Building a fraud fortress. Fraud Report

Transcription

1 Fraud Report Building a fraud fortress Fraud is ever-changing and ever-present. Find out how businesses like yours can protect your customers, your staff, and your company

2 Fraud Report Education is clearly an important fraud prevention tool. But if businesses lack the right verification and fraud prevention technologies, they re giving themselves little chance. John Cannon, Managing Director, Fraud and ID, TransUnion 2

3 Contents 4 Foreword 6 Fraud in Where fraud bites 11 Fightback tactics 15 The building blocks for a fraud fortress 18 The fraud fortress 3

4 Fraud Report Foreword White collar crime, also called fraud or (a) scam, has been with us for a while. DR. DAVID MODIC Research Associate, Computer Laboratory at Cambridge University REFERENCES Luce, H. R. (1963, 28th of June). Actors: The Mild One. Time Magazine, LXXXI/26. AUTHOR NOTE Article commissioned by Octopus Group and Callcredit. CORRESPONDING AUTHOR S ADDRESS: Dr. David Modic Computer Laboratory William Gates Building Cambridge University 15 JJ Thomson Avenue Cambridge CB3 0FD Even some of the terms themselves are fairly old. The word fraud comes from Latin (i.e. fraudem; to cheat, swindle, embezzle). The term scam was first used in the early sixties by the actor Steve McQueen in a Time Magazine interview (Luce, 1963). Ben Jonson wrote the play Volpone in Volpone is a play about a con-man scamming his friends and getting away with it. There had to be scammers around at that time, for Jonson to write about them. There are documented cases of what are now defined as Nigerian 419 scams appearing in the 16th Century (they were called the Spanish prisoner letters) where a minor nobility would receive a letter informing them that their distant relative is imprisoned in Spain and they would need to pay ransom to be released. Said ransom would of course be returned to the aristocrat in question as soon as their second cousin Archie was released. We all know where this is going... 4

5 These scams that appeared 400 years ago were focusing on people and exploiting their inability to correctly evaluate fraudulent communications. They were, in effect, pushing the same buttons that fraudsters and black-hats do now. Therefore, scams are not new, pre-dating the internet significantly. Currently, we seem to have regressed to a certain extent. It used to be that people were the ones who were exploited by fraudsters before the internet was a glimmer in its creator s eye. With the widespread use of digital technologies, the delivery vehicle changed but the underlying mechanics remained similar. However, in the early days, IT was an emerging technology which was not inherently secure, thus it became easier to explore holes that the idealists creating it did not foresee would need closing. Suddenly, the infrastructure bore the brunt of the attacks. As a consequence, we developed an industry, designed to protect businesses through protecting their equipment. And we are protecting users and employees themselves almost as an afterthought. In Cambridge University, our intrusion detection system (IDS) detect approximately 10,000 intrusion attempts per day, and approximately 200,000 attempts per month. The CamCERT team receives reports of approximately 1700 incidents per month, where individuals have breached our defenses in certain ways. Crucially, practically all of these breaches (99.9%) include exploitation of human vectors. Cambridge University runs by far the largest private digital network in Europe. We do not know how many machines are connected to it, but we do know that we have assigned in excess of 250,000 IP addresses (if we include some of our NAT [Network Address Translation] connections). Clearly, based on observational data, we can infer that in a network like ours, there is an absolute need for mechanical deterrents. Otherwise we would have 200,000 breaches per month. However, it is also clear that mechanical measures are not enough. Exploiting humans is cheaper, easier and requires less specialist knowledge, compared to exploiting machines. Thus, we should focus on people too, when it comes to security. There is not much previous empirical data showing how much attention security companies pay to social engineering. While our netflow / IDS data shows humanbased attack vectors to be overwhelmingly present in successful breaches, we were not sure whether the industry in general is paying any attention to this. Therefore, we decided to establish a baseline by asking professionals and fraud leaders to tell us more about the threats they are facing, the procedures they have in place to combat the emerging threats and their intentions of investing time and resources to improve their businesses resistance. The present report confirms some of our expectations concerning business engagement with social engineering threats and highlights some of the emerging threat responses in a new and interesting light. 5

