Understanding Evolving Fraud Threats During COVID-19 Shutdowns

David Vergara, June 18, 2020

We regularly host webcasts on topics such as fraud prevention, security best practices, and tech innovation, to provide guidance on how to protect against cyberfraud. If you missed our latest webcast, Addressing Evolving Fraud Amid Workplace Distancing, here is the 5-minute summary.

The COVID-19 pandemic has altered how we live in countless ways. From grocery shopping to banking, this global crisis is forcing us to learn new skills and develop new habits, especially related to the online world. 

As consumers, we spend more time online than ever before. As employees, we are quickly adapting to remote work and new technologies that enable us to get our jobs done. With our accelerated increase in digital activity, it’s no wonder that fraud amid workplace distancing is increasing in tandem.  

Fraudsters have always exploited times of uncertainty, and COVID-19 is no exception. As consumers are inundated with communications from businesses and governments urging them to act with more caution, many are at greater risk of fraud attacks. 

From SMS scams to social engineering schemes, the “stay home” movement is being targeted by those with malicious intent. In addition, while financial institutions around the world are making their digital tools easier for consumers to use, they may also end up being easier for scammers to exploit. 

To help you understand the current and evolving situation, Aite Group’s Research Director, Julie Conroy, joined OneSpan’s Director of Security Solutions, Will LaSala, for an in-depth look at the most prominent fraud attacks and challenges happening right now.

5 Increasingly Common Digital Habits 

The fear of contracting or spreading COVID-19 has inspired new digital habits, as well as the strengthening of habits that are already considered the norm. These habits include: 

  1. Low-touch or no-touch transactions
    To reduce the chance of coming into contact with the virus, consumers are being urged not to touch money or any form of payment machine. For this reason, touch-free transactions have become increasingly necessary for consumers.
     
  2. Pre-payment and pickup
    To avoid direct contact with others, most consumers are opting to pre-pay for goods and services and pick up at their own convenience or according to a schedule given by the retailer. Similarly, curbside pickup is becoming the new normal as businesses work to make purchasing safe and simple.
     
  3. Online shopping
    Although trends toward online shopping have been growing each year, COVID-19 has brought this particular digital activity to a new level. As of April 2020, figures for year-over-year global e-commerce are up 209%.
     
  4. P2P transactions 
    Another way for consumers to avoid ATMs and other touch-based machines is through electronic payments. P2P transfers have seen a massive spike during the pandemic as people exchange money and make payments through online vendors.
     
  5. Increased use of digital banking 
    Not only is digital banking more convenient for consumers, it also allows them to avoid physically going into a bank for financial activities. When interviewing a large bank, Conroy found that the number of first-time online users at the bank greatly increased in March, when people were encouraged to stay at home. The following month, the same bank saw a 276% increase in digital banking usage. 

Types of Fraud Becoming More Prevalent

With the sudden and massive migration to the digital world, financial institutions and fraud teams are seeing an increase in certain types of malicious attacks. 

Phishing & Pharming 

Although phishing and pharming are not new methods, fraudsters are using them in new ways to capitalize on COVID-19. Phishing is an attempt to access sensitive information, such as passwords and credit card details, by tricking the victim into believing they’re giving their information to a credible source. These schemes are most often executed through email and SMS. 

Phishing scams are typically accompanied by messaging that makes the person feel under threat if they don’t comply, or that appeals to a particular desire, such as earning more money. The purpose is to convince the victim to hand over their personal information, which will then be used to infiltrate a banking account or otherwise exploit the victim. 

During COVID-19, phishing subject lines that have been seen include “Get a COVID-19 test kit” and “Lower your debt”. Scammers are playing on the fear of contracting the virus or the stress of a lost job or uncertain financial times. Many of these scams claim to come from trustworthy sources, such as government organizations, tax collectors, health institutions, and others. 

With so many people working from home or laid off, many are spending their extra time on social media. This channel is becoming one of the top breeding grounds for pharming schemes. A seemingly innocent trending post on social media could get forwarded to your friends and end up providing hackers with personal passwords and security question responses. 


Click Farms

A click farm is a type of fraud in which humans are paid a small wage to simulate activity on a website for fraudulent purposes as part of a credential stuffing attack. Typically, fraudsters use automated bots and username and password combinations acquired from the Dark Web. These bots are directed to try the credentials on as many websites and applications as possible in the hope of finding a match and gaining entry. However, many businesses have controls to detect and prevent these automated attacks. Should one of the fraudster's automated login attempts fail, that attempt can be routed to a click farm or human farm. There, a living person is paid a very small wage to enter the stolen data by hand to circumvent these controls.
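For fraud teams, the practical consequence is that a control keyed only on request speed sees the bot but not the person typing. The sketch below is an added example, not material from the webcast or from OneSpan: it runs a velocity rule and a "many different accounts, mostly failing" rule over constructed login events. The event layout, thresholds and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (time, source_ip, username, success)."""
    t0 = datetime(2020, 4, 1, 10, 0, 0)
    events = []
    # Automated bot: 30 different usernames in 30 seconds, all failing.
    for i in range(30):
        events.append((t0 + timedelta(seconds=i), "203.0.113.5", f"user{i}", False))
    # Human-paced entry: 12 different usernames, one every 45 seconds.
    for i in range(12):
        events.append((t0 + timedelta(seconds=45 * i), "198.51.100.7", f"acct{i}", i == 11))
    # Legitimate customer: mistypes a password three times, then logs in.
    for i in range(4):
        events.append((t0 + timedelta(seconds=10 * i), "192.0.2.10", "alice", i == 3))
    return sorted(events)

def _flag(events, window, predicate):
    """Slide a time window over each source's attempts; flag if predicate holds."""
    flagged = set()
    grouped = defaultdict(list)
    for e in sorted(events):
        grouped[e[1]].append(e)
    for ip, evs in grouped.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] >= window:
                start += 1
            if predicate(evs[start:end + 1]):
                flagged.add(ip)
                break
    return flagged

def rate_flagged(events, max_per_minute=10):
    """Velocity control: more than max_per_minute attempts within 60 seconds."""
    return _flag(events, timedelta(seconds=60), lambda win: len(win) > max_per_minute)

def spread_flagged(events, window=timedelta(minutes=15), min_users=8, min_fail_ratio=0.8):
    """Pace-independent control: many distinct usernames, mostly failing."""
    def check(win):
        users = {e[2] for e in win}
        fails = sum(1 for e in win if not e[3])
        return len(users) >= min_users and fails / len(win) >= min_fail_ratio
    return _flag(events, window, check)

if __name__ == "__main__":
    print("velocity rule:", sorted(rate_flagged(sample_events())))
    print("spread rule:  ", sorted(spread_flagged(sample_events())))
```

On the constructed data the velocity rule flags only the bot's address, while the spread rule flags both the bot and the human-paced source and leaves the customer who mistyped a password alone.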

When COVID-19 lockdowns were first implemented, click farm activity actually saw a sharp decline as the workforce transitioned to working from home. But, it didn’t take long for click farmers to adapt to a remote work model. Additionally, with so many people laid off and desperate for work, recruitment was easy and quick. 

In China, for example, human farm activity was hitting 9.1 million clicks per day before a sharp decline of 50% in January when the lockdown came into effect. By the end of March, activity had jumped to 20.7 million hits per day — more than double the rate prior to COVID-19. 

According to a recent customer survey, 1 in 4 consumers stated they have been targeted by phishing, pharming, or social engineering scams. The number is likely greater as many consumers get targeted without even knowing it. 


Money Muling

During COVID-19, banks have seen a major spike in online accounts associated with money muling. In these scams, third parties, aka “money mules”, are used to move stolen funds. This process typically involves sending money, then getting the recipient to transfer it to someone else. 

With many people searching for new ways to generate income, money mule recruitment has surged to a rate similar to click farms. Additionally, as electronic transactions and digital banking become more popular, mule schemes are capitalizing on these new consumer behaviors and targeting victims online. 

The Impacts of Fraud on Contact Centers

With new and old forms of fraud on the rise, it’s not just fraud and security teams that are being heavily impacted within businesses. Contact centers are also getting hit hard by the surge in service requests.  

Since COVID-19 began, many industries, such as banks and fintech, have seen a 40% increase in contact center volumes. The shift to remote work has also caused extreme downsizing for many support teams. As a result, contact centers are being overwhelmed with customer inquiries and complaints, leading to incredibly long service wait times and employee burnout. 

Consequently, as customer support teams struggle to manage the influx of COVID-19 related requests, fraud incidents are less likely to be reported and/or addressed, making it less likely that scammers get caught.

Significant Losses Expected Due to Fraud in 2020

Before COVID-19, financial institutions were predicting an eight percent decrease in fraud losses in 2020. However, today, fraud loss projections show an increase of up to 10–15%. That is almost a 20% change in annual fraud projections. This stat was reinforced by a poll taken during the webinar in which 50% of attendees confirmed their fraud rates have risen as well.

Account takeover is on the minds of many fraud teams. The rise in phishing scams is refreshing the inventory of credentials that organized fraud rings use to conduct their operations. Meanwhile, financial institutions are raising credit limits, removing limits on remote deposit capture and peer-to-peer transactions, and updating processes to enable easier access to digital banking. Unfortunately, the combination of rising fraud and lighter restrictions will allow more room for fraudsters to exploit online systems. 

At the same time, we are seeing many financial institutions take action to secure their remote workforce. For example, we saw a massive demand for mobile authenticators in the first days of the lockdown. As these organizations deployed and expanded their virtual private networks (VPN) to enable remote workers, they leveraged mobile authenticators and one-time passwords (OTP) to protect access. As we move forward, financial institutions should remain vigilant and continue to re-evaluate their 2020 tech investments to respond to the changing fraud landscape. 


David Vergara is Director of Security Product Marketing at OneSpan and has over 10 years of experience in the software security space. Prior to OneSpan, he was VP Marketing for Accertify leading go-to-market strategy for their online fraud detection solution.