Following the H1 2021 update of Fraud the Facts from UK Finance and the latest 2021 Cybercrime Report figures from LexisNexis® Risk Solutions, Ellie Burns from LexisNexis Risk Solutions talked to Jason Lane-Sellers, EMEA director, fraud & identity market planning, about how the two reports align in their findings and what key trends these data sets reveal about where authorised push payment (APP) fraud is heading in 2022.
Ellie Burns (EB): Two big fraud reports have landed recently: the LexisNexis Risk Solutions Cybercrime Report and the Fraud the Facts H1 2021 update from UK Finance. Arguably, the headline grabber for both reports was APP fraud, or scams, with the numbers painting a concerning picture, to say the very least: the amount of money stolen via APP fraud overtook card fraud losses for the very first time in the Fraud the Facts report, costing the UK £355.5 million after a huge 71% increase.
What were your initial thoughts when you saw this huge growth in APP fraud, and how does it compare to what we saw in our latest Cybercrime Report?
Jason Lane-Sellers (JLS): It did not come as a surprise, but the findings give an excellent insight into the scale of the increase in APP fraud this year.
From our analysis we have also seen an increase in that methodology and vector of attack, with current marketplace conditions exacerbating the epidemic of scams we see today. It’s like a perfect storm – just look at how much data is available, the speed of transfers and payments, the advent of open banking, the increase in automation and the decrease in face-to-face interactions – then mix in a global pandemic, which has forced a wave of new-to-digital users who now have to transact online. This perfect storm, coupled with the fact that scams are quick, simple and easy to execute, has made APP fraud extremely lucrative. Remember, fraudsters want quick, fast access to cash, looking to get the best returns for the least effort, which is why scams have become the go-to attack this year.
EB: As we know, fraudsters are constantly evolving and changing their MO, and they have been adept at leveraging fear and urgency, utilising events like the pandemic in their attacks. What I thought was a really interesting trend found in our Cybercrime Report was fraudsters using both bots and social engineering in APP fraud attacks. Can you talk me through that trend in more detail?
JLS: I like to refer to APP fraud now as ‘targeted social engineering’, whereby the fraudster has to know some details about the victim in order to convince them that they are an authoritative body – a bank, for example.
What we saw in the Cybercrime Report, at the first stage in this ‘targeted social engineering attack’, is the credential testing of usernames and passwords which the fraudster may have obtained through a data breach or data attack. Usually, fraudsters will credential test against media companies or non-finance organisations, deploying automated bots which can quickly validate usernames and passwords.
Now let’s say you are being targeted, and a fraudster has an email and password that represents you for an IPTV organisation. If they can log in to that account and it works, then that validates the information. The fraudster then contacts you via social media, SMS or phone call, saying that they are from your bank. They tell you not to disclose your password, because they would never ask you to give your entire password, but instead give you the fourth, eighth and ninth digits of your password – using the information previously validated by credential testing – all very convincing.
All the fraudster has done is gain information from a different organisation, validated that information, and then taken a chance that the password used by you is probably the same password used for multiple accounts and services online – which many people still do, unfortunately. From that point onwards, the fraudster can interact with you, and when the fraudster asks for money to be moved and transferred, it is all the more credible as the ‘bank’ has confirmed three of your password digits. It’s more credible, more believable. When the fraudster is validating your credentials, they can gather additional information like billing address and then utilise that information when they are talking and interacting with you. All to make the ruse more believable, so when the time comes to ask for a payment, you are not suspicious, and the scam is more believable.
In our Cybercrime Report we have also seen fraudsters use password reset protocols to validate stolen credentials, in addition to seeing mass credential testing using other verticals, not just media companies – insurance, gaming and gambling, for instance.
This type of attack is much more targeted, and therefore much more lucrative for the fraudsters – if the fraudster does a mass SMS text with a ‘you’ve won this prize’ scenario, they will get very low returns. Whereas with this kind of targeted social engineering, a fraudster may get a 10%, 15% or 20% rate of interaction from individuals to process that scam.
EB: The conclusion in Fraud the Facts painted a stark future, with UK Finance stating that fraud is now at a level where it poses a national security threat. The report called for coordinated action from public and private industry. What is your take on this?
JLS: I think it’s key to understand that attacks are no longer committed against one vertical. Going back a few years, if I was working for a telecoms company, or at a bank, or a media organisation, I’d be worried about fraud attacks against my organisation. This is because the target and the end point would be my customers, my revenue and my services that were under attack. From our analysis in the Cybercrime Report, what we have today are fraudsters utilising the digital industries that are out there to create their own network in which to gather information and assets.
These fraud networks touch almost every industry – media, gaming, gambling, insurance, healthcare, banking, fintech, start-ups – which means all those types of vertical industries can no longer exist in a silo. Attack profiles are multi-industry – look at scams; a scam has a number of steps, with those steps and touchpoints happening across multiple industries. The only way you’re going to get a true view of something happening is when you’re able to interact with those industries together, not in individual silos and individual components.
That’s why we built ThreatMetrix® Consortium – to facilitate information exchange between organisations, enabling businesses to collectively fight fraud together using the LexisNexis® Digital Identity Network®.
Consortium enables businesses with common goals, challenges or fraud risks to share their negative and positive data attributes in near real time, across an agreed set of Consortium members and contributors. This allows for more targeted risk assessment as the transaction occurs, in addition to allowing businesses to see greater context within the data – understanding, for example, which organisation has blacklisted a device and why – this then supports smarter and more contextualised fraud decisions.
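The two automated validation steps Jason describes earlier in the interview, bots testing leaked username/password pairs against a non-finance login, and password-reset requests used to confirm which accounts exist, both leave a recognisable shape in an authentication log long before the "your bank" phone call happens. The following is a worked example added to this page by the editor; it is not part of the interview and is not LexisNexis or ThreatMetrix code. The log format, IP addresses, usernames, endpoint names and thresholds are all constructed for illustration:

```python
"""Flag credential-stuffing and reset-endpoint enumeration in a login log.

Added worked example (not from the interview, not vendor code). The log
format below is assumed: "<timestamp> <src_ip> <endpoint> <username> <outcome>".
All addresses and usernames are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Four sources:
#   203.0.113.7   bot replaying leaked pairs: many users, one try each, mostly fails
#   198.51.100.3  a real user who mistypes once and then succeeds
#   198.51.100.44 classic brute force: one username hammered repeatedly
#   192.0.2.9     reset-endpoint enumeration: many usernames, responses differ
SAMPLE_LOG = """\
2021-11-02T09:00:01Z 203.0.113.7 /login alice@example.net fail
2021-11-02T09:00:02Z 203.0.113.7 /login bob@example.net fail
2021-11-02T09:00:02Z 203.0.113.7 /login carol@example.net fail
2021-11-02T09:00:03Z 203.0.113.7 /login dave@example.net success
2021-11-02T09:00:03Z 203.0.113.7 /login erin@example.net fail
2021-11-02T09:00:04Z 203.0.113.7 /login frank@example.net fail
2021-11-02T09:00:04Z 203.0.113.7 /login grace@example.net fail
2021-11-02T09:00:05Z 203.0.113.7 /login heidi@example.net fail
2021-11-02T09:01:10Z 198.51.100.3 /login bob@example.net fail
2021-11-02T09:01:25Z 198.51.100.3 /login bob@example.net success
2021-11-02T09:02:00Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:02:01Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:02:02Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:02:03Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:02:04Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:02:05Z 198.51.100.44 /login admin@example.net fail
2021-11-02T09:03:00Z 192.0.2.9 /reset ivan@example.net sent
2021-11-02T09:03:00Z 192.0.2.9 /reset judy@example.net unknown_user
2021-11-02T09:03:01Z 192.0.2.9 /reset mallory@example.net unknown_user
2021-11-02T09:03:01Z 192.0.2.9 /reset oscar@example.net sent
2021-11-02T09:03:02Z 192.0.2.9 /reset peggy@example.net unknown_user
2021-11-02T09:03:02Z 192.0.2.9 /reset trent@example.net sent
"""


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    endpoint: str
    user: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def classify_sources(events: list[Event], *, min_users: int = 5,
                     max_tries_per_user: float = 1.5, min_fail_ratio: float = 0.6,
                     min_brute_tries: int = 5) -> dict[str, set[str]]:
    """Return {src_ip: labels} for sources showing an automated pattern.

    credential_stuffing: many distinct usernames, roughly one attempt each,
        mostly failures, i.e. a bot validating a leaked credential list.
    brute_force: a single username with many failed attempts.
    reset_enumeration: many distinct usernames pushed through /reset; only
        possible because the endpoint answers "sent" vs "unknown_user".
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings: dict[str, set[str]] = {}
    for ip, evs in by_ip.items():
        labels: set[str] = set()
        logins = [e for e in evs if e.endpoint == "/login"]
        if logins:
            users = {e.user for e in logins}
            fails = sum(e.outcome == "fail" for e in logins)
            tries_per_user = len(logins) / len(users)
            if (len(users) >= min_users and tries_per_user <= max_tries_per_user
                    and fails / len(logins) >= min_fail_ratio):
                labels.add("credential_stuffing")
            if len(users) == 1 and fails >= min_brute_tries:
                labels.add("brute_force")
        reset_users = {e.user for e in evs if e.endpoint == "/reset"}
        if len(reset_users) >= min_users:
            labels.add("reset_enumeration")
        if labels:
            findings[ip] = labels
    return findings


def validated_credentials(events: list[Event], findings: dict[str, set[str]]) -> list[str]:
    """Accounts a flagged stuffing source logged into successfully.

    These are the reused passwords the fraudster can later quote three
    characters of; they are the accounts to force-reset and notify.
    """
    return sorted(e.user for e in events
                  if e.endpoint == "/login" and e.outcome == "success"
                  and "credential_stuffing" in findings.get(e.ip, set()))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = classify_sources(evs)
    for ip, labels in sorted(found.items()):
        print(ip, ", ".join(sorted(labels)))
    print("validated accounts needing forced reset:", validated_credentials(evs, found))
```

Two points the example is built to show. First, a stuffing run looks nothing like a brute-force run in the per-source ratios: one attempt per username across many usernames, rather than many attempts against one, so a lockout policy keyed on failures per account never fires, and the single success in the run is the valuable event to act on. Second, the reset-endpoint enumeration only works because the constructed `/reset` endpoint answers differently for known and unknown usernames; returning the same response in both cases removes that validation path, and the detector above would still catch the volume pattern if it did not.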