6 Fraud Report Fraud in 2018 Historically, fraud has been a human problem. The criminally minded have looked for vulnerabilities and frailties in the honest, seeking to exploit them for immediate financial gain. Unlike many other crimes, there s a level of intelligence and creativity to fraud. Perpetrators are constantly searching for new ways to gain an advantage. Meaning that businesses are frequently playing catch up. This means that while fraud is a human problem, the fightback to it must be designed to help humans out with intelligent, future-focused solutions. As this report will detail, education and training can only be part of the answer. Technology has a huge part to play, through innovations such as identity verification, biometrics and AI. Anyone who wants to turn their business into a fraud fortress needs to consider each of these, otherwise there ll only be one winner in the battle with fraud. KEY RESEARCH FINDINGS 90% pinpoint implementing fraud prevention technology as a priority for 2018, up from 76% in % will be looking at identification verification measures, up from 75% in % suggest that data breaches are going to be a key security threat in 2018, with identity fraud an issue for 37% and social engineering for 31% 45% say attempts against authentication systems is the threat they experience most often 25% think their technology can fully protect them against the threat of computer-based fraud 6 RESEARCH METHODOLOGY TransUnion (formerly Callcredit) worked in conjunction with London-based research agency Loudhouse to conduct a survey on fraud prevention in May We spoke to 105 Fraud Prevention Managers and Directors. Respondents were sourced from a variety of industries, including IT, retail and local government

7 Fraud Fortress (noun) frɔːd/ /ˈfɔːtrɪs/ A fraud fortress is a combination of fraud prevention technologies and staff and user education that makes a business or organisation more resilient to fraud. It encapsulates the best ID verification and intelligence-based systems to stop fraud before it affects a business; and twins them with a programme to help all stakeholders within a business to understand modern fraud vectors and how to recognise when fraud might be taking place. Building a fraud fortress is essential to fraud prevention in 2018 and beyond. 7

8 Fraud Report Where fraud bites While fraud has been a consistent threat to businesses for years, 2017 saw a shift in what the primary fraud vectors are. And things are expected to change again in a few years time, as technology and fraud sophistication both develop. Over the past year fraud managers report a substantial rise in the threat posed by data breaches caused by malicious employees (up to 63% from 41% in 2017), or other internal factors. Likewise malicious external loss is on the rise (50% from 42%). However, these growing threats should not distract attention from identity fraud and phishing, both of which are still a threat for approximately a third of respondents, thereby still representing a huge challenge in fraud prevention. Particularly as the most frequently experienced threats according to our respondents are attempts against authentication systems (45%), attempts against web services (43%) and phishing (42%), as Fig. 1 details. What we re seeing is fraudsters continuing to look for vulnerabilities within businesses, where technology is not sufficient to counter the scale of the threat they present. They re posing as customers and many businesses are falling for it, losing money, trust and reputation in the process. The trouble is that many of these fraudsters are not faceless criminals, they re employees and contractors. Fraud managers can t take their eye off the ball. They must recognise that the threats they face come from within their own walls, as well as from external agents. And that their verification and protection measures must work for both these groups. FIG. 1: THREATS EXPERIENCED FREQUENTLY OR CONSTANTLY Attempts against authentication systems 45% Attempts against web-based services 43% Phishing attempts 42% Attempts against company s infrastructure 39% State actor backed disclosure requests 35% Spear-phishing attempts 26% Other 38% 8

9 Are businesses well equipped? The problem here is that managers working in fraud are not always as confident as they should be in their company s technological ability to meet the challenges posed by fraudsters. This is a problem when recent research from CIFAS found that 175,000 cases of fraud were reported in 2017 (125% more than ten years ago). Just 17% of respondents feel that technology is a foolproof method of fraud prevention. And they view it as no more likely to protect them against computer-based or human security breaches which Fig. 2 expands on. FIG.2: CONFIDENCE THAT TECHNOLOGY CAN FULLY PROTECT ORGANISATIONS 53% 16% 6%...from the threat of computer-based security breaches 25% Clearly, fraud managers feel that they need more from prevention technologies. As a result, it s perhaps unsurprising to see that some of the most common prevention initiatives are human based, such as employee education (66%), customer education (45%) and policies (31%). With better frontline protection through robust ID verification and fraud prevention technology, employees and customers will be better protected by default, meaning that education becomes the supplementary protection, not the primary form of defence. 54% 18% 1%...from the threat of human security breaches 27% Very confident Fairly confident Not particularly confident Not at all confident 9

