
College summer job search ripe for fraud
Read Time: 5 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Digital fraud has surged as the COVID-19 pandemic only accelerated the use of computers and cell phones for everything from banking to shopping. Here’s the latest on the evolving threat landscape and what CFEs and security experts are doing to stop cybercrime.
In October of last year, Vladimir Dunaev found himself sitting in a U.S. federal court accused of conspiracy to commit computer fraud, aggravated identity theft, wire and bank fraud, and money laundering. The Russian national, who’d been extradited from South Korea that same month, was a member of a cybercriminal gang known for deploying banking malware called Trickbot.
Dunaev had been a developer responsible for executing the malware attacks and preventing security software from detecting the malicious code, which helps criminals steal online banking login credentials and harvest other personally identifiable information (PII). Trickbot remains one of the most popular malware families among cybercriminal organizations, partly because it’s so flexible and can be customized for different types of frauds. (See “December 2021’s Most Wanted Malware: Trickbot, Emotet and the Log4j plague,” Check Point Software Technologies Ltd., Jan. 12, 2022.)
Between November 2015 and August 2020, Dunaev and his co-conspirators allegedly stole money and confidential information from individuals, financial institutions, school districts, utility companies, government entities and private businesses across the globe. (See “Russian National Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization,” U.S. Department of Justice, Oct. 28, 2021.)
“This indictment reflects the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of, and defraud, unsuspecting victims anywhere in the world,” said Eric Smith of the FBI’s Cleveland Field Office, who oversaw the Dunaev case.
Indeed, while malware like Trickbot still often relies on long-used social engineering techniques such as phishing, fraudsters in the digital world are growing more sophisticated and attacking more frequently from countries that are far from the reach of their victims.
Digital fraud, which is often reliant on the harvesting of PII, is on the rise as everything from banking to insurance to retail shopping increasingly takes place online through home computers and particularly mobile phones. Customers are asking for more convenience and speed, and the social distancing brought on by the COVID-19 pandemic has only accelerated this trend, particularly the use of digital and contactless payments. Fraudsters have spotted opportunities. (See “Financial Crime, Payment Fraud and the Role of Digital Identity 2021,” by Jane Jee, Emerging Payments Association.)
“In the last 12 to 18 months there has been a surge in online purchases, and the customer preference is moving to digital,” says Charanjeet Singh, CFE, senior vice president and head of fraud risk & investigation at First Abu Dhabi Bank, in an interview with Fraud Magazine.
“With the move to digital, organizations have adopted remote onboarding of their clients through multiple channels, which aims to authenticate the identity of the person using the classic model of what they have, what they know and who they are. With digitization, such onboarding has expanded to mobile or watch wallets, apps and other channels, and this is what fraudsters exploit by a mixture of social engineering and phishing techniques.”
Digital fraud attempts across the globe grew 23.82% when comparing the last four months of 2020 against the first four months of 2021, according to a report from credit agency TransUnion. That surge predominated in countries like the U.K., Colombia and Brazil, where online fraud attacks respectively leapt 53.61%, 60.74% and 53.49% over that period. In the U.S. and Canada, the growth in digital fraud attacks was closer to the global average at 25.07% and 23.36%, respectively. (See “Digital Fraud in 2021,” TransUnion.)
Frauds of all kinds — some old, some new — are thriving as we make greater use of digital devices, such as smartphones, and live in a virtual reality that happens in constantly evolving real time. This means that CFEs and security experts are having to change their approaches in tackling crimes, such as identity theft, account takeovers (ATOs), new account fraud, synthetic ID fraud and, more recently, authorized push payment fraud (APP).
APP, for example, involves tricking the victim to make a real-time payment to a fraudster’s account. But because digital real-time transfers often are irrevocable, it’s often too late by the time the victim realizes they’ve been conned. (See “What Is Authorised Push Payment Fraud?” by Sarah Rutherford, FICO/Blog, Dec. 5, 2017.)
The U.K. alone lost 355.3 million pounds to APP in the first half of 2021. Most of those scams took place online, and the losses marked a 71% increase in APP fraud over the same period the prior year, according to UK Finance, a banking trade association. Fraud in the U.K. financial sector — often carried out through digital devices — has been so bad that UK Finance has called it a “national security threat.” (See “2021 Half Year Fraud Update,” by Katy Worobec, UK Finance.)
TransUnion’s survey underscores such concerns, showing that the U.K. financial services sector saw a 791.34% growth in digital-fraud attempts during the first four months of 2021 compared to the prior four-month period. Yet it isn’t just in the U.K. The financial sector has been a prime target in other countries. The rate of digital fraud attacks soared 149.44% on average across the globe during the same period, particularly identity fraud, according to TransUnion.
In the financial services sector, account takeovers and identity fraud are increasingly popular among fraudsters who’ve been helped in recent years by massive data breaches that have flooded the darknet with stolen username/password combinations that can be purchased in large quantities and for a relatively cheap price.
Fraudsters now have access to automated software tools for carrying out log-in attempts. Developers like Dunaev can also bypass detection controls by using stolen IP addresses to mask their identity or by using a network of computers infected with malware (botnets) that can carry out coordinated attacks.
Those IP addresses have never been easier to come by since the recent global explosion in connected devices (i.e., the Internet of Things). Everything from computers to mobile phones to TVs and refrigerators potentially has an IP address that hackers could exploit. (See “Could your smart refrigerator be giving hackers a path to corporate data?” by Ray Overby, Global Banking and Finance Review, and “How To Check Your Samsung TV’s IP Address,” by William Stanton, alphr, May 17, 2020.)
This has made identity theft — and in turn account takeovers and new account fraud — that much easier. A survey tracking banking behavior by security firm GIACT found that over the last two years, 47% of U.S. consumers experienced identity theft, 37% experienced unauthorized use of their identities to apply for accounts (application fraud) and 38% experienced account takeovers (unauthorized account access). [See “U.S. Identity Theft: The Stark Reality,” GIACT, and “Mobile Banking Adoption In The United States Has Skyrocketed (But So Have Fraud Concerns),” by Ron Shevlin, Forbes, July 29, 2021.]
In its most basic form, account-takeover fraud, which is really a subset of identity fraud, occurs when a wrongdoer steals or comes into possession of a legitimate account holder’s credentials and other PII (i.e., username and password), and then uses those credentials to access the account to commit theft or some other harm. It can be as simple as one person stealing the credentials of another person, such as in a traditional identity theft paradigm.
Eric Afre, CFE, is senior director, financial crimes unit at Allianz Life Insurance Company of North America. He tells Fraud Magazine that fraudsters have increasingly been carrying out fraudulent registrations on websites using other legitimate customers’ credentials. Once they’ve done that, they change the email, so all correspondence goes to the fraudster instead. That’s why Allianz encourages its clients to register right away before someone else does in their names. “So, the minute you get a policy, we are encouraging you to register, register, register,” Afre says.
Fraudsters are also using synthetic and stolen identities to carry out new account fraud in various ways — and more efficiently as technology becomes more sophisticated. One example of this is micro-deposit fraud, which has been around for a while, but is happening with greater frequency, says Lien Nguyen, CFE, senior vice president, fraud prevention at Bank of the West.
Here’s one way the scam works. When someone opens a new account, financial institutions verify the ownership of that person’s existing account by sending micro-deposits that are sometimes just a few cents. Fraudsters will create multiple fake accounts with a stolen or synthetic identity. When the financial institution that’s opening the new account makes the micro-deposit to the fraudster’s existing external account, the fraudster skims off the funding amount, less the micro-deposits, from the new account. Michael Largent scammed E-Trade, Charles Schwab & Co. and Google for hundreds of thousands of dollars this way in the late 2000s when he tried to open over 58,000 brokerage accounts. (See “Micro-Deposit Scams,” Harvester Financial Credit Union, and “Plumas Lake Man Sentenced to One Year and Three Months in Prison for Computer Fraud,” FBI, Sacramento Division, Sept. 17, 2009.)
“With new account fraud if you open up hundreds and hundreds of accounts at multiple financial institutions, it can be very lucrative,” Nguyen tells Fraud Magazine.
Micro-deposit frauds in turn help cybercriminals test a bank’s fraud controls and can lead to larger so-called salami attacks, where they “slice” small and often unnoticeable amounts from people’s accounts. These attacks have been a growing threat to banks as technology improves automation. (See “Banks confront new type of phishing: ‘Salami’ attacks,” by David Heun, Sept. 16, 2021; and “Micro-Deposits, Salami Attacks, Oh My,” by Jenn Redlich, Dwolla, June 22, 2021.)
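The two patterns just described, micro-deposit abuse during new-account opening and salami slicing, leave footprints a bank’s back end can look for. The following Python script is an added example and not code from the article or from any institution quoted in it: it runs two simple red-flag rules over a constructed ledger. The account identifiers, dates, amounts and the thresholds (30-day window, three new accounts sharing one external funding account, four payers sending debits of $1.00 or less to one counterparty) are all assumptions chosen for illustration and would need tuning against a real baseline.

```python
"""Back-end red-flag checks for micro-deposit abuse and salami slicing.

Rule A (micro-deposit / new-account abuse): the same external funding
account is supplied for micro-deposit verification by several newly
opened accounts inside a short window.
Rule B (salami slicing): one counterparty collects many tiny debits from
many different customer accounts.

All identifiers, dates, amounts and thresholds below are constructed for
this example; they are not from any real institution.
"""
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed: (date opened, new account id, external account linked for verification)
ACCOUNT_LINKS = [
    (date(2022, 3, 1), "NEW-1001", "EXT-555"),
    (date(2022, 3, 2), "NEW-1002", "EXT-555"),
    (date(2022, 3, 3), "NEW-1003", "EXT-555"),
    (date(2022, 3, 4), "NEW-1004", "EXT-555"),
    (date(2022, 3, 5), "NEW-1005", "EXT-777"),   # ordinary customer, one link
    (date(2022, 1, 10), "NEW-0900", "EXT-888"),  # same external account reused
    (date(2022, 3, 20), "NEW-1006", "EXT-888"),  # ... but 69 days later: outside window
]

# Constructed: (date, customer account debited, counterparty credited, amount)
TRANSACTIONS = [
    (date(2022, 3, 10), "ACC-1", "MERCHANT-A", Decimal("0.49")),
    (date(2022, 3, 10), "ACC-2", "MERCHANT-A", Decimal("0.51")),
    (date(2022, 3, 11), "ACC-3", "MERCHANT-A", Decimal("0.20")),
    (date(2022, 3, 11), "ACC-4", "MERCHANT-A", Decimal("0.75")),
    (date(2022, 3, 12), "ACC-5", "MERCHANT-A", Decimal("0.99")),
    (date(2022, 3, 10), "ACC-1", "GROCER", Decimal("42.10")),
    (date(2022, 3, 10), "ACC-1", "COFFEE", Decimal("0.90")),   # small, but a single payer
    (date(2022, 3, 12), "ACC-6", "COFFEE", Decimal("3.50")),
]


def shared_funding_accounts(links, window_days=30, min_new_accounts=3):
    """Rule A: external accounts linked by >= min_new_accounts distinct new
    accounts whose opening dates fall inside a sliding window_days window.
    Returns {external_account: [new account ids]}."""
    by_ext = defaultdict(list)
    for opened, new_acct, ext in links:
        by_ext[ext].append((opened, new_acct))

    flagged = {}
    for ext, items in by_ext.items():
        items.sort()  # by opening date
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits in window_days.
            while items[end][0] - items[start][0] > timedelta(days=window_days):
                start += 1
            accts = sorted({acct for _, acct in items[start:end + 1]})
            # Keep the largest qualifying set seen for this external account.
            if len(accts) >= min_new_accounts and len(accts) > len(flagged.get(ext, [])):
                flagged[ext] = accts
    return flagged


def salami_counterparties(txns, max_amount=Decimal("1.00"), min_payers=4):
    """Rule B: counterparties receiving debits <= max_amount from
    >= min_payers distinct customer accounts.
    Returns {counterparty: {"payers": n, "total": Decimal}}."""
    by_cp = defaultdict(lambda: {"payers": set(), "total": Decimal("0")})
    for _, acct, cp, amount in txns:
        if amount <= max_amount:
            by_cp[cp]["payers"].add(acct)
            by_cp[cp]["total"] += amount
    return {
        cp: {"payers": len(s["payers"]), "total": s["total"]}
        for cp, s in by_cp.items()
        if len(s["payers"]) >= min_payers
    }


if __name__ == "__main__":
    print("Rule A (shared funding accounts):", shared_funding_accounts(ACCOUNT_LINKS))
    print("Rule B (salami counterparties):", salami_counterparties(TRANSACTIONS))
```

Rule A flags EXT-555 (four new accounts in four days) but not EXT-888, whose two links are 69 days apart; Rule B flags MERCHANT-A (five payers, $2.94 in total) while ignoring the coffee shop, which took one small debit from a single account. In practice both rules would run against the nightly ledger and feed an analyst queue rather than block automatically, since a legitimate parent funding several children’s accounts can also trip Rule A.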
Indeed, what poses the biggest risk to organizations is criminals collecting vast troves of username/password combinations and using technology to systematically test them to try to gain access to many accounts whose owners may have used the same usernames or passwords on multiple platforms. This is called credential stuffing. (See “Credential stuffing,” by Neal Mueller, OWASP.)
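Credential stuffing shows up in authentication logs as many different usernames being tried with a high failure rate, either from one address or, when the attacker spreads the attempts across a botnet, from many addresses at once. The Python detector below is an added example, not code from the article or from OWASP: it parses a constructed log, applies a per-IP rule, and then a per-minute rule that catches the distributed variant the per-IP rule misses. The log format, the IP addresses (documentation ranges), the usernames and the thresholds are all assumptions for illustration.

```python
"""Credential-stuffing detector over authentication log lines.

The log format (`<timestamp> ip=<addr> user=<name> result=OK|FAIL`), the
sample lines and the thresholds are constructed for this example and
should be tuned against a real baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed log: one IP cycling through many usernames (09:00), two
# ordinary logins (09:05-09:06), and a burst spread across five IPs (09:30).
SAMPLE_LOG = """\
2022-03-01T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-03-01T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-03-01T09:00:03Z ip=203.0.113.7 user=carol result=FAIL
2022-03-01T09:00:04Z ip=203.0.113.7 user=dave result=FAIL
2022-03-01T09:00:05Z ip=203.0.113.7 user=erin result=FAIL
2022-03-01T09:00:06Z ip=203.0.113.7 user=frank result=OK
2022-03-01T09:05:10Z ip=198.51.100.2 user=alice result=FAIL
2022-03-01T09:05:20Z ip=198.51.100.2 user=alice result=OK
2022-03-01T09:06:00Z ip=198.51.100.3 user=bob result=OK
2022-03-01T09:30:00Z ip=192.0.2.10 user=gina result=FAIL
2022-03-01T09:30:03Z ip=192.0.2.10 user=hank result=FAIL
2022-03-01T09:30:06Z ip=192.0.2.11 user=ivan result=FAIL
2022-03-01T09:30:09Z ip=192.0.2.11 user=judy result=FAIL
2022-03-01T09:30:12Z ip=192.0.2.12 user=kim result=FAIL
2022-03-01T09:30:15Z ip=192.0.2.12 user=lee result=FAIL
2022-03-01T09:30:18Z ip=192.0.2.13 user=mia result=FAIL
2022-03-01T09:30:21Z ip=192.0.2.13 user=ned result=FAIL
2022-03-01T09:30:24Z ip=192.0.2.14 user=olga result=FAIL
2022-03-01T09:30:27Z ip=192.0.2.14 user=pat result=FAIL
"""


def parse_log(text):
    """Parse log lines into dicts; refuse silently malformed input."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def per_ip_suspects(events, min_users=5, min_fail_ratio=0.8):
    """Rule 1: a single IP trying many distinct usernames, mostly failing."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if not e["ok"]:
            s["fail"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def window_suspects(events, min_fails=8, min_users=8, min_ips=4):
    """Rule 2: per-minute bucket with many failures against many usernames
    from many IPs, the signature of stuffing spread across a botnet."""
    buckets = defaultdict(lambda: {"fails": 0, "users": set(), "ips": set()})
    for e in events:
        if e["ok"]:
            continue
        b = buckets[e["ts"].strftime("%Y-%m-%dT%H:%MZ")]
        b["fails"] += 1
        b["users"].add(e["user"])
        b["ips"].add(e["ip"])
    return {
        minute: {"fails": b["fails"], "users": len(b["users"]), "ips": len(b["ips"])}
        for minute, b in buckets.items()
        if b["fails"] >= min_fails and len(b["users"]) >= min_users and len(b["ips"]) >= min_ips
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP:", per_ip_suspects(evts))
    print("per-minute:", window_suspects(evts))
```

On the sample, Rule 1 flags only 203.0.113.7 (six usernames, 83% failures), and Rule 2 flags only the 09:30 minute (ten failures, ten usernames, five IPs), where no single address crossed the per-IP bar. The user who mistyped a password from 198.51.100.2 trips neither rule. A production version would add the signal the article’s sources point to next: the fraction of failures against usernames that do not exist at all, which legitimate users almost never produce.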
Cybercriminals use different ways to take advantage of compromised accounts, which is one of the reasons it’s such an attractive form of fraud. Draining funds from an account might seem the most straightforward form of ATO fraud. But crooks also use compromised accounts to apply for credit; make purchases; swipe reward points, miles or gift card balances, which they can then use or resell on secondary markets; and submit fraudulent returns and warranty claims.
Attackers can also use the accounts to which they gain access to carry out a variety of malware attacks. When a person with bad intentions possesses working username/password credentials, the possibilities are essentially unlimited.
Defending against such attacks is a perpetual battle for companies and government entities trying to stay abreast of fraudsters’ latest technological tricks. “It’s like a cat-and-mouse game,” says Nguyen. “You put in controls and catch up to them, and they change their methods. To manage fraud, you have to be able to understand the evolving threat landscape.”
In many ways, clients are the first line of defense, but they can’t always be relied upon to carry out the necessary cyber hygiene, such as regularly changing passwords and not reusing the same password across multiple platforms.
“Customers are their own best advocates in safeguarding against fraud and cyber threats,” says John Albanese, CFE, vice president, corporate security and investigations at Voya Financial. “You really need customer awareness to make sure they’re doing their best to protect themselves, which, in turn, is protecting us because we are entrusted with their assets at the end of the day.”
Even so, customer education only goes so far, as do passwords. So, security experts are finding other ways to stop cyberfraudsters.
[See “Beyond passwords” at the end of this article.]
Singh says the long-term plan is to move away from one-time passwords and a dependence on customers authenticating their identity — all of which are vulnerable to manipulation by fraudsters. Preferably, the verification of new accounts or transactions can be done through primary devices, such as mobile phones, which can be authenticated and monitored for suspicious activity, he says.
“I don’t want to rely on customers to confirm whether it is a genuine transaction because they can be tricked through social engineering,” says Singh. “Instead, we want to work through secured channels and a trusted device.”
Security experts are also employing new technology, such as artificial intelligence and machine learning, to their advantage. For example, some security firms have made good use of passive biometrics, the study of an individual’s unique movements, to validate the identity of an account holder. This includes gaining knowledge of how the account holder types on the keyboard, screen swipes and mouse moves — even at what angle they hold their mobile phones. (See “Behavioral Biometrics: Explaining in Detail,” Rec Faces, June 14, 2021, and “5 Ways Biometrics Help Fight Fraud,” ID R&D.)
The problem is that cybercriminals also have access to technology, which they’re using to avoid detection. Not only can they now distribute attacks across a wide range of IP addresses with cheap, available technology, but they’re also using machine-learning applications to mimic how humans navigate computers. “The endgame [for fraudsters] is flawless emulation of human behavior and real devices on home networks,” Jarrod Overson, director of engineering at Shape Security, explained at a talk organized by the Open Web Application Security Project. (See “The State Of Credential Stuffing And The Future Of Account Takeovers - Jarrod Overson,” YouTube, Oct. 16, 2019.)
Either way, all this costs money and not all organizations have the resources to combat sophisticated cybercriminals. Fraudsters know this, so attacks are on the rise at mid-sized financial institutions, regional credit unions and smaller e-commerce sites. [See “Four Reasons Hackers are Targeting Small and Medium Sized Businesses,” by Steve Nice, SMLR Group, Consolidated Technologies, Inc., and “30 Surprising Small Business Cyber Security Statistics (2021),” by Maddie Shepherd, Fundera by nerdwallet, Dec. 16, 2020.]
“Not every company has the funding to handle (these attacks),” says Afre. “If you are a middle-level carrier, you are not going to necessarily have the funding and sometimes when you get the funding, fraud has evolved. Fraud isn’t stale and it evolves rapidly.”
Even so, organizations will have to weigh the costs of investing less in fraud prevention. With countries across the world passing privacy legislation, organizations face greater liability risks related to the theft and abuse of personal data, not to mention the other costs that come from ransomware and other fraud attacks. A study by Juniper Research predicted that losses due to e-commerce fraud alone would jump to more than $20 billion in 2021, up from $17.5 billion in 2020. (See “Financial Services risk: Cyber security concerns grow,” Allianz Global Corporate & Specialty, May 2021, and “Ecommerce losses to online payment fraud to exceed $20 billion annually in 2021,” Juniper Research, April 26, 2021.)
It’s also essentially a cost-value game for criminals who typically will only invest in technology if the payoff justifies the cost. So, while criminals will always catch up with new technology as it becomes better understood and subsequently less expensive, organizations must continue to innovate to drive up fraudsters’ cost of doing business. But the fight can’t be just a technical problem of building a better mousetrap or a stronger lockbox. Data governance, risk management and internal audit also have roles to play in solving the problems. Accurate risk assessments and prioritization are key to understanding what’s most important to protect and how the organization should balance customer/user experience against security. At the same time, security, technology and governance leaders must be aligned on what methods are consistent with the organization’s mission and core values.
[See “Looking for red flags at the back end” at the end of this article.]
Kevin M. Alvero, CFE, is senior vice president, internal audit, for Nielsen. Contact him at kevin.alvero@nielsen.com.
Password protections are becoming increasingly fallible partly because people fail to update them, don’t make them complicated enough or use the same ones across multiple platforms. And technology has only made them easier to break. Security experts are seeking alternatives.
Large tech companies like Microsoft, Google and Apple have long advocated that customers should be less reliant on passwords as they are far too easy to compromise and have led to multiple data breaches. (See “Why Microsoft, Google and Apple want you to ditch your password,” by Magdalena Petrova, CNBC, Tech, Jan. 19, 2020.)
Biometrics and multifactor authenticators, used individually or in tandem, are among the most likely replacements, but they aren’t without problems. For one thing, exposed biometric data may pose a greater threat to people than leaked PII, particularly as biometrics use in public security broadens. (See “Technologies That Can Replace Passwords,” Gbenga Ogbonyenitan, Techidence, Jan. 29, 2020.)
Meanwhile, crooks have already demonstrated an ability to defeat CAPTCHA challenges and multifactor authentications through a blend of technology and social engineering. (See “How hackers use CAPTCHA to evade automated detection,” by Dan Virgillito, Security Boulevard, Oct. 13, 2020.)
And in the field of synthetic identity, deepfake technology can enable fictitious personas to have online video or audio presences. Ultimately, no foolproof solutions exist.
Behind the scenes, security experts and anti-fraud professionals are constantly monitoring red flags and behavior that differs from authentic user activity. This can include: