Real Time Website Protection for Security Leaders to Stop Push Button Scam Kits with Kate Cox

Episode Overview

​​Kate Cox serves as the Head of Business Development at Memcyco, a cybersecurity firm specializing in real-time detection and prevention of digital impersonation and phishing attacks. With a career spanning over a decade in the cybersecurity sector, Kate has developed a profound expertise in fraud detection, digital trust, and consumer protection. Her role at Memcyco involves spearheading strategic partnerships and driving initiatives that enhance the company’s mission to safeguard businesses and individuals from the escalating threats of online fraud. Based in London, Kate’s leadership has been instrumental in positioning Memcyco as a frontrunner in the cybersecurity landscape. ​

Beyond her corporate responsibilities, Kate is a prolific author and thought leader in the cybersecurity community. She has contributed extensively to Memcyco’s blog, addressing critical topics such as the distinctions between spoofing and phishing, the complexities of third-party fraud, and the intricacies of the threat intelligence lifecycle. Her articles, including “The 5 Biggest Phishing Attacks of 2024” and “The Sky High Dangers Of Impersonation Fraud In Airlines Websites,” provide in-depth analyses and actionable insights, reflecting her commitment to educating both businesses and consumers on emerging cyber threats.

Kate’s expertise is also recognized in the broader cybersecurity discourse. She was featured on the Data Protection Gumbo podcast, where she discussed the alarming rise of digital impersonation attacks and the role of artificial intelligence in enhancing the sophistication of scams. In this episode, Kate shared eye-opening statistics, real-world examples, and practical strategies to protect individuals and organizations from these growing threats. Her insights underscore the importance of proactive measures and continuous vigilance in the face of evolving cyber threats.

Episode Transcript

Kate Cox: The spoof site is is going live as soon as that customer is clicking on it. We’re telling you, this is the site. Here’s a screenshot of it. Here’s the domain. We’re immediately taking it down and requesting to take it down rather. Um, now the issue with the take downs and this is the window of exposure part of it. Obviously there’s already take down solutions. They’re already scanning so it can take hours, days, weeks, months sometimes depending on where that domain is registered to take down these fake websites in that time. How many consumers are clicking on that site?

Kevin Rosenquist: Hey there. Welcome to PayPd where we bring you conversations with the trailblazers shaping the future of payments and fintech. My name is Kevin Rosenquist. Thanks for listening. Today I’m excited to sit down with Kate Cox. Kate handles business development at Mexico, a company tackling one of the most pressing challenges in our digital world, protecting businesses and their customers from online impersonation and fraud. Kate and her team are on the cutting edge of real time threat detection, helping organizations safeguard their brands, their platforms and their users from increasingly sophisticated cyber threats. In this episode, we’ll break down how Memsql identifies fake websites the moment they go live and prevents account takeovers. And we discussed the importance of building digital trust in a world where security is everything. As she points out, we have to be part of this digital world, so we need to feel safe in it as well. Joining me from just outside of London, Kate Cox. So how common are fake versions of company websites and account takeovers today?

Kate Cox: Unfortunately incredibly common. I mean, for particularly, I would say for financial institutions, we can be talking thousands upon thousands of fake websites targeting these organizations, it is at least a daily occurrence, if not hourly. When we’re talking about some of the global brands that we interact with on a daily basis. They are pretty much being targeted constantly by fake websites that with the intention of harvesting consumer credentials to card details, um, and then those credentials being either utilized immediately for account takeovers or sold on the dark web, and then being used by fraudsters further down the line to carry out the account takeovers and even more fraudulent activities.

Speaker3: How do people get.

Kevin Rosenquist: The consumer to the fake website? Is it through like email campaigns and stuff?

Kate Cox: So yes, that’s kind of the difference between what is phishing and what is the spoofing, for example. So the phishing is the methodology. Are you receiving a text message, an email that’s directing you to a link to click on one of these fake websites, which is where the actual impersonation has has taken place off the fake website. So typically they would be the bad actors would be spoofing, cloning the original website, taking some elements of the original website to make it look legitimate. And then once that website is built and the domain registered, they’re utilizing the phishing campaign, sending out emails, text messages. Typically, when that’s come from some sort of data breach from a, you know, a previous data breach, those lists are available for bad actors to to go and start firing out these phishing campaigns to direct them to the fake websites.

