By: Andy Renshaw, SVP product management at Feedzai
Fraudsters are becoming more familiar with their targets and dedicating more time to understanding their lifestyles, which means highly targeted and personalised scams are becoming the norm. In addition, many banking customers embraced digital banking habits because of the COVID-19 pandemic, making them unlikely to switch back to their pre-pandemic practices. This has resulted in a rise in digital interactions, leaving more targets for fraudsters to pursue using social engineering. Armed with personal credentials obtained through the dark web, phishing or even social media, fraudsters can launch account takeover (ATO) attacks and compromise a legitimate user’s account. And if fraudsters can’t breach a customer’s account, they might use social engineering to trick victims into deliberately transferring money to them using authorised push payment (APP) tactics. This latter type of fraud has become especially problematic in the UK.
Here are some other personalised tactics that consumers will have to contend with in 2022:
Fraudsters practice patience: With more effective online security measures in place, fraudsters are thinking bigger to maximise their monetisation opportunities. Instead of quick “smash and grab” attempts that involve breaching an account and quickly transferring money, they will patiently observe a victim’s financial patterns. This includes details like when their paycheck is deposited and where they shop online. With this understanding, they will know when victims receive their pay and when they have the highest amount of money. By conducting layered research using social engineering or personal information obtained from phishing or malware attacks, fraudsters can carefully hone their message to make scams more convincing.
Rise of the narrative: Banks have been working for years to offer more personalised services to customers. Unfortunately, fraudsters are adopting the same strategy by crafting highly tailored narratives to deceive their victims. When a fraudster accesses a victim’s bank account (or email or eCommerce account, for that matter) they can learn important details about their life. For example, if they see their victim recently made payments for a parking violation or paid for a medical procedure, fraudsters can adopt the persona of a municipal employee or a medical office worker and claim a recent payment was not processed correctly. Next, they tell their victim to share their credit card or send money to a bank account they control. Because the fraudster uses such specific details, their scams have a better chance of working. Some fraudsters will craft a portfolio of narratives for a wide range of scenarios.
Taking advantage of FOMO: Want to get rich quick? Fraudsters hope so, and they play on well-established human behaviours like the Fear of Missing Out (FOMO). They will use FOMO to lure victims into get-rich-quick schemes. Some scammers will use the same social engineering tactics mentioned earlier to design a scheme specific to their victims’ lifestyle or demographic. Once they familiarize themselves with their targets, the fraudsters will use high-pressure tactics to convince victims that a once-in-a-lifetime, low-risk, high-reward opportunity is available to them. Cryptocurrency scams are becoming increasingly popular with fraudsters for these types of schemes, which can cost individuals vast sums of money. Australian Federal Police recently reported a 172% rise in cryptocurrency scams from January to November 2021. Unfortunately, the mystery and newness of crypto make these scams highly appealing to fraudsters.
Romance Scams: Romance scams proved to be one of the biggest scams of the pandemic, with consumers losing an estimated £68 million in 2020. Scammers approach their victims online using dating sites or apps and pretend to be romantically attracted to them. After they convince their target that their relationship is genuine, they ask them for money for medical expenses, vehicle repairs, or for plane tickets to meet in person. In the end, the fraudsters pocket the money and disappear. This trend is on track to continue as more people turn to dating apps for companionship in 2022.
And it’s not just the personalisation of attacks that will increase; fraudsters will take advantage of new and emerging payment methods that are designed for convenience as well:
B2B Payments: After a long build-up, it’s looking like instant business-to-business payments are on track to finally become a reality in 2022. When instant B2B payments debut, both banks and businesses must apply the lessons learned from consumer real-time payments. Consumers, after all, expect to access banking services on a 24/7 basis. Businesses need to prepare for how this enhanced speed of payments leaves them vulnerable to fraud. If a business loses money in real-time to fraud, the organisation will struggle to trust banks that facilitate the transfer. Instant B2B payments open new opportunities for fraudsters to defraud businesses quickly. That’s why it’s important that banks and businesses both implement the right safeguards.
Connected Commerce Confusion: Gone are the days when consumers have a checking, savings, and credit card account. Now, most consumers have multiple traditional accounts, and a host of digital accounts like PayPal, Venmo, or even WhatsApp. And it doesn’t stop there. Many connected smart internet of things (IoT) devices like Amazon’s Alexa or Google Home can send money using voice commands. And soon it will be commonplace for people to send money through social media platforms. If all this sounds like a dream come true for fraudsters, it is. In a connected commerce ecosystem, we expect to see a spike in attacks on IoT-connected devices and social engineering attacks. A disparate arrangement of finances calls for a new approach for banks to manage their customers’ financial risks.
