Serious Scamdemic of pandemic fraud attacks

There’s no question e-commerce is booming for many reasons during the global pandemic. There’s one other huge growth industry during this same timeframe. It’s something I call a “scamdemic” – a pandemic of payments and financial fraud that’s costing consumers and businesses billions of dollars.

The payments and financial scams range from fraudulent COVID-19 products and investments, fake online product sales, and non-delivery of goods sold online to more familiar cyberattacks such as malicious downloads, loyalty and rewards program fraud, and email impostor scams, all supported by a host of new technology-based tools for online criminal activity.

Among the most common tactics cybercriminals still use are ransomware, credential stuffing, phishing, identity theft, new account fraud, account takeover, and chargeback fraud. This scamdemic is giving businesses a migraine and costing billions.

Global fraud facts

Here are a few sobering US fraud facts for perspective:

US fraud stats
  • in 2019, identity fraud affected 5.1% of US consumers and cost $16.9 billion, up from $14.7 billion in 2018 (Javelin)
  • business email compromise (BEC) accounted for $1.7 billion in US business losses in 2019, an average of about $72,000 per incident and nearly half of all reported cybercrime losses (FBI)
  • the US Federal Trade Commission (FTC) received 3.2 million identity theft and fraud reports in 2019: 1.7 million fraud reports (53% of all reports), 650,572 identity theft reports (20%), and 0.9 million other reports (28%) (FTC)
  • the overall median loss for fraud was $320; the top scams by median loss were foreign money offers and counterfeit check scams ($1,500), mortgage foreclosure relief and debt management ($1,290), and business and job opportunities ($1,000) (FTC)
  • the top contact method for fraudsters was the telephone (74% of reports); although only 5% of those contacted by phone lost money, those losses totaled $493 million in 2019 (FTC)
  • credit card fraud generated 271,000 complaints about identity theft and misuse of account information (FTC)

Other US consumer payment & FTC fraud facts

The Federal Trade Commission publishes many more fraud statistics for the curious.

The states with the highest per capita rates of reported fraud in 2019 were Nevada, Florida, Delaware, Maryland, and Georgia. For reported identity theft, the top states in 2019 were Georgia, Florida, California, Texas, and Nevada.

What is it about the sunshine states that makes them so popular with fraudsters?

US fraud reports hit record

By payment method, the FTC logged 250,678 fraud reports in 2019. Wire transfers were the largest category by both report count and dollar loss:
  • wire transfer: 73,542 reports ($439 million)
  • credit card: 53,763 ($135 million)
  • gift/reload card: 38,401 ($103 million)
  • bank account debit: 35,436 ($89 million)
  • Internet/mobile payment: 25,535 ($84 million)
  • cash/cash advance: 12,411 ($120 million)
  • check: 7,246 ($72 million)
  • money order: 3,868 ($23 million)
  • telephone bill: 956 ($2 million)

Looking at how fraudsters made contact, telephones were used in 74% of reported attempts ($493 million lost), followed by websites at 9% ($325 million), email 8% ($226 million), consumer-initiated contact 5% ($87 million), mail 3% ($51 million), and other methods 2% ($136 million).

Several fraud categories showed a big jump in 2019 over the previous year, including credit card new account fraud (+88%), auto loan/lease fraud (+105%), business/personal loan fraud (+116%), federal student loan fraud (+180%), non-federal student loan fraud (+74%), real estate loan fraud (+74%), and apartment/home rental fraud (+56%).

These scams keep on giving during the pandemic, when consumers are scrambling to meet rent, loan, credit card, healthcare, and other payments amid higher unemployment and this year's health impacts.

Biggest recent fraud and scam incidents

It’s valuable to look beyond the statistics at some of the recent high-profile cybercrime incidents and the comments of cybersecurity experts on them. They make interesting if painful reminders of the need for both consumers and businesses to closely protect their identity, payment practices, and personal financial information.

BlueLeaks data breach exposes COVID patient info


The so-called “BlueLeaks” data breach in June compromised the information of hundreds of thousands of law enforcement officers across the nation. As a result, the health information of hundreds of thousands of South Dakota COVID-19 patients was also exposed.

Saryu Nayyar, CEO of Gurucul, said: “Security breaches are the ‘gift that keeps on giving’ in the worst possible way. It should come as no surprise that there have been ongoing repercussions from the BlueLeaks breach in June. The revelation of some people’s COVID-19 status in the database has only come to light now but shows the depth of data revealed and the potential consequences that may not have been realized at the start.”

“The only bright spot to this revelation is the revealed information is largely time-sensitive, which somewhat reduces the impact. Unfortunately, it doesn’t eliminate it, or in any way excuse the breach,” Nayyar added.

“There’s plenty of blame to go around – the problem doesn’t sit solely with the third-party vendor. It’s up to every organization to regularly get assurances from their vendors about the security and currency of their technologies,” said Chloé Messdaghi, VP of Strategy at Point3 Security. “It’s a reminder that those who patch and update software – which can be among the more mundane of IT tasks – are everyday heroes doing necessary and important work.”

Experian data breach hits 24 million South Africans & 800,000 businesses


In South Africa, Experian is in the headlines again for another major incident after the company admitted handing over the data of millions of consumers to a fraudster posing as a legitimate client.

“As a consumer credit reporting company, they are clearly a high-value target for cybercriminals. Likely the company has an array of cybersecurity protections in place to prevent data breaches. Social engineering, however, is a different animal. In this case, an individual fraudulently claimed to represent a client and gained access to Experian services. This person then made off with 24 million South Africans’ PII as well as information from 800,000 businesses,” said Gurucul’s Nayyar.

The South African Banking Risk Information Centre (SABRIC), an anti-fraud banking non-profit, said the breach affected 24 million South Africans and 793,749 local businesses, and went public with it after Experian failed to disclose the incident. Experian said police helped it recover the fraudster’s computers, that the data was subsequently secured and deleted, and that only personal, not financial, information was involved.

“Fraud is malware’s ugly cousin. You need different controls to detect and catch social engineering and fraudulent behavior because fraud isn’t code. Fraud isn’t a malware application. People commit fraud,” Nayyar added.

Twitter fraud exposed security weaknesses

A 17-year-old was one of three people arrested in connection with the largest privacy and security breach in Twitter’s history and a bitcoin scam that saw the accounts of public figures such as Barack Obama, Bill Gates and Joe Biden hijacked for fraud. Police recovered more than $700,000 in bitcoin from the young cybercriminal.

Point3 Security’s Messdaghi says the Twitter incident is another example of pandemic overwhelm, with hackers shifting tactics to exploit the public in ever more creative ways.


“Think about it. Now more than ever, if someone gets a text on their mobile from a boss who doesn’t usually reach out that way, they’re likely to chalk it up to the interoffice lines of communications that have been blurred and rewritten by the Pandemic,” she said.

“And if an employee is then asked by someone purporting to be their boss with a message saying ‘we have a serious problem’ and to please call a helpdesk number immediately, they’re more likely to comply before thinking things through – again, because the Pandemic has made people overwhelmed and eager to respond to security threats.”

Messdaghi said research shows even well-informed users are three times more likely to fall for a phishing link on mobile than on desktop, because it is harder, visually and logistically, to double-check a link on a small screen.

She shares some common phishing-through-mobile approaches: “SMS messages that warn of a security situation or ask the recipient to ‘click here to validate’; URL padding, where a bad actor takes a legitimate domain and adds malicious extensions onto it that can lead elsewhere, but the recipient doesn’t know because when they get the SMS message only the main domain shows; malicious tiny URLs, which we see a lot, and which take the unsuspecting recipient to an insecure and dangerous site; and mobile verification code scams, which are the most popular.”
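The URL tricks in that list can be checked mechanically before anyone taps a link. The script below is an added example written for this page, not code from the article or from Point3 Security. The brand list, the legitimate-domain list, the shortener list and the sample messages are all constructed for illustration, and the registered-domain logic is a deliberate simplification (last two hostname labels, no Public Suffix List). It goes a little beyond the quote: besides brand-as-subdomain padding and shortener links, it flags the related userinfo trick (`https://brand.com@real-host`), brand names embedded in an unrecognised registered domain, and messages asking the recipient to send back a verification code.

```python
"""Flag common mobile-phishing URL tricks in SMS text.

Added example for this page (not the article's or any vendor's code). Checks:
  * URL padding: a trusted brand name sits in the labels LEFT of the real
    registered domain, so a truncated phone display shows 'chase.com...'.
  * userinfo trick: 'https://paypal.com@real-host.xyz' - browsers ignore the
    text before '@', so the real host is what follows it.
  * lookalike: a brand name inside an unrecognised registered domain.
  * URL shorteners, which hide the destination until resolved.
  * messages that ask the recipient to reply with or send a verification code.
"""
import re
from urllib.parse import urlsplit

# Assumption: illustrative brand names a victim would trust in a hostname.
TRUSTED_BRANDS = {"paypal", "apple", "chase", "amazon"}
# Assumption: the registered domains those brands legitimately use.
LEGIT_DOMAINS = {"paypal.com", "apple.com", "chase.com", "amazon.com"}
# Well-known public shorteners (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(validate|verify|confirm|suspended|locked)\b", re.IGNORECASE)
# "reply with this code", "send us the code", "forward the code" ...
CODE_RE = re.compile(r"\b(reply|send|forward|text)\b[^.!?]*\bcode\b", re.IGNORECASE)


def registered_domain(host):
    """Last two labels: 'chase.com.account-verify.xyz' -> 'account-verify.xyz'.

    Simplification for the example: multi-part public suffixes (co.uk, com.au)
    are not handled; production code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return a list of indicator strings for one URL; an empty list means no finding."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no parseable host"]
    reg = registered_domain(host)

    if reg in SHORTENERS:
        findings.append("shortener %s hides the real destination" % reg)

    if reg not in LEGIT_DOMAINS:
        # Everything left of the registered domain is attacker-chosen labels.
        padding = host[: len(host) - len(reg)]
        for brand in sorted(TRUSTED_BRANDS):
            if brand in padding:
                findings.append("brand '%s' padded in front of %s" % (brand, reg))
            if parts.username and brand in parts.username.lower():
                findings.append("brand '%s' in userinfo before @; real host is %s" % (brand, reg))
            if brand in reg:
                # Substring match is deliberately loose; an exact-label match would
                # avoid flagging names that merely contain a brand string.
                findings.append("brand '%s' inside unrecognised domain %s" % (brand, reg))
    return findings


def scan_sms(text):
    """Scan one SMS body; returns per-URL findings plus an overall verdict."""
    report = {
        "urls": {url: classify_url(url) for url in URL_RE.findall(text)},
        "lure_words": bool(LURE_RE.search(text)),   # context for triage, not a verdict
        "asks_for_code": bool(CODE_RE.search(text)),
    }
    report["suspicious"] = report["asks_for_code"] or any(report["urls"].values())
    return report


# Constructed sample messages (not real SMS traffic).
SAMPLE_SMS = [
    "Chase: your account is locked. Validate at https://chase.com.account-verify.xyz/login",
    "Your package is waiting: https://bit.ly/3abcXYZ",
    "PayPal security: confirm your identity https://paypal.com@secure-login.xyz/confirm",
    "Your Amazon OTP is 482113. Reply with this code to confirm the transfer",
    "Apple: receipt for your order https://secure.apple.com/receipt",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        r = scan_sms(sms)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", sms)
        for url, findings in r["urls"].items():
            for f in findings:
                print("    ", url, "->", f)
        if r["asks_for_code"]:
            print("     asks recipient to hand over a verification code")
```

The padding check is the one that matters on a phone: the display truncates from the right, so `chase.com.account-verify.xyz` reads as `chase.com` while the request goes to `account-verify.xyz`. Shortened links are only a yellow flag here; a real pipeline would expand them (a HEAD request following redirects) and re-run `classify_url` on the final destination.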

Personal banking app Dave exposed data of 7.5 million users

A data breach is not always a company’s direct fault. Companies also need to watch the security posture and performance of their vendors.


US personal finance and challenger bank app Dave was the victim of a data breach in July after a breach at former third-party service provider Waydev let malicious hackers steal the personal data of more than 7.5 million users. The company said bank account numbers, credit card numbers, records of financial transactions, and unencrypted Social Security numbers were not disclosed or affected.

“The Dave.com breach is another example of attacks that come through a third-party with access to the environment. It’s a common theme and has led to some high profile, and expensive, breaches,” Gurucul CEO Saryu Nayyar said.

“The challenge is gaining visibility into third-party environments or applications that can access your own systems. It’s very difficult to hold outside vendors to your organization’s security requirements. You often have little recourse but to require it in writing, and hope they hold up their end of the bargain,” she added.

The list of serious identity theft, payment fraud, and data breach incidents keeps growing, amplified by the pandemic and by cybercriminal creativity. Consumers and businesses must keep learning, monitor more carefully, and respond faster to potential problems and ever more ingenious attacks.