By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
Two recent reports focus on information security, one from the Identity Theft Resource Center (ITRC) on data breaches, and the other from the Association for Financial Professionals on payment fraud.
ITRC’s Quarterly Data Breach Analysis
The Identity Theft Resource Center (ITRC), a national nonprofit organization established to support identity crime victims, released its U.S. data breach findings for the first quarter of 2023. The analysis reported 445 publicly-reported data compromises in the quarter, a 13% percent decrease compared to the previous quarter (512 compromises), the last quarter of 2022.
However, the El Cajon, Calif.-based ITRC also reported the number of data breaches with no actionable information about the root cause of the compromise grew to 187 in the first quarter of 2023, compared to 155 in the first quarter of 2022 and five in the first quarter of 2021. This continues a trend the ITRC revealed in its 2022 Annual Data Breach Report, that disclosed the number of breach notices with detailed attack and victim information had dropped by more than 50% since 2019.
“The number of victims and compromises normally drop in (first quarter) each year,” said Eva Velasquez, president and CEO of the ITRC. “However, it is troubling to see the trend of a lack of actionable information in data breaches continue from 2022.” Velasquez noted among the top ten breaches in the first quarter of 2023, 60% did not include information about the root cause of the event, compared to 40% in the last quarter of 2022. “This means individuals and businesses remain at a higher risk of cyberattacks and data compromises.”
Other findings in the Q1 2023 Data Breach Analysis include:
· Total number of victims hit 89,140,686 over this year’s first quarter.
· The number of victims (89 million) decreased by 64% from the fourth quarter of 2022 total of 252 million victims.
· Compromises in the manufacturing and utilities, technology, healthcare, and transportation industries impacted an estimated 84 million victims.
· The healthcare category accounted for the most breaches (81); but the technology category had the most victims with 22,362,858. Financial services saw 70 compromises, which impacted 1,707,888 victims.
· Supply chain continued to be a significant attack vector for threat actors seeking personal information in the first quarter of 2023. Of the 378 breaches attributed to cyberattacks, 53 were supply chain attacks compared to 54 ransomware attacks. Phishing remained the most common attack vector leading to a data breach in the quarter.
AFP Survey: Payments Fraud Affected 65% of Organizations in 2022
The Bethesda, Md.-based Association for Financial Professionals (AFP), a professional society committed to advancing the success of treasury and finance members, released it 2023 AFP Payments Fraud and Control Survey. The report, underwritten by J.P. Morgan, revealed 65% of organizations were victims of payments fraud attacks/attempts in 2022.
According to the AFP report, though still significant, the number of payment fraud victims represents the lowest reported percentage of fraud activity since 2014, when it was 62%. A decrease in reported fraud activity suggests some success from the efforts of treasury leaders to mitigate fraud attacks and alleviate their impact.
“The overall decrease in payments fraud activity is an encouraging sign of the proactive efforts of treasury and finance practitioners to curb fraud attacks,” said Jim Kaitz, president and CEO of AFP. “We must remain vigilant in our training and innovation around payments fraud prevention to stay ahead of our adversaries.”
The survey also revealed that of companies that were victims of payments fraud in 2022, 71% faced fraud via business email compromise (BEC). Larger organizations with annual revenue of at least $1 billion are more susceptible to BEC scams.
The AFP study also indicated checks continue to be the payment method most vulnerable to fraud, with 63% of respondents reporting their organizations faced fraud activity through this paper-based payment method. The report uncovered although checks are a frequent target of payments fraud, three-fourths of organizations surveyed currently using checks do not plan to discontinue issuing checks. The reasons companies are reluctant to eliminate check usage include customer resistance to Automated Clearing House (ACH) transfers, and the need for checks in refund issuance.
Another old-school payment fraud method seemingly making a comeback involves mailbox break-ins. Said the report: “2022 saw a large increase in brazen and successful attempts at stealing mail from post office boxes: i.e., the blue boxes typically found on street corners. Perpetrators of these crimes replicated keys to mailboxes and stole mail. Mail was then opened, and payments containing checks (government, business, personal, etc.) were washed (erasing details to allow them to be rewritten) and check amounts and names of payees altered. These checks were then endorsed and deposited into accounts with a short life.” The report noted the Financial Crimes Enforcement Network recently issued a warning to financial institutions about how this type of fraud is low-tech (being paper based) and low cost, and an attractive method for fraudsters.
Other key findings from the 2023 AFP Payments Fraud and Control Survey include:
· Of those who were victims of payments fraud in 2022, more than one-fourth of organizations (27%) were able to successfully recover at least 75% of funds lost. However, nearly half (44%) were unsuccessful in recouping any of the stolen funds.
· Forty-five percent of respondents (the highest in the past five years) cited wire transfers as a top payment method used during BEC attempts.
· Instances of fraud via commercial cards increased by 10 percentage points, and instances of fraud via ACH credits and virtual cards increased by 6 percentage points each.
· When looking to report payments fraud, nearly 80% of organizations are most likely to seek assistance from their banking partners for guidance regarding the steps to take to minimize the impact of the fraud.