2023 Fraud Predictions
Arguably the weakest link in any security ecosystem is the human, both the employee and the customer. And despite valiant efforts to outfox bad actors with security technology, people are still falling for scams and often not keeping up with good security standards and practices. Hence, several experts believe that the trend of cybercrime targeting humans will continue and increase, and financial firms will need to up their game, especially as more sophisticated hackers move upstream. Fraudsters will increasingly target high-net-worth customers, especially the elderly, through "common social engineering tactics and impersonating their personal banker" to access their accounts and collect sensitive personal and financial information.
Regulations & Financial Industry Perspectives
- Proactive Client Awareness and Education: According to a 2022 Q2 survey by Aite-Novarica, only 11% of fraud executives felt that their financial institution's fraud awareness outreach program was adequate. 73% responded that investments in this area are planned within the next 18 months. Plans to invest in proactive client awareness and education were ranked higher in urgency and importance than many other fraud prevention solutions such as ACH/wire fraud, check fraud, P2P/RTP/Zelle, scam behavior detection, card fraud detection, case management solutions, etc.
- Regulatory Developments: Governments will take a more active role in the fight against fraud and will push FIs to take on more liability for scammed account holders. There has been a seismic shift in scams here in the US, and 1 in 5 consumers is targeted by phone scammers alone. In 2021, scam calls increased again by over 100%. T-Mobile tracks scam calls on its network and is logging an astounding 2.5 billion scam calls a month. With so much impact on consumers, you can bet the government is going to continue to push banks to do more to reimburse victims of scams. The Consumer Financial Protection Bureau got the ball rolling last year, but you can expect the trend to gain more steam this year. FIs will need to formulate a comprehensive strategy to stay in compliance in 2023.
- Supply Chain Attacks: The ongoing disruption in supply chains is an opportunity that attackers will try to take greater advantage of in 2022. SolarWinds, Codecov, and Kaseya are still fresh in our memory. We expect an increase in similar attacks that can be used to harvest sensitive data or infect systems with malware. Supply chain attacks will pass malware as the number three root cause of data breaches. This will fuel the need for greater government regulations.
As the cost of living rises, criminals will try to use that in their favor by looking for people who can’t pay their utility bills or can’t afford the price of gas or even food. Fraudsters will try to exploit that by offering them deals, discounts, refunds, or just about anything that will make people believe they are paying less for something that has increased in value or is out of reach at its normal price.
- Rental Fraud: During a recession, people struggle with jobs and finances. If someone wants to rent a property, they may feel compelled to falsify information to get that property. Renters may provide false salary information or other personal data. If these data points are not actively verified, the landlord may end up with a tenant who cannot pay the rent.
- Loan Origination Fraud: It is estimated that loan fraud rose by 75% during 2021. If people are desperate for money, they are more likely to take risks. These risks translate to using fake information when applying for loans. The most common types of loan fraud identified by the Federal Trade Commission (FTC) are student loans, personal loans, and auto loans. This could take many forms, and an increase in fraudulent loan applications by genuine consumers may be among the most popular ones. In this type of fraud, bad actors lie on registration forms or applications to gain access to funds they wouldn’t normally receive if they provided their real information. That could be done by lying about their income and employment information, usually inflating their salaries, extending the amount of time they worked for a certain company, or simply adding a company they have never worked for. Other popular forgeries include anything from supplying fake phone numbers and addresses to providing fake bank statements and utility bills.
- Online Shopping and Identity Fraud: Juniper Research reports merchant losses to online payment fraud will exceed $206 billion cumulatively for the period between 2021 and 2025. Stolen identities are used for online payment scams and to create other identities used in a cycle of cyber-fraud.
- Mortgage Fraud: During the 2008-2009 recession, the FBI saw mortgage fraud increase by 71%. The FBI identified mortgage fraud perpetrators as insiders such as mortgage brokers, lenders, appraisers, underwriters, accountants, real estate agents, settlement attorneys, land developers, investors, builders, and bank and trust account representatives. In 2022, mortgage fraud is on the rise again and is expected to continue through 2023.
