By Roy Urrico
It seems unfair that so many organizations, including credit unions, need to focus not only on carrying on business during a pandemic, but also on numerous security threats before, during and, almost certainly, after COVID-19. Here is a roundup of recent reports that highlight the impact of account takeover attacks, supply chain attacks and digital fraud.
Businesses Underestimate Account Takeover Attacks
A new study from San Francisco-based Arkose Labs, which provides a platform to identify bad actors, revealed that businesses underestimate the full impact of account takeover attacks (ATOs). The study included more than 100 IT executives at U.S. companies, ranging in size from 1,000 employees to over 10,000, in over a dozen industries.
“We wanted to better understand how ATO attacks are affecting businesses across industries. What we have found is that it can be deeply destructive — from a brand/user experience to the overall monetary loss for an organization,” said Lizzie Clitheroe, head of product marketing at Arkose Labs.
Overall, almost 90% of the respondents said ATO attacks cost them less than $500,000 in 2020, with 39% reporting losses of less than $100,000 over the past year. However, according to the study, many businesses may not have full visibility into the true extent of how ATOs interrupt their business.
“Account takeover attacks are the fuel that powers fraud and abuse globally. Personal data from compromised accounts is shared and sold on the dark web to then be reused, perpetuating the cycle of every data breach,” the study maintained. “Funds drained from hacked user accounts can be used to fund further downstream scams or to make fraudulent purchases. Legitimate accounts can also be used to send authentic-seeming spam and phishing messages to consumers via email or on a digital platform.”
While most businesses recognize the negative impact ATOs have on user experience and brand awareness, many organizations underestimate the volume of attacks, as well as the total cost of ATOs targeting their users. “With the increase in ATOs, credential stuffing, and rising sophistication of attacks, businesses need to be more vigilant in detecting the nuances and full impact of ATOs,” noted Clitheroe.
The Arkose report determined financial services firms have the most at stake in keeping customer accounts safe from fraud attacks. “Financial firms hold the most valuable consumer data, including bank account information, payment credentials, Social Security numbers, addresses and more.”
The study also revealed that a successfully hacked consumer financial account is a treasure trove for fraudsters, and that financial institutions, because of the sensitive and valuable data they store, also face greater regulatory scrutiny as a result of compromised accounts, which could result in massive fines.
It comes as no surprise that 94% of financial institutions surveyed either agreed or strongly agreed that ATOs had impacted their customers’ user experience. Also, 72% of financial services firms reported ATOs affected brand reputation, and 66% disclosed ATOs created compliance concerns, both higher than the cross-industry average.
Digital Fraud Attempts, COVID-19 Fraud Increased 46% In Last Year
Chicago-based TransUnion’s quarterly analysis of global online fraud trends found fraudulent digital schemes against businesses increasing since the COVID-19 pandemic. In addition, TransUnion’s 2021 first quarter Global Consumer Pulse Study found that more than one in three global consumers were recently targeted by digital fraud related to COVID-19.
TransUnion came to its conclusions about digital fraud against businesses based on intelligence from billions of transactions and more than 40,000 websites and apps contained in its flagship identity proofing, risk-based authentication and fraud analytics solution suite, TransUnion TruValidate.
It found the percentage of suspected fraudulent digital transaction attempts against businesses worldwide increased 46% when comparing the following two periods: March 11, 2019 to March 10, 2020; and March 11, 2020 (when the World Health Organization declared COVID-19 a global pandemic) to March 10, 2021. In the U.S., this percentage increased 22% in the same timeframe.
“Fraudsters are always looking to take advantage of significant world events. The COVID-19 pandemic and its corresponding rapid digital acceleration brought about by stay-at-home orders is a global event unrivaled in the online age,” said Shai Cohen, senior vice president of global fraud solutions at TransUnion. “By analyzing billions of transactions we screened for fraud indicators over the past year, it has become clear that the war against the virus has also brought about a war against digital fraud.”
The Global Consumer Pulse Study also found (as of March 16, 2021) the number of worldwide consumers targeted by digital fraud related to COVID-19 in the last three months was 36% higher than approximately one year ago.
In April 2020, TransUnion found digital fraud related to COVID-19 affected 29% of consumers globally; in the U.S., this percentage increased from 26% to 38% in the same timeframe. Worldwide, Generation Z is the most targeted of any cohort at 42%, followed by millennials (37%). In the U.S., Gen Z is targeted at 53%, followed by millennials at 40%.
For financial services, there was a 57.49% change in suspected fraud, with the top threat being identity theft. Only telecommunication, at 57.52%, was higher, and for that industry credit card fraud was the top fraud type.
“TransUnion documented a 21% increase in reported phishing attacks among consumers who were globally targeted with COVID-19-related digital fraud just from November 2020 to recently,” Melissa Gaddis, senior director of customer success, global fraud solutions at TransUnion, said. “This revelation shows just how essential acquiring personal credentials is for carrying out any type of digital fraud. Consumers must be vigilant and businesses should assume all consumer information is available on the dark web and have alternatives to traditional password verification in place.”
TransUnion found the countries with the highest rate of suspected fraudulent digital transactions from March 11, 2020 to March 10, 2021 were: 1) the Seychelles, 2) Kazakhstan and 3) Turkmenistan. In the U.S. during that same period, TransUnion found the cities with the highest percentage of suspected fraudulent transactions were: 1) Tempe, Ariz., 2) Hamtramck, Mich. and 3) Colonial Park, Pa.
Rise in Breaches and Supply Chain Attacks
According to the first quarter 2021 data breach analysis by the El Cajon, Calif.-based Identity Theft Resource Center (ITRC), publicly reported U.S. data compromises rose 12% in the first quarter of 2021, with 363 compromises compared to the fourth quarter of 2020 (325 compromises).
The number of individuals impacted, though, is up significantly more (564%): almost 51 million in quarter one, 2021, versus 8 million in quarter four, 2020. Financial services accounted for 51 breaches and more than 1.7 million individuals.
Phishing and ransomware remain the leading root causes of data compromises, but supply chain attacks are of particular concern. “There were only a handful of supply chain attacks in all of 2020. However, so far in 2021, there have been three high-profile attacks – two in the last two weeks,” noted the ITRC in mid-March 2021.
The three high-profile supply chain incidents included software provider Accellion, which impacted 137 U.S. organizations and 7 million individuals; SITA's Passenger Service System, which handles a number of air transport transactions from reservations to boarding, and processes the frequent flier information of 90% of the world’s airlines; and the Microsoft Exchange server attack, which could affect more than 100,000 organizations worldwide.
The 42% rise in the number of supply chain attacks includes attacks on 27 third-party vendors. There were 19 supply chain attacks in the fourth quarter of 2020.
The trend toward supply chain attacks shows cybercriminals are concentrating attack efforts on single organizations that provide access to the data of multiple businesses. Instead of attacking 1,000 consumers to gain $300,000, threat actors attack one company and walk away with the same amount or more money with less effort and risk.
In a separate announcement, the ITRC said, “The biggest threat to individual identities is the significant shift away from traditional identity theft fueled by personal information acquired in mass attacks and towards credential theft used to commit identity fraud.”
The ITRC pointed out targeted attacks against businesses are easier for threat actors to execute and result in a larger payout. The average ransomware payment from companies has grown from less than $10,000 in the third quarter 2018 to more than $312,000 per event nowadays.
To ensure protection against attacks, businesses and consumers should follow cyber-hygiene best practices, especially good password management. According to the Identity Defined Security Alliance (IDSA), 79% of organizations have experienced an identity-related breach in the last two years, and 99% believe their identity-related breaches were preventable.