The New Danger of Cybercrime and Fraud in the Age of Pandemic
17 January 2022
Cybersecurity analysts forecast a perfect storm for quantum leaps in cybercrime, fraud and scams, as lockdowns across the globe over the past couple of years have rippled into serious economic disruption while vastly expanding the number of people transacting, working and exchanging over digital channels.
In the first half of last year alone, criminals in the UK stole a total of £753.9 million through fraud, 30% more than H1 2020. Sure, the ‘advanced security systems’ used by banks prevented a further £736 million from being taken. But we’re now at a point in which it’s like an entire unicorn company is being wiped from the UK’s economy annually.
Recently, the threat of fraudsters was upgraded from concern to ‘national security threat’. We hope to inspire everyone with renewed vigilance – that is: using the best tools in the industry to protect your business, your users and the payments and financial services markets.
The fast-evolving threat of cybercrime and fraud
Cybercriminals evolve much faster than in-house security and IT teams’ efforts to meet the challenge. While lost and stolen card fraud has shown its first-ever yearly decrease in losses in the UK, we are experiencing the highest level of overall cybercrime and fraud “since records began” – a staggering 33% YoY surge. Moving with the times, fraudsters took advantage of digital activity spikes with new social engineering attacks.
Mimecast Threat Center reported a 64% increase in email threats over the past year. The informed consumer choice brand Which? reported that phone/text scams and online shopping and auctions fraud were also up, by 83% and 65% respectively. KPMG also reported that alleged fraud reaching UK courts hit just under £140 million in H1 2021, already doubling the previous year’s hit, further straining legal resources and complicating backlogs.
Scams tend to trend in similar markets. Correlating with the USA’s now most predominant scam, robocalling, the number of people receiving robocall scams in the UK (claiming to be HMRC, your bank, your delivery company or any other widely-used service) is also skyrocketing. Caller ID verification firm Hiya reported that 1 billion nuisance calls have been made in the UK so far in 2021. With volumes increasing ~30% per month, we’d already passed last year’s total nuisance call count in May.
Even the highly credible futurists in The Simpsons’ writing room animated an entire episode around the ease of robocall-scam centres popping up. At £535m, however, investment fraud accounted for the most in reported losses, at an average of £25,496 for each of the 20,989 reported incidents, according to Which?.
Fighting the spread of cybercrime
The onslaught of these new variants is visible. What are its root causes and how can we stem the tide? Cybertonica tracks data hacks and follows dark web information daily to keep its models and fraud defences at the sharp pointy end. The scam scourge has now begun deploying its own technical and replication kits, which are sold on the dark web or, in some cases, even given away for free in exchange for a share of the profits.
IT teams simply cannot keep up with the doubling, or even tripling, volume of GOOD customers. Unprecedented and highly professional cybercrime and fraud organisations add fuel to this fire by investing in the fraud arms race faster than those teams are. An aggregate view of this under-preparedness is given in a Mimecast report stating that 79% of all businesses in the USA fell victim to at least one form of cybercrime over the last 12 months. The rapid sea-change of going all digital, with open banking and new regulations arriving at the same time, means you must be buying or hiring the latest of what tech offers to consolidate defences; the pandemic, of course, exacerbated this. In the 2021 State of Email Security Report, half or more of the survey respondents in the UK, the Netherlands, South Africa and the United Arab Emirates (51%, 50%, 52% and 50% respectively) viewed the lack of cyber sophistication among employees as a major threat to their companies’ security, compared with 43% globally, so naiveté is clearly a major concern across the board. Worse than naiveté is ignorance: PwC’s Global Economic Crime and Fraud Survey 2020 reported that only 56% of businesses even conducted an investigation into their worst fraud incident.
Data from hacking and from fraud rings is freely offered on the web or sold to the highest bidder. The growing voids in this profession attract highly skilled professionals collaborating across geographies. Speaking at Amsterdam’s Money20/20, revered white hat hacker Alissa Knight from the USA pointed out that cybersecurity and fraud prevention simply synergise best in a single coordinated package.
