Why Online Fraud Prevention Is Getting Harder Than Ever (2024)

Online fraud prevention is often likened to a game of cat and mouse, where determined cybercriminals are constantly innovating with new techniques to bypass security systems, infiltrate networks and perform illegitimate financial transactions[1].

Almost every day, a fraudster somewhere is able to exploit some new kind of vulnerability and steal money, which often comes at the expense of brands and their customers. Given this situation, organizations have no choice but to remain vigilant and adapt to the evolving threat landscape.

The Increasing Sophistication of Hackers

Cybercriminals have been around ever since the internet first emerged, and the techniques they employ now are far more sophisticated than the old “advance fee scams” that involved tall tales of Nigerian princes requesting “help” in moving millions of dollars offshore.

These days, hacking is all about “phishing” for employees’ and consumers’ login credentials, social media and investment scams, and advanced “client-side attacks” that take advantage of vulnerabilities in JavaScript code. These techniques are often alarmingly effective, making online fraud prevention challenging.

This is evidenced by a February 2024 report by the Federal Trade Commission, which revealed that U.S. consumers lost more than $10 billion to online fraud scams in 2023, up 13% from the previous year[2]. Some of the most common attacks included online shopping fraud, investment scams, imposter scams, and business and job opportunity scams, the report found.

Why Is Online Fraud on the Rise?

One major reason for the growth in online fraud is the accelerating shift towards digital payments. This trend got a huge boost with the COVID-19 pandemic, when millions of consumers turned to online shopping and contactless payments.

A 2022 report from McKinsey shows that global payment revenues hit an astonishing $1.9 trillion in 2020, making the burgeoning industry an increasingly attractive target for cybercriminals[3]. In North America and Europe, digital payments have expanded at twice the rate of GDP growth in those regions, McKinsey found, while in Asia their adoption is growing at an even faster rate.

More consumers buying goods and services online using digital payment tools means more user accounts and transactions for hackers to target. A second report by KPMG notes that cybercriminals are actively trying to develop new strategies to exploit digital payment services, leading to an increase in fraud, money laundering, terrorist financing and other risks[4].

Fraud as a Commodity

Not only do hackers have more targets than ever, but their job is also getting much easier thanks to the commoditization of fraud. Online fraud prevention efforts are increasingly hampered by the growing availability of stolen credentials, which are openly sold on dark web marketplaces, enabling hackers to bypass the most capable security systems.

In 2022, cybercriminals stole a staggering 22.62 billion credentials and personal records, including account logins, financial information, email addresses and social security numbers, according to a report from the security firm Flashpoint[5]. These stolen credentials have become a valuable commodity for hackers, since they can be purchased relatively cheaply to obtain direct access into corporate networks, databases and other digital assets.

The same report details that 190 illicit marketplaces for stolen credentials emerged on the dark web in 2022. Apparently, one forum alone – advertised as the successor to the infamous Raid Forums site that was taken offline by law enforcement – grew from just 1,500 members in March of that year to more than 190,000 by the year’s end.

One worrying trend that has emerged from this flourishing marketplace for stolen credentials is the rise of ransomware gangs that operate on an “as-a-service” business model. Rather than attempt to hack victims themselves, ransomware creators will either purchase stolen credentials or, more commonly, collaborate with hackers to infiltrate organizations’ IT systems and share the ransom payments they collect.

Rising Client Side Attacks

The demand for stolen credentials has led to a significant rise in security breaches that happen on the client side. Traditionally, hackers used to focus their efforts on corporate data center servers, but as these targets have become much tougher nuts to crack, the trend now is to focus on the clients, or the content they see on websites and applications, often exploiting vulnerabilities to steal valuable information.

Generally, client-side attacks rely on the overwhelming popularity of the JavaScript programming language, which, according to W3Techs, is used by 99% of all websites and applications today[6]. JavaScript is especially useful because it enables rich functionality such as the ability for users to log into accounts and manipulate elements on a website or app (such as posting a comment), and read data.

But the power of JavaScript also makes it extremely vulnerable to malicious code injection, which gives hackers almost unlimited access to any data that’s entered into the website or app.

The risks of client-side attacks are ever-present, with Tala Security’s 2020 Global Data at Risk report finding vulnerabilities in 92% of the 1000 most-trafficked websites, enabling potential client-side attacks such as cross-site scripting, form-jacking and credit card skimming[7].

Bots Getting More Sophisticated

The data stolen from client-side attacks and sold on illicit marketplaces is often leveraged by increasingly sophisticated bots, which aim to automate attacks such as carding, account takeovers and data scraping.

The 2023 Enterprise Bot Fraud Benchmark Report highlights how account takeover attacks increased by 123% in the second half of 2022, while carding attacks, where bots make repeated attempts to authorize stolen credit card information, were up 161%[8]. Moreover, scraping attacks, in which bots scrape websites for information that could be used to perpetrate fraud, were up 112%.
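
To show what detecting the carding pattern described above can look like, here is an added example (not from the original article or any vendor named in it) that flags sources trying many distinct cards with mostly declined authorizations inside a short window. The event format, thresholds, IP addresses and card tokens are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed authorization events: (ISO time, source IP, card token, result)."""
    base, events = datetime(2024, 1, 15, 12, 0, 0), []
    def add(offset, src, card, result):
        events.append(((base + timedelta(seconds=offset)).isoformat(), src, card, result))
    for i in range(8):   # bot-like: 8 different cards in 70 s, 7 declined
        add(10 * i, "203.0.113.7", f"card_bot_{i}", "approved" if i == 5 else "declined")
    for i in range(3):   # customer retrying one mistyped card
        add(30 * i, "198.51.100.20", "card_a", "declined" if i < 2 else "approved")
    for i in range(10):  # shared office egress: many cards, almost all approved
        add(20 * i, "192.0.2.55", f"card_nat_{i}", "declined" if i == 3 else "approved")
    return events

SAMPLE_EVENTS = build_sample_events()

def find_carding_sources(events, window=timedelta(minutes=5),
                         min_cards=5, min_decline_ratio=0.8):
    """Return {source: (distinct_cards, decline_ratio)} for each source that, in
    some sliding window, tried >= min_cards distinct cards with mostly declines."""
    by_source = defaultdict(list)
    for ts, src, card, result in events:
        by_source[src].append((datetime.fromisoformat(ts), card, result))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            cards = {card for _, card, _ in span}
            ratio = sum(1 for _, _, r in span if r == "declined") / len(span)
            # One card retried (typo) or many approved cards (shared NAT) must not alert.
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                if src not in flagged or len(cards) > flagged[src][0]:
                    flagged[src] = (len(cards), ratio)
    return flagged

if __name__ == "__main__":
    for src, (cards, ratio) in find_carding_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {cards} distinct cards, {ratio:.0%} declined")
```

Grouping by source IP alone misses bots that spread attempts across many addresses, so the same function can be run with a device fingerprint or session identifier in the source field.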

These numbers provide a stark reminder of the threat of bots, which have evolved to perform many different tasks associated with hacking. Once used almost exclusively for distributed denial-of-service attacks, bots can now automate almost every aspect of hacking, creating enormous headaches for online fraud prevention teams.

One growing trend involves the use of bots that combine both automation and human input to create “mule accounts” at financial services institutions. These bots have evolved to evade the most rigorous fraud detection systems used by banks, enabling hackers to open multiple accounts that can be used for money laundering and scams.

Cybersecurity Must Evolve Accordingly

The threat of online fraud is evolving rapidly, and the only way for organizations to respond is by reacting as fast as the changing nature of the threats they face. These days, cybersecurity strategies must be made up of a combination of advanced authentication, integrated AI-powered threat detection, account takeover protection, client-side attack prevention and bot detection systems.

By embracing these innovations, organizations can build a robust cybersecurity system that allows them to stay one step ahead of the bad guys in the never-ending battle against online fraud.

[1] https://www.globalbankingandfinance.com/enhancing-safety-and-security-through-ai-powered-fraud-prevention/
[2] https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public
[3] https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/managing-financial-crime-risk-in-digital-payments
[4] https://kpmg.com/us/en/articles/2023/rising-financial-crime-risks-digital-payments.html
[5] https://flashpoint.io/resources/report/state-of-cyber-threat-intel-2023/
[6] https://w3techs.com/technologies/details/cp-javascript
[7] https://www.securitymagazine.com/articles/92824-of-top-websites-provide-attackers-with-access-to-customer-data
[8] https://www.humansecurity.com/hubfs/HUMAN_Report_2023-Enterprise-Bot-Fraud-Benchmark-Report.pdf




Author: Tuan Roob DDS