- Investment Fraud: During times of economic hardship, people are often looking for ways to keep their savings from getting eaten by inflation. Desperate people will resort to desperate measures to find money quickly, and fraudsters take advantage of this behavior. They usually reach out to potential victims through social media while also presenting them with fake websites that mimic those of real investors. The opportunities being offered can range from cryptocurrency to various schemes and products that don’t exist or are worthless.
- Money Mules: Recessions can result in layoffs or people looking for work not being able to find any. That’s another opportunity for fraudsters to exploit the vulnerable by offering them “jobs.” This could be achieved by posting job ads on real employment websites or social media. Once recruited, people are asked to open new bank accounts or use their previously opened accounts to transfer funds to accounts that are in the possession of criminals. In the end, the funds get laundered, while the genuine account holder receives a fee for the service. People of all ages are a possible target, but this is especially true for younger generations who often don’t understand the consequences of their activities.
- Friendly Fraud: Friendly fraud is another type of first-party fraud that could go up as a result of the increased economic pressures. In this type of fraud, which mostly affects the retail industry, consumers charge back genuine payments they made in order to end up with both the product purchased and the funds for it back in their possession. They could then keep the product or quickly resell it for less than its original value. Luxury goods and electronics could be especially attractive for this type of fraud. Claiming non-delivery or not recognizing the transaction could be among the top reasons used for charging back the transactions.
- Fake Goods: Companies may limit their production or go out of business for reasons ranging from an inability to pay their bills or a shortage in sales to supply chain issues caused by high gas and oil prices. Expect fraudsters to be the first to move in if there are shortages and start offering fake products or goods that will never arrive.
- AI Phishing: Bad actors can also take advantage of AI in several ways. AI can be used to identify patterns in computer systems that reveal weaknesses in software or security programs, thus allowing hackers to exploit those newly discovered weaknesses. When combined with stolen personal information or collected open-source data such as social media posts, cybercriminals can use AI to create large numbers of phishing emails to spread malware or collect valuable information. AI-generated phishing emails actually have higher rates of being opened. In addition, AI can also be used to design malware that is constantly changing, to avoid detection by automated defensive tools. Constantly changing malware signatures can help attackers evade static defenses such as firewalls and perimeter detection systems. AI-powered malware can sit inside a system, collecting data and observing user behavior up until it's ready to launch another phase of an attack or send out information it has collected with a relatively low risk of detection. Lastly, given the economics of cyberattacks (it's generally easier and cheaper to launch attacks than to build effective defenses), advancements in AI are potentially more hurtful than helpful when it comes to fraud.
- Elder fraud will continue to rise: According to the FBI's Internet Crime Complaint Center (IC3), elder fraud losses surpassed 1.7 billion in 2021. This represents 73% of 2020 losses. The most common crime types include Tech Support, Investment, Non-payment/Non-Delivery, Real Estate/Rental, Identity Theft, Overpayment, Confidence Fraud/Romance, and Employment.
- Cybersecurity Awareness Will Increase: Having an idea about what could go wrong in terms of cybersecurity and being curious about what can be done to avoid problems are the first steps of prevention. In 2023 we'll see a massive increase in cybersecurity awareness among both home users and professionals, as more and more people will finally understand that a cybersecurity incident can happen at any time, to anyone and that it really is everyone's responsibility to prevent it.
- Becoming A Scammer Is Increasing In Popularity: Scam-as-a-service models are making it easier for people to buy off-the-shelf tools that enable them to project attacks into the wild without any prior knowledge of coding. The Fraud as a Service Industry is growing exponentially as expert fraudsters and scammers turn their attention to selling their methods, services, and fraud-perpetrating tech to others. Fraudster automation will rapidly accelerate, turning newbies into experts instantly. They may even begin to incorporate AI to make them smarter, more targeted, and more human-like. These automated bots could include account opening bots, loan application bots, credential stuffing bots, and new hyper-realistic social engineering text and chatbots.
- Imposter Scams: Imposter scams, currently the second most common type of scam, will triple. Criminals will attempt to exploit consumers through many channels, including email, SMS messaging, messaging services, and direct calls to consumers.
- Revictimization: Fraud rates will continue to increase, and a new "chain of victimization" will emerge. Social media account takeover, in particular, will leverage the followers and individual networks to create new chains of victims. Consumer behavior will play a stronger role than in previous years.
