2020 was no doubt an unprecedented year, and it left indelible changes on the global economy. Digital transformation efforts of businesses around the globe evolved rapidly with the need to transition exclusively to digital channels almost overnight. Millions of consumers sheltering in place went online for practically every aspect of their lives.
In the midst of this flurry of digital activity, fraud made inroads into new frontiers as bad actors took advantage of the expanded attack surface and new attack vectors. Arkose Labs, in collaboration with experts from the industry, took a deep dive into the fraud trends that have their roots in COVID-19 and continue to flummox businesses, and into how businesses can prioritize their fraud prevention efforts. Here is what we found:
New avenues: With digital traffic remaining at elevated levels across industries, fraudsters exploited every opportunity to attack. From price gouging to delivery scams, especially those involving masks and sanitizers, fraud rings milked every opportunity they could.
Ecommerce and gaming: More people now prefer shopping online over in-store, causing fraud rates to remain consistently high in the ecommerce space. In 2020, there was a steady increase in chargeback volumes as well as in click-and-collect. The gaming industry also saw a rise in popularity that in turn fueled in-game cheating and currency fraud. Black markets provided currency cheating services and sold leveled-up characters.
Stimulus fraud: Concerns around stimulus checks provided fraudsters with the easiest way to make money with the least possible effort. Fraudsters created new fake accounts in hordes to score stimulus funds. They exploited the lack of processes, convenience of creating digital accounts, and onboarding to seek SMB loans, open lines of credit, and launder money.
Human-driven fraud: Due to economic hardships, many unemployed people turned to fraud to make ends meet. Whether by disputing legitimate transactions to claim refunds or working as a recruit within larger fraud rings, people grabbed every opportunity to earn money. As a result, there was a spike in human click-farms. People at home, with more free time and open to experimenting, also accounted for this spike.
New account fraud: There was an increase in the number of new digital accounts created as homebound people increasingly accessed digital channels for everyday activities. Fraudsters cashed in on this opportunity to open new fake accounts using stolen credentials and synthetic identities.
Credential stuffing: As the number of new users—and therefore, new digital accounts—proliferated, fraudsters mobilized their resources—bots and humans—to drive credential stuffing attacks at scale in an attempt to compromise these new accounts.
Account takeover: The biggest growth in attacks happened in account takeover attempts with fraudsters trying to take over genuine accounts created by numerous new digital users. This is one of the fraud trends that will continue to plague all industries.
Phishing: Fraudsters used spam, social media, and social engineering techniques to play on the panic around COVID-19 and trick users into sharing their passwords. They even targeted labs creating vaccines for COVID-19 with ransomware. Further, they are using phishing and spear phishing to target internal fraud teams as well as fraud prevention vendors.
Synthetic identities: One of the top fraud trends is the greater use of synthetic identities. There is a volume shift away from cash to card-not-present online transactions, which causes businesses to re-examine authorization, fraud models, and how to manage identities, especially in the wake of fraudsters increasingly using synthetic identities. Synthetic fraud is not busting out anytime soon, as it provides fraudsters with numerous avenues to make money.
Authentication challenges: Fraudsters relied on tried and tested attack methods instead of employing new techniques. Still, all businesses faced authentication challenges as fraudsters also used synthetic IDs and spoofed SMS verification to fool defense mechanisms.
Priorities for businesses in the coming quarters
As we move ahead into 2021, businesses must learn from these fraud trends and use the learnings from the forced stress tests of their defense systems to sharpen their fight against fraud. The key areas on which businesses must focus their attention include:
Digital transformation: Businesses that could adapt quickly to a digital-first environment were able to better serve their customers and sustain business growth. As people continue to use digital channels due to the convenience they offer, organizations have realized the importance of digital transformation. As a result, they must try to be more nimble and look to enhance security measures as they move to the cloud.
User experience: UX will be the key to attracting and retaining new users. During the pandemic, platforms that made digital interaction simple were able to attract more users. This means businesses cannot make the barriers to entry so high that customers cannot pass them. Therefore, businesses must focus on user experience, accessibility, and ease of use.
Mobile-first: Although millions of people adopted digital tools during the pandemic-driven lockdowns, there still exists a large section of people who could not adopt the technology. Businesses will have to make an effort to take this potential customer base along. To this end, they will want to simplify the onboarding process for consumers on the front end, primarily on mobile.
Going frictionless: Businesses will aim for frictionless authentication and checkouts. However, they will still need to use friction smartly to stop the bad actors and enhance controls to be able to react quickly to the new threats.
New challenges: Apart from the measures that businesses need to take to retain the new customers they gained during the pandemic, they must prepare to fight challenges in managing identities, especially synthetic identities, and look for ways to counter account takeover attempts.
Identity management: Social security numbers (SSN) have been abused to such an extent that they are no longer reliable as an identity. There will be an effort to advocate federating identity across multiple sources to help accurately identify a human. The idea of user control and user consent will pick up: getting a verified set of credentials from a set of different resources, sharing it with relying parties on a need basis, and finally having a protocol built in. Also, since the current methods of verifying identities are lax, digital methods of ID proofing will be more useful going forward, especially for customer service.
Human-driven attacks: Human-driven credential stuffing activities will continue to rise. The problem will be exacerbated as fraud farm activities increase due to unemployment levels remaining high. Therefore, businesses will need to identify the fraud farm locations and activities to be able to better counter them.
Account takeover: One of the biggest fallouts of the heightened online activity will be a steady growth in account takeover attacks. Businesses must focus more on account logins in order to make pre-authorization decisioning better. However, they will need to make extra effort to get users to take account security seriously while not disrupting user experience. They will also need to focus their attention on how to identify account takeover attempts quickly and accurately.
Phishing: Phishing will not only increase but also become more sophisticated and will include a larger mix of social engineering. Apart from common users, fraudsters will increasingly target employees and fraud teams. Once stimulus packages dry up, fraudsters will rely greatly on phishing campaigns to try and take over genuine user accounts.
Greater support for fraud teams: One of the primary focus areas for internal fraud teams, going forward, will be to hunt down manual fraud and sleeper accounts created in 2020. In order to strengthen the fight against fraud in an increasingly complex fraud landscape, businesses must provide greater support to their internal fraud teams.
A solution that works for everyone: While there is a lot of debate about using passwords for account protection, passwords are unlikely to go anywhere, as no perfect alternative is in sight. Device biometric protocols may start making inroads as a replacement for passwords. However, industries like video games do not allow using biometrics for authentication. Therefore, businesses will need a solution that works for everyone.
Reassess fraud defense approach
Traditional fraud defense strategies and point solutions cannot effectively fight complicated fraud and online abuse methods. To counter the growing threat, businesses need a fresh approach that allows them to stop fraud long-term while offering a seamless user experience.
Arkose Labs enables global businesses to screen every incoming user to precisely single out attackers. Using targeted friction, the Arkose Labs platform bankrupts the business model of fraud and forces attackers to move on. To learn more about this multi-tiered, user-centric authentication, please book a demo now.