Are High-Security Checks Worth It?

by Tamas Kadar
Every year sets a new record for the number of exposed records in email data breaches. In 2022, 15M records were lost due to leaks and breaches. Of course, this sounds like bad news for everyone involved – both companies and users whose records will be made public. But we can also use that information judiciously to protect them. Let’s see how it works in practice.
An email data breach is an event where private email addresses are made public. It is also known as an email data leak, because the addresses and associated data are likely to be leaked on online forums, the darknet, or other public spaces.
Email data breaches can be the result of cybercrime, phishing, internal sabotage, or fraud attacks. Criminals usually target email addresses and their associated login details, such as passwords, to infiltrate existing user accounts. This is why email data breaches are often synonymous with account takeover fraud, where fraudsters access someone else’s account in order to withdraw money, mine it for information, or use it as a phishing tool to target other victims.
The types of companies more likely to be targeted for email data breaches include social media companies, neobanks, financial institutions, BNPLs, e-wallets, online stores, and iGaming accounts – among others. However, in recent years, email addresses have been leaked from any kind of company, including travel operators, car companies, healthcare, nonprofits, education, etc.
The reason email data breaches happen in the first place is that criminals can resell the information on the dark web. That’s the first thing that will happen. You’ll come across huge data dumps, as they’re called, which are sold in bulk on shady internet forums.
These account login details are used for account takeover (ATO) attacks, or credential stuffing, where fraudsters try the email and password combination on numerous services.
As a side note, this is why using slightly customized passwords for different services can backfire. If your Gmail password is passw0rd4Gmail, it’s easy enough to infer what it will be for LinkedIn.
If fraudsters do succeed in getting in, they will mine the accounts for personal details or, ideally, currency (crypto, fiat, and even bonus points).
Now, if we switch over to the side of the company that lost the data, it will probably have to inform its users. This is especially true for European companies since the GDPR forces companies to publicly acknowledge when they’ve lost customer records.
Once the user is made aware of the leak, they tend to change their passwords – but not their email address. This is where it becomes interesting from a fraud management perspective.
It is important to learn if your personal information has been revealed due to an email data breach. With SEON, it’s included as part of our email API, which relies on data breaches to estimate how old an email address is. This is a key point to understand: when it comes to fraud prevention, learning that an email address has previously been leaked is actually positive: it helps confirm that the address wasn’t created recently by fraudsters.
You can also check for email leaks manually, by looking at the latest news about email data breaches. There are a number of online services designed to let you verify if your address was made public or not.
There is also a step-by-step guide on how to improve your own security (usually including paid sponsorships by password managers).
It’s also worth noting that a growing number of companies, such as Firefox, allow you to check if your personal information has been compromised directly within their product. Google will also regularly send security emails if your details have appeared in online leaks.
Preventing email data breaches takes effort from your security team, IT team, and every employee and executive. Training and education go a long way, and here are steps you can implement today:
As an online user, if your email address has been leaked in a data breach, you may want to consider the following steps:
Last but not least, remember that the company that lost your data is responsible for the leak. You may be contacted about a class-action lawsuit or compensated for your loss.
The good news is that data breaches can be turned into a force for good, at least in the context of fraud prevention, where you can check whether data has appeared in a breach before. Here is how it works:
When users sign up for your service, chances are they must provide an email address. We’ve previously covered the merits of an email analysis tool in another post, but in the context of data breaches, here’s the key takeaway:
This is a tremendous advantage in modern credit scoring, where you need to calculate how risky a user is based on as little data as possible.
You can read more about how to reduce fraud with reverse email lookup here.
Things get even more interesting at the login stage. One way to ensure only legitimate users get into their accounts would be to keep an eye out for the latest data breach news, and manually check if their login details have been leaked.
But there’s a smarter way to automate checks: using a combination of email analysis and device fingerprinting.
Put simply, here are examples of rules you could set up:
You could even go into more sophisticated setups using velocity rules, for instance. If a user's email appears in a data breach, and the user logs into their account and makes a password reset request within a short timeframe, does it mean they are a legitimate user worried about their account? Or an opportunistic fraudster?
Only a previously installed device fingerprinting solution will help complete the full picture to reduce customer insult rate and improve security.
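The velocity scenario above can be written as a small rule over an event stream. This is an added illustration, not SEON's product logic or API: the event fields, the 10-minute window, and the `allow` / `step_up` decisions are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(minutes=10)  # assumed meaning of "short timeframe"

def _t(hhmm):  # constructed timestamps on one sample day
    return datetime.strptime("2023-01-10 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data (not real accounts or breach records).
BREACHED = {"alice@example.com", "bob@example.com", "dave@example.com"}
KNOWN_DEVICES = {  # device fingerprints previously seen per account
    "alice@example.com": {"dev-A"},
    "bob@example.com": {"dev-B"},
    "carol@example.com": {"dev-C"},
    "dave@example.com": {"dev-D"},
}
EVENTS = [
    {"ts": _t("09:00"), "email": "alice@example.com", "type": "login", "device": "dev-A"},
    {"ts": _t("09:00"), "email": "dave@example.com", "type": "login", "device": "dev-Q"},
    {"ts": _t("09:03"), "email": "alice@example.com", "type": "password_reset", "device": "dev-A"},
    {"ts": _t("09:05"), "email": "bob@example.com", "type": "login", "device": "dev-X"},
    {"ts": _t("09:07"), "email": "bob@example.com", "type": "password_reset", "device": "dev-X"},
    {"ts": _t("09:10"), "email": "carol@example.com", "type": "login", "device": "dev-C"},
    {"ts": _t("09:12"), "email": "carol@example.com", "type": "password_reset", "device": "dev-Z"},
    {"ts": _t("10:00"), "email": "dave@example.com", "type": "password_reset", "device": "dev-Q"},
]

def review_resets(events, breached, known_devices, window=RESET_WINDOW):
    """Return (email, decision) for every password reset, in time order."""
    last_login = {}  # email -> timestamp of most recent login
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        email = ev["email"]
        if ev["type"] == "login":
            last_login[email] = ev["ts"]
        elif ev["type"] == "password_reset":
            seen = last_login.get(email)
            quick = seen is not None and ev["ts"] - seen <= window
            familiar = ev["device"] in known_devices.get(email, set())
            # Rule fires only when all three signals line up: breached email,
            # reset shortly after login, and a device never seen on the account.
            if email in breached and quick and not familiar:
                decisions.append((email, "step_up"))  # hypothetical action name
            else:
                decisions.append((email, "allow"))
    return decisions

if __name__ == "__main__":
    for email, decision in review_resets(EVENTS, BREACHED, KNOWN_DEVICES):
        print(email, decision)
```

Only the breached address that resets from an unfamiliar device is challenged; the breached address resetting from its usual device passes, which is the customer-insult case the device fingerprint is there to avoid.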
In conclusion, you can see how checking for a data breach can be a boon for fraud managers. It may seem counterintuitive, but sometimes, the work of cybercriminals can actually be employed against them.
Of course, this is just one weapon in your email profiling arsenal. You’ll also need to complete the picture using every tool at your disposal, such as IP analysis, device fingerprinting, and, ideally, custom rules specific to your industry.
Yes. You can go to a website or a fraud prevention tool and type in your email address. The system will check all the latest data breaches to let you know if your information has been compromised.
Yes. You may receive an email alerting you that your information has been found in a data breach.
It means you are vulnerable to an account takeover attack, where someone logs into your account illegally. The best thing to do is to regularly change your passwords – especially if your data has been leaked online.
No. But a phishing email could lead to a data breach. Fraudsters use phishing emails to gather information about people, including company employees and those with access to business data. If they can impersonate them through social engineering, it is very likely that it will result in a data breach.
Sources:
• Statista: Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.