While one might reasonably infer on their own that digital fraud is on the rise under pandemic conditions, a new report from fraud detection firm DataVisor breaks down the current trends and finds a confluence of causes. Mass moves to online work and shopping driven by safety and movement restrictions are certainly part of the picture, but criminals are also rapidly developing sophisticated new techniques to take advantage of a more general, long-term shift toward handling both personal finance and business online.
Digital fraud spiking on social media, jailbroken mobile devices
The report identifies three major factors driving the present jump in digital fraud attempts: a significant shift from offline to online retail transactions (a 4% shift in the first two quarters of 2020), a turn to remote work (and schooling) so rapid that security holes inevitably opened, and a longer-term shift toward mobile devices for shopping and banking that continued during this period.
Financial services, e-commerce and travel platforms all saw tremendous spikes in digital fraud activity during various portions of 2020, and there was consistent growth across all of these verticals in terms of event volume. However, the steadiest growth in digital fraud rates in 2020 was seen on social media platforms.
Digital fraud on financial platforms follows a pattern of its own. This is the only vertical in which fraud rates started high in March 2020 and then declined substantially through the rest of the year. Additionally, the vast majority (79% to 90%) of this activity consists of account takeover attempts. New account fraud and transaction fraud saw some spikes during the year, but overall remained well below attempts to obtain banking credentials or find some other way into an existing account.
Though social media is being heavily targeted and mobile devices are playing a growing role in digital fraud attempts, the bulk of these attempts (a little over 50%) still come from Windows computers. The fraud rate among all desktop users is 7.4%, while it remains at only 0.5% for users of mobile operating systems. This stands to reason, as computers give criminals more powerful tooling for running their schemes. However, the report estimates that the split of fraudulent user accounts operating via the web is more balanced: 34% from desktop web browsers versus 26% from mobile browsers.
That accounts for the major social and economic trends contributing to the present jump in digital fraud, but it is not the full risk picture. Criminals have also been developing and using more sophisticated identity fraud techniques of late. These new attacks overwhelmingly involve "rooted" or "jailbroken" mobile devices; such a device is 22 times more likely to be the source of a fraud attempt than any other category. For criminals, the primary appeal is the ability to "spoof" a physical device and thereby inherit all the permissions and personally identifiable information it would normally carry when held in the hand, such as passing device fingerprinting checks and intercepting calls and messages. 10% of the initial wave of financial fraud in March 2020 came from devices of this kind. When criminals compromise one of these unlocked devices, they can run a special emulator that essentially creates a virtual clone of the device, usable in nearly all of the same ways.
Fighting digital fraud
What can organizations do to stop these emerging digital fraud techniques and head off data breaches? The report finds that "reputation score" fraud detection systems, which assign a value to accounts based on prior indicators of questionable activity, have limited utility in modern settings and catch only about 4% to 6% of financial fraud. A more useful tool for fraud prevention in e-commerce is software that scans for "profile re-use," given that some 40% of accounts that commit digital fraud re-use some piece of contact information such as an email address or phone number.
The report also finds that 100% of fraudulent accounts make use of automation or machine learning at some point in executing financial crimes. Most often this means bots used to automate repeated new account creation or to coordinate attacks involving multiple devices. The report finds that anywhere from 55% to 90% of new accounts created for digital fraud were created with some form of automated scripting. At financial institutions with stronger-than-usual identity verification for new accounts (such as banks and investment brokers), 10% of the fraudulent accounts were created by a spoofed or emulated device. CAPTCHAs still provide strong protection against such scripting, but they are not perfect: 2% of fraudulent accounts were found to have beaten a CAPTCHA, and the systems tend to have an 8% false positive rate, which jumps to 29% when they are case-sensitive.
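The two detection ideas above, profile re-use (a shared email address or phone number across accounts) and automated bulk account creation (many signups from one device in a short window), can both be checked from a plain signup log. The following is an added example written for this page; it is not code from the DataVisor report or from any product it describes. The event schema (`account`, `email`, `phone`, `device`, `ts`), the contact-normalization rules, and the sample signup events are all constructed assumptions for illustration.

```python
"""Added example (not from the report or the article): link signups that re-use
contact details, and flag devices that create accounts in a burst.
The schema and sample events below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup events (assumed schema). u1-u3 share contact
# details through cosmetic variations; u5-u7 come from one device in seconds.
SIGNUPS = [
    {"account": "u1", "email": "Jane.Doe@gmail.com",      "phone": "+1 (415) 555-0100", "device": "dev-A", "ts": "2020-03-02T10:00:00"},
    {"account": "u2", "email": "janedoe+promo@gmail.com", "phone": "415-555-0199",      "device": "dev-B", "ts": "2020-03-02T10:00:05"},
    {"account": "u3", "email": "other@example.org",       "phone": "(415) 555-0100",    "device": "dev-C", "ts": "2020-03-02T10:00:09"},
    {"account": "u4", "email": "bob@example.org",         "phone": "212-555-0123",      "device": "dev-D", "ts": "2020-03-02T11:30:00"},
    {"account": "u5", "email": "a1@example.net",          "phone": "",                  "device": "dev-E", "ts": "2020-03-02T12:00:00"},
    {"account": "u6", "email": "a2@example.net",          "phone": "",                  "device": "dev-E", "ts": "2020-03-02T12:00:01"},
    {"account": "u7", "email": "a3@example.net",          "phone": "",                  "device": "dev-E", "ts": "2020-03-02T12:00:02"},
]


def normalize_email(email):
    """Canonical form so trivial variants collide: lowercase, drop '+tag',
    and (for Gmail, which ignores dots) drop dots in the local part."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(phone):
    """Digits only; a bare 10-digit number is assumed North American (+1)."""
    digits = re.sub(r"\D", "", phone or "")
    if len(digits) == 10:
        digits = "1" + digits
    return digits or None


def link_profiles(signups):
    """Union-find over accounts: any two signups sharing a normalized email
    or phone end up in one cluster. Returns clusters of size > 1, sorted."""
    parent = {s["account"]: s["account"] for s in signups}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (kind, normalized value) -> first account using it
    for s in signups:
        for key in (("email", normalize_email(s["email"])),
                    ("phone", normalize_phone(s["phone"]))):
            if key[1] is None:
                continue
            if key in first_seen:
                union(first_seen[key], s["account"])
            else:
                first_seen[key] = s["account"]

    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


def burst_signups(signups, window=timedelta(seconds=10), threshold=3):
    """Sliding window per device: flag a device that creates at least
    `threshold` accounts within `window`. Returns flagged device ids."""
    by_device = defaultdict(list)
    for s in signups:
        by_device[s["device"]].append(datetime.fromisoformat(s["ts"]))
    flagged = []
    for device, times in by_device.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(device)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("profile re-use clusters:", link_profiles(SIGNUPS))
    print("burst devices:", burst_signups(SIGNUPS))
```

On the constructed events, `u1`, `u2` and `u3` collapse into one cluster (u1 and u2 through a dotted, tagged Gmail address; u1 and u3 through the same phone number written two ways), and `dev-E` is flagged for three signups in two seconds. Real deployments would treat both signals as inputs to a risk score rather than hard blocks, since shared phone numbers and short signup bursts also occur legitimately (families, shared office devices), which is the false-positive trade-off the CAPTCHA figures above illustrate.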