What are the biggest fraud challenges for businesses in 2022?
As the year comes to an end, we got together as a team to think about what kind of threats the future might bring. Thanks to the benefit of hindsight, we can see what kind of developments in fraud look sticky enough to cause more headaches for years to come.
With that in mind, here are our top five predictions for 2022 in terms of fraud threats and trends you should look out for!
1. Phishing Kits Will Affect Everyone
In recent years, growing cybercrime has nested in the wider development of the Crime-as-a-Service (CaaS) industry.
Criminals have realized that making money is not just about executing fraud. By streamlining the fraud process and packaging it, they can offer it to less experienced folk who want to do the same, getting their cut of the profits.
One of the fastest-growing segments of 2021 were phishing kits, which are tailored to mimic the communication of a given brand, from its landing page to emails or even SMS messages.
According to Help Net Security, the biggest affected brand was Amazon, whose likeness was frequently used to defraud shoppers and even Marketplace merchants. But as these kits are relatively easy to build, we expect that in 2021 more companies will be targeted.
Industries where customer accounts are more valuable, such as those where accounts double as e-wallets, are at higher risk but by the nature of the beast, the methodology will extend until it reaches drag-and-drop adaptability and it’s possible to target any company.
From the fraudster’s point of view, all they need to do is grab an email or phone number list, and they are free to attack your customers with a kit.
Above and beyond protecting your user accounts through information, education and 2FA, you can (and should) also proactively monitor domain typosquats for your brands.
The phishing kit method relies on tricking your customers by impersonating your company, and one of the best ways to do that is via the use of domains that resemble your brand name.
While it can be a costly investment, it’s worth getting control of domains very similar to yours in the long run, considering the cost of the harm they can lead to in the wrong hands. If a customer were to lose money due to a typosquat, it’s almost certain your reputation will take a hit.
2. The Rise of Complex, Two and Three-Way Fraud
There are scams, there are frauds, and then there are audacious heists. Then the pandemic came along and… well, it just opened the floodgates!
During times of crisis, consumers are more susceptible to scams, and governments around the world introduce relief programs – an opportunity that fraudsters were eager to capitalize on.
In our modern, security-heavy environment, our personal information, IDs and associated selfies are a pot of gold for criminals, who can use these details to pass mandatory KYC checks of various financial services, such as loans.
While in the past we’ve seen the increase of rent-an-ID services and fake KYC portals, a new and disturbing development is the use of outright scams to trick people into willingly handing over their details, which can then be used against companies.
These types of attacks are hard to detect in advance and can fly under the radar if you only rely on biometrics and hard KYC checks for approvals. Complex fraud, two-way fraud and three-way fraud complicate the scheme further by targeting more than one attack surface or organization at the same time, creating confusion or even coordinating in order to give the appearance of normalcy.
An enterprising fraudster will at first test out the waters with a couple of accounts, and then quickly scale their attack with a “go big or go home” attitude before you get a chance to close the loophole in the system.
Your best defense against these heists is having a warning system in place.
If, out of the blue, metrics in your organization look good to be true, exceed expectations, or don’t match marketing spend in a given market, you have reason to pause and investigate deeper. It is possible that you are being targeted by scammers.
To better understand how these kinds of schemes operate, take a look at our Fraud She Wrote webinar.
3. Synthetic Data + Deepfakes = More Stress on Biometrics
Connected to the above, we can now see the drawbacks of the normalization of biometrics-based verification. As it becomes an industry standard, it is increasingly constituting a single point of failure.
With hundreds of companies working with just a handful of vendors on this step, fraudsters only need to figure out how to beat those checks once and then peddle their method to other criminals.
We have seen a wide variety of attempts, from doctored documents to rented IDs but, in some cases, even a simple printout has been able to beat the expensive facial recognition technology.
Meanwhile, the security vendors themselves offer live detection – at further cost, of course – to block simpler bypass methods.
Onfido’s latest Identity Fraud Report confirms this information and gives deeper insights into how these attempts are evolving.
In our reading, this means that the arms race between criminals and biometric identity verification providers will continue to escalate in 2022.
As a merchant, you will have to add more layers to your fraud prevention stack, such as data enrichment for details acquired at user registration (IP addresses, emails, and phone numbers).
These can act as additional barriers and checks, allowing you to frustrate fraud attempts even in case they are prepared to beat biometric verification.
4. One-Time Passwords Will Come Under Challenge
In 2021, we saw a wide-scale rollout of one-time password-based authentication systems via SMS or apps across many leading services and verticals.
The idea behind this scheme of course is to stop account takeover fraud; the point being that even if a fraudster were to acquire our password, our account would still be protected as sensitive actions (such as logins or transactions) require a secure second factor of authentication from the account holder.
Sound logic. Except, from the point of view of a fraudster, this is just one additional piece of information they need to get, and Krebs on Security has already reported on the rise of one-time password interception bots.
These are specialized CaaS tools similar to phishing kits, except their entire goal is to get the user to submit their OTP just at the right moment when the fraudster has access to their account.
Build a higher wall, and they bring a taller ladder.
One thing is for sure: Businesses should tread carefully in automatically trusting user actions approved by OTPs, as these attacks continue to gain steam.
While, categorically, they fall under spear phishing, meaning that they are expected to be rare, your alerts that are set up to detect account takeover should keep in mind the risk of intercepted OTPs. Additional manual reviews or stronger customer authorization may be required to protect your users.
Furthermore, make sure that you are clear with your users about what kind of communications they can expect from you and from which numbers and addresses, as this type of attack will try to fool your customers by claiming to be from your organization.
5. Data Breaches Will Become Bigger and Weirder
Talking about data breaches in the security industry is like talking about the weather. They always happen, in mostly predictably unpredictable ways.
The last few years saw some pretty bad breaches from pretty big companies. And if they can’t seem to keep a lid on the problem, that does not bode well for the future.
Because yes, we did accelerate the digitalization of the economy, but we saw how many industries and legacy players well-versed in offline operations struggled with these transformations.
We’re not out of the tunnel, either. The rollout of 5G and IoT everywhere means more data will be gathered by more devices around us, and data security doesn’t seem to be on anyone’s mind.
With that said, we expect the next year to bring bigger and weirder breaches across the board. Whether or not these smart devices carry data that’s of use to fraudsters remains unknown but they are enterprising folk, and we’re sure they’ll figure out how to weaponize some of it in one way or another.
After all, burglars have used social media to check whether or not a target is home, and information like that can be easily gathered from device telemetry.
How do you protect yourself against such unknown unknowns? Who knows!
But going into the holiday season, before purchasing a range of smart devices, you might want to consider whether or not those gizmos are gathering data that could be used against you or your company…
The 2022 Fraud Landscape: Mega-Trends
Looking at the bigger picture of fraud trends, we see the familiar patterns of a game of cat-and-mouse, with cybercriminals directly responding to measures introduced to bolster your defenses with their own technological advancements, as we’ve seen in the case of OTP interception and phishing kits.
In what can be described as a mega-trend, there is also a move towards Crime-as-a-Service on multiple fronts, which mirrors the shift to SaaS we have seen from big companies, in a worrying development. Once again, it will be those who remain proactive and adopt flexible and scalable anti-fraud solutions who will be best prepared to fight off fraudsters.
You can read more about these and other types of fraud, cybercrime and protection from it in our website’s Resources section.
Sources of data in this article:
See a live demo of our product