Kevin Rosenquist: And then they’ll have like something that looks like an account login section. Is that kind of what. And then and then that’s when they take, they take your your login and then do they get in and get your information that way.

Kate Cox: Typically yes that’s what I mean. It’s I believe it kind of depends on the organization. So if you’re dealing with bank accounts, fake websites targeting bank accounts, Um, then it’s probably going to be a login page that’s being copied. That’s what we see. Typically, if you’re dealing with retail impersonations, e-commerce, it could be the payment page. If you’re dealing with, um, I’m sure we’ve all received them. The package delivery companies, um, some very well known brands out there that I’m sure we’ve all received the fake messages where you’ve got to pay a delivery fee, for example, because there’s a package that’s supposed to come to you, but you need to click this link and pay a fee for it to be delivered. Um, so that might be a payment page. So typically I would say it would be your login credentials or it would be your payment information. That’s going to be the most valuable.

Speaker3: Yeah.

Kevin Rosenquist: With AI these days, I mean, you don’t have to be a coder to make a website. I mean, it’s so ridiculously easy. I mean, when Squarespace came along and Wix and all that, it was like, oh, you don’t have to be a graphic designer to make a website. Now, you don’t even have to code. You don’t have to do anything. It’s just just clicks. Are you finding, since A.I. has kind of come in and ChatGPT kind of blew everything up that that there’s more of an issue with this because people can create websites easily.

Kate Cox: There’s absolutely more of an issue with the growth of AI. Fish kits have become an incredibly prevalent way of creating these fake websites. Like you said, you don’t have to be a proficient hacker to build one of these. You can use a fish kit and literally at the push of a button with someone with no experience in cyber or hacking or any sort of technical know how, can create not only the fake website, but it’s even going to the extreme where it will create the entire campaign for you. So it will send out the emails. It will, you know, it will register the domains, it will create the website, it will send out the messages all at the push of a button thanks to AI.

Kevin Rosenquist: Wow. Yeah, yeah. You don’t have to be neo from the matrix or or the or the kid on, uh, Mr. Robot anymore in order to make it work. Right?

Kate Cox: Indeed.

Kevin Rosenquist: All right, well, let’s go ahead and talk about Mexico and your use of I and the skanless approach to detecting and countering phishing and fake site attacks. Can you kind of talk about how your methodology differs from the standard and and what what exactly it does?

Kate Cox: Sure. So traditionally, when it comes to fake websites impersonating brands, the majority of organizations will have some sort of threat intelligence tools or that in place that are scanning the web looking for fake versions of their website, fake domains, and then they will request the for them to be taken down? Absolutely. There is a place for that and it’s very much needed. What Mexico are trying to do or are doing, and going a step further is being able to identify these spoofed and cloned sites, or sites that have taken even the tiniest crumb of the original website in real time, the second that it’s launched, the second that your customers are being directed to it Stuff and then going a step further in that. At the moment, organizations don’t have any visibility into which of their customers are clicking on these sites in real time. The moment that it happens, they’re finding out about these scams, these their customers falling victim and being defrauded after the event, after the damage is done, when the customer is calling up and complaining, you know, I clicked on this or I’ve had money go out of my account or I’ve paid for something and I didn’t receive the item. That’s the point they’re finding out. And what Mexico are doing is bringing that visibility a lot earlier, so that the consumer can be protected at the earliest possible opportunity. So not only is it a case of detecting these sites the second they go live, so that they can immediately start the takedown process and minimize that window of exposure. But it’s also about identifying the end users that are clicking on them immediately so that the customers can be protected, Acted, and then going even further by actually preventing the credentials or the card details being harvested on the spoofed sites themselves. So that’s what Mexico is, is taking to the next level.