Another root cause is the reduced number of good candidates for fraud teams and the fight for talent across the whole spectrum of IT. Brad Smith, President of the Microsoft Corporation, highlighted last month that ⅓ (464,200) of all cybersecurity positions in the USA currently remain critically unfilled because of a shortage of skilled people. Unfortunately, the problem isn’t only human capital; the majority of payment platforms and banks have also slowed innovative efforts in cybercrime and fraud prevention, allowing for more voids and variants of black hat hackers to sit in the eye of this storm. Cybertonica often creates a quasi-managed service for customers because recruiting is so difficult in this market. One customer reported being unable to hire even 25% of their target in fraud and risk management. Another large distributor was asked to hire 100 risk people worldwide per month but found only 50 and abandoned the target.
Another is the failure to proactively monitor all channels simultaneously in real time and to have established protocols of intervention for each type of fraud and intrusion observed. Many paytech and fintech executives fail to understand the value of having a company like Cybertonica that brings the services together and provides guidance on the best methods in a difficult market. Leveraging technology together with our team’s experience, 4 can do the work of 12.
Then there is the ability of fraudsters to use new regulations, technologies and payment methods to mask their activity. With open banking, for example, we saw that the Monzo card was used to scam/defraud Barclays customers in the tens of millions. Another recent example is a leading neobank that, on entering the USA market, initially faced ~50% of its transactions being rated as fraudulent. With this taking months to rectify while investors were kept in the dark, we really start to see the ‘grey hats’. At N26, it is publicly known that the fine of $4.25 million from BaFin was imposed for a lack of rigorous reporting. Currently, the German government has even put a “brake” on N26’s expansion due to the lack of a suitable solution for risk controls. Part of this comes down to communication; part of it has to do with technology choices.
Future-proofing fraud is an ongoing effort for specialists
Cyberthreats and vulnerability on a planetary scale can damage the economy and living standards as seriously as the virus itself. The UN’s Project 2020, an initiative of the International Cyber Security Protection Alliance (ICSPA), projects significant new forms of fraud in metaverse applications, such as a fully immersive AR or VR environment (in the private sector) where data appears before one’s eyes rather than on a screen at arm’s length: unauthorised access, intrusion, unlawful interception, authorised data exposure or manipulation of data is possible.
Project 2020 also noted concerns about the newly preferentially decentralised nature of web users, which enhances the anonymity, speed and capacity of criminals to steal personal and sensitive data, for example. GDPR in Europe, for instance, can help fraudsters “hide in the shadows” by giving them a right to erase their profiles, reducing tracking capability.
The silver lining, despite the evolution of cybercrime and fraud, is that most forms of crime can still be generally categorised in today’s terms such as unauthorised access or intrusion, unlawful interception, authorised data exposure, manipulation of data, extortion, denial of service or disruption of service. “Anticipatory compliance — showing that an organization is studying and responding to potential threats — should be embraced by organizations, not necessarily from the compliance lens, but from the security and privacy lens,” said Tom Garrubba, senior director and CISO at Shared Assessments, in an email statement.
Cybertonica has partnered with Risk Manager Acuris to create CyberCheck, a package that allows CISOs to monitor the risk from employee exposure in real time. To alleviate this issue, it allows any company to get alerts to all its employees if their data, payment credentials or other assets have been found to be compromised. This new way of tying the CISO into the fight against cybercrime is sure to support positive defence tools.
Reputation loss in moments of crisis is magnitudes greater than a smaller monthly charge from expert service providers. Forward-thinking industry executives in both paytech and banking, on the other hand, assign fraud management software to their investment category of expenses; the ROI includes not only a vast reduction of (rapidly growing) non-compliance fees (e.g. Visa/Mastercard’s high-risk merchant list) and scam losses, but also the retention of more customers through your consequently improved, less irritating and more secure customer journey.
Lastly, the ‘distribution’ of fraud to new markets, avalanching from large-scale credential stealing and social engineering, reinforces the adversarial advantage of cybercriminals’ innovative and complex variants over very limited cybersecurity talent. And so Covid-19 has, for cybercrime, been a significant catalyst in wearing capital off global GDP.