Almost all of us can remember where we were and what we were doing when it finally dawned on us that the coronavirus was going to be a really big deal.
I admit, I was blindsided. Although I was aware of COVID-19, the full seriousness of the threat seemed to develop almost overnight. Friends and colleagues say they had the same feeling, like “it came out of nowhere.” We can all identify with the clueless “before” persona in Julie Nolke’s hilariously scary “Explaining the Pandemic to my Past Self” video.
Many business executives are also feeling blindsided by surging fraud, even those who understand the importance of authentication. Although financial institutions, online marketplaces and other digital businesses are accustomed to using fraud management solutions and protecting their customers against fraud risk (like having your bank account compromised or your credit card lifted from a hacked account), today’s rapidly rising fraud rates must come as a shock. Among the whammies in the 2020 Identity Fraud Report, released in May by Javelin Strategy & Research, account takeover fraud jumped 72% in 2019, and consumer out-of-pocket fraud costs doubled. The report also says P2P fraudulent transactions have skyrocketed, growing by a whopping 733% between 2016 and 2019.
And that’s not all the bad news: Juniper Research found that digital and online payment fraud doubled from 2018 to 2019. At that rate of growth, we’re looking at some $200 billion in cumulative fraud losses between 2020 and 2024—yikes!
But the truth is neither the pandemic nor the fraud surge came out of nowhere. In both situations, there were known trends and contributing factors as well as fraud prevention and detection defenses that could have been put in place much earlier.
In the case of the COVID-19 pandemic, viral risk from the wild animal trade, and particularly, wet markets, has been known for some time. After the SARS pandemic of 2002, experts warned of the probability of a new virus emerging and causing even more serious, rapidly spreading illness. We got another scare with the swine flu pandemic of 2009.
Here in the US, we might have seen these experiences as “warning shots over the bow” or even trial runs. Instead we largely ignored advice to set aside resources in preparation for future threats, valuing economic efficiency above resiliency in our operations and supply chains. A recent Wall Street Journal article details how “miscalculation at every level left U.S. unequipped to fight coronavirus.”
In the case of surging fraud, there have also been signals of what is coming.
Layers of fraud pressure building
What causes P2P fraud to jump 733% over four years, or account takeover fraud to jump 72% in just one year? It’s the result of layers of fraud trends that have been building one atop another for years. I think of it kind of like the way pressure builds below the earth’s crust until eventually it creates an earthquake that throws up mountains.
The base layer is data breaches. There have been troublesome rumblings for over a decade now, as we’ve read about one breach after another. But besides the really big breaches drawing news spotlights—like eBay, Equifax and Marriott International—there are thousands more each year. In fact, 2019 was, according to a CNET article on research by Risk Based Security, “the worst year on record,” with over 5,000 breaches and nearly 9 billion records exposed.
This data hemorrhaging is likely to continue. As more and more businesses move their customer interactions online, targets for criminal gangs expand. Fraudsters increasingly go for less technically sophisticated, more vulnerable businesses. In fact, according to Accenture, more than 40% of attacks are now aimed at small businesses. And the pandemic is accelerating these trends.
“A wake-up call”
Krista Tedder, head of fraud at Javelin, raised the alarm at the release of the company’s 2020 Identity Fraud Report:
“These findings should be a wake-up call for financial institutions, the payments industry, businesses and consumers across America. The data is proof of what we’ve long known—the full weight of identity fraud lies not only in counterfeit credit cards and magnetic stripes but in full account takeover and new account fraud.”
The big danger here is that breaches are becoming almost a new business normal. Companies have set up processes for notifying customers of breaches in a timely way, apologizing and maybe even paying for credit bureau monitoring. We’re seeing progress in the movement away from relying on knowledge-based questions for identity verification—though this has taken way too long. Businesses and government agencies are finally coming to grips with the fact that there is no such thing as “secret” personal information anymore.
What we haven’t seen enough of is follow-through thinking about what data breaches mean to fraud trends, and how to prepare for rising threats. Criminals are using compromised PII (personal identifying information) to misrepresent and misuse identity in numerous ways that are leading to massive monetary fraud.
Data breaches enabling account takeover fraud
Compromised personal information from database breaches is widely available on secondary dark web markets for next to nothing. Of course criminals also get PII from phishing, social engineering, bot farm brute-force attacks and other methods. However the information is stolen, PII is so easy to get today that committing fraud by taking over accounts is often easier than trying to do it by opening new ones, especially for individuals that haven’t enabled adequate security features.