10 Fraud Report What do businesses do when an employee is exploited by fraudsters? This research shows that businesses take a range of measures when an employee is the focus of a fraud attack. The graph below highlights that almost as many are likely to dismiss an employee as hold a meeting about what s happened. PUNITIVE ACTIONS TAKEN WHEN INTERNAL FRAUD OCCURS Monitor PC activity of specific individual Internal meetings with staff/work groups 68% 57% 66% Company-wide communication Written warning to specific individuals Dismissal of specific individual 56% CIFAS reports that 95% of fraud cases involve the fraudster using the identity of an innocent victim. Our Trust & Risk Suites are designed to counter this problem helping businesses to identify risk and establish trust that the person they re talking to is the customer they say they are. 56% John Cannon, Managing Director, Fraud and ID, TransUnion 10

11 Fightback tactics Fraud managers know their stuff. They re keenly aware of the difficult environment they re working within, and what threats they are facing. Accordingly, our survey reveals substantial fightback measures are taking place. However, as has been alluded to, these are not always the right measures or weighted in the right way. Where is the fightback happening? The research reveals that the most common technologies used to combat fraud are log on (52%), traditional antivirus solutions (50%) and surveillance (45%). Interestingly fraud managers see technology being increasingly important in preventing fraud in the future, with AI (45%), machine learning (37%) and biometric screening (37%). But, clearly, their current toolkit is not sufficient for the battle of today. Fraud managers need more and want more to counter the ongoing threat posed to their businesses by malicious agents (both internal and external). This point is emphasised further by Fig. 3, which shows a substantial gap between what fraud prevention is happening and what managers would like to see happening. They want a move from theoretical measures towards more practical ones. But to do this requires a strategic change in how fraud prevention is managed within businesses. FIG. 3: FRAUD PREVENTION SOLUTIONS CURRENTLY USED/LIKE TO DEPLOY Employee training 18% 71% Security team training 54% Security policy testing and modifying 25% 63% Silver team/ live exercises 25% 43% Employee drills 42% Currently use Like to deploy 11

12 Fraud Report Resource is imperative As things stand, both technology and people are used to fight fraud. And there s a growing case to say that neither are currently sufficiently robust to deal with the fraud challenges businesses are facing but with a little work, they can be. Indeed, Fig. 4 reveals that a worryingly high proportion of fraud managers believe that they will be hit with a breach if their current technology, tools and processes don t change. And only a very small minority think they re well protected. At its heart, the change in the fraud fightback is a question of resource. Fraud managers know what they re dealing with and they have an idea of how to react to it. But they ll only get there with proper backing from their businesses. Interestingly, 52% of fraud managers feel more confident in technology solutions than they did a year ago (33% feel the same about human). Suggesting that they know the proposed direction of travel for fraud prevention. The final section of this report explores what a fraud fortress should look like, with a combination of education, understanding and core fraud prevention technologies like ID verification. Investment is essential. Businesses really need to back their fraud managers and help them to get smarter with their human and technological resources; and smarter in their response to serious fraud. FIG. 4: EXPECTED TIMESCALE BEFORE SECURITY BREACH GIVEN CURRENT TECHNOLOGY AND PROCESSES 15% 9% 17% 28% It s already happened Less than 6 months 31% 6 months 1 year 1 2 years Don t see this happening/fully confident in our access management security 12

13 Are humans more vulnerable than technology? The research looked at where the most vulnerable attack vectors are: with humans, or with technology. Findings reveal that fraud leaders are no more likely to feel a threat from one than the other. Suggesting again that any solution should adequately cover both. 29% 43% 23% 2% We are more vulnerable to a technology based attack 4% 2% 26% 44% 24% We are more vulnerable to a human based attack 5% Strongly agree Tend to agree Tend to disagree Strongly disagree Don t know We re seeing that fraud managers know the direction they want to go in with prevention tactics. They want better technology to keep their businesses safe. Now they need high level backing. John Cannon, Managing Director, Fraud and ID, TransUnion 13

