Actions Enterprises Can Take to Combat Common Fraud Types

Fraud is a very general term that is used quite commonly in a variety of contexts.  Although many of us have heard the term repeatedly, fewer of us have likely ever stopped to think about what fraud really is and what it means.

Fraud can mean many things, and it can mean different things to different people. Because of that, when trying to gain an initial understanding around the subject of fraud, I find it helpful to learn by looking into specific types of fraud.  In this piece, I’d like to examine three types of fraud:

● Account Takeover (ATO)

● Account Opening (AO) - sometimes called Fraudulent Applications (FRAP)

● Payment

Beyond just an initial understanding of each of these types of fraud, I’d also like to examine what enterprises can do to mitigate risk and limit losses for each type.

Account Takeover (ATO)

As you might expect, Account Takeover (ATO) fraud occurs when a fraudster takes control of a legitimate account that belongs to someone else.  While there are many ways in which this can happen, here are a few of the more common ones:

● Credential theft through phishing and phishing sites

● Credential theft through malicious code (e.g., keylogging malware)

● Session hijacking or Man-in-the-Browser malware

The volume of stolen credentials and the rate at which they are stolen make it impractical, if not impossible, to keep up with which accounts have been compromised.  A far more practical approach is to look for the signs of account takeover.  There are many such signs, but a few notable ones are:

● Anomalous activity in the user journey (e.g., visiting unusual pages or pages rarely, if ever, visited in prior sessions)

● Anomalous behavior in the session (e.g., excessive cutting and pasting, erratic mouse movements, click speed, etc.)

● Anomalous environmental factors (e.g., connecting from a new or unknown device, mismatched ASN and timezone, strange language or user agent settings)
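As an added illustration (not the author's code or any product's), here is one way to turn those three classes of signs into a per-session risk score with a graded response, assuming constructed session records, an assumed ASN-to-region map, and illustrative weights and thresholds:

```python
# Added example (not from the article): a minimal ATO-signal scorer that
# applies the three classes of signs listed above to constructed session
# records. Field names, weights and thresholds are illustrative assumptions.
from collections import Counter

# Constructed history of prior sessions for one user.
PRIOR_SESSIONS = [
    {"pages": ["home", "balance", "statements"], "device": "dev-A",
     "asn": 7018, "tz": "America/New_York", "paste_events": 0},
    {"pages": ["home", "balance"], "device": "dev-A",
     "asn": 7018, "tz": "America/New_York", "paste_events": 1},
    {"pages": ["home", "balance", "statements"], "device": "dev-B",
     "asn": 7018, "tz": "America/New_York", "paste_events": 0},
]

# Assumed ASN-to-continent map (constructed); a real deployment would use
# a GeoIP/ASN database. Compared against the continent in the IANA timezone.
ASN_REGION = {7018: "America", 4134: "Asia"}

# Assumed weights: environment signals carry more weight than behaviour ones.
WEIGHTS = {"unusual page": 1, "excessive pasting": 1,
           "new device": 2, "ASN/timezone mismatch": 3}

def score_session(session, history=PRIOR_SESSIONS):
    """Return (weighted score, list of triggered reasons) for one session."""
    reasons = []
    seen_pages = Counter(p for s in history for p in s["pages"])
    # 1. User journey: pages this user has never visited in prior sessions.
    for page in session["pages"]:
        if seen_pages[page] == 0:
            reasons.append("unusual page")
    # 2. Session behaviour: paste volume well above this user's own maximum.
    baseline = max(s["paste_events"] for s in history)
    if session["paste_events"] > baseline + 3:
        reasons.append("excessive pasting")
    # 3. Environment: unknown device; ASN region disagrees with timezone.
    if session["device"] not in {s["device"] for s in history}:
        reasons.append("new device")
    if ASN_REGION.get(session["asn"]) != session["tz"].split("/")[0]:
        reasons.append("ASN/timezone mismatch")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(score, challenge_at=2, deny_at=6):
    """Map a score to an action; only strong evidence earns an outright deny."""
    if score >= deny_at:
        return "deny"
    if score >= challenge_at:
        return "challenge"  # e.g. step-up authentication rather than a hard block
    return "allow"
```

The graded response reflects the point below that a detection is rarely confident enough on its own to justify an outright denial.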

Of course, looking for these signs requires enterprises to have both mature controls and a robust fraud monitoring capability - neither of which is a given.  Both capabilities require strategic planning, diligent implementation, and continued focus.  Further, detecting ATO is one thing - doing so reliably enough to confidently block or deny fraudulent transactions is another thing entirely.

While thinking of ATO, we may think of bank accounts or other financial accounts.  It is important to note, however, that really any online account can be taken over.  Frequent traveler accounts are one example of a non-financial account type that often falls victim to ATO.  Because of this, the number of enterprises that need to protect themselves against ATO is larger than one might expect.

Account Opening (AO)

Account Opening (AO) fraud, sometimes called Fraudulent Applications (FRAP) fraud, involves opening entirely new accounts.  Obviously, fraudsters open these accounts in other people’s names and with other people’s information. Where do the fraudsters get this information?  From the dark web - due to the large number of breaches over the last 10 years, there is a wealth of PII available to the fraudsters at a very low cost.

Once fraudsters have obtained the PII of others, they turn their attention to opening new accounts.  In some cases, they may directly use the stolen PII of real people.  In other cases, they may combine PII from several people to create a new, fake person.  However they arrive at a stolen persona, once the fraudsters are able to successfully open a new account, they can begin enjoying the benefits of that account.

What are a few account types that fraudsters love to open?  There are many, though here are a few of the more popular ones:

● Unemployment benefits (filing for and receiving unemployment benefits using someone else’s PII or the PII of a fake person created from different people’s PII)

● Credit cards (opening credit card accounts and using those credit cards)

● Income tax refund (filing taxes using someone else’s PII and receiving a tax refund)

As with ATO, detecting and preventing AO requires mature controls and a robust fraud monitoring capability.

Payment Fraud

Payment fraud is more than likely the type of fraud that most of us are familiar with. When enterprises do not have a robust fraud monitoring capability, it is the stage at which fraudulent transactions are most often identified. Generally, payment fraud is detected when a customer notifies the institution that they have noticed a fraudulent transaction on their account. Obviously, at this point, the money is long gone, and the enterprise has suffered a fraud loss.  It is much better for the enterprise to detect and prevent fraud much earlier in the fraud chain - before the fraudster has a chance to execute a fraudulent payment.

While there are, unfortunately, many types of fraud, I’ve attempted to provide a basic introduction to three of the more common types. Detecting and preventing ATO, AO, and payment fraud requires enterprises to put the requisite controls in place, as well as a robust fraud monitoring capability.  Enterprises that do not have these two important capabilities will continue to suffer increasingly large fraud losses. There are steps that can be taken to detect and prevent fraud before it happens, and my hope is that as awareness of the situation increases, so will action to address it.

Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.