November 15-21, 2020 marks International Fraud Awareness Week – a global effort to minimize the impact of fraud by promoting anti-fraud awareness and education.
In the modern data-driven and internet-dependent world, fraud is not only a perpetual threat to both organizations and users, but it is one that is becoming ever more diverse and sophisticated.
What’s more, recent research has indicated that fraudsters are increasingly moving online to cash in on the COVID-19 pandemic, further highlighting the level of fraud risk during the current period.
With the above in mind, it seems that now is the perfect time to be raising awareness around fraud and its potential impact, and one man who has been speaking to Infosecurity on that very notion is David Britton, vice-president of industry solutions at Experian.
As one of the very first internet fraud investigators, Britton played a central role in the development of innovative fraud prevention technologies in the online space. In his current role at Experian, he often engages with executives across the e-commerce, financial services, travel, telco and other verticals around the globe to help frame strategies for mitigating fraud while preserving the consumer experience.
What is the state of the current fraud landscape?
Our recent studies indicate that fraud continues to rise across a number of sectors, including account takeover fraud, new account application/origination fraud and synthetic identity fraud. In virtually all of these cases, fraudsters are taking advantage of the massive surge to digital that was driven by the COVID-19 pandemic and allowed fraudsters to hide in the increasingly large haystack of overall traffic.
We have also seen that operational teams have been overwhelmed this year, causing businesses to modify practices and threshold limits in their risk detection systems to reduce the amount of overall traffic that requires manual intervention. Unfortunately, this often has the side effect of missing some lower-level risk events, which are often the leading indicators or telltale signs of more serious and costly fraud attacks.
How has fraud evolved in recent times, and particularly this year?
The evolution of fraud is shifting toward much more automation, in the form of scripted attacks and bot attacks, as well as more sophisticated phishing attacks. Even though phishing attacks have been around for more than 20 years, they remain a highly effective form of data theft, as they target unwitting victims and expand beyond simple emails to every communication channel. In 2020, we observed a slew of attacks that leveraged the pandemic, with messages (whether it be via email, text, social media or phone calls) promising news of COVID-19 relief, outbreak maps, fake cleaning and medical supplies, etc. Unfortunately, the links included in those messages often pointed to fraudster-owned websites and domains, where victims would be asked to submit sensitive data, or would include drive-by/downloadable malware, causing further data theft.
While not completely novel this year, there seems to have been a surge in credential stuffing attack bots, as fraudsters attempt to test their newly stolen credentials, to either build lists of still-active credentials, or to sell higher value credentials on the dark web.
What are the most common and effective fraud methods implemented by fraudsters?
Similar to the above, the use of phishing and social engineering with current, seemingly legitimate news or services remains popular and effective. Further, while there are increased automated attacks, we are also seeing the rise of human click farms, where fraudsters recruit ‘employees’ in economically depressed areas to use device farms with hundreds or thousands of devices to avoid bot detection, while they test credentials, place orders with stolen payment details, etc.
We are also seeing an increase in what we call ‘device emulation’ where fraudsters use various software toolkits (designed originally for testing software across multiple device platforms) to make their devices appear to be different than they are. For example, they may make their laptop appear to be a smartphone, or an Android device look like an Apple device. These techniques are deployed by fraudsters to defeat device recognition and fraudulent device consortium countermeasures.
What are the best practices for preventing fraud for organizations?
We find that the most effective approach to stopping fraud for businesses is to use a layered capabilities strategy, where the business does not rely on a single technology or data set to assess risk.
Rather, we believe in layering solutions such as:
- Advanced device intelligence
- Behavioral analytics
- Authenticated identity data leveraging
Being able to combine all of these layers and use advanced analytics and machine learning to weed out fraudsters with great accuracy, while ensuring that you do not disrupt the good user experience, all become paramount in the advanced fight against fraud. It is this approach that gave rise to Experian’s own CrossCore identity and risk platform, which does all this heavy lifting for the business, with a single point of integration to gain access to this powerful combination of capabilities.