Kevin Rosenquist: And the key is I mean it’s like real time right. Mhm. That’s that’s incredible. I mean we just talked about how much more sophisticated things are getting how you know, I know we talked a little bit before like we’re not going to get too deep in the weeds in technology. But but can you kind of talk to the about how the technology identifies those attempts early on and what happens when a potential takeover is detected?

Kate Cox: So as I mentioned, one of the things that, um, is currently happening is that organizations are having to wait for customers to, to reach out to them and complain, or that they’ve noticed something amiss on one of their accounts. What are proprietary technology is doing which can’t go into too much detail on sure, but it’s to do with device fingerprinting and behavioral activity of the consumer, and matching that up with our other technology, which is tracking the original website and any crumbs of it that get moved onto a spoofed site so that we can combine that information of, this is a fake site, this is your customer, this is clicking on it. That information can be fed immediately to threat intelligence teams, fraud risk engines, or via an API, so that that risk can be mitigated in real time. So some of the organizations that we work with, some banks, for example, they get a notification that the customer has clicked on the fake site. They can immediately freeze their account, reset their password, issue new card if required, send out some personalized educational content to warn them about scams. Um, immediately stopping the damage further down the line and preventing the account takeover.

Kevin Rosenquist: That’s incredible. I mean, that’s like, who wouldn’t want that, right? I mean.

Kate Cox: Well, that’s what I think.

Kevin Rosenquist: Yeah. I mean, that’s, you know, because I mean, you’re talking basically as soon as they’re live, your system kind of detects it. Right. Mhm. Right.

Kate Cox: As soon as the spoof site is, is going live, as soon as that customer is clicking on it, we’re telling you this is the site. Here’s a screenshot of it. Here’s the domain. We’re immediately taking it down and requesting to take it down rather. Um, now the issue with the takedowns and this is the window of exposure part of it, obviously there’s already takedown solutions. They’re already scanning so it can take hours, days, weeks, months sometimes depending on where that domain is registered to take down these fake websites in that time, how many of the of how many consumers are clicking on that site?

Kevin Rosenquist: Yeah, there’s a lot of.

Kate Cox: Damage.

Kevin Rosenquist: That.

Kate Cox: Can be done handed over their credentials. How many of them have then had their account taken over and fraudulent activity taking place? There’s no visibility of that, right? When you have a solution like Mexico in place, you have that visibility. The window of exposure gets minimized and there is protection for the duration of that window of exposure.

Kevin Rosenquist: Mhm. You’re on the business development side of things. Um can you kind of talk to the the idea of digital trust? We all are pretty I talk about this on this podcast a lot. A lot of us are pretty cavalier with our data. Right. We don’t necessarily read the fine print. We agree a lot and all that stuff. But we expect the companies that that we work with, especially when it concerns our money to be to have the best security and all that stuff. Can you kind of talk about how what you know, what Mexico does to help companies build that digital trust with their customers?

Kate Cox: Certainly, I think this is a really interesting topic, actually. Digital trust in general, as the world has, particularly since Covid, you know, has moved to a more digital environment. We’re interacting so much more. Our banking is done online. We’re shopping online. You know, our healthcare, everything is digital. Um, which leaves us open to much more digital risk, which means we require a bit more digital trust as well. The impact of that, of these sorts of scams, um, and impersonation attacks and, and phishing attacks, or whichever terminology you want to use, is that people don’t trust the digital world anymore. I myself, especially working in this industry, I’m reluctant to click on anything. So it goes in the other direction. Then in that we’re we’re moving towards this digital world, but we’re getting more reluctant to interact digitally because we can’t always trust the communications that we’re receiving. Funnily enough, I had a, um, a friend of mine saying that she wanted to do her her Christmas shopping, but she was scared to be ordering online because she was worried that she was going to click on a fake website and get scammed. So it’s moving us into a different direction. Even though we’re supposed to be moving to a more digital world, we’re becoming more digitally averse because of the risk of these attacks. So what can we do to combat that? There’s a lot that organizations have to do. A big part of that is education and awareness. Now a lot of organizations are putting this into place. I believe the majority of the websites that you go onto is going to have a section about fraud and security and sharing information and making sure that you’re checking the links and things like that. That’s all very well, but I trying to remember the exact percentage, but I think it’s somewhere over 80% of fake websites actually have the Https security certificate. So that’s not something that can be even trusted anymore. My advice?

