3 Tactics Fraudsters Have Learned from Fraud Fighters
23 Jul 2018
Most fraud fighters have one thing in common: they’re curious. They’re constantly learning, observing fraudsters’ tactics and evolving in response. But what if fraudsters are doing the same thing?
According to Brett Johnson, a former FBI Most Wanted hacker, this isn’t a hypothetical. Brett says cybercriminals have started to learn from fraud fighters. “It’s important for companies and the anti-fraud industry to understand just how sophisticated criminals are,” he points out.
To make matters worse, fraudsters aren’t bound by the same rules and norms that keep businesses and anti-fraud companies from sharing information. For legal reasons, bug bounty hunters and white hat hackers can’t always share website vulnerabilities with affected businesses. Regulations and privacy policies affect businesses, too: because of the rules surrounding online safety, merchants find it difficult to share information with each other. Brett says cybercriminals don’t have that problem. They can share without consideration for regulations and proprietary technology.
This free flow of information has allowed fraudsters to assemble a sophisticated toolbox. Their weapons of choice draw heavily on our own fraud-fighting methods: device fingerprinting, machine learning techniques, and so on. Here are three advanced tactics cybercriminals are using against fraud fighters.
Fraudsters’ Advanced Tactics
1. Using machine learning to customize phishing emails
Machine learning (ML) is a powerful tool to fight fraud. ML systems learn from fraudsters’ behavior, so as fraudsters get smarter, so does the technology. But criminals are starting to develop ML tools that allow them to customize phishing emails. Fraudsters use publicly available data and market trends to craft phishing emails tailored to their victims, as well as to identify which employees are most likely to fall victim to phishing scams. In 2016, 1 in every 131 emails contained malware — and that number is likely to rise.
2. Using device ID to look legitimate
A device ID is a unique identifier assigned to a smartphone or similar device. Fraud fighters use device IDs and other fingerprints to adjudicate between suspicious and honest users. But according to Brett, fraudsters now sell device IDs on the dark web, as well as credit card numbers and passwords with honest users’ device fingerprints attached to them. As legitimate users and fraudsters start to look more alike, stolen device IDs might become even more of a problem. Apple just debuted privacy settings that may make legitimate users harder to track; as privacy becomes more of a selling point for browsers and devices, fraudsters will continue to reap the benefits.
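The practical consequence of this section is that a device ID can no longer be treated as a trust signal on its own: once honest users' fingerprints are bought and sold, the same fingerprint turning up behind several unrelated accounts or payment cards is itself the anomaly worth catching. The following is an added example, written for this page and not code from the article or from Brett Johnson, of a defender-side check that flags a device fingerprint reused across too many identities within a sliding time window and downgrades it to "step-up verification required". The event records, device IDs, account names and card digits are all constructed for illustration.

```python
"""Flag device fingerprints that are reused across too many identities.

Added example (not from the original article). A device ID seen with one
customer and one card is business as usual; the same ID appearing behind
several distinct accounts or cards within a short window suggests a
resold or replayed fingerprint and should not count as evidence of a
legitimate user. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    ts: datetime
    device_id: str
    account: str
    card_last4: str


# Constructed events: dev-A is a single customer on a single card;
# dev-B is one fingerprint used by four different accounts and cards.
T0 = datetime(2018, 7, 23, 9, 0, 0)
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent(T0, "dev-A", "alice", "1111"),
    LoginEvent(T0 + timedelta(minutes=30), "dev-A", "alice", "1111"),
    LoginEvent(T0 + timedelta(minutes=5), "dev-B", "bob", "2222"),
    LoginEvent(T0 + timedelta(minutes=12), "dev-B", "carol", "3333"),
    LoginEvent(T0 + timedelta(minutes=40), "dev-B", "dave", "4444"),
    # Five hours later: outside the one-hour window, so not counted with the others.
    LoginEvent(T0 + timedelta(hours=5), "dev-B", "erin", "5555"),
]


def reused_fingerprints(
    events: List[LoginEvent],
    window: timedelta = timedelta(hours=1),
    max_identities: int = 2,
) -> Dict[str, Set[str]]:
    """Return {device_id: accounts} for every device that was used by more
    than `max_identities` distinct accounts, or with more than
    `max_identities` distinct cards, inside any sliding window of `window`.
    The thresholds are illustrative; a real deployment tunes them to its
    own traffic (shared family devices, kiosks, and so on)."""
    by_device: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_device[ev.device_id].append(ev)

    flagged: Dict[str, Set[str]] = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            in_window = evs[start : end + 1]
            accounts = {e.account for e in in_window}
            cards = {e.card_last4 for e in in_window}
            if len(accounts) > max_identities or len(cards) > max_identities:
                flagged.setdefault(dev, set()).update(accounts)
    return flagged


def needs_step_up(event: LoginEvent, flagged: Dict[str, Set[str]]) -> bool:
    """A login from a flagged fingerprint should not be waved through on the
    strength of the device ID; route it to step-up verification instead."""
    return event.device_id in flagged


if __name__ == "__main__":
    hits = reused_fingerprints(SAMPLE_EVENTS)
    for dev, accounts in hits.items():
        print(f"{dev}: seen with {len(accounts)} accounts -> {sorted(accounts)}")
    for ev in SAMPLE_EVENTS:
        print(ev.account, "step-up" if needs_step_up(ev, hits) else "ok")
```

Run as a script, the check flags only dev-B (three distinct accounts and cards inside one hour) and leaves dev-A alone; the 14:00 login from dev-B falls outside the window on its own, but is still sent to step-up because the fingerprint was already flagged. The sliding window matters: a device that is legitimately re-sold or passed on over months should not accumulate identities forever.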
3. Using background checks and PII to steal identities
Many e-commerce sites rely on personally identifiable information (PII) like Social Security numbers, passwords, and security questions to verify users’ identities. But Brett says any fraudster can leverage PII to steal someone’s whole identity. PII goes for just a few bucks on the dark web. Fraudsters who aren’t willing to pay simply need to comb through someone’s social media profile to find relevant PII: their date of birth, mother’s maiden name, the name of their elementary school, and more. This tactic has become so widespread that some have started pushing for users to lie on security questions. Once fraudsters have the victim’s Social Security number, date of birth, and address, they can proceed to the next step.
The fraudster then uses a standard background check program to get the victim’s credit report. That’s where it gets really devious, Brett says. The fraudster calls the utility company their victim is using and asks the company to update their billing info. Brett says that’s usually easy to do, since no one expects a criminal to defraud a utility company. Adding the fraudster’s billing info to the utility company simultaneously adds it to the credit report. Then the fraudster can set up new bank accounts, order replacement cards, and more under the victim’s name…without setting off any red flags. “With just a password and login,” says Brett, “a savvy criminal can take over someone’s entire online life.”
Your To-Do List
Fortunately, there are steps you can take to guard against these advanced tactics. Here are a few suggestions.
1) If you are using an external fraud prevention solution, ask them what they’re doing to respond to new threats.
2) Share trust & safety learnings and best practices at merchant conferences, industry meetups, and online forums.
3) Make sure your employees and network maintain an open line of communication about fraud.