- Fraudsters Will Continue Dialing Into Mobile: Over 80% of the world's population now owns a smartphone, and mobile apps have become an integral part of people's everyday routines. Anyone can hail a ride, get food delivered, and make transactions using a mobile app. In a bid to secure a larger slice of the mobile app pie, companies are pushing out more services on a single platform. But there's a trade-off: the more services an app provides, the wider the attack surface, and the harder it is to secure. With malicious tools such as emulators and app cloners now easily available, we expect mobile app fraud attacks to rise in prominence beyond 2022.
- Phishing: With numerous spelling errors, faulty language, and unbelievable claims, it was fairly easy to identify a phishing email three to five years ago. However, over the years, phishing emails and URLs have become more refined and believable, which helps scammers execute hyper-targeted attacks. In the coming year, scammers will continue to spend time improving their phishing tactics by making them more personalized and specific.
- Scarcity Will Push Selling Scams Higher: Supply chain shortages are expected to continue into 2023 and that means scarcity and inflation will persist well into the year. Fraudsters and scammers thrive in this environment. They can peddle their non-existent goods in online marketplaces for extraordinary prices to desperate buyers looking for things they want and can't get.
- Money Mules: The use of money mules will grow in popularity, with the younger population increasingly targeted.
- First-party fraud: We can expect to see explosive growth in first-party fraud due to BNPL and the use of pre-qualification "soft inquiry" credit report pulls.
- Bots Are Ushering In A New Era Of Fraud Automation: Bots create a new level of social engineering tools designed to make fraud easier for those hundreds and thousands of new fraudsters that are entering the scene. In June of 2021, OTP Bot services began to appear which completely automated the pilfering of One-Time Password (OTP) passcodes from victims with zero human-to-human interaction.
- Digital Identity Will Transform: Data breaches and new social engineering techniques have made it possible for bad actors to obtain all the information they need to fake their digital identities. In 2023, more technologies will be authenticated with biometrics. This includes facial recognition, iris detection, and voice and fingerprint matching. Digital Identity will come to your phone this year too. Apple is adding the ability to add digital driver's licenses to the Apple Wallet. Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah have already signed on and TSA will accept those digital identities at the security lines.
- Deepfake Technology: Deepfake technology continues to advance rapidly and will create havoc for the uninformed. This technology will also be used to attack call centers and for business email compromise scams.
- Know Your User (KYU) Takes The Lead Over KYC: From neobanks to Buy-Now-Pay-Later services, fintech products are all the rage amongst businesses and consumers. One thing they all have in common is Know Your Customer (KYC) checks. KYC is the process of validating a customer's identity and is an essential component in the fight against identity fraud, financial crime, and money laundering. There's no doubt that KYC has been the main focus of financial platforms, but expect Know Your User (KYU) protocols to take the lead going forward. Coming in at a time when organizations are shifting towards a Zero Trust model, KYU requires a more comprehensive approach to identify digital users, new and recurring alike. While KYC usually requires proof of identity, residence, and national identity verification checks to onboard customers, KYU draws information from additional data sources such as the device, behavioral biometrics, account activity, and thousands of other parameters to provide multidimensional insights into personas behind the screen. This equips organizations with the ability to decipher user intentions and motivations across and throughout the entire user lifecycle, which is a crucial capability to have when keeping up with fast-growing financial crime.
- Account Takeover (ATO) Fraud Will Continue To Conquer: 2021 was a record-breaking year for data leaks, with the total number of events exceeding that of 2020 by 17%. More ammo for fraudsters means we can expect the number of ATO attempts to surge in the coming months. The tactics used to take over accounts have also evolved rapidly. Fake photos, videos, and audio are becoming increasingly believable as deepfake technology advances, leading to more effective social engineering scams. Fraudsters are also using artificial intelligence and machine learning to engineer attacks. For example, bots powered with machine learning aren't just used to automate clicks and auto-fill credentials, but to mimic real user login behavior and successfully perform thousands of login attempts in seconds.
- Identity Fraud: The shift from identity theft to identity fraud will accelerate. Identity fraud will change consumer behaviors such as forcing consumers to withdraw from certain interactions, transactions, and communication channels. For example, the continued improvement in phishing attacks will force some consumers to rethink online purchases and change communication habits for fear of falling prey to a perfectly spoofed email, website, or text. Synthetic identity fraud, especially for children, will increase ahead of the full roll-out of new anti-fraud tools (eCBSV).