Kevin Rosenquist: Be honest. How many people actually look for that to make sure that their website is the website they’re on is legit, right? I mean, I don’t I don’t know that.

Kate Cox: And especially when you’re, you know, clicking on something on your phone because you’re not always seeing that full URL at the top, are you?

Kevin Rosenquist: Yeah.

Kate Cox: It’s not always going to be checked. So in my opinion, when it comes to, I think, believe that organizations do have to start taking a bit more responsibility in protecting consumers from these scams. And I’m not the only one that think that 73% of consumers believe it’s the brand’s responsibility to protect them from these types of attacks, and 81% of consumers would actually stop engaging with the brand that’s been known to be impersonated where people have, you know. So I do think that brands and organizations have got to take a bit more responsibility on protecting their consumers from falling victim to these sorts of attacks and trying to improve that digital trust, not just through education and awareness, through tools, through solutions, and also through sharing information. I’ve been to numerous conferences over the last 12 months, and one of the biggest takeaways that’s coming from all of these, these organizations is we have to start sharing more data and finding a way to do that to protect more people.

Kevin Rosenquist: Yeah, I’m on that side. I feel like like I expect the brands if I’m on a on a company’s website, I expect that brand to protect my, my data. You know, I mean, how can otherwise what it’s just like the Wild West. Like there’s not much you can do, you know, like that’s that’s your only chance. And, you know, AI is moving fast. That’s not a hot take. That’s pretty obvious. But I mean, is it difficult to try to keep up? I mean, like, is the the threats keep getting more sophisticated. So the defense has to keep getting more sophisticated. And it’s just moving so fast that I can’t even imagine being in the position of somebody like, like Mexico trying to keep up with that. It’s got to be tough.

Kate Cox: It’s developing constantly. And I do believe that with the progression of AI for these threats, the progression of AI to combat them is keeping pace. I do believe that we that we are getting ahead of that, not just Mexico. Many organizations that are utilizing AI and moving towards machine learning and AI to actually combat these threats proactively and preemptively. I think one of the things that we’re seeing with AI is that preemptive intelligence to build a picture to mitigate the risk, that’s that’s where I believe that it’s becoming of huge value if being able to preempt these issues.

Kevin Rosenquist: Yeah, I think that that’s got to be the key, right. You got to be proactive. You can’t just react to things anymore. You used to be able to okay, we’ve been breached okay. That’s not so bad. We can we can stop this. We can shut this down. We can do this. But now that’s the difference. You can’t get you can’t do that anymore.

Kate Cox: No, I believe that that is the the major difference. And for all the the cyber and fraud teams that we speak to, everyone is moving towards a more proactive stance. And like you say, historically it has been reactive and all of the organizations that we’re speaking to are very keen to move towards preemptive, proactive approaches.

Kevin Rosenquist: You talked a little bit about how business some of the things businesses can do to try to to to stay, you know, sharp, whether it’s education or whatever. What do consumers need to do? How can they be better at protecting themselves?

Kate Cox: That’s a really tough question because there’s so many threats facing them. And digital impersonation, um, is a huge part of it. But as these threats progress, um, these bad actors and these fraudsters are utilizing multiple ways to target consumers. So where it may have just been a fake website in the past and expecting people to, you know, share their credentials and their card details, which does still happen. They’re also being used in conjunction with social engineering in general. So these bad actors aren’t just using the fake websites themselves. They’re taking the information that’s been collected from the fake websites. And then because of the evolution of things like multi-factor authentication, which is great, but then what they’re doing is introducing social engineering as well and then calling, putting pressure on. And so my biggest thing that I always say to people is any sense of urgency that you get from somebody when you’re getting an email or a text message or a phone call, if there’s a sense of urgency for you to share information, move something, stop. Stop what you are doing because there’s a very high chance that this is a scam. So that’s the advice I give to most people. Just pause, you know, go back. Check. Have you said, you know, what links have you clicked on? What number is this person calling from if there is that part of it. If there’s any sense of urgency, stop. Reach out to the organization yourself directly. Which then leads to a whole other problem of SEO poisoning. But that might be a whole other subject.

