The most vulnerable cybercrime victims are young adults and adults over 75, according to the latest research revealed in the LexisNexis Risk Solutions biannual Cybercrime Report.
Released on Feb. 23, the report tracks global cybercrime activity from July 2020 through December 2020. The report reveals how unprecedented global change in 2020 created new opportunities for cybercriminals around the world, particularly as they targeted new users of online channels.
LexisNexis’ research found a 29 percent growth in global transaction volume compared to the second half of 2019. This growth came in the financial services (29 percent), e-commerce (38 percent), and media (9 percent) sectors. The number of human-initiated attacks dropped in 2020 by roughly 184 million, while the number of bot attacks grew by 100 million.
The e-commerce sector experienced the largest growth in bot attack volume in comparison to other industries despite declining human-initiated attack rates. The attack rate for e-commerce payments made on a mobile app is higher than for any other industry.
This represents a potential point of risk for these businesses. Although e-commerce merchants experience a higher rate of account takeover attempts in comparison to financial services, overall attack rates remain relatively low and are declining across all channels year-over-year.
Not the Pandemic’s Fault
Contrary to conventional thinking, the increase in bot attacks in the second half of last year was not related to the relocation of the workforce from office to home.
The culprits were fraudsters testing lists of stolen identity credentials, according to Kimberly Sutherland, vice president of fraud and identity at LexisNexis Risk Solutions.
“Our network registered large-scale, high-velocity automated attacks, often from the same machine or location, and these attacks typically targeted e-commerce and media platforms,” she told TechNewsWorld.
These validated credentials can then be used in higher value downstream attacks, such as account takeovers in multiple industries, including financial institutions, she explained.
One of the working assumptions is that these validated credential testing attacks may then show up in human-initiated attacks in 2021. Researchers will track this scenario over the next year to see if any growth in fraud attack rates appears.
What Puts Younger and Older Adults at Added Risk?
A large influx of new-to-digital customers went online in 2020. It was the under-25 age group, followed by the over-75 age group, that proved most vulnerable to fraud attacks.
“We most often think of these young adults as highly tech savvy, but many also tend to be more relaxed in their usage patterns and willingness to share personal data,” noted Sutherland.
The over-75 age group faces a different challenge as they are generally considered to be less familiar with the latest digital technologies. This lack of familiarity increases their susceptibility to scams and phishing attempts, she added.
“Fraudsters are opportunists, looking for the easiest targets. The paradox of why fraudsters choose to target the younger age group in proportionally higher volumes can perhaps be answered by the fact that higher success rates can offset the lower monetary gains,” she added.
Key Findings
The largest number of fraud attacks by volume originated from fraudsters located in the United States. Countries like Canada, the United Kingdom, and Germany also fit into the top 10 countries for each attack method.
Growth economies increasingly contributed to the number of fraud attacks, with rises in human-initiated attacks originating from Guatemala, Bahrain, and Zimbabwe. Also, a larger number of bot attacks came from the Isle of Man, the United Arab Emirates, and Nigeria.
Sixty-seven percent of all transactions were via mobile channels. Much of the transaction growth came from trusted customers.
Malicious attack vectors persist despite reduced attack rates recorded across businesses as automated bot attacks offer fraudsters a cheap, quick, and effective method of initial attack.
The study analyzed 24.6 billion transactions from July through December 2020 and found that mass automated bots used to test identity credentials remain widespread.
New account creations continue to see high attack rates. This represents a key point of entry for fraudsters looking to monetize credentials harvested from data breaches.
Age Greatly Matters
Many new-to-digital customers came online for the first time. The youngest age group of online users became the most susceptible to fraud attacks over the six-month period. Analysis found that there was a 10 percent growth in new customers among the under-25 age group.
The oldest age group, 75 and older, experienced the next highest attack rate. This group is generally considered to be less tech-savvy and, therefore, more vulnerable to digital fraud.
Millennials and Gen Zers are most susceptible to fraud attacks. The average fraud loss per customer increases progressively with age, likely influenced by larger disposable incomes later in life.
Most Significant Takeaways
The continued shift towards transacting on a mobile device is notable, according to Sutherland. While desktop transactions still make up a large volume of transactions, consumers continue to move further toward the mobile channel.
“This makes a mobile-first, and not just a digital-first strategy key for businesses in 2021,” she said.
The age analysis was particularly surprising. It goes against the tendency to assume that the older population is most vulnerable to fraud attacks.
“While this age group stands to lose the most money, the results that show the youngest population are attacked at the highest rate emphasizes just how important education, online messaging, and layered fraud defenses are to protecting the full spectrum of online users,” said Sutherland.
Fraudsters Follow Money Trail
The analysis of networked fraud also continues to be a key feature of the cybercrime report. Isolated attacks have the ability to cause significant damage to businesses and end users. Worse is the scale of hyperconnected, networked fraud, which is huge and pernicious, noted Sutherland.
This type of organized, networked fraud involves the same fraudsters or stolen credentials operating across multiple organizations and global regions. It seeks to highlight the scale of the fraud challenge.
“Providing businesses with the opportunity to analyze user behavior across thousands of global digital businesses gives them a more networked view of trust and risk, rather than viewing it in isolation,” she said.
One fraud network LexisNexis researchers analyzed as part of this report saw fraudsters target several financial services organizations across the U.S. and Canada. The potential monetary exposure was at least $8.7 million, and at least $1.5 million of fraud was blocked.
Fighting Back
Two major problems exist with today’s approach to cybersecurity risk, according to Robert McKay, senior vice president, risk solutions at Neustar.
First, the security measures being implemented are no longer effective at protecting customers from fraud. Most fraud-fighting efforts rely on the idea that people’s online and offline data is secure, and that is simply not true anymore.
Second, the authentication measures many organizations are implementing to protect against fraud are angering customers. Some people find step-up authentication (using, say, a one-time passcode or asking knowledge-based authentication questions) to be so much of a hassle that they will abandon the transaction and sometimes even cease doing business with that organization.
“These may be valid authentication measures, but they can end up making legitimate customers feel like they are being viewed as fraudsters,” he told TechNewsWorld.
A layered defense is vital in fighting back against cybercriminals, countered Sutherland. Deploying the best physical and digital fraud and identity solutions across every touchpoint in the customer journey will help gain an enhanced view of trust and risk as a customer transacts online.
“Technologies such as behavioral biometrics can then be layered onto this digital identity intelligence. Behavioral biometrics data helps organizations to understand better how a user interacts with their device as they transact online and can reveal instances of fraudulent patterns of behavior which can alert businesses to potential threats,” she explained.
These types of solutions minimize friction for good customers: high-risk transactions can be stepped up with additional authentication tools or manually reviewed, minimizing unnecessary fraud spend, she concluded.
Rustling Up the Bad Guys
The biggest threat-doers are sponsored by both bad actor states and cybergangs with no state affiliations, according to Michael Kaczmarek, vice president of product management within Neustar’s security solutions business.
“I think the biggest threats come from both, but they both have differing agendas. Both exercise similar tactics with respect to conducting attacks on either governments, infrastructure targets, or private organizations.
“Their intentions may be different, but the results are still the same — to disrupt the normal course of business,” he told TechNewsWorld.