It’s important to be familiar with multiple types of fraud that could affect your organization
Leveraging threat intelligence to combat nation-state espionage threats is a common practice for cybersecurity teams. However, outside of the common types of fraud seen on darkweb or closed forums, the same threat intelligence is often not leveraged to combat enterprise fraud.
If you are a target of APT threats by espionage actors, buying access to known behaviors and TTPs used by APT groups is helpful to build detection models. For instance, the foothold, lateral movement, privilege escalation, and exfiltration techniques are generally repeatable across Windows and Linux corporate and production systems. Security teams build threat alerts and threat hunting models on the TTPs that are likely to target their organizations.
There is no universal type of fraud, and no “one size fits all” way to fight fraud. It’s important to be familiar with multiple types of fraud that could affect your organization in order to build customized defenses that pertain to loss and brand degradation.
12 Common Types of Fraud in Enterprise:
1. Online Shopping Fraud: Involves setting up fake online shopping portals to cheat people of their money.
2. Chargeback Fraud: Consumers fraudulently attempt to secure a refund using chargeback processes.
3. SIM Swap Scam: Account takeover fraud targeting weaknesses in two-factor authentication where the second factor is a call or text message to a mobile device. This allows interception of one-time passcodes to gain access to victims’ accounts so fraudsters can transfer funds.
4. Identity Theft Account Takeover: Personal information is stolen through account takeover by modifying PII, adding authorized users, and changing passwords. The stolen information is then used to carry out unauthorized transactions. Synthetic identity theft combines real and fake information to create a new identity.
5. Phishing and Spoofing: The use of email, online messaging, fake websites, and social engineering to dupe victims into sharing personal data, login credentials, and financial details.
6. Ghost Employee Scam: Scammers use fraudulent PII to apply for IT, programming, database, and software jobs. These positions have access to sensitive customer or employee data, so the imposters could steal sensitive information and cash a fraudulent paycheck.
7. Credential Stuffing: Credentials are obtained from a data breach on one service and used to attempt to log in to another service. This includes data being stolen from users and organizations and being resold on the darkweb or closed forums.
8. Business Email Compromise (BEC): This is a sophisticated form of attack targeting businesses that frequently make wire payments. It compromises legitimate email accounts through social engineering techniques to submit unauthorized payments.
9. Rewards Point Fraud: Fraudsters call credit cardholders claiming to be from their credit card company. They offer to help redeem the cardholder’s accumulated points and request the card details along with the OTP. Then, fraudsters carry out transactions using these details.
10. Social Media Fraud: This includes bulk fake account creation, token abuse using OAuth access, and hacked accounts of friends who send links asking for money.
11. Credit Card Fraud: Hackers fraudulently acquire people’s credit or debit card details in an attempt to steal money or make purchases. Skimming and bust-out are common types of credit card fraud.
12. Tech Support Fake Virus Warning Scams: The consumer receives a warning indicating their computer is infected. The scammer then prompts the user to download an application, takes control of the computer, downloads an actual virus, and tells the consumer they need to fix the problem for a fee.
Overlapping Capabilities in Threat Intelligence to Detect and Combat Fraud
While solutions exist for prevention, most solutions focus on one or a few types of fraud. Fraud happens at such an unprecedented scale that utilizing law enforcement to disrupt bad actors is a hard value proposition. Organizations and individuals simply need to make themselves a harder target so the fraudsters move on.
There is no silver bullet for fraud detection. However, the following capabilities will allow organizations to detect fraud regardless of the techniques and methods used.
1. Establish comprehensive and demonstrated collection coverage of darkweb, closed forum, social media, and open source websites for your organization’s PII. It’s critical for these coverage areas to be in alignment with the most substantial monetary losses to the business.
2. Use threat actor engagement to understand TTPs and set stronger requirements for application architecture, processes, and controls. Employing the right linguists is key to identifying critical slang terminology.
3. Test the tools fraudsters create to exploit enterprise platforms and employees.
4. Employ threat intelligence analysts who can use obfuscated payments to buy on closed forums on an organization’s or individual’s behalf.
5. Conduct discreet investigations in coordination with general counsel, human resources, IT, and engineering.
Organizations need to be able to go outside the firewall to gather as much threat actor information as possible to build robust internal defenses against fraud. Further, security and fraud teams need to align with other business stakeholders, and often with each other, to determine additional disruption outcomes that culminate in assigning a dollar-value loss to these outcomes.