Another advantage for fraudsters: when they take over an account, they don’t have to patiently build up a smokescreen history of legitimate-looking transactions and activity. They can immediately tap into the privileges and trust the real account owner has earned over time.
So in an online marketplace, this could mean cashing in loyalty points for rewards, making fraudulent purchases or signing up for premium digital services.
At financial institutions, it could mean fraudulent purchases and—if the real account holder hasn’t set up any limits or notifications—illegitimate money transfers and P2P payments. A lot of consumers don’t abide by P2P vendor warnings to make payments only to people and entities they know. They may mistakenly assume vendors will cover them for fraud the way credit card companies do. But that’s usually not the case. More likely—whether a legitimate account holder is duped into paying a fraudster or the fraudster takes over an account and then makes payments to a crony or another of his own accounts—the money is gone.
And here’s where we see the layered uplift effect pushing up fraud rates: The 733% growth in P2P fraud between 2016 and 2019 isn’t just the result of increasing adoption of P2P apps by consumers. This surge has been enabled by a surge in account takeovers, which has been enabled by all those data breaches.
Data breaches enabling synthetic identities for new account fraud
But, oh no, even though account takeovers are attractively easy for fraudsters, new account fraud also has renewed appeal.
Today fraudsters can use all the PII floating around the dark web with new tech tools to create synthetic identities and open new accounts in their name. Often these identities are combinations of real consumer information, slightly modified information and made-up information.
Because synthetic identities look legitimate at onboarding and fraudsters manage the newly opened accounts to mimic legitimate user behavior, traditional fraud defenses usually don’t pick them up. That gives fraudsters time to spin out complicated schemes for stealing funds, purchasing high-value goods or making money illegally.
At financial institutions, fraudsters opening accounts with synthetic identities bide their time, earning higher levels of credit or services and possibly lower levels of security with their normal purchasing patterns. At the moment of maximum advantage, they “bust out” to take as much as possible, then disappear.
In online marketplaces, synthetic identities are being used on the buy side to make purchases and book travel packages or transportation services with stolen payment credentials.
On the sell side of marketplaces, synthetic identities are being used to offer counterfeit and substandard products. Perhaps you’ve already had the misfortune of inadvertently doing business with a vendor who isn’t real. In a marketplace version of bust-out fraud, synthetic sellers might legitimately fulfill orders for authentic products long enough to earn high customer ratings, before suddenly filling the order pipeline with counterfeit versions. Or they might accept a large number of orders, stop fulfilling them and just vanish.
Flattening the curve
How do we bring these unsustainable fraud growth rates down?
Certainly it’s essential to replace outdated identity verification methods like knowledge-based authentication and over-reliance on passwords with modern digital methods. More and more organizations are turning to solutions that include digitization and AI-based analysis of real-world IDs, device data and multiple forms of physical and behavioral biometrics.
Still, some people may have focused too much hope on physical biometrics. The recent hacking of biometric databases and emergence of deepfakes make that a questionable strategy.
There’s also enthusiasm for using many different facial biometrics to identify consumers in low-friction ways using background processes invisible to them. The idea is to build up an aggregate context view of the consumer that would be very difficult, and probably not worth the time and effort, for fraudsters to reproduce.
While I’m sure biometrics are going to become an increasingly important part of identity verification solutions and fraud defenses, we need to proceed cautiously. Already criminals are learning how to use AI tools to understand and create fake identities, including fake videos like deepfakes, of individual consumers. Some of these are available on the dark web as “digital masks” that can make fraudsters look a lot like the real person.
Also, while studies show consumers increasingly want the companies they do business with online to take measures for their security, some are wary of background methods. A couple of days ago I read a Forbes article entitled “Did you know eBay is probing your computer? Here’s how to stop it.”
So I think it’s becoming clear we’re unlikely to ever find a “silver bullet,” and the mix of solution elements will continue to evolve.
About Sanjay Gupta
Sanjay Gupta serves as Vice President, Global Head of Products and Corporate Development at Mitek. He is responsible for global product strategy across the organization, working closely with engineering, design, marketing, customer support and customer success teams to drive product innovations and ensure solutions meet customer needs. Prior to joining Mitek, Sanjay was most recently Vice President of Corporate Development at Accelrys (Dassault Systems), among other senior level corporate and engineering positions with Lockheed Martin and Corvis Corporation. He holds a Bachelor of Science degree in electrical engineering from the University of Arizona and received his MBA from the Kellogg School of Management at Northwestern University.