The new edition of the LexisNexis Risk Solutions Cybercrime Report shows how some fraudulent behavior patterns have shifted during the COVID-19 pandemic. The report is published every six months, with this new edition covering the last six months of 2020.
Vice president of fraud and identity management strategy Kimberly Sutherland said 2020 was noted for the significant increase in digital transactions across all sectors. More than 47 billion transactions were processed across the network in 2020, up from 35 billion in 2019. The 24.6 billion transactions in the second half were a full 12 billion more than in the same period of 2019, as the COVID-19 pandemic persisted and people adjusted their behavior. Global transaction volume across the LexisNexis network rose 29 per cent in the second half.
Two-thirds of those transactions occurred on mobile devices. Interestingly, the rate of mobile transactions continues to be higher in Canada than the United States, though Americans are closing the gap.
This was the first time LexisNexis split data into different age groups, and they were rewarded with some interesting results, Ms. Sutherland said. The age group experiencing the highest attack rate was people aged 25 and younger. While many of those attacks failed, this highlights the fact that younger people are the most heavily invested in technology, but many do not keep up with security protocols such as multi-factor authentication.
“They are the heaviest users of technology and generate the most digital transactions,” Sutherland said. “Fraudsters are going to go where the volume is.”
The young folks are joined by those aged 75 and up as the most frequent targets. While many are quite tech-savvy, others have been forced into digital behaviors such as shopping and banking by the pandemic and are still adjusting their habits, Ms. Sutherland suggested.
The best way for companies to protect their growing number of digital customers is to make the online experience as convenient as it is safe, Ms. Sutherland said.
“Security and CX have to go hand-in-hand,” she explained. “As long as there is no imbalance there is a high likelihood customers will adopt the behaviors presented to them as authentic options.”
As the pandemic stretched into 2020’s second half some patterns began to change. Whereas the first half saw many existing customers increasing their online activity, the second half saw many people create new habits as they adjusted to the pandemic. People who didn’t shop online now created accounts in order to buy groceries, clothing and office supplies.
That sheer volume of new customers led to an increase in bot attacks as fraudsters realized more people were setting up new accounts. The scammers jumped aboard this trend and targeted many sectors with a high volume of new account creation attempts. While e-commerce sites were the most popular target, the list also included entertainment streaming and online gambling sites, which were victimized by organizations creating new accounts, taking advantage of the free trial period, and selling that time or free tokens to others. Some fraudsters used the free gambling tokens to try to win large cash sums.
Telecommunications companies have been another popular target, Ms. Sutherland said. Crime groups registered pre- and post-paid phone contracts so they could commit as much theft as possible with those accounts before being discovered. Governments also joined the list of victims, as they needed to quickly roll out financial assistance programs in partnership with financial institutions. In their haste, they left security gaps which fraudsters capitalized on to steal funds.
These large, new and vulnerable populations are conducive to bot-style attacks and that was a key reason why human-initiated attacks declined from 679 million in 2019 to 495 million in 2020, Ms. Sutherland said. Whether they come from humans or bots, the most popular country of origin for any attack is the United States, with Canada and Germany also occupying spots in the top 10.
“The U.S. is at the top year after year,” Ms. Sutherland said.
The largest growth countries for human-initiated attacks are Guatemala, Bahrain and Zimbabwe while the top new ones for bot activity are the Isle of Man, United Arab Emirates and Nigeria.
The best defence? Well-established, layered strategies appear to deter cybercriminals as they gravitate to the more vulnerable who have been forced online due to the pandemic.
I asked Ms. Sutherland if machine learning fraud detection models struggled to adjust to the sudden and dramatic behavior shifts due to the pandemic, but she said the good news is they held up quite well. In some sectors like financial services, the increased number of login attempts from trusted customers bolstered the models. The adaptive nature of the machine learning models, combined with a multi-factor approach that included behavioral biometrics, meant many companies were well prepared for the major shifts. Behavioral biometrics were key as they track how users interact with their device. Should changes occur, they are easily detected. If large patterns of similar actions appear, they could suggest machine activity.
Other key findings
While financial services organizations saw an overall decline in bot volume, the absolute volume of attacks targeting this industry remains extremely high.
Mobile browser transactions continue to see the highest rate of attack, while mobile app transactions are attacked at the lowest rate.
Fraudsters also preyed on consumer anxiety, with pandemic-related scams that offered products and services that were either in demand, or in short supply.