Gear up. The 2019 holiday shopping season is upon us, and with it a sharp increase in online fraud. According to Arkose Labs, fraud increased by 30% in Q3 2019, a preview of what’s to come as criminals test stolen credentials to pave the way to successful scamming.
With purchase and transaction volumes elevated during the holidays, it’s easy for attacks to slip by in the flood of legitimate transactions. Not only is this damaging for businesses, it negatively affects the customer experience. Consumers need to be alert to spot scams, but there’s also a lot companies can do to create safer online experiences. What does that look like? First, we take a look at the top tactics for scammers in 2019.
Online Holiday Fraud: Techniques to Watch Out For
Cybercriminals try out a variety of tactics, old and new, to target consumers and businesses during the holiday season. The most obvious target is online and mobile shoppers, but the dangers extend to travel sites, businesses of all sizes, financial institutions, and more.
Social Engineering Scams: Of all the scams out there, social engineering scams are one of the hardest to detect and come in many forms, including phishing emails or even a false customer service representative pretending to be a bank over the phone. The goal of these attacks is to 1) get victims to mistakenly reveal personal information or 2) trick them into initiating a fraudulent transaction.
Though social engineering scams are always a menace, the holidays offer a slew of new opportunities, whether it’s fake shipping notices, e-gift cards, or travel confirmations embedded with malicious links. Once clicked on, victims inadvertently download malware onto their device or are taken to a false site where they enter payment data for the fraudster’s taking. Malicious online websites are getting even harder to detect. One of the top U.S. retailers has over 49,500 look-alike domains targeting their customers, research from Venafi has found.
Also troubling are phone-based social engineering scams, which trick users into initiating transactions and sending funds straight to a fraudster’s account. These transactions are fully authorized because they are initiated by a legitimate person logging in from their own device and at the correct location, although under the guidance of a scammer.
Loyalty and reward program fraud: According to Javelin’s 2019 Identity Fraud Study, reward and loyalty program schemes more than doubled between 2017 and 2018. Several prominent breaches show the vulnerability of reward programs, including the attack on the Marriott Hotel chain, the breach of a Mastercard loyalty program in Germany, and recent attacks against popular coffee chain Dunkin’ Donuts. Around the holidays, it’s only natural for consumers to create loyalty accounts as they book travel and make larger purchases, especially as brands incentivize customers with special offers for doing so. The increase creates an even wider playing field for cybercriminals, who already have upward of $60 billion worth of rewards in the United States to play with.
Weak security on loyalty accounts makes the work easy — and profitable. Cybercriminals use leaked credentials to gain access to reward accounts. Once inside, they can access personal information stored within the account, including credit card numbers, date of birth, and more. With this information, criminals can orchestrate account takeover attacks on a host of other sites or turn a profit by selling points and reward accounts on the dark web. Your frequent flyer miles? Those could be purchased for as little as $31.
Clearly there is a need for greater security in the loyalty space to prevent hacks, the leakage of sensitive data, and the damages that follow when customers’ more sensitive accounts, like an online banking account, are taken over and used to make fraudulent transactions as a result.
Human-driven application fraud: The holidays feature a big push for customers to open new accounts, whether for an ecommerce site, mobile app, credit card, or travel booking site. Businesses tempt consumers with “in app only deals” or “special financing rates” to get them to sign up. Scammers aren’t afraid to take advantage.
Nearly 1/3 of all account registration attacks come from malicious humans, who use stolen identities to attempt to open digital accounts. “Every third attack on financial services is human-driven, with the most sophisticated attacks coming from lone fraudsters with access to stolen identity information and the latest tools,” Help Net Security reports. Scammers will use a mix of real and fake personal data to create synthetic identities that often go undetected at account opening. Retail, finance and technology platforms are the most targeted by this highly effective strategy.
Unfortunately, account opening attacks are only the start. With proven credentials, criminals can use stolen identities to take over accounts and conduct highly convincing social engineering scams, which then lead to payment fraud.
Your Best Defense Against These Threats
The holidays escalate the volume of social engineering, account takeover, and application fraud attacks, but the threats are with us all year long. With the proper fraud detection and authentication solutions, companies across industries can stop fraudsters and be prepared to prevent holiday fraud.
The most promising tactic for detecting these tricky scams is to focus on analyzing user behavior, rather than knowledge-based authentication (KBA), to sort out legitimate users from cybercriminals, malware, and bot attacks. Behavioral insights are collected through behavioral biometrics, an AI-driven technology that is maximizing fraud detection rates, reducing false alarms, and optimizing the user experience.
The technology works like this: Say a scammer prepares to apply for a new credit card leading up to the holidays. The scammer has the information they need on hand: social security number, date of birth, full name, etc. As they progress through the application, behavioral biometrics begins to pick up on several suspicious patterns. Rather than typing in basic information, like date of birth, the user copies and pastes it, showing low data familiarity. At the same time, the applicant seems unusually familiar with the application process and demonstrates a proficiency with keyboard shortcuts and function keys not typically seen with genuine users. All three of these factors are hints that a fraudulent application is in process.
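The three signals in that scenario can be written as checks over a session's form events. The sketch below is an added illustration, not any vendor's implementation; the event schema, field names, thresholds and the two-of-three flagging policy are all assumptions, and both sample sessions are constructed.

```python
# Added illustration; event schema, field names and thresholds are assumptions.
IDENTITY_FIELDS = {"full_name", "date_of_birth", "ssn"}
MAX_PASTE_RATIO = 0.5        # share of identity fields filled by paste
MIN_SECONDS_PER_FIELD = 3.0  # quicker suggests a rehearsed application
MAX_SHORTCUTS = 3            # shortcut / function-key presses per session

def score_session(events):
    """events: list of (seconds, kind, field); kind is focus/key/paste/shortcut.
    Returns (signals, flagged)."""
    # Signal 1: identity data pasted rather than typed (low data familiarity).
    pasted = {f for _, k, f in events if k == "paste"}
    typed = {f for _, k, f in events if k == "key"}
    touched = (pasted | typed) & IDENTITY_FIELDS
    paste_ratio = len(pasted & IDENTITY_FIELDS) / len(touched) if touched else 0.0

    # Signal 2: the form is completed unusually fast (high process familiarity).
    visited = {f for _, k, f in events if k == "focus"}
    times = [t for t, _, _ in events]
    duration = max(times) - min(times) if times else 0.0
    secs_per_field = duration / len(visited) if visited else float("inf")

    # Signal 3: heavy use of keyboard shortcuts and function keys.
    shortcuts = sum(1 for _, k, _ in events if k == "shortcut")

    signals = {
        "low_data_familiarity": paste_ratio > MAX_PASTE_RATIO,
        "high_process_familiarity": secs_per_field < MIN_SECONDS_PER_FIELD,
        "shortcut_proficiency": shortcuts > MAX_SHORTCUTS,
    }
    # Assumed policy: one signal alone is weak, two or more flag for review.
    return signals, sum(signals.values()) >= 2

# Constructed sessions: a rehearsed, paste-driven application and a typed one.
SCRIPTED = [
    (1.0, "focus", "full_name"), (1.4, "paste", "full_name"), (1.6, "shortcut", ""),
    (1.7, "focus", "date_of_birth"), (2.1, "paste", "date_of_birth"), (2.3, "shortcut", ""),
    (2.4, "focus", "ssn"), (2.9, "paste", "ssn"), (3.1, "shortcut", ""),
    (3.2, "focus", "address"), (3.5, "key", "address"), (5.2, "shortcut", ""),
]
TYPED = [
    (2.0, "focus", "full_name"), (3.0, "key", "full_name"),
    (9.0, "focus", "date_of_birth"), (10.0, "key", "date_of_birth"),
    (16.0, "focus", "ssn"), (18.0, "key", "ssn"),
    (25.0, "focus", "address"), (27.0, "paste", "address"),
]

if __name__ == "__main__":
    for name, session in (("scripted", SCRIPTED), ("typed", TYPED)):
        print(name, score_session(session))
```

Pasting a non-identity field such as an address does not count toward the first signal, which keeps password managers and address autofill from tripping it on their own.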
The same type of analysis applies to social engineering scams and account takeover attacks. In both cases, when activity within a session deviates from a legitimate user’s norm or from recognized patterns, behavioral biometrics flags the session for fraud. With customer experience top of mind for most companies, an added benefit of behavioral biometrics is that the technology enables a seamless user experience. All a customer has to do is be themselves.
So when the holidays swing around next year, will your company be prepared? Learn more about the many use cases for behavioral biometrics.