RSA Security has released its Q1 2018 Fraud Report featuring an analysis of consumer fraud data from the RSA Fraud and Risk Intelligence team. The report offers a snapshot of the cyber fraud environment from ‘behind enemy lines’, showing that the number of fraudulent transactions originating from a mobile app during the quarter has increased by 200% since 2015. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing The Dark Web as the top hacker marketplace.
The proportion of fraudulent transactions carried out on a mobile app has jumped from just 5% in 2015 to 39%in the first quarter of 2018. The volume of fraudulent transactions has risen by 680% overall and by 63% since Q1 2017. The use of traditional web browsers for fraudulent transactions is on the decline, dropping from 62% to 35% since 2015. Meanwhile, 82% of observed fraudulent e-commerce transactions originated from a new device in Q1 2018 as hackers try to avoid detection.
Fraudsters used a new account and a new device in 32% of all the fraudulent transactions seen during the quarter, suggesting that many are attempting to use stolen identities to create ‘money mule’ accounts as part of their cashing out process. Despite being one of the oldest online fraud tactics, phishing accounted for 48% of all fraud attacks observed in Q1 2018. Financial Trojan malware was present in one in every four fraud attacks observed in Q1 2018, while RSA recovered more than 3.1 million unique compromised cards and card previews from reliable online sources in the quarter. These all include CVV numbers.
“There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it’s only natural that hackers have followed suit in targeting mobile channels for fraud,” commented Daniel Cohen, director at the RSA Fraud and Risk Intelligence Unit. “Unfortunately, many mobile apps fail to build security from the ground up. This means that cyber criminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks.”
Mobile’s influence doesn’t stop with malicious apps. The increasing availability of social media on mobile devices has created a thriving cyber criminal ecosystem, with more than four out of five hackers using new devices to carry out fraudulent transactions to avoid being caught.
“Social media provides the perfect control station for cyber criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups or peddling stolen wares in online marketplaces,” explained Cohen. “Social media’s scaleability, anonymity and reach is providing cyber criminals with the perfect disguise. They can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming. Reddit has recently banned a number of sub-Reddits dedicated to fraud, where hackers were exchanging contacts, advertising services and sharing reliable sources of Dark Web fraud forums.”
Avoid becoming a victim
In light of these findings, RSA has provided a number of recommendations to help consumers and businesses alike avoid the scenario of falling victim to cyber fraud. These are as follows:
The devil’s in the download With one-in-20 fraud attacks associated with a rogue mobile app, people must practice caution when downloading new apps, making sure to verify the publisher and pay close attention to what permissions each app requests
It’s who you know Avoidance of clicking on links in text messages or e-mails from unfamiliar senders will significantly lower the chances of having bank details stolen or malware being installed on devices
Safe housekeeping Smaller purchases will often be made first to test the waters, so monitoring bank accounts for suspicious purchasing activity is vital to catch fraudsters early in the act
Educate yourself and your employees Free initiatives such as ActionFraud offer a number of helpful tools to keep consumers safe, while the Cyber Essentials scheme offers a similar service to businesses
Create a device identification process for your business Take a business-driven approach to security by linking device identification to a clear risk strategy (eg ask users on new devices to re-authenticate in order to reduce the risk of fraud)
“We all need to take a share of the responsibility for reducing and preventing fraud – from the consumer through to the banks and social media platforms,” explained Cohen. “After all, fraud isn’t going away any time soon and can be very costly for individuals and businesses alike. We need to be better at spotting fraud by being more aware of it. Social media and mobile devices have made it easier than ever for fraudsters to be successful, but there are often tell-tale signs that something’s up. Stay vigilant and don’t always trust what you see online.”
*The full Q1 2018 Fraud Report from the RSA may be downloaded here