As we settle into our new digital lives, where the internet has become our workplace, our classroom, our shopping venue and our social lifeline, our behaviours have changed forever.
While a pandemic-driven increase in cyber crime and an exacerbation of existing fraud trends were, to a large extent, to be expected, the LexisNexis Risk Solutions UK Cybercrime Report 2020 still had a few surprises in store.
New dogs are falling for old (and new) tricks
The accepted wisdom is that, in our increasingly digitised world, the older you are, the more susceptible to scams you will be. Indeed, global figures, such as those in the latest FBI/IC3 Internet crime report, seem to confirm this (see table: 2020 victims by age group).
However, the latest cyber crime report from LexisNexis paints a slightly different picture: its age analysis showed that the younger age groups saw the highest rate of attacks, making them, by that measure, the most susceptible.
While it remains true that the older you are, the greater the financial loss, why would fraudsters target the young, who are arguably less well off?
The answer lies in volume. Criminals have been trading lower monetary gain per victim for higher attack rates, capitalising on the fact that the young are perhaps both more liberal with personal information (and privacy in general) and, at the same time, heavy digital users (social media, surveys, games, and so on).
In fact, it is scary to see how much value the humble email address can have for criminals. We often forget that once obtained, it can be used further down the line to commit more fraud.
As criminals look to benefit from the economic downturn, the younger generations are also being targeted by mule recruiters who post fake adverts on job websites and social media, targeting those looking for work or offering them the hope of making a quick buck in exchange for the use of their bank account.
In fact, the Dedicated Card and Payment Crime Unit (DCPCU) worked with social media platforms to take down more than 700 accounts linked to fraudulent activity in 2020, of which over 250 were money mule recruiters.
Another trend where the UK diverged from global figures is the increase in bot attacks. While global figures show an unremarkable 2% decrease in attacks overall, bot attacks in the UK increased by a huge 44%, specifically across e-commerce and media, sectors typified by being less secure and less regulated than financial services.
With 85% of transactions in the UK originating from a mobile device, 52% of attacks were also on mobile devices, mostly through the mobile browser rather than a native app. Mobile apps are generally more secure, and tellingly, the attacks that did target them were concentrated at the point of app registration rather than at the transaction stage, demonstrating again that fraudsters continue to capitalise on stolen identities readily available through the dark web.
Once stolen credentials are validated at scale through bots, they can then be used in other, more lucrative attacks further down the line, such as creating synthetic identities to obtain financial services or credit.
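The two bot patterns described above, bulk credential validation at login and automated sign-ups at app registration, look different in web logs, which is why a single login-failure rule misses the second. The following detector is an added example written for this article; it is not code from LexisNexis Risk Solutions, UK Finance or the author. The log line format, the `/login` and `/register` endpoint names, the rule thresholds and the sample log lines are all constructed for illustration: stuffing is flagged by many distinct identities and a high failure ratio from one source inside a short window, while registration abuse is flagged by identity velocity alone, because those requests mostly succeed.

```python
"""Credential-stuffing and mass-registration detection over authentication logs.
Added example for this article; not code from LexisNexis, UK Finance or the author.
Log format, endpoint names, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log line format (an assumption, not any real product's format):
#   <ISO-8601 UTC time> ip=<client> path=<endpoint> user=<identifier> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Per-endpoint rules (illustrative thresholds). Login stuffing: many distinct
# identities AND mostly failures. Registration abuse: many distinct identities,
# but the requests succeed, so no failure ratio is required there.
RULES = {
    "/login": {"min_attempts": 10, "min_users": 8, "min_fail_ratio": 0.8},
    "/register": {"min_attempts": 8, "min_users": 8, "min_fail_ratio": 0.0},
}
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return an event dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "path": m["path"],
            "user": m["user"], "ok": m["result"] == "ok"}


def detect_bursts(lines, rules=RULES, window=WINDOW):
    """Slide a time window over each (ip, endpoint) stream and report the largest
    window breaching that endpoint's rule. In a flagged login burst, the attempts
    that succeeded are the accounts most likely to have been taken over."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    streams = defaultdict(list)
    for e in events:
        streams[(e["ip"], e["path"])].append(e)
    findings = []
    for (ip, path), evs in streams.items():
        rule = rules.get(path)
        if rule is None:
            continue
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fail_ratio = sum(1 for e in win if not e["ok"]) / len(win)
            if (len(win) >= rule["min_attempts"] and len(users) >= rule["min_users"]
                    and fail_ratio >= rule["min_fail_ratio"]
                    and (best is None or len(win) > best["attempts"])):
                best = {"ip": ip, "path": path, "attempts": len(win),
                        "distinct_users": len(users), "fail_ratio": round(fail_ratio, 2),
                        "succeeded": sorted(e["user"] for e in win if e["ok"])}
        if best:
            findings.append(best)
    return findings


# Constructed sample log: a stuffing burst (two hits), a genuine user mistyping
# a password, an automated registration burst, and one genuine registration.
SAMPLE_LOG = """
2020-11-03T09:00:00Z ip=198.51.100.7 path=/login user=u01 result=fail
2020-11-03T09:00:02Z ip=198.51.100.7 path=/login user=u02 result=fail
2020-11-03T09:00:04Z ip=198.51.100.7 path=/login user=u03 result=fail
2020-11-03T09:00:06Z ip=198.51.100.7 path=/login user=u04 result=ok
2020-11-03T09:00:08Z ip=198.51.100.7 path=/login user=u05 result=fail
2020-11-03T09:00:10Z ip=198.51.100.7 path=/login user=u06 result=fail
2020-11-03T09:00:12Z ip=198.51.100.7 path=/login user=u07 result=fail
2020-11-03T09:00:14Z ip=198.51.100.7 path=/login user=u08 result=fail
2020-11-03T09:00:16Z ip=198.51.100.7 path=/login user=u09 result=ok
2020-11-03T09:00:18Z ip=198.51.100.7 path=/login user=u10 result=fail
2020-11-03T09:01:00Z ip=203.0.113.5 path=/login user=carol result=fail
2020-11-03T09:01:20Z ip=203.0.113.5 path=/login user=carol result=fail
2020-11-03T09:01:40Z ip=203.0.113.5 path=/login user=carol result=ok
2020-11-03T09:02:00Z ip=198.51.100.9 path=/register user=new01 result=ok
2020-11-03T09:02:05Z ip=198.51.100.9 path=/register user=new02 result=ok
2020-11-03T09:02:10Z ip=198.51.100.9 path=/register user=new03 result=ok
2020-11-03T09:02:15Z ip=198.51.100.9 path=/register user=new04 result=ok
2020-11-03T09:02:20Z ip=198.51.100.9 path=/register user=new05 result=ok
2020-11-03T09:02:25Z ip=198.51.100.9 path=/register user=new06 result=ok
2020-11-03T09:02:30Z ip=198.51.100.9 path=/register user=new07 result=ok
2020-11-03T09:02:35Z ip=198.51.100.9 path=/register user=new08 result=ok
2020-11-03T09:03:00Z ip=203.0.113.8 path=/register user=dave result=ok
"""


def run_sample():
    """Run the detector over the constructed log and return its findings."""
    return detect_bursts(SAMPLE_LOG.splitlines())
```

Running `run_sample()` flags two sources: the `/login` burst from 198.51.100.7 (ten identities, 80% failures, with `u04` and `u09` as the hits that warrant a forced credential reset and a takeover check) and the `/register` burst from 198.51.100.9, which has no failures at all and would be invisible to a failure-only rule. The genuine user retrying her password and the single genuine registration are left alone. In production the per-source key would be widened beyond the raw IP (device fingerprint, ASN, proxy indicators), since stuffing tools rotate addresses.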
But it’s not all bad news. While mobile attacks were prominent, they actually decreased by 23% compared with the previous year, mostly due to the fact that attacks from the outside world, such as those delivered through open public Wi-Fi networks, were hampered by lockdowns.
More importantly, great strides have been made to improve authentication in mobile channels, as seen with the increased adoption of technologies such as biometrics.
This is reflected in the figures provided by UK Finance: mobile banking fraud, while up 41% on the previous year, amounted to a comparatively modest £21.6m, whereas fraud through mobile browsers or internet banking totalled a staggering £159.7m.
We’re gaining ground on social engineering, but it’s becoming smarter
In 2020, as the global health crisis unfolded, we became even more hungry for data and information. Criminals capitalised on this global need, repurposing existing technologies and processes to address local opportunity.
Both Google and Microsoft showed that criminals continued to harvest credentials and compromise infrastructure as facilitators of further crimes. In fact, social engineering remains the most successful way of attacking businesses and individuals in the US, according to the FBI's Internet Crime Complaint Center, while the finance and insurance sectors remain the most attractive targets.
In the UK, the government's Cyber Security Breaches Survey 2021 also confirms that phishing and impersonation attacks are the most common.
The social engineer’s go-to attack vector, authorised push payment (APP) fraud, was unsurprisingly a leading attack threat in 2020, a trend particularly fuelled in the UK by the increased use of open banking and Faster Payments processes.
In Fraud – the facts, launched in March, UK Finance reported a 22% increase in APP fraud cases, to a value of £479m, of which, sadly, only 43% was reimbursed to victims.
We can take some comfort in the fact that attacks on businesses (non-personal) decreased both in volume and value. An optimist might put this down to better security postures overall, but reduced business activity is likely to have had some effect, too.
Equally, while the number of APP attacks on the UK’s high-value sterling payment scheme CHAPS (Clearing House Automated Payment System) doubled, their total value decreased by almost a third, with an average value of £10,000 per transaction, down from £22,000 last year. This suggests banks may be applying more stringent controls on high-value domestic transactions and that these controls are working.
However, personal attacks substantially increased, no doubt driven by increased digitisation, remote working and increased use of mobile devices. While APP fraud via internet banking decreased slightly, this remained the channel where APP losses were the heaviest, at £316.3m, showing online banking is still the most profitable channel of attack.
However, mobile banking fraud losses increased by 159%, and although they only amounted to £89.2m, banks and their customers should pay particular attention to the risks associated with the increasing popularity of the mobile channel.
It was also interesting to note the difference in APP fraud levels between the various payment types, with Faster Payments being, perhaps unsurprisingly, the most regularly attacked since they are probably the most simple and expedient to set up and send.
So why do attacks continue to enjoy high success rates and how are fraudsters getting smarter?
- They’re getting more targeted: While BACS APP fraud fell in both volume and value, the average fraud amount was £24,000, compared with £13,500 in 2019. Fewer attacks, but more targeted and therefore more lucrative, which shows that criminals will go to great lengths to profile their victims accurately. Similarly, criminals capitalised on the substantial increase in mobile device usage.
- They’re finding the weaknesses: It was very surprising to note the 77% increase in fraud value where intrabank transfers were used (£4,000, up from £1,800 in 2019). This suggests that whereas governance on transfers to other banks was tighter, the same oversight was not applied to transfers between accounts within the same bank (“on us”), and fraudsters, realising this, quickly capitalised on it. It also points to the worrying fact that they have an intimate knowledge of banks’ business processes.
- They understand our behaviours: Authorised push payment attacks have one thing in common – they weaponise credentials, either by stealing them or by coercing legitimate users to commit fraud, knowingly or not. Criminals are not only proficient at analysing human behaviours, preferred modes of interaction and business processes, but they are equally adept at using technology. Indeed, innovation has become a double-edged sword, necessary for the greater good, but also an enabler of crime.
The solutions are staring us in the face
Remote working increased substantially during the pandemic, leading businesses to rush to replicate the comparative safety of the “corporate infrastructure” in a distributed environment. This led to a welcome increase in deployments of zero-trust architectures and passwordless solutions, to name but a few.
New regulatory developments also drove enhanced security globally, as seen with PSD2 Strong Customer Authentication in Europe, the various anti-money laundering (AML) laws, and data protection regulations worldwide. In the UK, the fight against APP fraud is under way, with adoption of the voluntary Contingent Reimbursement Model (CRM) Code gaining traction beyond the original signatories, as well as the continuing deployment of Confirmation of Payee.
Further guidance is also expected when the Payment Systems Regulator publishes the results of its latest consultation. Signalling greater cooperation across public and private sectors, many counter-fraud initiatives have been launched, including the Mule Insights Tactical Solution (MITS), the Banking Protocol and others. For a full list, see the UK Finance report, Fraud – the facts, mentioned earlier.
In addition, tech giants are under increasing pressure to fight scams and protect victims. When it comes to technology’s use in fraud detection, the LexisNexis report notes that the UK is already ahead of other regions in deploying best practice, as UK businesses often use layered defences rather than single point solutions, putting them ahead of the global curve.
As online interactions continue to increase, trusted identity assurance has never been more crucial. Many businesses have successfully deployed dynamic multifactor authentication tools, and physical biometrics are increasingly being enhanced with liveness tests. As more emphasis is put on seamless customer experiences, behavioural biometrics is gaining wider traction, supplemented with the likes of email and phone intelligence. As a result, identity assurance is getting richer.
Many businesses are making their first steps towards recovery in 2021, stabilising their operations. Cyber crime cost the world $1tn in 2020, and Forrester recently identified a number of threats that could hinder recovery, including insider threats, identity theft, account takeover and bot attacks.
To address these challenges moving forward, the fundamental security principles are unchanged: deploy processes in line with the new normal, train people to recognise threats, take advantage of industry and public sector initiatives, cooperate within and across industries to keep abreast of the threat landscape, and use technology where it can truly help.
As Rebekah Moody, market planning director at LexisNexis Risk Solutions, explained in my recent interview with her: “It’s really important to be able to harness intelligence at every touchpoint of the customer’s online journey, not just looking at a point in time interaction – for example, a payment – but looking across every interaction, from the point the customer opens an account, to when they log in, or initiate potentially risky interactions, such as changing address or email address, or adding a new telephone number to their account. All of these are potential points of compromise.”
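To make the point in the quote above concrete, here is an added example of scoring a payment against the account's recent journey rather than in isolation. It is not code from LexisNexis Risk Solutions or the author, and the event names, weights, lookback window, decision bands and sample journeys are all constructed for illustration; a real deployment would tune these on its own data. The idea it demonstrates is that a login from a new device, an email or phone change and a first payment to a new payee are each unremarkable on their own, but together, within a day, they form the classic takeover-then-cash-out sequence and should be treated as such.

```python
"""Scoring a payment in the context of the account's recent journey.
Added example for this article; not code from LexisNexis or the author.
Event names, weights, thresholds and sample journeys are constructed."""
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=24)   # how far back the payment is judged (assumption)
HIGH_VALUE = 1000.0              # illustrative high-value threshold, in pounds

# Illustrative weights for events earlier in the journey; not tuned on real data.
SIGNALS = {
    "new_device_login": 25,   # login from a device never seen on this account
    "email_change": 30,
    "phone_change": 30,
    "address_change": 20,
}
NEW_PAYEE_WEIGHT = 15
HIGH_VALUE_WEIGHT = 10
CHANGE_THEN_PAYEE_WEIGHT = 20
# Decision bands, highest score threshold first.
DECISIONS = [(60, "block_and_callback"), (35, "step_up"), (0, "allow")]


def ts(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def score_payment(journey, payment):
    """journey: list of (timestamp, event_type) for one account, in any order.
    payment: {"ts", "amount", "new_payee"}. Returns score, decision and reasons."""
    t_pay = payment["ts"]
    # Only events inside the lookback window count; older changes are stale.
    recent = {ev for t, ev in journey if t_pay - LOOKBACK <= t <= t_pay}
    reasons = sorted(ev for ev in recent if ev in SIGNALS)
    score = sum(SIGNALS[ev] for ev in reasons)
    if payment["new_payee"]:
        score += NEW_PAYEE_WEIGHT
        reasons.append("new_payee")
    if payment["amount"] >= HIGH_VALUE:
        score += HIGH_VALUE_WEIGHT
        reasons.append("high_value")
    # A contact-detail change followed by a payment to a new payee is the
    # takeover-then-cash-out sequence (the change also silences alerts to the
    # real customer), so it is weighted beyond the sum of its parts.
    if "new_payee" in reasons and recent & {"email_change", "phone_change"}:
        score += CHANGE_THEN_PAYEE_WEIGHT
        reasons.append("contact_change_then_new_payee")
    decision = next(d for threshold, d in DECISIONS if score >= threshold)
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed journeys: a takeover pattern, ordinary use, and a new device alone.
SAMPLE = {
    "acct_a": ([(ts("2020-11-03T10:00"), "new_device_login"),
                (ts("2020-11-03T10:05"), "email_change"),
                (ts("2020-11-03T10:06"), "phone_change")],
               {"ts": ts("2020-11-03T10:30"), "amount": 2500.0, "new_payee": True}),
    "acct_b": ([(ts("2020-10-29T12:00"), "address_change"),   # outside the lookback
                (ts("2020-11-03T09:00"), "known_device_login")],
               {"ts": ts("2020-11-03T09:10"), "amount": 45.0, "new_payee": False}),
    "acct_c": ([(ts("2020-11-03T08:00"), "new_device_login")],
               {"ts": ts("2020-11-03T08:20"), "amount": 1200.0, "new_payee": True}),
}


def run_sample():
    """Score each constructed journey's payment."""
    return {acct: score_payment(j, p) for acct, (j, p) in SAMPLE.items()}
```

With these constructed weights, `acct_a` scores 130 and is blocked pending a call-back, `acct_c` (new device, new payee, four-figure amount, but no profile change) scores 50 and gets a step-up challenge, and `acct_b` scores 0 and is allowed, because its address change is older than the lookback window. The same payment amount can therefore produce three different decisions depending on what preceded it, which is exactly the touchpoint-wide view the quote calls for.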
In the same way as it offers criminals more opportunities, technology innovation gives us more ways to counter threats than ever before. We should apply common sense and take advantage of these innovations within the appropriate risk management, governance and regulatory frameworks. And maybe, just maybe, we’ll remain a few steps ahead.
Neira Jones is a consultant and financial advisor, specialising in payments, fintech, regtech, cyber crime, information security, regulations (PSD2, GDPR and AML) and digital innovation.