Fraudulent activity tends to rise during periods of crisis as attackers understand just how to exploit the situation, says Onfido.
Skilled cybercriminals are adept at not just knowing where and how to strike but when. Taking advantage of fears and curiosity about crises in the news is always a sure-fire tactic. And that’s certainly been true of the coronavirus pandemic. A report released Tuesday by identity verification firm Onfido looks at the increase in ID fraud since the outbreak of COVID-19 and offers tips on how to protect your organization, your users, and your customers from this type of crime.
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
To compile its “Identity Fraud Report for 2020,” Onfido teamed up with criminal police organization Interpol to analyze different fraud techniques. ID fraud is defined as the theft or counterfeiting of personal identification or travel documents, such as a driver’s license, passport, or Social Security card. Criminals then use the ill-gotten documents to steal someone’s identity, to sell on the Dark Web, or to commit other crimes.
The research from Onfido and Interpol found that global fraud rates held steady for the first few months of 2020, then jumped in April and beyond just when people were going into lockdown mode. More people at home and more businesses shifting to online operations opened a wider door for identity fraud.
Fraudulent activity peaked in July and August but has started to decrease slightly since then. However, as a second wave of the virus forces large parts of Europe and other regions to re-enter lockdown, fraud rates will likely show another increase for the last few months of the year. Due to the effects of the coronavirus outbreak and the more turbulent economy, there are simply more opportunities for fraud, and criminals have been taking advantage of that.
The report distinguishes between sophisticated, or “hard” fraud attempts, and unsophisticated, or “easy” fraud attempts. Launched by experienced fraudsters, hard attempts are typically savvier, smarter, and more difficult to detect. Often orchestrated by newbies, soft attempts are less advanced and usually easier to spot.
For 2020, the volume of hard fraud attempts stayed the same as in 2019, but easy fraud attempts jumped by 23% from last year. This indicates that first-time fraudsters are trying simple attacks as a side business outside of their regular criminal work to get through the economic downturn.
ID fraud is no longer just a regular, 9-5 job, according to Onfido. In past years, fraud attacks were higher on weekdays and trailed off over the weekend. This year, the fraud rate has been staying consistent over all seven days of the week, a sign that professional and non-professional fraudsters alike are working overtime.
Deep fakes are also gaining greater traction as a tool for fraudsters. For 2020, Onfido found an increased use of 2D and even 3D masks to thwart selfie and video verification facial ID tools. The firm also discovered a rise in replay attacks in which criminals try to sneak past video verification by using stolen videos or deep fakes.
“There is no question that COVID-19 has catalyzed massive growth in identity fraud attempts, with industries like financial services disproportionately affected,” Michael Van Gestel, head of global document fraud at Onfido, said in a press release. “And with sensitive and personally identifiable information easily gleaned from social media and available for sale on the Dark Web, database checks are just not fit for purpose in this escalated fraud environment.”
To help you defend your organization, users, and customers against fraud ID, Onfido offers the following tips:
Find solutions that can dynamically adjust to the changing risk landscape. As fraud attempts progress from easy to medium to hard, you need to do more to prevent fraudsters from attacking your organization. For that, Onfido recommends a hybrid approach using a combination of manual and machine learning checks, both of which can work to respond to a changing risk landscape.
Layer up identity verification measures. You can no longer rely on data alone to verify identities. As one example, security information like your mother’s maiden name or your first car can easily be found on social media, while other sensitive details are available for sale on the Dark Web.
If you’re still relying solely on background signals, consider adopting document verification to make your defenses more robust. If you’re already using document verification, add in biometrics. Such tools will help determine the real identity of people who access your platform and deter fraudsters who don’t want to put their face to a name.
Recalibrate your friendly friction threshold. Anti-fraud technology adds a certain layer of friction into your user experience. The challenge is to keep out fraudsters while not getting in the way of legitimate users. The best way to do this is to keep your processes proportional.
Customers will put up with greater security measures to protect something of value, such as a bank account. But they’re less willing to do so with less sensitive accounts, such as for a retail store. Think about whether you need to catch all fraud (and potentially keep out legitimate users) or allow access to a small number of bad actors to improve the customer experience for the majority.
Be aware of fraud across your customer lifecycle. Resist asking a user for verification when the risk is low, such as when they’ve just given you their email address. Instead, apply the proper identity verification and fraud checks at a more sensitive and critical time, such as when they’re about to activate their credit card or ID card.
“Baking in more sophisticated identity verification methods, such as document and biometric authentication, will ensure that no matter how fraudsters try to capitalize on the changing situation, businesses can significantly lower the risk of fraud to their organization and customers,” Van Gestel said.