How 2018 Changed the Face of Fraud
3 Jan 2019
2018 has seen dramatic changes in how businesses approach trust & safety: everything from compliance to data breaches to content abuse. As you’re tying up this year’s loose ends and prepping for next year, it’s worth revisiting what we learned (and didn’t!) this past year. So, let’s recap!
1. Businesses can no longer procrastinate on data protection.
2018 might be remembered as the year of compliance. Remember all those emails about updated privacy policies that hit your inbox earlier this year? And all those websites that now tell you they’re tracking cookies? The culprit was GDPR, the European Union’s General Data Protection Regulation.
As of May 25th, every company that processes EU citizens’ data has to comply with GDPR. Businesses that didn’t prepare for GDPR were caught flat-footed. They struggled to put data protection and fraud prevention measures in place without burdening customers with op-tins, restrictions, notifications, and other hassles. GDPR ruined product roadmaps for a lot of companies as resources had to be reallocated to address it. To make matters worse, GDPR was top-of-mind for consumers and media alike, which magnified non-compliant businesses’ failures.
But some businesses did prepare for GDPR: those who viewed it as an opportunity rather than a burden. Companies that planned early, put a system in place to secure customers’ data, and shared this information with their customers could use GDPR compliance as a selling point. GDPR gave businesses a chance to showcase their dedication to customer safety. By investing in transparent and robust fraud prevention solutions, GDPR-compliant companies could prove they were worth their users’ time.
Regulation will be the name of the game going forward. 73% of consumers say their concern over the privacy of their personal data has increased in recent years. 66% have started taking steps like changing their privacy settings, removing social media accounts, or declining terms of agreement. And 67% think the government should do more to protect their data. In the future, businesses that take steps to secure customer data before they’re hit by laws like GDPR will get ahead. Those that don’t will fall behind. It’s that simple.
2. Content abuse took center stage.
Spammy content is a problem. Though we’re all still trying to grasp the magnitude of that problem, 2018 offered a glimpse.
Facebook’s war against misinformation and other forms of content abuse has held up a magnifying glass to the pervasive threat. Earlier this year, Mark Zuckerberg testified before Congress on the spread of fake news and other forms of fraudulent content on Facebook. Since then, Facebook has attempted a massive cleanup of its platform. Last quarter, Facebook removed 1.23 billion spammy posts (compared to 957 million during the previous quarter). In addition to spam, it’s struggling to keep up with a deluge of other TOS-violating content like nudity (Facebook removed 8.7 million pieces of content in that category) and explicit violence (15.4 million, as opposed to 7.9 million the previous quarter). Community health was a top priority for Twitter too. The platform removed millions of fake accounts throughout 2018.
But it’s not just social media platforms. Every business that offers a platform for user-generated content (UGC) is struggling to deal with content abuse. Google Maps, for instance, is often inundated with content fraud posted by bots. Fraudsters are also using bots to overwhelm Twitter’s analysts with fraud, spam, and misinformation. Everyone from fraudsters to run-of-the-mill merchants routinely pay for fake reviews on sites like Amazon.
The struggle against content abuse came to an unexpected head during the net neutrality debate. When the Federal Communications Commission (FCC) opened its website to public comment on net neutrality, it received over 22 million comments. But the Pew Research Center soon found that half — half! — of those comments were fake. In an ensuing investigation, the Wall Street Journal discovered that every government agency’s website contained fake comments. For instance, a shocking 40% of comments on a Department of Labor forum were fake. This is a big deal: public comments help government agencies determine which rules to implement, can prompt Congressional debate or slow a rule implementation, can help determine the White House’s responsiveness, or can be used to persuade a judge to reverse an existing rule.
Why is content abuse so hard to fight? As this year’s cases have shown, content abuse is a moving target. Content moderators on sites like Facebook and Twitter ban words and images fraudsters use to spread spammy or abusive content. The problem, of course, is that savvy fraudsters circumvent these bans by using coded language to hide their misdeeds. Similarly, when fraud analysts and moderators implement a ban on all abusive content, fraudsters trick people into clicking on innocent-looking URLs that may lead to scams, attacks, and other types of fraud. Technically, they aren’t committing content abuse on the site…so there’s nothing fraud moderators can do.
It’s also remarkably difficult for content moderators to remain objective while sorting through questionable content. For example, most websites prohibit abusive language. Seems straightforward, right? But what is abusive language? Who gets to write that definition? What happens when someone disagrees with the definition?
To get ahead, businesses have a few options. They can emulate Facebook by hiring thousands of content moderators to patrol the site. But businesses that don’t have half a billion dollars to spare will have to take a different route. They must invest in a machine learning fraud prevention platform that can examine questionable content through an objective lens and stop content fraud before it’s posted.
3. Data breaches forced businesses to rethink fraud-fighting.
If you thought you’d seen the end of debilitating data breaches in 2017, you were soon proven wrong! 2018 brought even more data breaches, and they were larger and more hard-hitting than ever.
The worst one might’ve been overlooked in a sea of data breaches. Back in March, India’s government database — which stores citizens’ identity and biometric information — “experienced a data leak on a system run by a state-owned utility company Indane”. Indane didn’t secure their API, so hackers accessed personal information belonging to 1.1 billion Indian residents.
The U.S. had its fair share of data breaches too. The year’s second largest breach hit the Marriott Starwood Hotels. About 500 million guests had their phone numbers, email addresses, passport numbers, and payment info stolen. Marriott wasn’t alone: MyFitnessPal, Quora, MyHeritage, Google+, Chegg, Panera Bread, Facebook, T-Mobile, Arby’s, and of course Cambridge Analytica… the list goes on ad nauseam.
Though it’s tempting to get lost in the sheer volume of data breaches, don’t overlook the forest for the trees. There are three main takeaways from 2018’s string of data breaches.
First, 2018 has underscored something we learned last year. Every business is vulnerable: fast food restaurants, social media platforms, e-commerce sites — everything.
Second, it’s going to get worse before it gets better. Every time a data breach happens, a massive array of stolen information appears on the dark web: email addresses, passwords, social security numbers, home addresses, answers to security questions, device IDs, and much more. On average, it takes about 191 days for a business to detect a data breach. For over half a year, fraudsters can use this data however they want without risking detection. They often end up selling it on the dark web, putting it in the hands of more fraudsters.
That means the potential downstream effects of data breaches can be devastating. Businesses can no longer turn a blind eye to data breaches, even when they’re happening to someone else or in a different vertical. Data breaches are arming fraudsters with the information they need to commit account takeovers and other types of attacks, further threatening customers and businesses.Third, customer safety demands a new kind of thinking. We have to pay attention to how fraud happens at both the individual level and the business level. Of course, businesses (and governments) must do everything they can to stop fraud from the top-down. But it’s up to individuals — consumers and employees — to do their part to stop fraud from the ground up. Take LinkedIn, for example. Back in 2012, a data breach exposed 6.5 million encrypted passwords on the platform. LinkedIn did everything right: long before the breach, they scrambled users’ passwords to make them unintelligible to fraudsters, and after the breach, they quickly reset affected users’ passwords. But fraudsters were still able to find accounts all over the internet where users had reused their passwords. The moral of the story is this: stopping data breaches is a long-term partnership that lasts years and requires trust on all sides.