Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.

Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.

For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.

“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.

“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”

Identity verification process issues

The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.

Even when digital methods are used to verify identity, the experience still raises barriers, with customers expected to use email or visit an “identity portal” to verify their identities.

Creating a frictionless process is key to meeting consumers’ current expectations. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.

Lack of automation is a problem for banks too

The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported it problematic for them too.

Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner and this is harder to achieve for institutions relying on inconsistent manual resources.

Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.

By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.

Europol analyzes latest trends, cybercrime impact within the EU and beyond

The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.

Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.

Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.

Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.

Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.

The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

Malware reigns supreme

Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.

Moreover, criminals have added another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom.

Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

Child sexual abuse material continues to increase

The main threats related to online child abuse exploitation have remained stable in recent years; however, detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.

Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.

Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.

Livestream of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used which becomes one of the key challenges for law enforcement as this material is not recorded.

Payment fraud: SIM swapping a new trend

SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.

Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

Criminal abuse of the dark web

In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.

Tor remains the preferred infrastructure; however, criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.

OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.

“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”

EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.

“The Europol IOCTA 2020 cybercrime report shows the urgent need for the EU to step up the fight against organised crime [online] and confirms the essential role of Europol in that fight”.

Rising reports of fraud signal that some COVID-related schemes may just be getting started

As the economic fallout of the COVID-19 crisis continues to unfold, research from Next Caller reveals the pervasive impact that COVID-related fraud has had on Americans, as well as emerging trends that threaten the security of contact centers, as we head towards what may be another wave of call activity.

The company’s latest report found that 55% of Americans believe they’ve been a victim of COVID-related fraud, up more than 20% from when the company conducted a similar study in April.

Perhaps even more worrisome is the fact that 59% of Americans claim they haven’t taken any additional precautions to protect themselves from these attacks.

“Even with massive amounts of PII circulating the dark web and so many new opportunities for criminals to exploit because of the pandemic, it’s still alarming that over half of the country thinks they’ve been targeted by COVID-related fraud,” said Ian Roncoroni, CEO, Next Caller.

“Compounding the problem is COVID’s unique ability to distract and disengage people from carefully monitoring their accounts. Criminals who are already well-equipped to bypass security can now operate longer without detection, worsening the impact exponentially.”

Data has shown the clear correlation between the economic fallout of the crisis – specifically stimulus related events – and the meteoric spikes in overall call volumes and the number of high-risk calls taking place inside contact centers across today’s biggest brands.

Fraudsters eager to replicate their initial success

A pending second stimulus package, combined with a clear urgency from Americans around receiving it, indicates that another wave of activity from customers and criminals is on the horizon.

In regards to the latest findings, Roncoroni said, “We have to prepare for a more sophisticated criminal strategy this time around. Rising reports of fraud activity signal not only that fraudsters are eager to replicate their initial success, but that some of those early schemes may just be getting started.

“The phony mailing address unceremoniously added to a bank account in April is likely just the trojan horse for a scheme ready to be set in motion under the cover of the next stimulus package.”

Key findings

  • 55% of Americans believe they’ve been targeted by COVID-related fraud
  • Despite that, 59% of Americans claim that they have not taken any additional precautions to protect themselves from attacks
  • Almost 1-in-3 Americans are more worried about becoming a victim of fraud than they are about contracting the virus
  • 56% believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information
  • When asked about their view of the next stimulus checks, 41% of Americans said “I really need another check”
  • 53% of Americans say that they have already sought out information related to the next round of checks

CEO of NS8 Charged with Securities Fraud

The founder and CEO of the Internet security company NS8 has been arrested and “charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud.”

I admit that I’ve never even heard of the company before.

Interesting Attack on the EMV Smartcard Payment Standard

It’s complicated, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.

From a news article:

The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app.

To obtain unauthorized funds from a third-party credit card, the first mobile phone is used to scan the necessary data from the credit card and transfer it to the second phone. The second phone is then used to simultaneously debit the amount at the checkout, as many cardholders do nowadays. As the app declares that the customer is the authorized user of the credit card, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Although the amount is over the limit and requires PIN verification, no code is requested.

The paper: “The EMV Standard: Break, Fix, Verify.”

Abstract: EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.

We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contact-less card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.

Online fraud against businesses drops, increases against consumers during reopening

Fraudsters are decreasing their schemes against businesses, but increasing COVID-19 focused scams against consumers online, according to TransUnion.

Fraudsters less targeting businesses

The percent of suspected fraudulent digital transactions against businesses worldwide decreased 9% from the beginning of the pandemic (“phase 1,” March 11-May 18) to when businesses began reopening (“phase 2,” May 19-July 25). In contrast, consumers targeted by digital COVID-19 schemes increased 10% from the early days of the pandemic (week of April 13) to more recently (week of July 27).

“With the rush for businesses to go digital as many were forced to go completely online almost overnight, fraudsters tried to take advantage,” said Shai Cohen, senior vice president of Global Fraud Solutions at TransUnion.

“They were most likely unsuccessful in their attempts and took their scams elsewhere as those businesses ramped up their digital fraud prevention solutions while providing a friction-right consumer experience. Conversely with consumers, fraudsters are increasingly using COVID-19 to prey on those persons who are facing mounting financial pressures.”

In contrast to the recent suspected fraud decrease against businesses, when comparing phase 1 (March 11-May 18) to right before the pandemic (Jan. 1-March 10), there was a 6% rise in suspected digital fraud against businesses.

Fraudsters shifting industries

When comparing digital transactions pre-pandemic to during the pandemic (March 11-July 25), suspected fraud against businesses remained relatively flat, increasing 1%.

“It appears fraudsters assume travel & leisure companies are scrutinizing transactions less in order to capture more revenue as the pandemic continues to severely negatively impact their business,” said Melissa Gaddis, senior director of customer success, Global Fraud Solutions at TransUnion.

“Another interesting note is that telecommunications, e-commerce and financial services companies – all industries that have fared relatively well during the pandemic – were targeted with the most digital fraud early in the pandemic but are now among the least targeted. This shows us that fraudsters initially targeted the hottest industries with the most money to be had early in the pandemic in order to hide behind the rush of transactions but have now made an obvious shift.”

Globally across industries, the countries with the highest percentage of suspected fraudulent transactions were: 1) Kazakhstan, 2) Greece and 3) Cyprus. In the U.S. overall, the cities with the highest percent of suspected fraudulent transactions were: 1) Livonia, Mich. 2) Akron, Ohio and 3) Jackson, Miss.

Consumers targeted by COVID-19 schemes

To better understand the impacts of COVID-19 on consumers, 8,265 adults in Canada, Colombia, Hong Kong, South Africa, the U.K. and the U.S. were surveyed the week of July 27.

32% of respondents said they had been targeted by digital fraud related to COVID-19, with Gen Z (age 18-25) being the most targeted at 36%. Among consumers reporting being targeted with digital COVID-19 schemes globally, the top pandemic-themed scam is phishing with 27% saying they were hit with it.

Despite the survey showing Baby Boomers were the generation least targeted with digital COVID-19 scams, among consumers reporting being targeted they were the age group saying they faced the highest percentage of COVID-19 themed phishing scams.

“Phishing shows fraudsters aren’t after a quick hit, but rather looking for the long haul,” said Gaddis. “Once a fraudster steals consumer credentials, the wave of disruption they can cause with a stolen or synthetic identity is endless, from compromising multiple online accounts to significantly impacting credit scores.”

Brand impersonation is a go-to tactic for attackers, especially for credential phishing and BEC attacks

Trends in BEC and email security during Q2 2020 included a peaking and plateauing of COVID-19-themed email attacks, an increase in BEC attack volume and acceleration of payment and invoice fraud, according to an Abnormal Security report.

The report also reveals that Zoom supplanted American Express as the most impersonated brand in email attacks.

There have been surges in COVID-19-themed email security attacks, which continued in Q2, with weekly campaign volume increasing 389% between Q1 and Q2. There has also been a continued increase in BEC attacks targeting finance department employees over C-level executives, which grew by 50% quarter-over-quarter.

A spike in payment and invoice fraud attacks

Payment and invoice fraud attacks, largely driven by vendor fraud, grew by 112% over the last quarter, spiking at the end of June. For the first time, a surge in payment and invoice fraud related to the pandemic has been detected.

BEC-specific attacks also saw an acceleration of attack campaign volume, growing by 11% over Q2 as hackers took advantage of new work-from-home scenarios. As BEC attacks are highly targeted and sophisticated, designed to dupe key targets with the potential to lead to big payouts, this increase is substantial in nature.

The shift to remote work makes employees more susceptible to BEC attacks and gives threat actors the opportunity to apply tactics likely to be successful given these working conditions.

“The pandemic has ignited digital transformation efforts at a breakneck pace and cybercriminals are moving just as fast, taking advantage of a new work-from-home landscape amid great business uncertainty,” said Evan Reiser, CEO, Abnormal Security.

“Keeping pace with change is critical, as attackers have continued to exploit enterprises’ weak links – such as vendor and partner relationships – and are pushing more sophisticated and targeted BEC attacks than we’ve seen previously.”

Changing trends in brand impersonation attacks

The report also uncovered changing trends in brand impersonation attacks, a form of fraud where a bad actor assumes the identity of a trusted or known entity. These attacks tend to follow the zeitgeist, which may help explain why Zoom became the most impersonated brand in Q2 due to its instant popularity and ubiquity.

Rounding out the top three were two other brands very much associated with COVID-19 shifts toward e-commerce and delivery: Amazon and DHL. For comparison, the three most impersonated brands in Q1 2020 were American Express, Amazon and iCloud.

“Our analysis of BEC and email security trends in Q3 will certainly prove to be interesting as we expect a downward trend in COVID-19-related attacks, an uptick in attacks related to the 2020 election and a continued rise in BEC, as attackers find success with socially-engineered techniques that evade traditional email security defenses,” said Reiser.

“Business leaders need to continue to focus on reviewing email security measures, most importantly examining BEC defenses, to ensure protection against attackers who are gaining steam.”

Content farms develop and spread fake news about COVID-19 for profit

​RiskIQ​ released a research report revealing a large-scale digital scam advertisement campaign spread through fraudulent news sites and affiliate ad networks that cater to highly partisan audiences.

Scammers are taking advantage of COVID-19 to spread fake news

The report details how misleading, false, and inflammatory news stories about the COVID-19 pandemic are developed on a massive scale by “content farms,” which monetize through ads served by ad networks targeting highly partisan readership. Some of these ads are purpose-built to lure readers into misleading ‘subscription traps’ for products billed as remedies or cures for the virus.

How does a subscription trap work?

A subscription trap works by offering a free or deeply discounted trial of a product while hiding clauses in the terms of service that sign victims up for costly payments remitted on a repeated basis, usually monthly. These subscriptions are often difficult, if not impossible, to escape.

The report clearly defines an ecosystem between partisan content farms that monetize through ad revenue, ad networks that take a cut of the profit, and advertisers that use the generated traffic to ensnare victims in subscription traps. These fraudulent subscriptions are for products such as dietary supplements or beauty products, and more recently, supposed remedies to COVID-19 in the form of CBD oil.

“Scam ads leading to subscription traps seem to be endemic to content farm sites, but there’s a particular network of companies and individuals using the COVID-19 pandemic for financial gain,” said Jordan Herman, threat researcher, RiskIQ.

“We wanted to do a deep dive into this ecosystem to expose how these shady practices are taking advantage of people on a massive scale and making the schemers a lot of money in the process.”

Leveraging fear, anxiety, and uncertainty around COVID-19

These content farms generate traffic by creating politically charged articles leveraging the fear, anxiety, and uncertainty around COVID-19 and gearing them toward a specific audience. These articles, often misleading or patently false, target readers the creators have assessed will likely read, share, and engage with them.

The content farm operators publish these articles on their websites, which use social media accounts and spam email campaigns to further their reach and generate more traffic they can monetize.

27% of consumers hit with pandemic-themed phishing scams

Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, TransUnion reveals.

Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.

“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.

“Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”

To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. have been surveyed between June 30 and July 6, 2020.

It asked the consumers if they had been targeted by digital COVID-19 fraud and, if so, which digital fraud scheme(s) related to COVID-19 they were targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19, with the below being the top types of COVID-19 fraud they faced:

Top global online COVID-19 scams targeting consumers

Online COVID-19 scams targeting consumers by country

“Although the schemes may vary by country, a new approach to identity verification that supplements traditional authentication methods is needed to defend against their impact,” said Cohen. “The key is creating a friction-right experience where consumers are confident they are dealing with a legitimate organization or business.”

Cybersecurity concerns front and center as online voting expected to shape future elections

Online voting is likely to shape future election cycles, according to a study from OneLogin. 59% of respondents expect online voting will become a reality within five years.

Online voting demographics

Though various demographics differ in their opinions about online voting, respondents shared concerns about the possibility of fraud and compromised data security.

49% of millennial and 55% of Gen Z voters believe that online options would make them more likely to vote while only 35% of those ages 74+ felt the same. Digital voting might also assist during the pandemic as 26% of respondents indicated COVID-19 could impact their likelihood of voting in the general election this fall.

An online voting option could also boost voter turnout among minority groups: 55% of black and 54% of Hispanic voters said an online voting option would make them more likely to vote this fall, compared to 42% of whites.

By party lines, 37% of Republicans do not want online voting compared to 12% of Democrats. Additionally, 43% of self-identified Trump supporters do not want online voting, compared to 12% among non-supporters.

Online voting and cybersecurity

Regardless of these divisions, respondents came together around two issues: convenience and security. Among those in favor of moving to online voting, 68% liked the potential convenience and 61% believed it would increase voter turnout. For those against it, the opportunity for fraud (77%) and lack of security (75%) were major concerns.

“The 2020 presidential election is happening in one of the most turbulent and divisive times in our country’s history,” said Brad Brooks, CEO and president of OneLogin.

“We were curious to understand the opinions around online voting and cybersecurity. The results speak to the demand and call for safe and secure identity management, today, in the 2020 election, and beyond.”

Most security experts agree that the process to cast a secure online vote would require multiple steps of authentication. Although 61% of respondents were willing to take up to three steps, 13% weren’t willing to take any security steps at all if voting online.

Similarly, 48% of voters would spend no more than five minutes logging in to vote, with only 5% willing to take more than 30 minutes, even though there are often long waits for in-person voting.

Who is the most trustworthy?

Trust will be another hurdle, as voters are uncertain which group is the most trustworthy to manage and administer online voting. Only 25% felt the government was best equipped, while 21% believed a private company could do it best and 20% would rely on a big tech company. Over 35% stated they wouldn’t trust any of the choices listed.

Other findings from the study include:

  • Pandemic politics: 31% of those who disapprove of President Trump say the pandemic is influencing them towards not voting compared to only 17% among Trump supporters.
  • Online turnout: 45% say that if they could vote online, they would be more likely to vote in the general election this fall while only 6% say they would be less likely to vote. 49% were the same either way.
  • Disenfranchisement: Out of those who are not in favor of moving to online voting, 44% believe it would disenfranchise people who are computer illiterate. 61% of those ages 74+ have this concern.
  • Voting by mail: 1 in 3 rural voters have security concerns with voting by mail, compared to 1 in 4 from urban/suburban areas. 46% of Trump supporters are worried about security and fraud with voting by mail, compared to just 16% among those who don’t support Trump.

200% increase in invoice and payment fraud BEC attacks

There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues the trend.

Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020.

Larger dollar amounts are involved

During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to steal money using tactics such as initiating fraudulent wire transfers or hijacking vendor conversations to redirect vendor payments. These types of attacks typically involve much larger dollar amounts compared to other types of BEC attacks since they target business to business transactions.

In one example, the Abnormal Security team detected and stopped an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 in losses. The attacker impersonated a real vendor and methodically engaged numerous employees over the course of two months, eventually convincing the target to change banking details and redirect the payment of a legitimate invoice of over $700,000 to the attacker’s account before the transaction was prevented.

Increasing number of attacks

An increasing number of these attacks were tracked, both in the number of organizations targeted and the number of attacks received per organization. The research team observed:

  • A 200% increase in the average rate of invoice and payment fraud BEC attacks each week
  • A 36% increase in the number of organizations experiencing these attacks
  • Out of all types of BEC attacks, invoice and payment fraud BEC attacks are increasing in popularity. In April, these types of attacks comprised 14% of all BEC attacks, increasing to 17% in May.


“While all business email compromise attacks can lead to significant financial loss, those focused on invoice and payment fraud can have an even greater financial impact,” said Evan Reiser, CEO and co-founder, Abnormal Security.

“Even when an organization has established best-in-class security, third parties represent a weak link. As these types of attacks continue to climb, it’s more important than ever for companies to implement technology that detects and stops them.”

80% of consumers trust a review platform more if it displays fake reviews

Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.


Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.

The research looks at how consumers respond to potentially fraudulent reviews and how review portals can use this information to design better fraud management policies.

“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.

“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”

Fake reviews aid decision making

A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.

Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.

“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”

Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that they are potentially fraudulent.

The study used large-scale data from Yelp and ran experiments to measure trust; 80% of the users in the researchers’ survey agreed that they trust a review platform more if it displays fake review information, because businesses are less likely to write fraudulent reviews on such platforms.

Transparency over censorship

Meanwhile, 85% of users in the researchers’ survey believe they should have a choice between viewing truthful and fraudulent information, and that platforms should leave it to consumers to decide whether to use fraudulent review information when judging the quality of a business.

The study also finds that consumers tend to trust the information provided by a platform more when it distinguishes fraudulent reviews from nonfraudulent ones and displays both, compared with the more common practice of censoring suspected fraudulent reviews.

“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.

When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.

A platform that does this admits to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews were fraudulent and now see that something is being done about it.

New technique protects consumers from voice spoofing attacks

Researchers from CSIRO’s Data61 have developed a new technique to protect consumers from voice spoofing attacks.


Fraudsters can record a person’s voice for voice assistants like Amazon Alexa or Google Assistant and replay it to impersonate that individual. They can also stitch samples together to mimic a person’s voice in order to spoof, or trick, third parties.

Detecting when hackers are attempting to spoof a system

The new solution, called Void (Voice liveness detection), can be embedded in a smartphone or voice assistant software and works by identifying the differences in spectral power between a live human voice and a voice replayed through a speaker, in order to detect when hackers are attempting to spoof a system.

Consumers use voice assistants to shop online, make phone calls, send messages, control smart home appliances and access banking services.

Muhammad Ejaz Ahmed, Cybersecurity Research Scientist at CSIRO’s Data61, said privacy preserving technologies are becoming increasingly important in enhancing consumer privacy and security as voice technologies become part of daily life.

“Voice spoofing attacks can be used to make purchases using a victim’s credit card details, control Internet of Things connected devices like smart appliances and give hackers unsolicited access to personal consumer data such as financial information, home addresses and more,” Mr Ahmed said.

“Although voice spoofing is known as one of the easiest attacks to perform as it simply involves a recording of the victim’s voice, it is incredibly difficult to detect because the recorded voice has similar characteristics to the victim’s live voice. Void is game-changing technology that allows for more efficient and accurate detection helping to prevent people’s voice commands from being misused.”

Relying on insights from spectrograms

Unlike existing voice spoofing detection techniques, which typically use deep learning models, Void relies on insights from spectrograms (a visual representation of a signal’s frequency spectrum as it varies over time) to detect the ‘liveness’ of a voice.

This technique is highly accurate, detects attacks eight times faster than deep learning methods and uses 153 times less memory, making it a viable, lightweight solution that could be incorporated into smart devices.

Void has been tested using datasets from Samsung and from the Automatic Speaker Verification Spoofing and Countermeasures challenges, achieving 99 per cent and 94 per cent accuracy respectively.
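To make the "spectral power" idea concrete, here is an added example that is not Void's code and not CSIRO's feature set: it extracts one simple spectral feature (the share of power above a band split) from a constructed "live" signal and from a copy passed through a one-pole low-pass filter standing in for loudspeaker and room colouring, then thresholds it. The tone frequencies, the filter, the 2 kHz split and the 0.1 threshold are all assumptions chosen for illustration; real liveness detectors use richer spectrogram features and learned thresholds.

```python
# Added example: spectral band-power feature separating a constructed "live"
# signal from a "replayed" copy. Illustrates the general idea only (replay
# through a loudspeaker changes the distribution of spectral power); it is not
# Void's algorithm. The low-pass filter, band split and threshold are assumptions.
import cmath
import math

SAMPLE_RATE = 8000      # Hz (assumption)
N_SAMPLES = 400         # 50 ms window; DFT bins are 20 Hz apart
BAND_SPLIT_HZ = 2000    # low band below, high band at or above (assumption)
REPLAY_THRESHOLD = 0.1  # high-band power share below this => "replay" (assumption)


def live_signal():
    """Constructed stand-in for live speech: three equal-amplitude tones that
    fall exactly on DFT bins (200 Hz, 1 kHz, 3 kHz)."""
    tones = (200.0, 1000.0, 3000.0)
    return [sum(math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in tones)
            for n in range(N_SAMPLES)]


def replay_through_speaker(x, alpha=0.2):
    """One-pole low-pass y[n] = a*x[n] + (1-a)*y[n-1], imitating a loudspeaker
    and room that attenuate high frequencies (assumption, not a measured model)."""
    y, prev = [], 0.0
    for v in x:
        prev = alpha * v + (1 - alpha) * prev
        y.append(prev)
    return y


def power_spectrum(x):
    """Naive O(N^2) DFT returning |X[k]|^2 for the non-negative frequency bins."""
    n = len(x)
    spectrum = []
    for k in range(n // 2 + 1):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spectrum.append(abs(acc) ** 2)
    return spectrum


def high_band_fraction(x):
    """Share of total spectral power at or above BAND_SPLIT_HZ (DC bin ignored)."""
    spec = power_spectrum(x)
    bin_hz = SAMPLE_RATE / len(x)
    low = sum(p for k, p in enumerate(spec) if 0 < k * bin_hz < BAND_SPLIT_HZ)
    high = sum(p for k, p in enumerate(spec) if k * bin_hz >= BAND_SPLIT_HZ)
    total = low + high
    return high / total if total else 0.0


def classify(x, threshold=REPLAY_THRESHOLD):
    """Label a window as 'live' or 'replay' from the single spectral feature."""
    return "replay" if high_band_fraction(x) < threshold else "live"


if __name__ == "__main__":
    live = live_signal()
    replayed = replay_through_speaker(live)
    for name, sig in (("live", live), ("replayed", replayed)):
        print(f"{name:9s} high-band share = {high_band_fraction(sig):.3f} -> {classify(sig)}")
```

With the constructed signal the live window puts one third of its power above 2 kHz, while the low-passed replay keeps only a few percent there; that gap, not the absolute numbers, is what a liveness feature exploits.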

Research estimates that by 2023, as many as 275 million voice assistant devices will be used to control homes across the globe — a growth of 1000 percent since 2018.

How to protect data when using voice assistants

Dr Adnene Guabtni, Senior Research Scientist at CSIRO’s Data61, shares tips for consumers on how to protect their data when using voice assistants:

  • Always change your voice assistant settings to only activate the assistant using a physical action, such as pressing a button.
  • On mobile devices, make sure the voice assistant can only activate when the device is unlocked.
  • Turn off all home voice assistants before you leave your house, to reduce the risk of successful voice spoofing while you are out of the house.
  • Voice spoofing requires hackers to get samples of your voice. Make sure you regularly delete any voice data that Google, Apple or Amazon store.
  • Try to limit the use of voice assistants to commands that do not involve online purchases or authorizations – hackers or people around you might record you issuing payment commands and replay them at a later stage.

Email security challenges and BEC trends during the pandemic

COVID-related attacks increased 436% between the second and third weeks of March 2020, with an average 173% week-over-week increase during the quarter, according to Abnormal Security.


A trend toward payment fraud

There has also been a shift from individual to group BEC attacks, with campaigns of more than 10 recipients up 27% compared to Q4 2019. Attackers also adjusted their targets, with attacks on finance employees increasing more than 75% as attacks on C-Suite executives decreased by 37%. This illustrates a trend away from paycheck and engagement fraud and toward payment fraud, specifically invoice fraud attacks, which increased more than 75%.

“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Evan Reiser, CEO, Abnormal Security.

“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”


COVID-19-related attacks capitalizing on fear and uncertainty

COVID-19-related attacks during Q1 2020 capitalized on fear and uncertainty, leveraging trusted entities and using spoofed and compromised accounts to scam recipients, steal credentials or install malware.

Attack themes followed the pandemic news cycle, using lures such as testing and vaccines and financial relief and stimulus payments, as attackers impersonated trusted entities such as the CDC.

“With employees largely working from home and a daily inundation of information related to the pandemic, attackers saw multiple areas of vulnerability in Q1 2020 and they took swift advantage of them,” said Reiser.

“Without sophisticated BEC security measures in place, the likelihood of business and email compromise increases significantly. The good news is that technology exists to thwart these attacks before they reach their intended targets.”

The “return” of fraudulent wire transfers

Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts, US-headquartered law firm BakerHostetler has warned.


BEC scams and fraudulent wire transfers

The same tactics have been employed by BEC scammers for years, but businesses of all sizes continue to fall for them.

The scam is usually discovered when the accounting department of a company starts seeing an increase in accounts receivable for one or more customers, then follows up on the outstanding invoices.

The customer reports that they have already paid the invoices and provides proof of the wire transfer, but the document shows that the money was sent to the wrong bank account. The customer says they followed the accounting department’s instructions, having received an email with “new” wire instructions from them.

“The email, of course, is not from the accounting department but from a fraudster,” the lawyers explained.

“Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails. Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer. But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.”

Prevention

The worst thing about these schemes is that they are easily thwarted by setting up certain policies and low-cost technical measures.

For example, companies should consider enabling multi-factor authentication for web-based email access so that scammers can’t use phished credentials to take over business email accounts.

Blocking access to company email accounts from IP addresses that geolocate to countries where the company has no employees is also a good idea, as is setting up alerts that trigger when an email account is accessed from two locations within a time span too short to allow travel between them, the lawyers advise.
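The two technical controls just described, a country allowlist and an "impossible travel" alert, are simple enough to show in code. The following is an added example, not tooling from BakerHostetler or any mail provider: it walks constructed webmail sign-in events (documentation IP ranges, made-up coordinates) in time order, flags logins from countries outside the allowlist, and flags any pair of consecutive logins for the same account that would have required travelling faster than an airliner. The allowed-country set, the 900 km/h ceiling and the event format are assumptions.

```python
# Added example: country-allowlist and impossible-travel checks over
# constructed webmail sign-in events. Not the law firm's or any vendor's code;
# allowed countries, speed ceiling, coordinates and event shape are assumptions.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Countries where the company has staff (assumption).
ALLOWED_COUNTRIES = {"US", "CA"}
# Fastest plausible travel in km/h; anything faster is "impossible" (assumption).
MAX_SPEED_KMH = 900.0

# Constructed sign-in events: (timestamp, account, source IP, GeoIP country, lat, lon).
# In practice these come from the mail service's sign-in audit log joined to a
# GeoIP database. IPs are from the RFC 5737 documentation ranges.
LOGIN_EVENTS = [
    ("2020-06-02T09:00:00", "alice@example.com", "203.0.113.10", "US", 40.71, -74.01),
    ("2020-06-02T10:30:00", "alice@example.com", "198.51.100.7", "US", 40.73, -73.99),
    ("2020-06-02T11:15:00", "alice@example.com", "192.0.2.44", "NG", 6.52, 3.38),
    ("2020-06-02T08:00:00", "bob@example.com", "203.0.113.22", "CA", 43.65, -79.38),
    ("2020-06-03T08:05:00", "bob@example.com", "203.0.113.23", "CA", 45.50, -73.57),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def analyze_logins(events, allowed=ALLOWED_COUNTRIES, max_speed=MAX_SPEED_KMH):
    """Return a list of alert tuples: ("geo_block", ...) for logins from
    non-allowlisted countries and ("impossible_travel", ...) for consecutive
    logins on one account that are too far apart for the elapsed time."""
    alerts = []
    last_seen = {}  # account -> (time, lat, lon) of its previous login
    for ts, account, ip, country, lat, lon in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if country not in allowed:
            alerts.append(("geo_block", account, ip, country))
        if account in last_seen:
            prev_t, plat, plon = last_seen[account]
            hours = (t - prev_t).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # Speed needed to make the trip; zero elapsed time with a real
            # distance is treated as infinite speed.
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed:
                alerts.append(("impossible_travel", account, ip, round(dist), round(hours, 2)))
        last_seen[account] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in analyze_logins(LOGIN_EVENTS):
        print(alert)
```

Run against the constructed events, Alice's third login (New York to Lagos in 45 minutes) produces both alert kinds, while Bob's Toronto-to-Montreal logins a day apart produce none. In production the same logic is usually a scheduled query against the sign-in log rather than an in-memory loop, and the allowlist should be reviewed whenever staff travel or hiring locations change.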

On the other hand, scammers may choose not to compromise legitimate business email accounts but set up rogue ones that are made to look like they are owned by the business.

Employees who deal with payments should be taught about the danger presented by these emails, instructed on how to spot red flags, and regularly reminded to always verify all requests to change bank account information by calling a known telephone number for that customer, vendor or business partner (definitely not a phone number included in the email!).

Finally, a business might be wise to these tricks, but it costs them nothing to raise awareness and educate customers and business partners by sending an email delineating all this information and good advice.

You’ve been scammed, now what?

Recouping the fraudulently transferred funds once an employee falls for the scam can be a challenging endeavor.

The sooner the company discovers the incident, the better its chances of getting the money back. It must notify its bank immediately and report the incident to law enforcement.

If you’re in the US and the fraudulent wire transfer was made to a domestic bank account, the Recovery Asset Team of the FBI’s Internet Crime Complaint Center (IC3) might be able to get it back for you. “During its inaugural year, the team assisted in the recovery of over $300 million lost through on-line scams, boasting a 79% return rate of reported losses,” the FBI said earlier this year.

It’s also important to find out whose email account was compromised by the scammers.

Not only is this important to decide who will “eat” the loss if the money can’t be recovered, but also because companies whose email account(s) have been compromised might have more to lose than just money: the scammers might have accessed personal and business information residing in the account and might use it to perpetrate additional fraud.

Also, the lawyers noted, “the business whose email was compromised may have additional legal obligations based on state or federal data breach notification laws or contractual clauses with other business partners.”

Create a safe haven for your customers to build loyalty

“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too.


The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator.

Dealing with fraudulent transactions

Financial institutions have been on the lookout for fraudulent transactions, in the hope of preventing customers from falling victim to illegal fund withdrawals, since the dawn of the digital age. Usernames and passwords have become weaker proof of identity and ownership in a world of endless data breaches.

Cybercriminals today easily harvest all manner of personal identity credentials from the dark web as well as through social engineering schemes. They gain access to customer accounts and make transfers or payments with the legitimate customer none the wiser—at least until their next login or they encounter a declined transaction due to insufficient funds.

Automated bots increasingly drive fraudulent transactions by allowing fraud to occur at unprecedented speed and volume. The goal of fraudsters using bot attacks is to compromise accounts and harvest stolen data, creating ever-greater risk in new channels and services, for recently digitized companies and experienced digital-channel companies alike.

Efforts to stop these nefarious activities have sometimes led to either a one-size fits all approach or overly aggressive policies and additional identity proofing requirements. Customers get frustrated when they need to jump through hoops to log in or complete a transaction.

The lengthy process seems especially frivolous when cybercriminals continue to find inventive new ways to bypass these same controls. Consumers do not expect a “no-friction” transaction every time. They want the incremental steps to be commensurate with the risk of the transaction (e.g., checking an account balance vs. a large balance withdrawal).

Organizations should look beyond the disruption of fraudulent financial transactions and stop viewing the consumer as a financial event or a financial risk to contain. Instead, organizations should consider the consumer across every customer interaction, not as a single touchpoint or a stand-alone transaction. Only then can organizations effectively protect consumers throughout their experience.

Data insight = Consumer satisfaction and safety

Data insight drives greater consumer satisfaction and safety. To a financial institution, both digital and physical data is often as valuable as a consumer’s financial worth, at least when it comes to visibility into fraud and how to stop it.

Criminals use information within a banking relationship to commit fraud at multiple points during the customer journey. Compromised consumer information exposes the consumer to wider risks outside of specific applications, increasing the risk for the consumer and the organization.

For instance, a fraudster could use compromised customer data to open additional accounts or new lines of credit. Fraudsters with access to online banking information can easily circumvent security questions that require information ostensibly known only to the customer. Criminals then often add their own phone number to the account, or use account information to redirect the consumer’s phone calls to themselves, so that when the consumer returns a bogus “security” check purporting to come from the financial institution, the call reaches the fraudster.

The mess left behind in the fraudster’s wake entangles banks who do not employ adequate risk controls. Customers do not like that kind of breach. Neither do regulators.

Smarter security

Banks can benefit from risk signals that can identify this kind of fraud and stop it in its tracks.

When organizations combine data and customer insights (such as pinpointing the last time a device accessed a specific account) with transaction risk (whether an account was accessed to change personally identifiable information or just to check a balance), they can tailor each consumer’s experience with the right risk controls.

Also critical is real-time and historical intelligence of the customer’s legitimate identity usage in other interactions on other sites or apps around the world. Organizations should shift emphasis to establishing “the good” in terms of normative devices and behaviors informed by global-scale intelligence instead of focusing on trying to ferret out “the bad.” This practice uncovers anomalies instantly. The key then is to ensure the identification of anomalies and a proactive response at every decisive moment – not just when the financial transaction is taking place.
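As an added example of the risk-proportionate controls described in this section (not the author's or any vendor's model), the block below scores a request from the signals the text names, device familiarity and how long since the device was last seen, the kind of transaction, and whether PII is being changed, and maps the score to an incremental step: allow, one-time passcode, strong authentication, or hold and contact the customer out of band. The signal weights, score bands, transaction categories and device-history records are all assumptions constructed for illustration.

```python
# Added example: risk-based step-up decision from device history and transaction
# risk. Weights, bands, transaction categories and the device history are
# assumptions for illustration, not any institution's production model.
from datetime import datetime

# Intrinsic risk of each request type, 0-100 (assumption). "change_pii" covers
# phone number, address or email updates, the kind of change a fraudster makes
# to redirect security checks to themselves.
TRANSACTION_RISK = {
    "check_balance": 0,
    "small_transfer": 20,
    "change_pii": 40,
    "large_withdrawal": 50,
}
LARGE_AMOUNT = 10000       # currency units; adds extra risk (assumption)
DORMANT_DEVICE_DAYS = 90   # device unseen this long counts as dormant (assumption)

# Constructed device history: (account, device_id) -> last time seen on that account.
DEVICE_HISTORY = {
    ("acct-1001", "dev-a"): datetime(2020, 5, 28, 9, 0),
    ("acct-1001", "dev-b"): datetime(2019, 11, 1, 12, 0),
}
# Fixed "now" so the example is reproducible (assumption).
NOW = datetime(2020, 6, 2, 10, 0)


def device_risk(account, device_id, now=NOW, history=DEVICE_HISTORY):
    """A never-seen device is the strongest signal; a long-dormant one is weaker."""
    last = history.get((account, device_id))
    if last is None:
        return 40
    return 20 if (now - last).days > DORMANT_DEVICE_DAYS else 0


def risk_score(account, device_id, txn_type, amount=0, now=NOW, history=DEVICE_HISTORY):
    """Combine device and transaction signals into a 0-100 score."""
    score = device_risk(account, device_id, now, history)
    score += TRANSACTION_RISK.get(txn_type, 50)  # unknown request types treated as high risk
    if amount >= LARGE_AMOUNT:
        score += 15
    return min(score, 100)


def required_step(score):
    """Map the score to friction commensurate with the risk (bands are assumptions)."""
    if score < 30:
        return "allow"
    if score < 60:
        return "otp"            # one-time passcode to a registered channel
    if score < 80:
        return "strong_auth"    # e.g. app-based or biometric confirmation
    return "hold_and_call"      # block and have the institution contact the customer out of band


def decide(account, device_id, txn_type, amount=0, now=NOW, history=DEVICE_HISTORY):
    """Return (score, step) for a request."""
    score = risk_score(account, device_id, txn_type, amount, now, history)
    return score, required_step(score)


if __name__ == "__main__":
    # Constructed requests: the dormant-device PII change and the unknown-device
    # PII change are the takeover patterns described above.
    for req in (("acct-1001", "dev-a", "check_balance", 0),
                ("acct-1001", "dev-a", "large_withdrawal", 15000),
                ("acct-1001", "dev-b", "change_pii", 0),
                ("acct-1001", "dev-z", "change_pii", 0)):
        print(req, "->", decide(*req))
```

A balance check from a device seen last week is allowed silently, while a phone-number change from a device not seen in seven months is forced through strong authentication and the same change from a never-seen device is held for an out-of-band call; that is the "steps commensurate with the risk" principle the article argues for.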

Bigger value

For all of this, the other side of the equation is just as important. Recalling “the customer comes first,” this focus on protecting the customer also pays serious dividends for the institutions they do business with. Finally, the brand experience matches the brand marketing.

Cybersecurity and fraud risk controls enable significant differentiation for the brand through consumer loyalty and convenience. According to Forrester, less than 10% of organizations ever crack that code.

Institutions that use data insights to coordinate risk and fraud control strategies across channel and consumer journey silos inevitably deliver a faster, more consistent experience across the entire omni-channel spectrum.

Less than a quarter of Americans use a password manager

A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals.


As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.

Do you use a password manager?

The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent use separate passwords for their multiple accounts; 17 percent of respondents have between two and five passwords that they reuse across accounts; and 4 percent use a single password for all accounts.

Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent use high-risk strategies such as writing their passwords down in a notebook. If you’re a security leader and your organization is still not using a password manager, find out how to evaluate a password management solution for business purposes.

“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO.

“Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”

A forgotten password can affect online purchases

The study shows that consumers struggle with maintaining their current passwords as 28 percent reported abandoning an online purchase because they forgot login information, and 26 percent reported being unable to check an account balance.

Forgotten usernames and passwords even affect new account openings: 13 percent said that it has stopped them from opening a new account with an existing provider.

This is a notable trend as consumers are more willing than ever to do business digitally. The study found that the majority of respondents would open a checking (52 percent) or mobile phone (64 percent) account online, while an overwhelming majority of respondents (82 percent) said they would open a credit card account online.

Consumers trusting physical and behavioral biometrics

However, while there is significant room to improve how consumers protect their login credentials, the survey also found that Americans are becoming more trusting of using physical and behavioral biometrics to secure their financial accounts.

The survey found that 78 percent of respondents would be happy for their bank to analyze behavioral biometrics, such as how they type, for security; 65 percent are happy to provide biometrics to their bank; and 60 percent are open to using fingerprint scans to secure their accounts.

Security alternatives

Additionally, when logging into their mobile banking apps, respondents are now considering alternative security measures beyond the traditional username and password. The five most widely used security alternatives are:

  • One-time passcode via SMS (53 percent)
  • One-time passcode via email (43 percent)
  • Fingerprint scan (39 percent)
  • Facial Scan (24 percent)
  • One-time passcode delivered and spoken to mobile phone (23 percent)

“Digital services are currently playing a critical role in daily life. It is a good time to evaluate how we protect ourselves and our information online,” said Lasher.

“Customers have been happy to adopt security such as one-time passcodes, and are now showing that they are willing to adopt additional options, such as biometrics, to protect their accounts.

“There are no magic bullets and the ability to layer and deploy multiple authentication methods appropriate to each occasion is key. Financial services organizations and consumers need to continue to keep security best practices top of mind to help combat fraudsters now and in the future.”