14 Fraud Report The building blocks for a fraud fortress 14

15 If there s one common trait that all fraudsters have, it s that they re smart. This is a big problem for businesses, who need to be smarter, faster and more thorough than fraudsters if they re ever going to get ahead of them. Fig. 5 shows us that businesses are able to establish a level of detail about the event and the perpetrator when a fraud event occurs. Whilst it is harder for businesses to get their hands on personal information or names of the perpetrator, it s important to note that factors including region, and telephone numbers are commonly collected pieces of information. These could also act as key fraud indicators crucial tells that give businesses more information about their attackers and allows them to identify risk before an attack takes place. This neatly demonstrates the advantage fraudsters currently have right now, as they re able to go one better than those they re defrauding. Meanwhile businesses are constantly on the back foot. This is where things need to change, and where businesses need to help their fraud managers to build a fraud fortress. Businesses need to understand current and future fraud risk indicators, and have the technological capacity to identify these and stop fraud at the first opportunity. FIG. 5: FREQUENCY THAT INFORMATION ABOUT PERPETRATORS OF FRAUD IS LEARNED Exact time of attack 24% 39% 6% 2% ISPs or service providers used in the attack 23% 38% 9% 1% Country or origin of attack 23% 35% 10% 3% 12% 38% 16% 4% Telephone numbers 12% 31% 39% 10% 7% Organisation behind the attack 12% 34% 15% 8% Their final hop IP address(es) 14% 28% 36% 14% 8% Personal info of the perpetrator 10% 32% 26% 21% 11% Name of the perpetrator 11% 27% 23% 10% Always Mostly Occasionally Rarely Never 15

16 Fraud Report The building blocks According to 59% of respondents, a layered approach comprising technology and human-based solutions is needed to tackle fraud today. Meanwhile, 58% agree that machine learning and pattern recognition will be vital to future fraud prevention activities; and 42% rank a fraud response strategy as one of their top three priorities. What this layered, strategic approach looks like will differ by business, according to their risk appetite, products offered, and channels used to service customers. However, there are some general things most respondents agree on. These split between the human and the technological. 1 Technology The primary element to an effective fraud fortress is technology. The research shows that AI, machine learning and biometrics all have a part to play (Fig. 6). And 59% are set to increase expenditure on the latter, boosting their fraud prevention mechanisms with it. However, one of the foremost technologies that will perform a major role in fraud prevention going forward is implementing ID verification. Indeed, 90% see it as a priority in 2018, up from 75% in While, on a similar note, introducing higher verification rates will be a priority for 78%. What we re seeing here is that fraud managers understand that they need to get the basics on fraud prevention right as they face changing and complex threats. And that it s only by having these core technological foundations in place that they ll be set up to battle fraud and fraudsters particularly as data breaches becomes the primary attack vector over the coming years. FIG. 6: TECHNOLOGIES TO DEPLOY IN 2 3 YEARS Artificial intelligence Machine learning Biometric screening techniques URL tracking Voice recognition systems Behavioural analytics Traditional solution antivirus/antispam Surveillance Two factor/knowledge-based authentications Unique IDs systems Log-in details Sandboxing 32% 27% 24% 23% 22% 20% 19% 37% 37% 45% 16

17 2 Human Technology is a mainstay of a fraud fortress. But education and customer/staff understanding is important, too. As things stand, just 26% provide ongoing training on fraud. Yet 60% find it to be an effective measure and 66% think that only by exposing people to real fraud scenarios will they be able to cope with the real thing. Crucially, this training needs to be for everyone. As Fig. 7 suggests, all levels of employees are being targeted by fraudsters. Therefore all need to know about what fraud looks like, and what their businesses are doing to protect them. 90% of fraud leaders see implementing ID verification as a priority for 2018 FIG. 7: FREQUENCY OF EMPLOYEES FALLING VICTIM TO PSYCHOLOGICAL MANIPULATIONS Board or managment 10% 20% 10% Middle management 10% 24% 33% 27% 6% General managment 9% 21% 37% 26% 8% Constantly Frequently Occasionally Rarely Never 17

18 Fraud Report The fraud fortress Fraudsters love technology. It gives them more opportunities than they ve ever had before to target businesses and people. And in new and different ways. Over the past few years, we ve seen social engineering grow to become a huge problem for businesses. Yet before people have really got to grips with it, a new attack vector is set to take over our attention as data breaches become the big problem businesses have to deal with. But businesses should love technology too. Although it s essential to have a training and educational response to fraud, without the right technological tools in place there s almost no chance of mounting a fightback. 18 So as fraudsters grow and evolve in their means, so should businesses. As this research has shown, they need to back their fraud managers with the right investment in AI, biometrics and ID verification. And they need to heed their call for a layered approach to combat a multifaceted problem. Within that is a huge opportunity to protect a business greatest asset in its people, and to become known as a trusted place, protected by a fraud fortress. Yes, fraud can be a human problem. But without the right technology, we leave our people incredibly vulnerable.

19 19

20 Isn t it time to find out how we can support your fraud prevention defenses? CALL +44 (0) OR VISIT transunion.co.uk/fraud-and-id twitter.com/transunionuk Copyright TransUnion. TransUnion Limited is authorised and regulated by the Financial Conduct Authority