A year after the COVID-19 pandemic struck, consumers have become accustomed to the new normal and continue to work, shop, and entertain online. Digital businesses continue to witness elevated levels of user activity owing to an unprecedented increase in the number of people using digital channels for daily life activities. Along with this new normal, there is another, rather dangerous, normal—an explosion in fraud attacks.
The global business landscape has changed forever
The chaos that followed the outbreak of the pandemic provided fertile ground for fraudsters to ramp up their attacks. Our Q1 2021 Fraud and Abuse Report reveals that, compared to the 1.3 billion attacks detected across the Arkose Labs network in 2019, the number rose to 2.4 billion attacks by September 2020.
The pandemic has resulted in a lasting change to the global business landscape. Restrictions on people's movement spelled doom for industries such as travel, hospitality, and tourism, with many businesses seeing a 200-400% spike in chargebacks as holidays were canceled and hotels closed for business. Digital businesses including gaming, social media, and eCommerce, however, saw a record number of users. Some retailers broke Black Friday records in April, and others saw an increase in transactions from 100 thousand to 1 million requests per second. This explosion in digital activity meant many more avenues for fraud.
Many businesses rushed to cope with this growing demand but, plagued by never-seen-before levels of fraud attacks, were forced to adapt their operations to deal with the new fraud trends. Bots constituted the bulk of the attacks, given that they help attackers achieve scale and maximize profits with minimum investment. That said, there has been a spike in human-driven fraud, with sweatshops now accounting for 18% of all attacks. High levels of unemployment also forced many people to turn to fraud so they could seek alternative income streams. The rise of the amateur fraudster has resulted in a significant increase in fraud attacks from mobile devices, which account for 16% of all fraud.
The business of cybercrime flourished across geographies
The business of cybercrime flourished during the pandemic, with non-traditional geographies replacing the more traditional fraud hubs to emerge as the most attacking regions. In 2020, Europe emerged as the biggest attack originator, with the surprising rise of the Netherlands and Denmark as the new fraud destinations. Russia, the UK, and Germany also registered sharp spikes in the number of fraud attacks originating from their soil during COVID-19.
This underscores the economic hardships that people endured and that they took to fraud to make ends meet. It is also a reflection of the global nature of cybercrime and of how quickly fraudsters adapt to changing economic circumstances to pivot their operations and maximize their exploits. Fraudsters took full advantage of the COVID-19 crisis to recruit new workers in order to scale up their attacks. Our Q1 2021 Fraud and Abuse Report reveals that a massive 64% of human-driven attacks originated from Europe in Q3 2020, with 10 million attacks from Russia and seven million attacks from the UK. In Q4, however, Asia reemerged as the most attacking region.
New attack vectors, new attack types
The COVID-19 pandemic gave rise to many new types of fraud and increased the attack surface for the tried-and-tested attack types. Some of the fraud trends attributed to the COVID-19 pandemic that kept businesses and consumers on tenterhooks throughout the year are described below:
COVID-19 Scams: From masks to PPE kits to vaccine labs, fraudsters exploited every opportunity to take advantage of the fear and panic around COVID-19. They also targeted official agencies to score stimulus checks, small business loans, and other financial assistance for economically distressed consumers.
Credential Stuffing: Credential stuffing is on the rise across all industries, as fraudsters attempt to corrupt the huge wave of new accounts that were created during the crisis.
Social Engineering: With a far greater number of people living in isolation, fraudsters have found an ideal opportunity to execute phishing attacks. This is especially true for new digital users, who are not yet accustomed to the hazards of the online world.
Identity Theft: Children and young people have become increasingly easy targets as they spend huge amounts of unsupervised time logged onto digital classrooms, social media platforms, and gaming networks. Increased screentime—due to online classes, entertainment, and socializing—is making them vulnerable to scams and fraud in addition to bullying, sexual abuse, exposure to inappropriate content, social engineering, ransomware, malicious links, and addiction.
Friendly Fraud: There are increasing reports of chargebacks and friendly fraud, as many people face financial hardship and moral lines become blurred.
First Party Fraud: Fraudsters are targeting financial institutions, taking out loans with no intention of repaying them. This has also hampered the processing of legitimate loan applications.
Split Personalities: The deepening economic crisis is leading more people to fraud. These 'split personality' customers are genuine customers on one site, but commit fraud on another. This unpredictability makes it challenging for some fraud prevention systems to distinguish between good and bad actors.
Identity Crisis: The concept of identity became warped as interactions—and identification—moved online. Digital identity is data-driven and fraudsters have easy access to millions of stolen identities and toolkits. This makes it far easier for fraudsters to mask their real identity and intent.
Trust Issues: The pandemic has caused extraordinary levels of anxiety and distrust among people. Social media platforms have become a hotbed for fear-mongering and misinformation.
Digital Debutants: The stay-at-home diktat following the outbreak of the COVID-19 pandemic meant increased reliance on digital channels. Many users were introduced to digital life for the first time. These users are at a greater risk of exposure, given they are still trying to figure out the best ways to navigate the online world.
Looking at the positives
It is said that every cloud has a silver lining, and that holds true even for the COVID-19 crisis. Businesses have become more agile and adaptive, which will help them survive—and thrive—should such an event occur again. Elevated attack levels have enabled many fraud teams to stress-test their systems, plug the lacunae, and strengthen their defenses. This will help them become more vigilant and resilient in the future.
Adopt a zero-tolerance to fraud approach
Remote working and cashless payments will be the new norm, and so will fraud attacks, which will remain at historically high levels in 2021 and beyond. As businesses try to acquire and retain customers through reward and retention programs, they will become attractive targets for increased fraud attempts. COVID-19 continues to fuel fraud attacks, assisted by easily available, commoditized tools and human sweatshops. As a result, fraud attacks have become not only more frequent but also more severe. Reliance on 'suspicious' or 'trusted' behavior signals and legacy bot solutions is no longer relevant, as fraud techniques are continuously evolving.
Businesses must reassess their fraud strategies and look beyond mitigation to eliminate the financial incentives associated with fraud attacks. They must ramp up their defenses to ensure they are prepared to thwart any fraud and abuse attempts going into the future. A zero-tolerance to fraud approach will help businesses bankrupt the business model of fraud and force fraudsters to abandon the attack and move on.
To learn how Arkose Labs helps global businesses eliminate the financial incentives from fraud attacks and ensure long-term protection, book a demo now.