Are Fraudsters Using Breached Data to Scam Members?
By Roy Urrico
Most data breaches do not generate major headlines lately, but under-the-radar COVID-19 related scams could nevertheless put member data in jeopardy if credit unions do not stay abreast of information exposure.
"Any crisis is a green light to cybercriminals and scammers," Jim Van Dyke, CEO for San Francisco fraud prevention and detection technology firm Breach Clarity, said. "COVID-19 has created an enormous amount of uncertainty and chaos at a scale we’ve not seen before. That makes [people] incredibly vulnerable.” Considering the amount of private information available on the dark web, it is the perfect storm, he added.
Cybercriminals continually try to access the data storage areas where there is lots of information to steal. “Nearly four breaches happen every average day, and every one raises the credit union’s risk of identity theft, scams and fraud. The credit union cannot do anything to stop these breaches,” Van Dyke held.
Some recent incidents present a great risk for COVID-19 scams:
LimeLeads (reported January 2020) uncovered employer names, contacts and email addresses. ZDNet said a hacker claimed to have a LimeLeads database of 49 million contacts for sale on an underground forum.
Health Share of Oregon (February 2020) exposed almost 655,000 records containing health information, insurance and Social Security account numbers, and other personal data.
Market analysis company Tetrad (February 2020) breached blended data of some 120 million individuals from multiple sources such as names, genders and addresses.
Marriott International (March 2020) exposed some 5.2 million hotel guest records including employer names, addresses, emails and phone numbers. In late 2018, a different Marriott breach exposed 383 million records.
In April 2020, cybersecurity intelligence firm Cyble told BleepingComputer over 500,000 of conferencing app Zoom accounts ‑ containing email addresses, passwords and personal meeting URLs – are on sale on the dark web for less than one cent each.
Tupperware.com (March 2020) exposed credit and debit card information and billing addresses.
"A number of smaller breaches directly tied to COVID-19 assistance programs pose particularly concentrated risk to victims," added Van Dyke. Those breaches, he noted, included the SBA exposing data on some 8,000 small business owners applying for disaster loans, and the Arkansas Division of Workforce Services exposing approximately 30,000 Pandemic Unemployment Assistance applicants’ Social Security and bank account numbers.
Van Dyke maintained not every breach opens victims to COVID-19 scams. Breach Clarity’s machine-learning platform for financial services providers analyzes 1,188 data points to assess the specific breach risks for members. One of the most serious risks involves identity theft, which Van Dyke said is a two-crime transgression. “You compromise the data and then you use the data. Sometimes it is the same identity criminal, or maybe the data gets sold.”
COVID-19 scammers depend on social engineering to attack financial accounts using acquired contact and account information. Identity criminals posing as intended recipients of coronavirus-related payments and loans claimed too much of these funds already, explained Van Dyke. The IRS, for example, advised Americans to guard against phishing scams by emails, texts and phone calls that mention "stimulus check"; and the Federal Trade Commission warned consumers not to fall for vaccinations and home test kit offers.
For credit unions, identify theft shows up in new account origination or account takeovers (ATOs), Van Dyke said. A July 2019 Fed white paper, “Synthetic Identity Fraud in the U.S. Payment System,” focused on this mounting problem of synthetic ID fraud for credit unions and other FIs, whereby impostors increasingly use fake identities created from amassing enough info on individuals from various schemes and frauds to execute scams.
“The bullets aimed at the bad people better be fired by both credit unions and members working together. When credit unions ignore the consumers’ unique breach history they are working from a strong disadvantage,” said Van Dyke.
“Our Breach Clarity service, offered by credit unions as a financial health digital tool in the same way that many offer free credit scores, allows a member to log in (mobile or online), and enter the name of any new breach or a collection of breaches.”
Van Dyke further explained that the credit union’s algorithm instantly tells the member the breach severity, the specific ID crime risks (i.e. ATO, card fraud) and, most importantly, which of the 50 available consumer action steps to prioritize. “Most breaches call for members to implement at least one account safety feature offered by the credit union, such as two-factor authentication or text alerts,” he said.
Van Dyke added that Breach Clarity’s recommendation engine takes members to the right screen in the credit union’s environment. “We’re out to improve everyone’s safety, working with credit unions to bring personalized advice to every member.”