Kevin Rosenquist: Yeah, yeah. No, we don’t have time for that. But, uh, yeah, you’re right. You’re you’re absolutely right. Yeah. I’ve gotten I had something recently where somebody, uh, like, it was like a fake email that basically asked me to, uh, they said they were interested in me being a podcast host for them, and they were a major, a major player in the podcasting space. And but they were like, we need to talk today. We need to do this right now. It’s like it was like this immediate thing. And I knew right away I’m like, none of these companies moved that fast. So like, there’s no there’s no way that that’s an issue. So it’s a great, great tip to like, if somebody’s pushing you, if you’re feeling like if you’re feeling like you’re being rushed, pause.

Kate Cox: For me, that’s that’s the, the main thing that I see and and talk about and hear in all the, the people that I speak with, all the conferences that I’ve been to, the main, consistent thing is urgency, pressure. Watch out for it.

Kevin Rosenquist: Yeah. I mean, it makes sense because they want they need to get they know their window is small, so they’ve got to get as much as they can while they while they can. Yeah.

Kate Cox: Yeah I’m glad that you picked up on that one and didn’t fall for anything.

Kevin Rosenquist: Right. Yeah, I know, I was like, I actually forwarded it to the company. And I’m like, I, you know, let me know if this is real because I’d be interested. But like, you know, but I’m pretty sure. And they’re like, yeah, no, that’s not that’s not us.

Speaker4: But yeah, you did exactly what I would have advised then.

Kevin Rosenquist: Yeah, it was really convincing. I mean, I gotta say it was pretty, pretty impressive. And I know that businesses struggle sometimes with the fact that, like, you know, you don’t want, like, bottlenecks. You know, you don’t want you want to make sure that you have a good user experience, you don’t want friction. And we and we all do it right. We’re all just like, you know, I’m trying to you know, my son’s freaking out about downloading some new game on his tablet. And I’m just like, agree. Fine. Whatever. You know, And I need to stop doing that. And I try not to do that, but we all kind of we all kind of move too fast. A lot of times when it comes to data and when it comes to websites and apps.

Kate Cox: This is interesting that you use that word friction because there’s um, we say Mexico itself is frictionless solution. You know, we’re completely agentless. We don’t require consumers to, to download anything or log into anything for them to be able to be protected or for us to identify that they’ve clicked on a fake website and then protect them from falling victim. However, what organizations may do with the information that we provide is maybe add a little element of friction to ensure that people are protected. So when we’re providing that information of this customer has clicked on a link, this customer has shared information. Or I mean, we prevent their information from from being used by the bad guys because we scramble it. But what the organization can then do with that, as I mentioned, is, you know, freezing the account or changing the card details. It adds a little bit of friction, but it’s that time to pause to make sure that some that something worse doesn’t happen. So okay, you might have a pause for a couple of minutes or however long it may be, but to me, that’s the better alternative than being defrauded out of thousands of pounds or dollars.

Kevin Rosenquist: Yeah. I mean, we’re just so impatient, right? And that’s, you know, we’re so used to having everything right away that that. Yeah. Those few minutes you’re talking about, some people would be like, this is the worst day of my life. You know, trying to having having to pause on that as security regulations, you know, everything related to AI from a compliance standpoint and all that constantly changing. And obviously we’ve got a long way to go. You guys over there are a little ahead of us. We’re kind of behind on the regulations and things like that. Do you find it difficult to try to keep, to keep up, like to balance innovation with still being in compliance, especially when dealing with financial institutions?

