
Biggest Fraud Scandals in 2020

2020 will primarily be remembered for all the changes that the COVID-19 pandemic brought in our lives. But it was also the year of a few high profile fraud cases that are noteworthy. In our view, these events are interesting not just in themselves, but also because they reveal issues that might be deeper and systemic, thus potentially affecting many more people and industries.

In other words: they reveal patterns of risk that we must be prepared for, and the first step is reading and understanding these stories.

So in the same way as last year, we have decided to collect some of the fraud cases that made the news to illustrate what we think is happening around us in terms of fraud – from the viewpoint of a fraud fighting company. 

1. Europol nabs SIM swapping fraud ring in Europe

Gains: €3.5 million before being arrested by Europol
Arrested: 26
Number of victims: 100+

A criminal gang with members from Spain and Romania made over 3.5 million Euros by scamming over 100 victims via SIM swapping attacks before being arrested by Europol.

Why is this interesting?

Two-factor authentication has become a mandatory security procedure when it comes to sensitive information, whether it is changing passwords or conducting online banking. As a result, a technique called SIM swapping has been on the rise, in which criminals use social engineering methods against a phone carrier to redirect the victim’s phone traffic, allowing them to intercept verification messages. Not only are these attacks on the rise, but they are also extremely lucrative, as evidenced by the proliferation of criminal gangs and web forums dedicated to this sort of fraud. It also opens the door to related risks such as open banking fraud.

[Figure: graphic explaining the SIM swapping scam process]

The criminals in this case went further than just making fraudulent wires – they also helped themselves to cash by targeting cardless ATMs.

Cases like these show that while 2FA is a common-sense solution for securing access points to services, it also shifts where attacks are aimed. The rise of SIM swapping attacks shows that citizens must be educated about social engineering and that phone carriers must invest in more serious verification procedures to protect their customers.

Until that happens, we expect to see more of these cases in the news. 2FA adoption is only growing, which makes SIM swapping all the more valuable: services are lulled into a false sense of security by authorising transactions that were verified this way, and the scam is easy enough to pull off that criminals quickly specialise in it.
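The point above is that an SMS code stops being an independent factor once the SIM behind the number may have changed hands. The following added example (ours, not code from the original article or from any carrier or payment provider) shows one way a service can stop trusting SMS verification blindly: it combines the OTP result with a carrier lookup signal and routes the payment to a different factor or to manual review instead. The data shapes, field names and thresholds are assumptions for illustration; real carrier lookup APIs and the sample payments are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed data shapes (hypothetical): the result of a carrier lookup for the
# customer's number, and a payment that has already passed an SMS one-time code.

@dataclass
class CarrierLookup:
    phone: str
    last_sim_change: Optional[datetime]  # None if the carrier has no change on file
    ported_recently: bool                # number recently moved to another carrier

@dataclass
class Payment:
    user_id: str
    amount_eur: float
    sms_otp_passed: bool
    requested_at: datetime

SIM_CHANGE_WINDOW = timedelta(days=14)  # constructed threshold, tune per business
HIGH_VALUE_EUR = 500.0                  # constructed threshold


def assess_payment(payment: Payment, lookup: CarrierLookup) -> dict:
    """Decide whether an SMS-verified payment can be trusted.

    Returns a decision ("approve", "step_up", "review" or "decline") together
    with the reasons behind it, so the outcome can be logged and audited later.
    """
    if not payment.sms_otp_passed:
        return {"decision": "decline", "reasons": ["otp_failed"]}

    reasons = []
    sim_recently_changed = (
        lookup.last_sim_change is not None
        and payment.requested_at - lookup.last_sim_change <= SIM_CHANGE_WINDOW
    )
    if sim_recently_changed:
        reasons.append("sim_changed_within_window")
    if lookup.ported_recently:
        reasons.append("number_recently_ported")

    if not reasons:
        return {"decision": "approve", "reasons": ["sms_otp_trusted"]}

    # The SMS code no longer counts as an independent factor: whoever triggered
    # the SIM change may be the one reading it. Escalate instead of approving.
    if payment.amount_eur >= HIGH_VALUE_EUR:
        return {"decision": "review", "reasons": reasons + ["high_value"]}
    return {"decision": "step_up", "reasons": reasons}


def demo_cases() -> dict:
    """Constructed sample payments (not real data) exercising each branch."""
    now = datetime(2020, 12, 1, 10, 0)
    clean = CarrierLookup("+34600000001", now - timedelta(days=400), False)
    swapped = CarrierLookup("+34600000002", now - timedelta(days=2), False)
    return {
        "clean_small": assess_payment(Payment("u1", 60.0, True, now), clean)["decision"],
        "swapped_small": assess_payment(Payment("u2", 60.0, True, now), swapped)["decision"],
        "swapped_large": assess_payment(Payment("u3", 900.0, True, now), swapped)["decision"],
        "otp_failed": assess_payment(Payment("u4", 60.0, False, now), clean)["decision"],
    }


if __name__ == "__main__":
    for name, decision in demo_cases().items():
        print(f"{name}: {decision}")
```

The "step_up" branch is where a non-SMS factor belongs (an in-app push to a device already enrolled, or a call back on a channel the attacker does not control); the "review" branch keeps a human in the loop for the amounts that made the Europol case profitable.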

2. Profits via Food Delivery Arbitrage

Profits: $8 / Pizza
Doordash losses: $450 Million last quarter
Valuation: $60 Billion

This story is not really a fraud scandal – although, under normal circumstances, every fraud detection service (like the one we offer, for example) would have flagged it in red. It just goes to show how extraordinary this year really was.

Confused by the sky-high valuations of food delivery services while they are running at mind-boggling losses? This story illuminates some of the math behind it.

Food delivery services took a central place in our lives amid the various lockdown measures brought on by the pandemic, which made the sector extremely competitive. The delivery startup Doordash (which recently IPO’d) was very aggressive in its efforts to gain market share, scraping restaurant menus and subsidising food orders. This meant that an enterprising restaurant owner – or in this case, the ex-day trader Ranjan Roy – could make arbitrage profits by ordering from themselves through the platform.

We recommend reading the entire writeup, as it shines a light on more than just Doordash, but on the rapidly evolving food delivery industry that’s reshaping how we eat.

From our point of view: there are ambitious and risky promotional offers, and then there is creating a large-scale arbitrage opportunity accessible to anyone with a smartphone. If you are not Doordash, you would be happy to get away with the first one, provided your risk management system is set up.

As lockdowns ease next year and the competitive landscape adapts, such aggressive risk-taking might no longer be feasible for anyone who also wants to avoid fraudulent chargebacks.

3. Florida teenager hacks Twitter

Money made: $117 Thousand
Arrested: 3

At some point during the summer, several high-profile Twitter users, including Jeff Bezos, tweeted what was apparently a cryptocurrency scam. While that in itself was weird, the investigation revealed that Twitter (the leading communication platform on the planet) had been hacked by some teenagers in Florida, who used social engineering and SIM swaps to gain access to Twitter’s admin panel… where low-level employees apparently had access rights to all users.

[Figure: screenshot of the hacked Jeff Bezos tweet. Original screenshot: KrebsOnSecurity]

They got away with over $100,000, which is not that much when you consider that, given Twitter’s importance in global communication, they could have started a war.

This raises the more unnerving question: how did a company of this size and importance not have the access restrictions or the access log monitoring in place that would have prevented this fiasco?

While we don’t know the answer, we hope that other businesses take the time and effort to have these procedures – not just in an effort to protect their users and customers, but to avoid similar embarrassing situations should they get targeted.
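The access log monitoring mentioned above is concrete enough to show. The following is an added example (ours, not code from the original article, from Twitter or from any vendor) of two simple detections run over an admin-tool audit log: a sensitive action on a protected account with no support ticket attached, and one agent performing sensitive actions across several distinct accounts in a short window. The log format, field names, account identifiers and thresholds are assumptions, and the log lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log lines (not real data): one JSON object per admin-tool
# action. The field names are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2020-07-15T20:01:05Z", "admin": "agent42", "action": "view_account", "target": "user_1001", "ticket": "T-881"}
{"ts": "2020-07-15T20:01:40Z", "admin": "agent42", "action": "reset_email", "target": "user_1001", "ticket": "T-881"}
{"ts": "2020-07-15T20:03:10Z", "admin": "agent17", "action": "view_account", "target": "verified_0001", "ticket": null}
{"ts": "2020-07-15T20:03:22Z", "admin": "agent17", "action": "reset_email", "target": "verified_0001", "ticket": null}
{"ts": "2020-07-15T20:03:31Z", "admin": "agent17", "action": "disable_2fa", "target": "verified_0001", "ticket": null}
{"ts": "2020-07-15T20:03:45Z", "admin": "agent17", "action": "reset_email", "target": "verified_0002", "ticket": null}
{"ts": "2020-07-15T20:04:02Z", "admin": "agent17", "action": "reset_email", "target": "verified_0003", "ticket": null}
"""

# Constructed policy: which actions are sensitive, which accounts get extra
# scrutiny, and how many distinct accounts in one window count as a burst.
SENSITIVE_ACTIONS = {"reset_email", "disable_2fa", "change_phone"}
PROTECTED_ACCOUNTS = {"verified_0001", "verified_0002", "verified_0003"}
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=5)


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events: list) -> list:
    """Return a list of alerts produced by the two rules described above."""
    alerts = []

    # Rule 1: a sensitive action on a protected account must reference a ticket.
    for e in events:
        if (e["action"] in SENSITIVE_ACTIONS
                and e["target"] in PROTECTED_ACCOUNTS
                and not e.get("ticket")):
            alerts.append({"rule": "sensitive_without_ticket", "admin": e["admin"],
                           "target": e["target"], "ts": e["ts"].isoformat()})

    # Rule 2: one admin touching BURST_COUNT distinct accounts with sensitive
    # actions inside BURST_WINDOW. Sliding window per admin, one alert each.
    by_admin = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] in SENSITIVE_ACTIONS:
            by_admin[e["admin"]].append(e)
    for admin, evs in by_admin.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BURST_WINDOW:
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            if len(targets) >= BURST_COUNT:
                alerts.append({"rule": "burst_across_accounts", "admin": admin,
                               "targets": sorted(targets),
                               "ts": evs[end]["ts"].isoformat()})
                break
    return alerts


def run_sample() -> list:
    """Run both rules over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Neither rule prevents the access itself; that is what scoped permissions are for. What they do is make a low-level account being used across many unrelated high-profile users visible within minutes rather than after the tweets go out.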

Considering that the cybercriminals, in this case, were affiliated with a forum that operates in the open web and focuses on buying and selling access to high profile accounts, it’s more than likely that more and more platforms will get attacked by similar methods. When it’s in the open web, you can be sure that the tactic has a very low barrier to entry and carries a low level of risk for the attacker. 

You can read more about it over at Krebs on Security.

4. The Curious Case of former PM Tony Abbott’s Passport Number

Number of crimes committed: 0
Security issues fixed: 1
Ex-Prime Minister Educated: 1

Former Prime Minister Tony Abbott posted his boarding pass on Instagram. What followed was the most hilarious security writeup of the year, in which we learn why this was a bad idea and how badly configured software can end up displaying your customer service representatives’ comments on your frontend. The story has a happy ending, with a security hole patched and some wholesome advice on how to educate our less tech-savvy fellow men on the dangers of oversharing information. A recommended, lighthearted read.

The fact that boarding passes can be used as passwords has long been known, and it is something that all travel fraud solutions need to consider: if users share their tickets on social media, are we printing information that can be used to access online accounts? And once those accounts are accessed, what else do they reveal about the user?

While we design our online systems and solutions, it is easy to get lost in layers of abstraction and forget the all too human factors of everyday behaviour. The more we do so, the more we expose our users to malicious actors who scour social media to pick up any crumb that can be used in an attack. And human users leave crumbs everywhere, just by going about their daily lives.

This story was interesting because it illustrates this perfectly: a non-tech savvy user (and indeed a very high profile one!) does something that a lot of people do every day. This one crumb of information was then used by a curious individual, armed with nothing but Google Chrome’s built-in “Inspect Element” feature to uncover a potential security issue in Amadeus – the platform that virtually all global airlines use.

Thankfully, there was a happy ending. But if you really think about it, that’s kind of mind-boggling.

5. The Wirecard Meltdown

Original market valuation: €17 Billion+ 
Market Cap as of today: €70.74 Million

This is a story about a company that was not quite upfront on what it was actually making money off of, fought against reporters trying to uncover the facts, and then was caught fabricating its revenues.

Without a doubt: biggest fraud news of 2020.

The German fintech giant Wirecard was heralded to be Europe’s answer to Silicon Valley – until its stock value evaporated overnight once they “misplaced” €1.9 billion. The revelations were a shocker for the fintech industry and came to light after serious investigative work by Dan McCrum from the Financial Times was confirmed by the auditors of KPMG – 8 months later.

The entire writeup is mind-blowing, and there’s already a documentary in the works that’s set to come out in early 2021.

With the fintech sector facing regulatory challenges everywhere, we hope that it will still be viewed as an economic opportunity by lawmakers. But that will only happen if the companies involved give their best in following anti-money laundering procedures and view each other with the proper scrutiny that is required by existing due diligence requirements.

Wrapping up this year’s fraud scandals

The top fraud cases and scandals of 2020 show that no matter how big or small, niche or famous we are, as the fraud landscape shifts we might be hit by attacks and from angles that were unheard of even some years ago.

The underlying story is one of shifting risk and responsibility as digital commerce solidifies as a part of our everyday lives. Services require more and more security measures on their end, which pushes fraudsters towards other weak points in the system – SIM swaps being a case in point. Companies – whether big or small – and individuals alike are targeted for profit. The infrastructural barriers to committing fraud have lowered, and many consumers still lack the technical knowledge necessary to protect their data.


Ultimately it’s the responsibility of businesses and service providers to ensure that every existing and potential customer is safe by having adequate risk measures and responses in place. Not just because it’s the law, but because it’s in our collective best interest to do so.