The EU has set the stage with its SCA (Strong Consumer Authentication) regulations designed to make digital payments more secure. The goal of this implementation is to increase the level of security surrounding electronic payments, to the benefit of both consumers and merchants, but is the end result meeting the objective?
We were honored to contribute to this year’s Ecommerce Fraud Report from The Paypers with an article from Kevin J. Sprake, Managing Partner, discussing the impact of the pandemic on eCommerce. We invite you to download the article and a free copy of the full report.
According to a recent survey, more than one-third of merchants have seen at least 10 percent of their user accounts taken over in the past year while more than one-quarter of merchants have no measures in place to protect against account takeover. Meanwhile, less than 8 percent of consumers were notified about account takeover incidents by the merchant custodian of their compromised account.
There’s a good reason why web administrator credentials sell for over $3,000 on fraudster forums: they are highly valuable to fraudsters. It’s imperative for merchants and any organization with an online presence to keep theirs safe, now more than ever, as fraudsters have found clever ways to hide credential-stealing malware to compromise customer and website user data.
Once fraudsters take over a website, here are some of the things they can do:
While it is commonly accepted that passwords and the consumers who set them are inherently insecure, organizations put a lot of trust behind two-factor authentication (2FA) solutions. Here are several ways fraudsters have been able to beat this additional layer of security.
After compromising the email account of a government official at one agency, targeted phishing attacks were sent from this trusted contact to other government agencies purporting that bank accounts for receiving their payments had changed. Puerto Rico’s Industrial Development Company sent over $2.6 million while the Tourism Company paid $1.5 million to fraudster-controlled accounts held on the US mainland.
More than 3,800 data breaches occurred in the first half of this year, a 54 percent increase from the first half of 2018. The number of consumer records compromised in data breaches increased 52 percent over this time, with 4.1 billion records compromised in the first half of 2019 and 3.2 billion of those coming from just eight breaches.
This comes as the Identity Theft Resource Center tallied the most records compromised in 2018 and the highest number of data breaches in 2017 in more than a decade.
Fraudsters find more success with getting phishing campaigns delivered as well as with open and click rates when sending from an existing, known and trusted email address. This may be why a recent report found that 20 percent of phishing email attacks against employees are sent from email addresses a fraudster has taken over. Most phishing attacks, however, are brand impersonation attacks, with Microsoft being the most impersonated.
For their Email Fraud & Identity Deception Trends report, Agari surveyed more than 300 US and UK businesses with 23,053 reported phishing incidents in the fourth quarter of 2018. Analysis found that 20 percent of these phishing emails came from compromised email accounts, while 67 percent impersonated a trusted brand with deception or a look-alike domain.
In partnership with another Alphabet group company, Google recently released a way for consumers to test their skills in detecting phishing emails. It includes eight simulated emails based on characteristics of real phishing attacks, where the user is to indicate whether each email is legitimate or fake.
According to a recent survey, 83 percent of those who deal with phishing attacks against their organizations say they are increasing. The fraud solution provider market is addressing this need with phishing simulation services that help organizations identify employees most likely to fall victim to real phishing attacks and provide them training.
According to a recent survey from Proofpoint, more than 80 percent of information security (infosec) professionals saw an increase in phishing attacks in 2018 while nearly two-thirds reported an increase in spear phishing. Meanwhile, those who reported compromised accounts as a result of phishing attacks increased from 38 percent of infosec professionals in 2017 to 65 percent today.
In this context, phishing refers to fraudulent emails targeting an organization’s employees from an outside or untrusted source, and 83 percent of infosec professionals surveyed say these attacks increased last year. Nearly half of respondents reported malware infections as the result of phishing attacks mimicking their organization and 65 percent reported compromised account credentials. This is according to the 2019 State of the Phish Report from Proofpoint.