About 236.1 million ransomware attacks occurred globally in the first half of 2022. As organisations focus on mitigating cyberattacks and reducing risks, very little is said about the effects of cybercrimes on the victims. Victims often experience a wide range of emotions and negative psychological experiences including guilt, shame, helplessness, emotional trauma and post-traumatic stress or sleep problems.
In this article, Ian Lauth, Senior Technical Marketing Manager, F5, explains the cost of cybercrime to emotional wellbeing and what both individuals and organisations can do in the face of an attack.
“I don’t give a damn about my reputation.” These were the opening lines of the song Bad Reputation by Joan Jett and the Blackhearts, a rock group that made classic hits long before the arrival of the modern Internet age.
Joan and the Blackhearts made music at a time when counterculture was subversive, cool and edgy. Today, counterculture is mainstream and online reputation is prominent. Digital personas can be deliberately curated, highly visible and tightly managed as we’re seemingly wedded to the devices in our pockets. The results can be devastating when bad actors take advantage, accounts get compromised and credential stuffing occurs.
Panic, embarrassment and shame are the real feelings resulting from things that happen in our digital world. This is especially true in the case of social media account takeovers, a trend the Identity Theft Resource Centre (ITRC) has named the ‘Account Takeover Epidemic’.
ITRC – which in 2021 had over 15,000 identity crime victims contact them for support services – said there was a 1044% increase in social media account takeovers from 2020 to 2021. As a follow-up, the organisation conducted a survey of social media account takeover victims and found that 66% were experiencing strong emotional reactions to losing control of their social media account, 92% felt violated, 83% were worried and anxious, 78% felt angry, 77% felt vulnerable and 7% felt suicidal. These are important statistics to consider within the cybersecurity space.
While it may be easy for some to view social media identity theft as a mere inconvenience, these figures illustrate how closely tied one’s online reputation is to their emotional wellbeing.
Two of my friends, Trevor and Stacey, had their social media accounts hacked by a credential stuffing attack in July 2022 and neither of them had 2-factor authentication set up. They were both professionals active on social media, with one of them being a crypto enthusiast.
On their Instagram stories, the bad actors posted a message about getting involved in a bitcoin mining scheme. It was a screenshot of an iPhone lock screen which included a picture from their profile. In Trevor’s case, it was a picture with his wife displaying a bogus text message from Bank of America, followed by a screenshot from his supposed bank account.
While it doesn’t take a cybersecurity expert to recognise this was a scam, it could nonetheless prove to be an effective phishing tactic since it is coming from the trusted source’s actual account within a social ecosystem not known for abuse.
Curious about the sophistication of these attackers – and because I’ll never pass up an opportunity to speak directly to our black-hatted counterparts – I responded to the story to see how effective their messaging was.
But it was an awful ordeal for both friends. Trevor finally used Instagram’s facial recognition verification process to scan his face and compare it against their endless library of tagged photos. He was able to regain access within 27 hours and set up his 2-factor authentication.
Stacey, on the other hand, quit social media. The ordeal was too much of an embarrassment and created so much anxiety for her that she decided the whole persona in a digital realm was not for her.
But this is not unusual. On several occasions, consumers have stopped using a platform when their account is hacked. Panic, embarrassment and shame are not the sort of feelings we want customers and end-users to have when they rely on our products. And while this example may be specific to social media, the sentiment is something we can all share.
Whether it’s social media, FinTech, e-commerce or any other organisation with an exploitable user base, credential stuffing is a cat-and-mouse game that is here to stay, and with eyebrow-raising impact.
Javelin Strategy and Research, in their 2021 Identity Fraud Study, reported that account takeover (ATO) fraud resulted in over US$6 billion in total losses in 2020. When companies create new defences, hackers develop tools to bypass these safeguards and the cycle continues.
So, how can businesses fight back?
In a recent Aite Group report, risk executives from financial institutions, FinTech lenders and e-commerce companies were interviewed to learn how they were protecting themselves from the escalating volume of ATO attacks. Some of the key takeaways were:
- Most consumers use the same usernames and passwords across websites, creating a vulnerability exploited by organised crime rings.
- The available attack surface continues to expand, making detection and mitigation more complex.
- Organisations need a solution that leverages real-time data analytics to keep pace with automated attacks and block malicious activity before it affects the business.
- Firms with robust defences will see attack volumes decrease as criminals focus their attacks on easier targets.
Beyond the obvious bottom-line impacts of ATO attacks, it is important to remember that these crimes have a real human impact. Stopping fraud isn’t only about saving money. It is just as critical for preventing the kind of human trauma that is surreptitiously corroding the fundamental fibres of a more ideal digital future. Just like the physical world, what we want is safety, security and trust.