Fraud appears to be up by about 30% and holding steady year over year, while fraudsters keep adapting their tactics to stay ahead of detection and prevention measures. Fraud losses and the wider cost of cybercrime, including investment in advanced security systems, intellectual property theft, restoration costs and reputational harm, run into trillions of dollars annually. For some this is a major risk challenge; for others, and certainly for the bad actors, it is a highly profitable opportunity. Below are the major fraud trends for 2023, in alphabetical order, that account for those trillions of dollars in fraud costs, proceeds which were evidently laundered uninterruptedly. Note that billions of dollars are spent on AML to monitor and counter this through sanctions, compliance rules, audits, transaction monitoring and KYC… yet with less than 2% of losses recovered!
1. Account takeover
Supported by enhanced and customized AI phishing tactics, and by the vast increase in Personally Identifiable Information (PII) data compromises, ATO fraud continues to grow exponentially year over year (30% to 40%), using synthetic IDs as a powerful weapon. Account takeovers are especially notable on online social platforms and in online financial services.
2. AI Fraud
As technology evolves, AI-driven fraud has exploded, providing a stream of new forms of fraud and cybersecurity threats. Attackers leverage AI to automate and tailor their attacks, making them far more sophisticated. Generative AI, a branch of AI, is used to create extremely convincing impersonation images, texts, videos and audio, based on sophisticated models trained to learn the patterns and structure of input behavioural data. Bad actors devote particular attention to using this technology for customized social engineering attacks, posing vast challenges to fraud prevention controls.
3. Authorized fraudulent payments
Social engineering, malware (keyloggers, spyware, rootkits, etc.), SIM card swaps and deepfake technology are some of the components combined in this tactic, which is what makes it so effective. Otherwise called Push Payment or Impersonation Fraud, it involves bad actors impersonating a service provider, a business associate or a CEO and manipulating the victim(s) into sending them money with proper authorization. Huge concerns are raised about this, given its unprecedented global spread.
4. BNPL Credit Abuse
Buy Now, Pay Later (BNPL) credit agreements, which let consumers pay with almost no interest under an unregulated framework, offer convenience and tremendous growth in sales but also carry considerable risk of credit abuse. Once again, application fraud through synthetic IDs or fraudulent documents, and account takeover fraud, are some of the means used to abuse BNPL considerably.
5. Business email compromise – BEC Fraud
BEC is a detrimental threat to businesses and individuals alike, leading to data compromises, ransomware, GDPR issues, fines and reputational impact. Attackers gain access to business email accounts and use these channels to spread malware infections to the network or to external associates. It can be a combination of phishing, impersonation, man-in-the-middle attacks and social engineering, with a high rate of success. In 2022, BEC fraud was reported as responsible for the biggest financial fraud losses, larger than any other attack method.
6. Card testing
Fraudsters attempt to determine the validity and expiry of stolen card credentials (obtained through phishing or hacking) or of generated bank card numbers (a ‘credit master’ attack) by making small online test purchases at compromised merchants, aiming to validate the missing card data. Card testing has become prevalent in recent years as businesses shift their operations online. The consequences for issuing banks, cardholders and merchants can be severe: disputes, higher decline rates, additional fees and infrastructure strain that damage the overall health and integrity of the payment ecosystem.
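The pattern just described (a burst of tiny authorizations from many different cards at one merchant, most of them declined) is what an issuer or acquirer looks for when detecting card testing. The following is an added example, not code from the original article: a velocity check over constructed authorization records, with hypothetical thresholds (amount under 2.00, five or more attempts from four or more distinct cards within ten minutes, decline ratio of at least 50%).

```python
# Card-testing velocity detector over constructed authorization records.
# Added example, not the article's code; thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

SMALL_AMOUNT = 2.00                 # "test purchase" ceiling (assumed)
WINDOW = timedelta(minutes=10)      # sliding window (assumed)
MIN_ATTEMPTS = 5
MIN_DISTINCT_CARDS = 4
MIN_DECLINE_RATIO = 0.5

# Constructed sample: (timestamp, merchant_id, card_token, amount, approved)
AUTHS = [
    ("2023-05-01T10:00:05", "M-100", "tok-a1", 0.99, False),
    ("2023-05-01T10:00:11", "M-100", "tok-b2", 1.00, False),
    ("2023-05-01T10:00:17", "M-100", "tok-c3", 0.50, True),
    ("2023-05-01T10:00:24", "M-100", "tok-d4", 1.10, False),
    ("2023-05-01T10:00:30", "M-100", "tok-e5", 0.75, False),
    ("2023-05-01T10:00:36", "M-100", "tok-f6", 1.00, True),
    ("2023-05-01T10:05:00", "M-200", "tok-z9", 1.00, True),   # one legitimate small sale
    ("2023-05-01T10:20:00", "M-300", "tok-y8", 49.90, True),  # normal-size purchase
]

def parse(rec):
    ts, merchant, card, amount, approved = rec
    return datetime.fromisoformat(ts), merchant, card, amount, approved

def flag_card_testing(auths):
    """Return {merchant_id: summary} for merchants showing card-testing velocity."""
    small = defaultdict(list)
    for ts, merchant, card, amount, approved in map(parse, auths):
        if amount <= SMALL_AMOUNT:          # only small "probe" amounts matter here
            small[merchant].append((ts, card, approved))
    flagged = {}
    for merchant, events in small.items():
        events.sort()
        # Slide a window from each small-amount event; flag on the first hit.
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            cards = {c for _, c, _ in window}
            declines = sum(1 for _, _, ok in window if not ok)
            ratio = declines / len(window)
            if (len(window) >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS
                    and ratio >= MIN_DECLINE_RATIO):
                flagged[merchant] = {"attempts": len(window),
                                     "distinct_cards": len(cards),
                                     "decline_ratio": round(ratio, 2)}
                break
    return flagged

if __name__ == "__main__":
    print(flag_card_testing(AUTHS))
```

In the constructed sample only M-100 trips the rule (six probes from six cards, four declined); the single small sale at M-200 does not, which is the false-positive case a production rule has to keep clear of.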
7. Crypto fraud
Crypto is well established in the rapidly advancing world of digital currencies. However, cryptocurrency fraud increased by more than 25% in 2023, with the prevalent scams being fake wallets, impersonation, fake investment schemes, romance fraud, rug pulls, ransomware attacks, fake crypto exchanges, Ponzi schemes, etc. It is therefore crucial for crypto users to exercise extreme caution and to monitor their crypto activities throughout.
8. Deep fakes
A rising threat and a consequence of AI technology, where algorithms are trained on vast datasets of compromised images and videos to produce fake content that is almost indistinguishable from the real thing. Generative AI platforms are used in unimaginable ways to create a fearful reality in the cyber threat landscape, mainly for identity theft and fake news. Their use for impersonating CEOs and other business leaders such as CFOs, in order to carry out Authorized Fraudulent Payments, is particularly notable. Major concerns are raised about the lack of regulation addressing the misuse of deepfake technology.
9. Deposit Cheque Fraud
Surprising as it may sound, this old-fashioned fraud has once again become popular. Consequently, it has raised challenges for banks, which must fight back with more advanced processing technology to address identity checks and fake accounts more effectively, as these are the primary triggers. Deposit cheque fraud is conducted when a cheque with insufficient funds is deposited at a bank and the bank immediately allows withdrawal of part of the deposited funds.
10. Exploitation of biometric data
Attacks targeting biometric data can be performed simply by intercepting the communication while data is transmitted during verification, or by hacking the storage location. Once stolen, biometric information can be used to simulate and authenticate impersonations, or to gain access to accounts or to Personally Identifiable Information (PII). Other means of biometric data exploitation are skimmers placed on ID authentication devices, or spoofing through cloning (e.g. of a fingerprint or iris) to manipulate identity scanners. Hacking biometrics is an upcoming issue and will be a challenge to control, since technology builds great trust in and reliance on biometric integrity.
11. Fake job adverts
Attractive job ads can be fake, designed to lure applicants into providing personal information that is then exploited for activities like fraudulent bank applications, mule accounts and impersonation. The year 2023 was predicted to be the year of fake ads, and indeed it showed a huge spike in their sophistication and frequency.
12. Fraud as a service (FaaS)
A service that has gained great popularity, in which fraudsters provide advice on how to carry out illicit activities effectively without getting caught. FaaS is particularly popular for ransomware attacks, unauthorized access to sensitive systems, financial fraud and identity theft. This is a consequence of the unstoppable global economic recessions caused by epidemics and the recent wars, as people become more and more susceptible to collusive actions such as participating in insider fraud.
13. Fraudulent Applications
Fraudulent applications focus especially on credit card fraud, fake loans, money laundering via mule account creation, and insurance fraud. Given the vast amount of compromised PII data available through the dark net, one can only imagine how easy it is to open bank accounts using synthetic fake IDs. The hope is that artificial intelligence will confront this issue by effectively detecting anomalies and suspicious patterns, allowing companies and banks to alleviate the problem of fraudulent applications.
14. Internal fraud
This type of fraud is mainly caused by the unstable economic conditions, raised once again by the pandemic and the recent wars, which scarred the earth with consequent recessions leading to people’s financial despair. These conditions trigger the ‘Fraud Triangle’, the framework that explains the reasons behind an individual’s decision to commit fraud. It comprises three components: Opportunity, Motivation and Rationalization. Evident statistics indicate that nowadays 15% of employees are either committing fraud or at least thinking about it. Internal fraud, for example, can be caused by an ‘Opportunity’ arising from a lack of internal controls or from the existence of assets susceptible to fraud; by ‘Motivation’ elevated by the employee’s financial despair or greed; and by ‘Rationalization’, when individuals justify the crime in their mind with thoughts like ‘it’s for a good purpose’ or ‘I will pay it back if I get caught’. Some consequences of insider fraud are SIM swaps, PII data theft, fraudulent refunds, and tip-offs that grant access to networks. Another type of internal fraud, otherwise called ‘Friendly Fraud’, is when people intentionally dispute transactions so they can receive the goods or services for free while the funds are refunded, given the provisions of chargeback rights.
15. Impersonating family members
Usually it starts with a bad actor impersonating a family member, a friend or a hospital representative, who via text or a ‘spoofed’ phone number requests funds from the victim ‘for an urgent medical surgery’ or some other sensitive matter. The pressure prompts an immediate response, since the request targets people’s emotions for their loved ones. Elderly people are targeted the most, as they are considered weak in terms of security awareness and are generally more sensitive. In the UK, banks have noted a 25% increase in impersonation fraud, which prompted an urgent need for alert notifications and awareness for customers and the public.
16. Investment fraud
A particularly disturbing fraud type, given the high average loss per attack. It aims to deceive prospective investors into making deposits with ‘allegedly’ high returns. Investment fraud types include pyramid schemes, Ponzi schemes and pump-and-dump schemes. Recently, crypto assets joined the investment fraud categories, featuring high-yield investments and initial coin offerings (ICOs) and producing an exceptional number of reported victims. Investment fraud is also an issue for organizations in the financial services industry, with heavy losses. Its frequency has increased due to rapid technological advancement and user-friendly online investment platforms.
17. Man in the middle attacks (MITM)
An attacker intercepts the communication between two parties, aiming at a breach, malware injection, phishing, content injection, alteration, etc., in order to access, manipulate or steal sensitive data. The fraudster generally eavesdrops on or impersonates one of the two parties with the intention of stealing personal information such as login credentials, account details and credit card numbers. This is materially harmful for individuals with low security awareness, no malware protection in place or inadequate network security.
18. Merchant fraud - Mirroring company websites
A particularly tricky scam, in which a customer is easily fooled when awareness of the circumstances, such as a ‘price too good to be true’, is low. Lack of awareness is the major ingredient behind the huge number of victims attracted by fake merchant bait, which usually escalates during ‘sale’ periods. Consequently, victims provide complete card credentials, which are immediately used for fraudulent transactions. This fraud category is not new; however, the lower the security awareness, the longer this fraud MO will continue.
19. Mobile SIM swaps
Two-factor authentication via SMS is no longer considered robust. Phishing/vishing techniques can achieve ‘mobile account takeover’ by defeating OTP verification through SIM swaps. Mobile operators can be swayed into issuing a SIM copy to a fraudster, who will then receive the incoming OTPs. The fraudster takes over the victim’s phone, usually when the victim is asleep, at rest or otherwise unable to notice reception glitches. The fraudster then pursues OTP-verified card transactions or money transfers, with the victim left fully liable for the losses. This fraud is particularly harmful, as the victim cannot defend their position or respond with a chargeback right.
20. Money Mules
Money mules are individuals recruited by bad actors who ‘knowingly’ create accounts for illicit deposits and conduct money transfers for a fee. They pose a significant risk to the financial community, including banking institutions and FinTech companies. Money mules facilitate money laundering, and their recruitment serves to move illicit funds around the world and back until they become untraceable. Some of the trails that indicate a mule account are accounts linked to multiple IP addresses, connections to high-risk countries, any out-of-the-ordinary transfers, funds withdrawn immediately after deposit, unwillingness of customers to participate in due diligence checks, and so on. This phenomenon is particularly widespread and is supported by many actors, either people who do not understand the seriousness of their actions (e.g. students) or individuals driven by poverty, despair or plain greed.
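The indicators listed above are the kind a bank's transaction-monitoring team turns into a review rule. The following is an added example, not code from the original article or from Infocredit Group: it scores constructed account activity against those five indicators (many login IPs, high-risk counterparty country, out-of-the-ordinary transfer size, withdrawal shortly after deposit, declined due diligence). The thresholds, weights and the HIGH_RISK_COUNTRIES placeholder set are assumptions.

```python
# Mule-account indicator scoring over constructed account data (added example).
# Indicator names follow the article; thresholds and country codes are assumed.
from datetime import datetime, timedelta

HIGH_RISK_COUNTRIES = {"XX", "YY"}        # placeholder codes, not a real list
MAX_IPS_30D = 5                           # distinct login IPs tolerated in 30 days
RAPID_WITHDRAWAL = timedelta(hours=24)    # deposit-to-withdrawal gap that counts as "immediate"
LARGE_MULTIPLE = 5                        # transfer >= 5x the account's typical amount

# Constructed sample accounts (not real data)
ACCOUNTS = {
    "acc-001": {
        "login_ips": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"],
        "counterparty_countries": ["GB", "XX"],
        "typical_amount": 200.0,
        "transactions": [("2023-06-01T09:00:00", "deposit", 4800.0),      # (ts, type, amount)
                         ("2023-06-01T11:30:00", "withdrawal", 4750.0)],
        "kyc_refresh_completed": False,
    },
    "acc-002": {
        "login_ips": ["192.0.2.10"],
        "counterparty_countries": ["GB"],
        "typical_amount": 300.0,
        "transactions": [("2023-06-01T09:00:00", "deposit", 350.0),
                         ("2023-06-10T09:00:00", "withdrawal", 120.0)],
        "kyc_refresh_completed": True,
    },
}

def mule_indicators(acct):
    """Return the list of article-listed indicators that fire for one account."""
    hits = []
    if len(set(acct["login_ips"])) > MAX_IPS_30D:
        hits.append("multiple_ips")
    if HIGH_RISK_COUNTRIES & set(acct["counterparty_countries"]):
        hits.append("high_risk_country")
    txs = [(datetime.fromisoformat(t), kind, amt) for t, kind, amt in acct["transactions"]]
    if any(amt >= LARGE_MULTIPLE * acct["typical_amount"] for _, _, amt in txs):
        hits.append("unusual_transfer")
    deposits = [(t, amt) for t, kind, amt in txs if kind == "deposit"]
    # Withdrawal of (almost) the whole deposit within RAPID_WITHDRAWAL of it
    for t, kind, amt in txs:
        if kind == "withdrawal" and any(timedelta(0) <= t - d <= RAPID_WITHDRAWAL
                                         and amt >= 0.9 * damt for d, damt in deposits):
            hits.append("rapid_withdrawal")
            break
    if not acct["kyc_refresh_completed"]:
        hits.append("due_diligence_declined")
    return hits

def triage(accounts, min_hits=3):
    """Accounts with at least min_hits indicators go to the AML review queue."""
    return {a: mule_indicators(d) for a, d in accounts.items()
            if len(mule_indicators(d)) >= min_hits}

if __name__ == "__main__":
    print(triage(ACCOUNTS))
```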
21. Phone scams
Phone scams are particularly harmful when numbers are masked or spoofed (altered to match a known number), or when the caller leaves a missed call to trigger the victim’s curiosity to call back. This scam is global, with fake ‘call centres’ located on different continents. The targets are both individuals and businesses (e.g. impersonation fraud such as ‘CEO Fraud’, the ‘call from Microsoft’ in pursuit of ‘technical support’, or a call from the bank for account verification). The anonymity of the callers and the high potential for easy profits are the grounds for its popularity. It is highly organized, with the support of the dark net. Wangiri fraud is a perfect example of a phone scam: it originated in Japan but spread worldwide with tremendous success and speed.
22. Ransomware attacks
The accelerating rate of ransomware attacks and the doubling of the average remediation cost have raised red alerts globally. Ransomware is mainly the result of phishing, BEC and brute-force attacks, which may be followed by malware on a device, computer or database that exploits vulnerabilities or gains access to sensitive system and network configurations. The encryption of data or its removal from the victim’s database then triggers a ransom demand as the supposed remedy. Note that the bad actors give no guarantee that the data will be recovered or returned in whole, in part or uncorrupted. These cyberattacks can be particularly damaging, resulting in major data loss, unavailability and reputational harm. It is also recorded that over 50% of victims pay the ransom, with only 70% recovery.
23. Romance scams
The Covid era and people’s tendency to avoid social events amplified the effects of isolation, which drove the search for company through online dating sites. The shift of dating and socializing online has opened the door to romance scams. The scammer usually starts an online chat that builds a relationship through a fake social media profile. Ultimately, the aim is to convince the victim to send money. The conversation usually starts with catfishing, using a fake identity and photos that attract the victim’s attention in order to win the victim’s trust over a period of time. These scams result in financial losses but also in emotional harm to the victim. As one can suspect, most romance scams are not reported. They have been around for a long time, but cases have increased dramatically recently, especially with the rise of cryptocurrencies. A byproduct of this scam is called pig butchering or pig fattening, where the criminal builds a relationship over time so that they can later introduce a bogus investment scheme promising great returns, for the purpose of cashing out the victim’s investment funds.
24. Social Engineering
Possibly the worst, most effective and fastest-growing fraud type of all. It can be summed up as a manipulation trick that exploits human psychology to gain access to personal and confidential information, to systems or to physical locations. The main types of social engineering are phishing emails, business email compromise (BEC), vishing (voice solicitation) and smishing (via SMS), using techniques such as emails, baiting, pretexting, quizzes and surveys, impersonation, telephone calls, fake adverts, etc. The response to these attacks should be to increase people’s ‘security awareness’ of these tactics through security training, and to establish policies and procedures to verify identities and validate requests for sensitive information.
25. Synthetic IDs
Last, but not least, is the composition of synthetic IDs from data compromises, for use in fraudulent application attacks (for credit cards, loans, bank accounts) and for ‘muling’ for money laundering purposes. Criminals combine real and fake information to create a fraudulent identity; the fresher the ID data, the more effective it will be.
Source: Infocredit Group