Challenger Banks: Digital-only and digital-first challenger banks need to attract more customers. One way they’re doing that is by making it easier for customers to quickly onboard. They also specifically want to appeal to younger customers, so they’re marketing their services on social media or partnering with digital influencers like YouTube and TikTok celebrities. Unfortunately, fraudsters are also looking to onboard with challenger banks. They realise many challenger banks have no physical infrastructure to meet customers face-to-face, and want to make onboarding as seamless as possible. Given the combination of these factors, fraudsters see challenger banks as top targets.
Targeting of Millennials & Gen Z: As younger people join the digital banking system, fraudsters will be eager to take advantage of their unfamiliarity with digital banking. While younger people are more tech-savvy in a social context than their older counterparts, fraudsters have found several tactics that have proven effective against millennials and Gen Z customers to take advantage of them from a financial perspective. The latter group is falling for fake check scams at the same rate as senior citizens. Meanwhile, one in five millennial shoppers experienced online fraud during the 2020 holiday shopping season. Fraudsters will also scour these users’ social media accounts for social engineering purposes.
The Evolution and Challenges of Crypto Regulation
Cryptocurrency regulations are evolving quickly around the globe, with authorities responding to developing risks posed by criminals exploiting the latest payment methods to mask and launder the profits from their crimes.
According to William Je, Founder & CEO of Hamilton Investment Management Ltd, this has warranted the introduction of a more stringent level of due diligence by additional bodies to introduce preventative measures.
William Je, Founder & CEO of Hamilton Investment Management Ltd, explains: “The past ten years have seen several structural changes in Know Your Customer (KYC) and anti-money laundering (AML) regulations in both Europe and across the world. High-profile money laundering cases and the penetration of illegal monies into global markets have caught the attention of regulators.
“As regulators improve their understanding of these criminal practices, AML requirements have also been improved. However, these improvements have been a reactive process.”
To address the challenges of the blockchain ecosystem, the European Union has started to introduce financial regulations that further bolster the regulatory system in order to improve licensing models. Many member states are regulating crypto assets individually, and Germany is leading the way in being the first to regulate.
Je continues: “These nationally driven regulations clearly point to a future pathway for crypto companies, outlining the requirements for obtaining and maintaining a financial license from the regulator.
“Compliance, however, is to my mind essential as it not only boosts investor confidence but adds a necessary layer of protection to investors.”
As crypto evolves, so have regulatory bodies’ efforts to monitor, address and enforce restrictions. The most prominent is the Financial Action Task Force (FATF), which details guidance and determines best practices in anti-money-laundering practices and combating the financing of terrorism.
FATF Recommendation 16, better known as the ‘travel rule’, is the most notable: it requires businesses to collect and store the personal data of the originators and the beneficiaries in blockchain transactions.
Je concludes: “What does this mean? In theory, access to this data will enable authorities to have better oversight and enforcement of crypto market regulations. In other words, they’ll know exactly who is doing exactly what.
“As we have always argued – transparency is key. We need to regulate crypto as an asset class with efficacy, which necessitates legislation that is applicable specifically to digital assets and does not hinder the market.
“The criminal financial trade, which arguably encompasses money laundering, illegal weapons sales and human trafficking, is also international. Thus, cracking down on it is, out of necessity, an international effort.
“The decentralised nature of blockchain, which runs contrary to the central-server standard we know and use nearly everywhere, presents a formidable challenge here. Rules and regulations for traditional financial institutions are being implemented wholesale into the crypto sector. We believe that this is arguably wrong-footed as it ignores the innovation and uniqueness this asset class and its underlying technology entails.
“Traditional forms of regulation from the fiat world do not reciprocally apply to every aspect of crypto nor to the fundamental nature of blockchain technology. However well-intentioned they may be, because these imposed regulations are built on an old system, they must be adapted and modified.”
How bug bounty programs can help financial institutions be more secure
Rodolphe Harand, Managing Director at YesWeHack
Financial services have been one of the most heavily targeted industries by cybercriminals for several years. One alarming stat from the Boston Consulting Group found these firms to be 300x as likely as other companies to be targeted by cyberattacks.
Furthermore, the pandemic has led to a significant increase in the number of cyberattacks targeting financial institutions (FIs), with around 74% experiencing a spike in threats linked to COVID-19.
