but forget about the biggest vulnerability, the human link.
“The bad guys are finding ways to not override the security but to find a loophole and are getting the consumer to participate in their own security demise,” he says.
More on emerging best practices
3 steps for figuring out if your business is secure
5 steps to secure cryptography keys, digital certificates
6 steps for stopping hacks via a contractor or supplier