- Synthetic Identity: In 2023 Synthetic Identity will only get better with fraudsters leveraging a variety of techniques including:
  - Using CPN profiles aged for at least 24 to 36 months to appear more legitimate.
  - Use of real high-value tradelines such as mortgages and high-limit personal loans to bolster credit history.
  - Using third-party public records tools (the same search tools banks and investigators use) to identify true non-issued social security numbers which will make detection more difficult.
  - Leveraging more realistic Driver's Licenses, SSN Cards, and other supporting documentation.
  - Using computer-generated synthetic faces for documentation and selfies.
  - Fraudsters will shift their focus to using synthetic identities tied to shell companies and aged corporations to go after much higher-value business credit lines. Most credit repair companies are already pushing consumers in this direction now.
- Automation: Automation will continue to play a central role in attacks such as credential stuffing, password spraying, and brute-forcing. Fraudsters need fewer investments to scale attacks when they use bots and automation. Further, bot technology has advanced to the point today that bots can mimic humans fairly accurately, which causes bot detection to be even more difficult for businesses. The availability of commoditized botnets-as-a-service and the required support will make automation an even more potent tool for legitimate businesses to defend against in the coming year.
- Account Takeover: Account takeover (ATO) attacks have grown by leaps and bounds over the last few years, thanks to an explosion in the number of digital accounts, as more and more people turned to digital channels for daily life activities. This increase in digital accounts combined with incessant incidents of data breaches will continue to provide attackers with the required raw materials to launch account takeover attacks. High returns and ease of execution will continue to drive the rise of account takeover attacks well into 2023.
- Targeted Attacks: Businesses will experience a diversification of attacks and a rise in attacks designed to target specific industries. Attackers have studied the prevalent fraud defenses across several industries. They will use this knowledge to maneuver their resources and extract maximum returns from these attacks.
- Ransomware Attacks: Ransomware developers will make their code more evasive so that they can establish a foothold in a system, encrypt more data without being noticed, and possibly scale operations to other networks. Ransomware will be a preferred tool for targeted attacks, especially against payment service providers (PSPs). This trend will affect all partners in the payment ecosystem globally. Ransomware may catch up with or surpass phishing-related breaches.
- Cyberactivism: An online version of real-world protests, cyberactivism is on the rise. Protesters engage in disrupting the websites of target businesses. Fraudsters can game web authentication measures to take advantage of such protests and exploit loopholes in business networks. They can use these protests as a means to drop malware or ransomware to steal sensitive information or to extort money.
- Account Security: In the wake of rising fraud and online abuse, digital businesses will focus their attention on the account security of their customers. Comprehensive account security will be at the top of fraud teams' priority lists, and they will look beyond the traditional castle-and-moat method to verify user identities. A tiered approach to web authentication of users will become popular.
- Cross-border Fraud: With consumers holed up in their homes, cross-border e-commerce transactions rose to sky-high levels, reaching $5 trillion globally in 2021. However, this also led to a spike in cross-border fraud. More than 60% of US and UK businesses experienced cross-border fraud on their platforms in 2021. A clear indicator of this was the explosion of e-commerce fraud, with global card-not-present (CNP) fraud tripling to $32.39 billion.
- Fraud API Attacks: The use of APIs for fraud checks is surging as lenders and banks push their digital transformation projects forward. But sophisticated attacks against those same services could become a devastating reality for some in 2023. The average number of API endpoints within an organization grew from 28 in June 2020 to 89 in 2021. API traffic now accounts for 80% of all internet traffic.
- Crypto Attacks: The popularity of digital payments, including cryptocurrency platforms, has raised cyber threats to fintech companies a notch higher. Fraudsters will increasingly improvise on phishing and social engineering to target cryptocurrency platforms. The use of malware for crypto-jacking and infecting the system to enable the mining of cryptocurrency will evolve into a bigger threat.
- Fraud Payments: Cybercriminals will shift towards alternative, digital payment forms as the payment method of choice. Payment apps and services will surpass debit and gift cards in 2023. Cryptocurrency will surpass bank transfers and may exceed wire transfers.