RSA Security has released its Q1 2018 Fraud Report, providing analysis of consumer fraud data from the RSA Fraud and Risk Intelligence team.
The report offers a snapshot of the cyberfraud environment from behind enemy lines, showing that the number of fraudulent transactions originating from a mobile app during the quarter has increased by 200% since 2015. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing the dark web as the top hacker marketplace.
Key stats include:
- ‘Appy hunting – the proportion of fraudulent transactions carried out on a mobile app has jumped from just 5% in 2015 to 39% in the first quarter of 2018 – the volume of fraudulent transactions has risen by 680% overall and by 63% since Q1 2017
- Down goes the desktop – use of traditional web browsers for fraudulent transactions is on the decline, dropping from 62% to 35% since 2015
- Burner phones rife – 82% of observed fraudulent e-commerce transactions originated from a new device in Q1 2018, as hackers try to avoid detection
- New profiles and devices used for cash out – Fraudsters used a new account and new device in 32% of all the fraudulent transactions seen during the quarter, suggesting that many are attempting to use stolen identities to create ‘money mule’ accounts as part of their cashing out process
- Phishing remains at number one for cybercriminals – despite being one of the oldest online fraud tactics, phishing accounted for 48% of all fraud attacks observed in Q1 2018
- Trojans still siphoning credentials – financial Trojan malware was present in one in every four fraud attacks observed in Q1 2018
- Cards being compromised – RSA recovered more than 3.1 million unique compromised cards and card previews from reliable online sources in the quarter – these all included CVV numbers
“There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it’s only natural that hackers have followed suit in targeting mobile channels for fraud,” said Daniel Cohen, Director at the RSA Fraud and Risk Intelligence Unit.
“Unfortunately, many mobile apps fail to build security from the ground up. This means cybercriminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks.”
Mobile’s influence doesn’t stop with malicious apps: the increasing availability of social media on mobile devices has created a thriving cybercriminal ecosystem, with more than four out of five hackers using new devices to carry out fraudulent transactions and avoid being caught.
“Social media provides the perfect control station for cybercriminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces,” explains Cohen.
“Social media’s scalability, anonymity and reach are providing cybercriminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice.
“This makes it much easier to dodge the authorities and continue scamming. Reddit has recently banned a number of subreddits dedicated to fraud, where hackers were exchanging contacts, advertising services and sharing reliable sources of dark web fraud forums.”
In light of these findings, RSA has provided a number of recommendations to help consumers and businesses alike avoid falling victim to cyberfraud:
- The devil’s in the download – with one in 20 fraud attacks associated with a rogue mobile app, people must practice caution when downloading new apps, making sure to verify the publisher and pay close attention to what permissions each app requests
- It’s who you know – avoiding clicking on links in text messages or emails from unfamiliar senders will significantly lower the chances of having bank details stolen, or malware being installed on devices
- Safe housekeeping – smaller purchases will often be made first to test the waters, so monitoring bank accounts for suspicious purchasing activity is vital to catch fraudsters early in the act
- Educate yourself and your employees – free initiatives such as ActionFraud offer a number of helpful tools to keep consumers safe, while the Cyber Essentials scheme offers a similar service to businesses
- Create a device identification process for your business – take a business-driven approach to security by linking device identification to a clear risk strategy; for example, ask users on new devices to re-authenticate to reduce the risk of fraud
“We all need to take a share of the responsibility for reducing and preventing fraud – from the consumer, through to the banks and social media platforms. After all, fraud is not going away any time soon and can be very costly, to individuals and businesses alike,” explains Cohen.
“We need to get better at spotting it, by being more aware of it. Social media and mobile devices have made it easier than ever for fraudsters to be successful, but there are often tell-tale signs that something is up. Stay vigilant and don’t always trust what you see online!”