By Ian Newns, Fraud Specialist at RSA Security
2020 was full of surprises. But one thing that didn’t come as a revelation was the speed and agility with which the criminal community reacted to unfolding global events. We’ve often witnessed groups behind phishing attacks, for example, capitalise on breaking news stories and consumer behavioural change to improve click-through rates. Well, news events don’t come much bigger than a global healthcare and financial crisis, and 2020 has been the year we’ve all had to embrace online working, shopping and socialising.
UK consumers are predicted to have spent more than £141 billion on internet shopping last year, up nearly 35% from 2019. The bad news for 2021 is that cyber-criminals and fraudsters will continue to exploit our rapidly changing world to monetise their campaigns. On the other hand, following some simple best practices still offers a highly effective way for businesses to mitigate escalating online fraud risk. With that, here are five fraud and cyber-threat predictions for the coming year:
- Loyalty points become a valuable commodity
From frequent flyer miles to retailer loyalty schemes, the pandemic and subsequent lockdowns mean there’s a lot of loyalty points that weren’t used in 2020 and may have been forgotten about. That hasn’t been lost on the cybercrime community though, who have been observed by RSA’s FraudAction team to be discussing in online forums how to conduct loyalty scams on a range of companies – from fast food restaurants and retailers to hotel companies and gaming websites. These fraudsters will increasingly look to target the growing trove of points accruing in consumers’ online accounts this year.
Tried-and-tested methods for account takeover, including phishing or credential stuffing, will be among the tactics of choice here. That makes it even more important that every retailer or business with a loyalty scheme communicates the dangers of password reuse, and offers multi-factor authentication (MFA) options for customers. Monitoring for suspected botnet activity with behavioural tools can also help.
2. Beware the rise of malicious QR codes
The past year has seen an explosion in the use of QR codes. They’ve become especially common in hospitality settings where businesses want to promote hygienic access to menus and useful in facilitating the government’s Track & Trace scheme. However, whenever a new form of tech starts to become popular, there’s always the danger that it will be subverted by cyber-criminals.
QR codes are no exception – they are now being used in phishing emails and via social media to take users to fake websites designed to harvest their details or covertly download malware. Tackling the problem is more about user education than anything else. Just as recipients shouldn’t click on links in unsolicited communications, they need to be educated not to scan QR codes either. Organisations can also help by aligning any QR codes they use with MFA to mitigate the risk of account takeover.
3. Fraudsters will capitalise on COVID-19 vaccine hype
COVID-19 vaccines signal the beginning of the end of a traumatic period in recent history. But the media attention focused on the vaccine roll-out at the moment will also help cybercriminals hoping to make gains at the expense of others. Europol has already warned of counterfeit versions of the Pfizer/BioNTech vaccine appearing for sale on dark web sites, and warns that these types of forgeries will increase.
Online promotions and phishing emails are a perfect way to lure individuals desperate to jump the queue and get inoculated. Unfortunately, by paying the fraudsters up front, they not only have your money but potentially also your bank details. Governments and social media companies will need to step-up their efforts at taking down any signs of fake advertising related to COVID-19 vaccines and warn citizens of the dangers of engaging with them.
4. Buyer’s revenge as consumers dabble in first-party fraud
Historically, times of recession usually lead to an increase in fraud. According to Portsmouth University, there was an increase in fraud offences after both the 1990 recession (10%) and the financial crash of 2008 (7.3%). The coming economic crisis could be much deeper than these events, especially after the government furlough scheme ends. Cash-strapped individuals may be forced to try and see what they can get away with to make ends meet. A classic example is chargeback fraud, where a customer makes a legitimate purchase and then claims the product was never delivered, thereby generating a refund from their bank.
It’s suspected by some banks that as many as 35% of cases classified as third-party fraud could in fact be first-party scams. Many banks would prefer to write-off lower value transactions than go through the painful and awkward experience of accusing customers of lying, especially as figures showed a 36% rise in complaints last year about how banks deal with fraud and scams. If they’re going to try and tackle first-party fraud, banks need cast-iron proof. This is where more sophisticated data-centric fraud solutions can help. Such tools can crunch hundreds of data points – like age, buying habits, and previous fraud claims – to determine the likelihood of fraud having taken place.
5. Brexit: good news for scammers
There’s still some uncertainty for businesses surrounding Brexit, which opens the door for fraudsters to step in. Given the huge demand for information and advice on how to adapt, this is the perfect opportunity for cybercriminals to swoop in with some well-timed phishing emails spoofing government and other trusted institutions. Some may even request the recipient confirm bank details to continue trading in the EU.
Organisations should enhance their user awareness training simulations accordingly, and ensure they have the right email security tools to spot any phishing. Aside from URL and attachment scanning and IP reputation checks, they could invest in AI-powered tools that analyse writing style and other elements to say with more certainty whether inbound messages are to be trusted or not.
There’s plenty to look forward to this year, not least hopefully an end to social distancing, self-isolation and concerns over vulnerable friends and family. But consumers and organisations alike will need to retain their digital savvy and invest in new tools to ensure the next 12 months is a success.