By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
Online payment fraud is in the midst of a seven-year binge, according to Online Payment Method Fraud: Figures & Stats, a new report from London-based anti-fraud experts SEON. It is based on their own research and data retrieved from the Identity Threat Research Center’s Data Breach Annual Report.
According to SEON’s report, digital and mobile payment methods have increased dramatically over recent years. Digital and mobile wallets are now the most used forms of payment in the world, accounting for 41.8% of payments worldwide. Credit and debit cards also make up a significant proportion of payments worldwide, together accounting for 34.8% of worldwide payments – many of which are card-not-present payments conducted online.
In line with this, there has been a steady rise in the number of data compromises related to online payments year-on-year, according to the Identity Threat Research Center. In 2021, there were 1,862 data compromises and a total of 293 million victims of data breaches. While the number of victims has decreased, the number of compromises is at an all-time high.
Online Payment Data Breaches in the U.S.
“Many of us are aware of how our data is recorded, stored, and used by the organizations we work for and buy from, but some unlucky individuals are often caught in the crossfire of professional cybergangs attacking the organizations that store our data,” according to Gergo Varga, Content Manager at SEON and author of the report.
The report reveals the capability of fraudsters to access and steal as much personal information as possible, such as financial account and Social Security numbers and driver’s licenses, to access online accounts and payments and engage in phishing and smishing (a combination of text messaging and phishing). Accessing and misusing consumer information drives a great proportion of cybercrime, noted Varga. And one of the main ways for cyber attackers to make money, he added, is through online payment fraud.
How Fraud Affects Online Payments
There are numerous types of data breaches and online payment fraud, according to SEON’s report. The type of data compromised can impact how much damage a fraudster can cause or how many resources they can steal.
The report reveals that, among data compromises related to online payments in 2021, 1,603 breaches and exposures involved a person’s full name; 1,136 involved a complete Social Security number; and 686 involved a birthdate.
Personally identifiable information (PII), such as financial account and Social Security numbers and driver’s licenses, helps fraudsters access online accounts and payments. Information such as a name and birthday helps fraudsters engage more successfully in phishing and smishing.
The SEON research also highlights several methods fraudsters employ to steal data. The most common include phishing and smishing; human and systems errors, such as improperly configured cloud security; and physical attacks, where criminals steal devices and documents containing personal data.
Varga suggested, “Some of the data types lost here may seem inconsequential.” However, fraudsters can use PII to impersonate and damage the individual. “If cyber attackers get access to someone’s background information, for example, they can check data leaks for any other details and bypass anti-fraud checks more easily,” Varga said.
Most common types of fraud attacks include:
· Phishing/smishing/business email compromise (BEC): 537 attacks in 2021. Phishing involves a message, e.g., an email, disguised as coming from a known financial institution, such as a credit union, or a popular website. “It invites the recipient to take an urgent action, such as log in or change their password, in an attempt to hijack this personal information (real banks, for instance, never ask for confidential data),” wrote Varga. BEC is a specific type of phishing attack aimed at tricking employees.
· Ransomware: 321 attacks in 2021. Cyber attackers encrypt important files and demand a ransom payment for the decryption key.
· Malware: 139 attacks in 2021. Any type of malicious software designed to exploit a device, service or network, including, for instance, spyware.
Findings from SEON and the Identity Threat Research Center make it clear that fraud is prevalent across all industries and is increasing. Broken down by industry:
· Most victims: manufacturing and utilities, 49,775,124; technology, 44,035,156; healthcare, 28,045,658.
· Most data compromises: healthcare, 330 compromises; financial services, 279 compromises; manufacturing and utilities, 222 compromises.
The Best Fraud Prevention and Detection Methods
“With this many fraud attacks happening across all industries, it is important that businesses and individuals consider improving their fraud prevention tactics,” said Varga in the report. “We have seen how fraudsters can obtain various types of personal information.” SEON suggests that the capability to verify who consumers really are is a great first step in preventing fraud.
SEON in its report offered the best ways to avoid fraud:
Data enrichment: This process aggregates external data to complete a picture of a user. For example, a reverse email lookup can signal how risky the user is based on the single data point of an email address.
Social media lookup: “A powerful way to learn if your user has a social media presence.” This allows compliance to verify someone’s identity. “Make sure that your solution can check as many social media networks in as many regions as possible.”
Custom risk scoring: This assures the results adapt to a business. “This is not only important to improve accuracy, but also to automate the approval, review, or rejection of certain user actions.”
Machine learning: A collection of artificial intelligence algorithms, trained with historical data, can implement risk rules to block or allow certain user actions, such as suspicious logins, identity theft, or fraudulent transactions.
Device fingerprinting: Collects information about a user’s device, such as browser and hardware, as they connect to a website, app or other server. This helps websites track the user’s actions and visits, and assess whether their intentions are fraudulent.