Looking at future fraud trends to help you fight them this year.
Our yearly predictions of fraud trends have become a tradition here at SEON. In 2018, we looked at the changes brought on by machine learning and the PSD2 directive. Last year, we foresaw a huge rise in data breaches and a crackdown on fake reviews.
And, amazingly, all of it came true.
It means our prediction track record isn’t too bad. After all, it’s our job to peer into the data and to extract patterns. We attend fraud conferences, listen to the industry, and generally try to keep our finger on the pulse of the fraud world.
So without further ado, let’s dive into what we believe will be the key fraud trends for the year 2020.
Account Takeover Techniques Will Move to the Next Level
As more and more of our daily lives takes place online, the value of digital accounts increases. Fraudsters and cybercriminals have long taken note. And while account takeovers (ATO) are nothing new, we’ll continue to see an explosion of methods and techniques used to steal login credentials.
The problem is bad across all verticals. And yet, while organizations spend millions on preventing chargebacks and transaction fraud, ATOs aren’t taken as seriously as they should be – both by merchants and fraud prevention teams.
This creates a perfect storm. Fraudsters have access to increasingly sophisticated tools to:
- Scrape for ATOs: accessing all the data transferred to a website, including login and password details, illegally of course.
- Bypass 2FA: so even multiplying authentication methods isn’t as safe as it once used to be.
A number of online publications, including the New York Times, have noted that even the best practice of using 2FA is susceptible to phishing attacks. Combined with powerful malware, it’s entirely possible for fraudsters to take over an account, even if it requires multiple authentication methods (even though Google says 2FA helps reduce 66% of targeted attacks, and 99% of bulk phishing attacks).
At SEON, ATO is something we’ve been keeping a close watch on. To see our findings on the topic and how to prevent these attacks, please see our dedicated ebook.
Phishing Will Also Evolve Dangerously
In the category of new worrying fraud trends: organizations and individuals losing valuable assets without giving away passwords. It is also a sign of an increase in the sophistication of phishing fraud techniques. Two stories perfectly shine a light on the problem.
The first one made the news last year, as an impressive feat of social engineering. Using audio deepfakes, a group of criminals managed to trick an executive into wiring $240,000 to a non-existent supplier.
The second story comes from security legend Brian Krebs and PhishLabs, who detailed a sophisticated phishing scheme targeting Office 365 users. The tactic allowed attackers to access data stored in the cloud by directing victims to the real login page via a malicious link.
Those who take the bait end up forwarding a digital token which gives fraudsters indefinite access to all the cloud data, including emails, files and contacts – even after the victim changes their passwords.
It’s worth remembering that phishing is still the number one cause of data breaches. Bot attacks and DDoS attacks are sometimes responsible, but more than 35% of the major data breaches started with phishing techniques. And that’s before you even add other social engineering techniques, which also count as a form of phishing.
Over the past years, we’ve uncovered bold phishing techniques from hackers and fraudsters, including the creation of fake job posts to obtain applicants’ personal data, and collecting phone numbers for SIM jacking, which results in multiple account takeovers.
In 2020, more than ever before, companies and individuals will need to ensure they are vigilant at all times to avoid giving away information that could hurt them – especially if they want to avoid embarrassing and reputation-damaging data breaches like the ones we saw last year.
PSD2 and Open Banking Will Continue to Transform The Online Landscape
Fintechs and established financial institutions were the first verticals to feel the changes brought on by the EU’s 2nd Payment Services Directive. But Q1 of 2020 will also see a complete transformation of the ecommerce world as SCA (strong customer authentication) is gradually rolled out across Europe.
Unfortunately, this will probably create a period of customer confusion. As new services provide OTPs (one time passwords) via SMS, 2FA and MFA, and even more app-based biometric authentication methods, fraudsters will try to exploit the lack of consumer info to fool users into submitting valuable data.
Periods of change are often fruitful for fraudsters, as we’ve seen with previous implementations of new techniques like Chip and Pin or the abuse of Captcha forms.
The new security methods could also impact conversion rates. We’ve continuously highlighted how providing a seamless user experience is the new battleground for online businesses, whether it’s for onboarding or for completing transactions. Adding an extra step between customers and their purchases has already proved controversial with certain retailers, for instance when 3DS was rolled out.
On the flipside, banks and fintechs alike are enthusiastic about the new opportunities of open banking. According to FData, 80% of large banks want to support fintechs’ application development through open banking. Fintechs also welcome the opportunity to scale by partnering with established financial institutions thanks to the brand recognition they will provide.
ID Theft and Synthetic ID Fraud Will Target New Services in the UK and US
As mentioned above, new security measures are often likely to increase customer confusion, which opens the door to fraud trends pertaining to data theft. A good example would be the new rules from the UK Gambling Commission, which force users to provide ID scans upfront.
The problem is that these measures, while born from good intentions, create a massive demand for stolen and synthetic IDs. We’ve already seen how these bad IDs are used to target the payday and fast loan industries, and the size of that market is bound to increase in 2020.
On top of that, we predict the introduction of the new Request to Pay and Request for Payment services (RtP and RfP) in the US and UK will also make things more challenging.
The service, billed as the new way to settle payment between organisations and friends, is designed to add a flexible channel on top of existing payment infrastructure. In theory, it means faster, simpler and more payments from a variety of devices, including Voice Banking, chatbots and Internet of Things.
Moreover, companies are scrambling to not be left behind with new payment channels. Any innovative technology is a gift for marketers, and these features are sometimes implemented at the expense of security. For instance, US credit unions were fast to offer Alexa banking to their customers, if only to show users that they could keep up with the big banks.
And you’ve guessed it, fraudsters will find opportunities to exploit these payment channels for their own gain. Especially if fraud prevention measures come as an afterthought for the companies who jump on the new-features bandwagon.
The Asia-Pacific Region Will Need to Curb Fraudulent App Installs
According to a report by AppsFlyer, more than half of non-organic installs of finance apps were fraudulent in the Asia-Pacific region (APAC) in 2019. That’s a huge number of malicious installs and mobile fraud, but shopping and travel apps were also high at 35%, and gaming apps hovered around the 5-6% mark.
So why such high rates in that specific region? Countries like Vietnam, India and Indonesia offer a perfect ecosystem of:
- Higher mobile user volumes
- High marketeer demand for volume
- High rate of fraudulent traffic in local networks
- And a trend towards a cost per action (CPA) business model.
In Southeast Asia, the numbers are even more shocking, due to a market driven by cost per install (CPI), which creates a strong incentive for fraudsters to use bots and multiply attacks, even with what appear to be low payouts.
The good news is that anti-fraud solutions have fantastic track records in reducing bot attacks and install hijacking. So prevention is indeed possible – as long as marketers leverage these solutions efficiently, and fast.
Last year was a record-breaking one in the world of online fraud, but sadly for the wrong reasons. More data breaches, new technologies used for malicious reasons, and more confusion – which fraudsters used to their advantage to steal data, valuable online accounts and eventually money.
The year 2020 is unlikely to look much better on that front, especially with an increase in the sophistication and quantity of phishing and ATO attacks. And yes, it doesn’t take a magic crystal ball to imagine that data breaches will continue to be bigger than ever.
But one thing is for sure, we’ll continue keeping track of all the new tools and fraud trends used to attack so we can help companies prepare themselves to mitigate risk and grow safely, well into 2020 and future years.
Bence is the co-founder and COO of SEON whose vision is to create a safer online environment for merchants in high risk verticals.