Even in the early months of COVID-19, the anti-fraud industry knew that fraudsters were going to find a way to take advantage of the disruption to normal business operations. In fact, nearly every single anti-fraud professional surveyed by the Association of Certified Fraud Examiners (ACFE) in May 2020 expected to face an increased wave of fraud.
Reality proved much worse. By May 2021, another survey by the ACFE in collaboration with Grant Thornton LLP showed that more than half the organizations polled uncovered more fraud than usual since the beginning of the pandemic. And 20% of those organizations detected a significant increase in fraud crimes.
As we inch closer to a post-pandemic world, the temporary changes in business operations — such as the shift to remote work and a greater reliance on contactless payments — appear likely to be permanent. Consumers have become accustomed to purchasing almost everything online and are not in a hurry to shop in person again (see Amazon’s recent earnings report). These factors, along with continuing economic volatility, have broadened the attack surface and provided more opportunities for bad actors to circumvent traditional anti-fraud controls. Travel restrictions and closed borders have forced organized crime groups around the world to migrate to cyberspace, and recent political unrest in Russia and Ukraine has only increased the risk of attacks on Western power grids and other infrastructure as retaliation for economic sanctions.
While unemployment and insurance fraud are on everyone’s radar, anti-fraud professionals are most concerned about three key risk areas: cyberfraud, social engineering attacks, and identity fraud.
We’ll dig deeper into each of these types and share some best practices to protect your business below.
Cyberfraud is fraud committed via the internet and includes hacking and malware, among other activities. Solid security controls throughout an organization can help prevent hackers from gaining access to sensitive data stored in your network, but they’re not enough to defend against increasingly sophisticated attacks.
The most common type of malware is ransomware: malicious software that encrypts files — either on a single targeted victim’s desktop computer or on an organization’s network of servers — making them inoperable or inaccessible until the target pays a ransom. And even then, there’s no guarantee that the attacker will keep their end of the bargain. Sometimes the data — names, addresses, dates of birth, Social Security numbers, and other personally identifying information (PII) — ends up in the public domain anyway, striking a devastating blow to the hacked company’s brand.
Ransomware attacks are likely to become even more frequent — and dangerous — in the post-pandemic world. Between 2020 and 2021, the number of ransomware attacks grew from about 1,400 to almost 2,700, according to Ransom-DB, a group that tracks ransomware attacks. The group also estimates that 35-40% of attacks resulted in a ransom payment. Projections for the next two to three years show the numbers continuing a steep climb.
To date, the most famous ransomware attack occurred just last year, taking Colonial Pipeline, a major U.S. oil supplier, offline for several days, and causing fuel shortages across the country. The source of the attack? A cybercriminal group called DarkSide, which operates from Russia and eastern Europe.
More recently, several European oil transport and storage companies were attacked, forcing them to operate at limited capacity. While signs point to a coordinated ransomware effort originating in Russia or Ukraine, another theory is that the disruption was caused by a type of malware that collects email addresses and contact lists and uses them to spam malicious attachments or links. Since companies in the same industry or geographic area typically share similar connections, this type of malware is often the culprit behind clusters of incidents.
Other common malware attacks include viruses, bots and botnets, adware, spyware, and spam, but fraudsters’ current favorite is a category all its own: “social engineering.”
Social engineering attacks
Basically, social engineering attacks leverage human interactions to gain the target’s trust and then trick the target into giving the attacker sensitive information. What makes social engineering attacks, such as phishing and spear phishing, so dangerous for companies is that human error is much more difficult to identify, detect, and thwart than the weaknesses in operating systems and software that malware relies on.
While nearly all (96%) phishing attacks are conducted via email, malicious websites can also serve as hosts. This latter type of attack, commonly called “brandjacking,” involves a fake website that looks astonishingly similar to the actual one. When a user is lured by an email to that fake website, they enter sensitive information thinking the site is the real one, giving the bad actors behind the false website all the information they need to wreak havoc. Phishing attempts over the telephone (called vishing) and via text message (called smishing) are less prevalent but do still occur.
While phishing is typically bulk in nature and not personalized, spear phishing targets a specific individual. And when a phishing attack targets a company executive, it’s called “whaling,” because the potential bounty is deemed to be significantly greater than that from a lower-level employee.
What information are these bad actors looking for? User credentials (e.g., usernames, passwords, and PINs), personally identifiable information or PII (e.g., names, street addresses, and email addresses), and medical information (e.g., insurance claim, healthcare provider, and diagnosis/treatment information) top the list.
It’s just this information that fraudsters use to wreak havoc on our personal lives — with good old-fashioned identity fraud.
Whenever data breaches occur, whether through social engineering or other attacks, the information stolen often gets sold on the dark web in bulk to fraudsters. Some sources estimate that there are 15 billion credentials on the dark web — which makes sense given 1.5 billion records were exposed in the United States in 2019 alone.
While fraud is constantly evolving, there are three main types of identity fraud to watch out for in 2022:
Account takeover fraud
Account takeover (ATO) fraud is a type of identity theft where a bad actor poses as a genuine customer to gain control of (take over) an online account, make unauthorized transactions and changes, and/or sell the verified credentials.
Bad actors are often able to perform ATO fraud in bulk by using bot attacks and credential stuffing tools to quickly verify stolen login credentials — sometimes making it look like their login attempts are coming from different IP addresses to bypass security systems. According to Forter, “bots are capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit nearly limitless account takeover.”
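The sketch below is an added example, not code from the original article or from any vendor it mentions. It shows why a per-IP failure counter misses the distributed pattern described above, and how counting distinct failing accounts per time window catches it. The event layout, thresholds, and function names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# Normal traffic: a few users logging in, one mistyped password.
NORMAL = [
    (1000, "198.51.100.7", "alice", True),
    (1012, "198.51.100.8", "bob", False),
    (1015, "198.51.100.8", "bob", True),
    (1040, "198.51.100.9", "carol", True),
]
# Constructed burst: 40 usernames, each from its own IP, within 20 seconds.
BURST = [(2000 + i // 2, f"203.0.113.{i + 1}", f"user{i:03d}", i == 17)
         for i in range(40)]

def per_ip_alerts(events, max_failures_per_ip=5):
    """Classic control: flag any single IP with too many failed logins."""
    failures = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n > max_failures_per_ip)

def stuffing_windows(events, window=60, min_users=20, min_fail_ratio=0.8):
    """Flag fixed windows where many distinct accounts fail, whatever the IP."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts - ts % window].append((ip, user, ok))
    alerts = []
    for start in sorted(buckets):
        rows = buckets[start]
        failed_users = {u for _, u, ok in rows if not ok}
        fail_ratio = sum(1 for _, _, ok in rows if not ok) / len(rows)
        if len(failed_users) >= min_users and fail_ratio >= min_fail_ratio:
            alerts.append({
                "window_start": start,
                "failed_users": len(failed_users),
                "source_ips": len({ip for ip, _, _ in rows}),
                # A success inside the burst is a likely takeover: review it.
                "review_accounts": sorted(u for _, u, ok in rows if ok),
            })
    return alerts

if __name__ == "__main__":
    events = NORMAL + BURST
    print("per-IP alerts:", per_ip_alerts(events))
    for alert in stuffing_windows(events):
        print(alert)
```

On the constructed data the per-IP control raises nothing, while the window check flags the burst and singles out the one account whose login succeeded during it.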
When fraudsters perform account takeovers, they usually attack personal, not corporate, accounts. However, ATO fraud can cost companies money as well. For example, if the affected user disputes the fraudulent transactions, the business may be held liable. In fact, US businesses lost around $5 billion in 2017 due to account takeovers. Additionally, ATO fraud incidents can damage companies’ reputations and make it hard to attract and retain customers. In fact, according to Twilio, 86% of consumers said they’d stop using a business if their account was compromised.
While most types of fraud typically involve a real person’s identity, synthetic fraud creates a whole new identity with real and false information — and it’s the fastest-growing crime in the country, estimated to cause $48 billion in annual online fraud losses by 2023. Basically, synthetic fraud happens when someone combines a real piece of information (e.g., SSN) with fake Personally Identifiable Information (PII) (e.g., birthdates, addresses, or even a permutation on the spelling of the individual’s first or last name) to create a fake identity — and then they use this fake or synthetic identity to open fraudulent accounts, access credit they don’t intend to repay, and make purchases.
Synthetic fraud is more difficult for organizations to identify and protect against because attackers aren’t stealing whole identities. Additionally, when using synthetic identities, fraudsters may use accounts legitimately for months or even years, appearing to be real customers and lulling businesses into a false sense of security.
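One consistency check that follows from the pattern described above, written here as an added example and not taken from the original article: group applications by SSN and flag any SSN that appears with more than one distinct name and date-of-birth pair, noting near-identical name spellings. The record fields, the 0.85 similarity threshold, and the function names are assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed applications; SSNs use the never-issued 000 area, so none is real.
APPLICATIONS = [
    {"id": "a1", "ssn": "000-00-0001", "name": "Jonathan Smith", "dob": "1984-03-02"},
    {"id": "a2", "ssn": "000-00-0001", "name": "Jonathon  Smith", "dob": "1991-07-19"},
    {"id": "a3", "ssn": "000-00-0001", "name": "Maria Lopez", "dob": "1975-11-30"},
    {"id": "a4", "ssn": "000-00-0002", "name": "Dana Wu", "dob": "1990-01-15"},
    {"id": "a5", "ssn": "000-00-0002", "name": "DANA WU", "dob": "1990-01-15"},
]

def normalise(app):
    """Case- and whitespace-insensitive identity key, so re-submissions match."""
    return (" ".join(app["name"].lower().split()), app["dob"])

def ssn_conflicts(applications, variant_threshold=0.85):
    """Return SSNs tied to more than one distinct (name, date of birth) pair."""
    by_ssn = defaultdict(dict)
    for app in applications:
        by_ssn[app["ssn"]].setdefault(normalise(app), []).append(app["id"])
    findings = {}
    for ssn, identities in by_ssn.items():
        if len(identities) < 2:
            continue  # the same person applying twice is not a conflict
        names = sorted({name for name, _ in identities})
        # Near-identical spellings under one SSN match the name-permutation pattern.
        variants = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                    if SequenceMatcher(None, a, b).ratio() >= variant_threshold]
        findings[ssn] = {
            "identities": len(identities),
            "application_ids": sorted(i for ids in identities.values() for i in ids),
            "spelling_variants": variants,
        }
    return findings

if __name__ == "__main__":
    for ssn, detail in ssn_conflicts(APPLICATIONS).items():
        print(ssn, detail)
```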
Another type of identity fraud, the deepfake, is concerning enough to warrant an FBI bulletin warning that “malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.” Also called “synthetic media,” deepfakes are image, video, or audio representations of people seemingly doing or saying things they’ve never actually done or said.
Most criminals use publicly available information to create deepfakes – including social media posts, corporate directory information, emails, and physical documentation such as magazines or photographs. In some cases, deepfake creators stitch portions of real audio or video clips with fake imagery and sound to create an out-of-context, partially true version of original events that’s been modified for a specific purpose. The seeming authenticity of this type of synthetic and sophisticated fraud is what makes it so worrisome: it plays on the natural human tendency to trust people we’re familiar with, so attackers can fly under the radar until it’s too late.
By mimicking the images and voices of customers or staff, deepfakes make it even easier for fraudsters to commit identity theft, fooling a business into granting account access, authorizing purchases, transferring funds, and more.
How to protect your company from fraud
Now that you have the lay of the malware, social engineering, and identity fraud landscape and have a general idea of what to look out for, how can you protect your company?
Unfortunately, there’s no silver bullet to fight fraud. Fraudsters are becoming more sophisticated by the day, and each new type of fraud poses its own unique challenges. However, there are a few best practices that can help guard your business:
- Stay educated. The more you understand how bad actors are committing fraud, the better you can arm your business against them. It’s also important to educate your employees on common types of fraud. For example, showing them how to identify and report phishing emails can reduce the likelihood that they’ll give away sensitive information to a bad actor.
- Follow cybersecurity best practices, such as enforcing strong passwords and two-factor authentication and updating software regularly (or allowing software to auto-update).
- Take a holistic approach to identity verification. You can no longer solely rely on one method — like asking for an individual’s SSN, having them take a picture of a government ID, or even asking them to take a selfie — to verify identities. No method is error-proof, so it’s essential to take into account multiple signals. In this approach, known as the “Swiss Cheese Model,” each additional layer is another chance to identify a fraudster and prevent them from damaging your business.
How to deter, detect, and deny fraud with Persona
At Persona, we offer one of the industry’s widest ranges of verification types, including government IDs, supplemental docs, biometric selfies, and database verifications from authoritative and issuing sources like the IRS and Global Telecommunications Carriers.
However, we also know adding too much identity-related friction can hurt conversion rates. That’s why our identity infrastructure allows businesses to segment individuals based on signals that occur in real time and adjust the level of identity verification based on the riskiness of the interaction. This way, users only have to submit the minimum needed for their specific situation. Download our white paper to learn how to implement progressive risk segmentation and find the right balance between risk management and conversion optimization at your business.
Interested in learning more about how Persona can help you fight fraud while still letting good users through? Contact us, and we’d love to chat.