Speaker4: It’s really interesting.

Kate Cox: For different parts of the world, actually, um, it’s that’s a really interesting point that you raised, because when you’re dealing with the UK and Australia and Singapore, there are lots of, as you mentioned, you know, compliance regulations in place to protect the consumer. There’s I would still say there’s the same appetite across the world when it comes to protecting and ensuring that everything is compliant. But there’s different driving points, I would say, because when you’re dealing with areas that have got these mandates and regulations in place that consumers have to be reimbursed, obviously they have got an incentive to making sure that they’re compliant because otherwise they’re going to be paying out more in, in compensation.

Speaker4: Right.

Kate Cox: Um, whereas then you’ve got the US where there’s a bit of catching up to do, but it comes to the, um, the regulations and compliance, but we can see it happening. You can see that there’s been you know, I won’t mention names, but there’s been some some lawsuits and there’s been some things in the news. And that goes back to that digital trust and the brand reputation. And how much of an impact is that having on the the customers actually doing business with them if they aren’t being compliant? So I would say there’s appetite on, on, on all areas, but I’d say there’s different points that are driving it.

Kevin Rosenquist: As far as the future goes. Obviously it changes fast. And I’m not not asking you to predict the future, but what’s the next thing that Mexico is going to kind of move towards? What are there other threats you think are that need to be addressed?

Kate Cox: Yes. So we’ve got a few things in the pipeline, um, coming out in 2025. So session hijacking is something that we’re going to be working on man in the browser.

Kevin Rosenquist: So what’s next for Mexico or what’s what’s what are the next threats that we we need to be aware of and that you guys already are, and that you’re working to, to protect people from.

Kate Cox: Well, there’s always lots of threats to consider, unfortunately. But a couple of things that we’ve got coming up are will be to address um, session hijacking and um, man in the browser attacks, which uh, we see becoming more prevalent over the next year or two.

Kevin Rosenquist: Can you kind of talk about what man in the browser and session, uh, what was it? Session attacks.

Kate Cox: Uh, session hijacking.

Kevin Rosenquist: Session hijacking. Yeah.

Kate Cox: Yeah. So session hijacking, in essence, it’s about the attacker taking control of an authenticated session. So which allows the hijacker to impersonate the victim, access whatever resources the victim can access, and carry out actions within the already authenticated application without needing to authenticate themselves. Well said. Authenticate a lot there.

Kevin Rosenquist: That’s okay. And man in the browser which that one was uh, that that’s kind of is it similar.

Kate Cox: Man in the browser is moving towards using malware to actually infect the user’s browser. Um, so that they can modify the the bad actor can modify transactions and capture session information without the user ever being aware.

Kevin Rosenquist: Man. Terrifying stuff. Kate. Terrifying stuff.

Kate Cox: Yeah, sorry about that. But we’re here to try to help. We’re here to try to help and get people protected from these sorts of things so that people can live and, you know, use everything in a digital world safely.

Kevin Rosenquist: Are you do you find, since you’re since your time at Mexico started, that that you’ve, like, changed the way you browse and change the way that you use your cell phone and all that? I mean, are you way more careful?

Kate Cox: I am way more careful. I’m very wary of clicking on anything. In fact, and my family will sort of double check everything with me now. Um, before that, they will transact.

Kevin Rosenquist: You’re there.

Kate Cox: Um, but yes, I think, you know, we need to live in this world. We need to work. We shouldn’t live in constant fear. I certainly don’t want that to be the case. And that’s something I take great pride in, in working for Mexico, knowing that at the end of the day, me, you, our families are going to be protected from clicking on these sites, sharing information and having that awful moment of realizing that they’ve been scammed. I take great pride in the fact that knowing that getting the message out there about what we’re doing is going to protect so many people.

Kevin Rosenquist: Well, we appreciate it, certainly. And and, Kate, I appreciate you being here very much. Kate Cox with Mexico, thanks for all the insights and the conversation. Really appreciate it.
Kate Cox: Thanks a lot, Kevin. It’s great to be here.