We were honored to contribute to this year’s Ecommerce Fraud Report from The Paypers with an article from Kevin J. Sprake, Managing Partner, discussing the impact of the pandemic on eCommerce. We invite you to download the article and a FREE copy of the full report.
According to a recent survey, more than one-third of merchants have seen at least 10 percent of their user accounts taken over in the past year while more than one-quarter of merchants have no measures in place to protect against account takeover. Meanwhile, less than 8 percent of consumers were notified about account takeover incidents by the merchant custodian of their compromised account.
There’s a good reason why web administrator credentials sell for over $3,000 on fraudster forums: they are highly valuable to fraudsters. It’s imperative for merchants and any organization with an online presence to keep theirs safe, now more than ever, as fraudsters have found clever ways to hide credential-stealing malware to compromise customer and website user data.
Once fraudsters take over a website, here are some of the things they can do:
While it is commonly accepted that passwords and the consumers who set them are inherently insecure, organizations put a lot of trust behind two-factor authentication (2FA) solutions. Here are several ways fraudsters have been able to beat this additional layer of security.
Fraudsters have more success getting phishing campaigns delivered, and see better open and click rates, when sending from an existing, known and trusted email address. This may be why a recent report found that 20 percent of phishing email attacks against employees are sent from email addresses a fraudster has taken over. Most phishing attacks, however, are brand impersonation attacks, with Microsoft being the most impersonated.
For their Email Fraud & Identity Deception Trends report, Agari surveyed more than 300 US and UK businesses with 23,053 reported phishing incidents in the fourth quarter of 2018. Analysis found that 20 percent of these phishing emails came from compromised email accounts, while 67 percent impersonated a trusted brand with deception or a lookalike domain.
In partnership with another Alphabet group company, Google recently released a way for consumers to test their skills in detecting phishing emails. It includes eight simulated emails based on characteristics of real phishing attacks, where the user is to indicate whether each email is legitimate or fake.
According to a recent survey, 83 percent of those who deal with phishing attacks against their organizations say they are increasing. The fraud solution provider market is addressing this need with phishing simulation services that help organizations identify the employees most likely to fall victim to real phishing attacks and provide them with training.
Nearly 1,600 data breaches occurred in the United States in 2017, breaking the annual record of 1,093 that was set just last year. The number of compromised data records, of which 88 percent included Social Security Numbers and 8 percent included payment card numbers, increased to nearly 180 million, the highest total since 2009.
The featured chart shows the number of data breaches that occurred and the total number of records compromised each year from 2009 to 2017 as reported by the ITRC. While there is a clear upward trend in the number of data breaches over this time, the number of compromised data records fluctuates greatly. This is particularly true over the past three years, when stolen data records ballooned to 169 million in 2015 before falling to 36.6 million in 2016, and then increasing nearly five-fold in 2017.
A recent study cataloging prices across English- and Russian-language fraudster forums examined 320 purchases of stolen payment, identity and log-in information that earned hackers between $1 million and $2 million. The fraudsters using this information, from less than half of these transactions, were able to steal between $1.7 million and $3.4 million.
These estimates came from a study conducted by a criminal justice professor at Michigan State University, analyzing posts from the dark web on ten Russian and three English-language fraudster forums. The report detailed the marketplace nature of these sites, where fraudsters posted dumps for sale and buyers rated sellers on product quality.
Starbucks has had one of the most successful mobile payments strategies to date with more than one in six transactions being conducted via the Starbucks mobile app, which is connected to a reloadable Starbucks gift card. Targeting Starbucks mobile app users and exploiting a setting that automatically reloads the Starbucks gift card, fraudsters are taking over accounts and repeatedly stealing funds.
Consumer security journalist Bob Sullivan was the first to report these attacks targeting consumers with Starbucks accounts for managing their reloadable card, most often used with in-store mobile payments through the Starbucks mobile app. When paying, the consumer opens the Starbucks app to scan a QR code that references and charges the consumer’s closed-loop Starbucks Card. In 2014, Starbucks processed $2 billion in mobile payment transactions via their mobile app, which has over 12 million users.
2015 will likely bring many changes and developments in the payments and risk industries, but none more anticipated than the EMV liability shift taking place on October 15. As issuing banks prepare to replace magnetic-stripe cards with EMV chip cards, many merchants will upgrade their POS equipment and prepare for the expected increase in online fraud attempts. While U.S. adoption of EMV has already started, there will be significant growth this year, and it is expected that fraudsters and hackers will respond accordingly.
Merchants and issuing banks aren’t the only ones making preparations for the increased adoption of EMV and the liability shift date. There is little doubt that EMV cards and card readers will curb counterfeit card fraud at the physical point of sale, but fraud flows with the force of water, and when one hole is plugged, new leaks pop up or existing ones grow larger. There are many considerations and preparations organizations should be thinking about in anticipation of this, and here we discuss a few trends that are expected to prevail in the payments and risk industries as EMV grows.