With FIs holding some of the largest collections of sensitive and private data, it’s clear they will remain an attractive target for malicious actors, especially as any data stolen can be used for fraudulent activities. This leads to the reputational damage of the financial entity that was compromised and has a knock-on effect in terms of monetary and reputational damage to affected customers.
For CISOs at FIs, the conundrum faced is how do you protect intellectual and customer data, and ensure accountability and transparency for clients and stakeholders, at a time when the pandemic has created budget constraints. Research from BAE Systems found that last year alone, IT security, cybercrime as well as fraud and risk departments had their budgets cut by a third.
Below we look at how bug bounty programs can help to address these pressing issues.
Protecting valuable data
Protecting customer and intellectual data has always been a top priority for FIs. However, as opportunistic cybercriminals have a lot to gain by stealing this valuable data, there is a constant evolution of threats, which means FIs must stay on their toes. By deploying a bug bounty program, FIs can work with ethical hackers that have a wealth of experience and unique skills when it comes to identifying security weaknesses within an FI’s defence, thus helping to implement effective security measures to help prevent data breaches.
Building trust among various stakeholders such as customers, suppliers and investors is critical for achieving business goals. By deploying a bug bounty program, FIs send out a message that they care about protecting the security of the data of those they work with – which in turn can have a cascading effect resulting in better business performance.
For FIs to win customers and keep them happy, amidst the growing threat of neo banks and customer-centric fintech organisations, speed of innovation is crucial. As such, many FIs have adopted an agile approach to build, test, and release software faster to bring online and mobile banking solutions to market quicker. However, this can create frictions between development and security teams. Security mandates are deemed to be unnecessarily intrusive and a cause of delayed application development and deployment.
Yet, with DevOps teams needing to build and deploy applications faster than ever before, an epidemic of insecure applications has emerged. According to Osterman Research, 81% of developers admit to knowingly releasing vulnerable applications, while research from WhiteSource found 73% of developers are forced to cut corners and sacrifice security over speed.
With developers often not having the time, tools, skills, or motivation to write impeccably secure code, there is an evident need to provide developers with more support when it comes to building applications securely. Fortunately, bug bounty programs can provide a “fact-based” financial implication of inherent security flaws within the process. This makes it possible to hold development teams and service providers accountable for creating or delivering insecure products, thus addressing inherent security gaps within the business units and helping to drive continuous improvement.
Moreover, security awareness and education of development teams can be improved significantly for those developers that are directly involved with the management of vulnerability reports for their bug bounty programs. This is because the mere fact of exchanging information with ethical hackers, or assimilating the thinking of a potential hacker and having proofs of concept of vulnerability exploitation on their application components, naturally accelerates consideration of security early in the development stage and provides ongoing learning.
Get more return on your investment
According to Gartner, 30% of CISOs’ effectiveness will be directly measured on their ability to create value for the business. When security budgets are challenged, CISOs need to demonstrate business value through initiatives designed to enhance efficiency whilst stretching the dollar.
This is where bug bounties can help tremendously. Compared to conventional penetration testing, bug bounty offers a fast, complete, and measurable return on your security investment, with businesses only paying out for successful discovery of vulnerabilities. Equally, businesses get access to hundreds of ethical hackers that can test their programs, each with their own unique skillsets as opposed to only one skilled researcher testing the network. This results-driven model ensures you pay for the vulnerabilities that pose a threat to your organisation and not for the time or effort it took to find them.
Bug bounty programs also deliver rapid vulnerability discovery across multiple attack surfaces. With this approach, organisations receive prioritised vulnerabilities and real-time remediation advice throughout the process to accelerate the discovery of, and solution to, vulnerabilities.
Another appeal of bug bounties is that due to the continuous nature of testing, more vulnerabilities are found over time as opposed to pen-testing. This is key to financial institutions that require agility to keep up with the continuous roll-out and updates of applications.
The cornerstone to a successful security programme
The risk posed to financial institutions by cyber threats will only continue, as evidenced by the number of data breaches seen in recent times. The COVID-19 pandemic has only exacerbated these risks, especially with almost all FIs having needed to shift to a remote working environment – which has only widened the attack landscape.
For FIs, a bug bounty program should be considered a fundamental cornerstone of any security strategy, with it being a modern-day cybersecurity solution that is well-equipped to tackle the immediate security challenges they face. In doing so, FIs will not only prove to customers and stakeholders their commitment to data protection and security, but this will also help them to avoid the monetary damages that could be imposed by regulators if a breach was to take place.