It is a known fact that cybercriminals choose the path of least resistance. Naturally, easy cashout methods with good returns are much more favorable than methods that are high risk, complicated or yield small profits. While this is not the only factor in determining how much fraud is committed through a certain vector (for example, it takes time for cashout methods to become public knowledge in cybercriminal circles and thus become widely adopted), it is a major aspect.
If a certain financial institution is dramatically more targeted than its counterparts by cybercriminals, it is usually because it is the easiest prey. If fraudsters find a way to reliably circumvent anti-fraud measures (i.e. the bank automatically approves all transactions under a certain sum), or in more rare instances, a vulnerability in the processing parameters, criminals will set their sights on that particular bank.
The dynamic digital world provides criminals with more vectors than ever to commit fraud. The rise of fintech, digital currency and e-commerce solutions have opened up new cashout methods and enabled fraudsters to diversify fraud, extending their work to more than carding and online banking.
While it makes sense that P2P payments and e-commerce solutions would attract fraud, innovative fraudsters find opportunities in new industries and vectors. The major benefit of targeting such industries is that while financial and e-commerce services are built with fraud prevention in mind, the targeted industries are less prepared.
Take for example the music streaming industry. As described by Alex Karlinsky, a cyber intelligence expert who also happens to be a popular musician in the retro synthwave music genre, streaming services have a big impersonation problem. Many artists discover that someone released music under their name, banking on a musician’s popularity to draw in their followers, get play counts which are then translated to pay checks from the streaming service. A somewhat established name can also lend credibility for those who use bots to raise their play count, in order to eventually get a higher pay.
These scams, which target mostly indie artists with moderate success, are left with no real solution on how to mitigate the issue and no one to talk to. The ease of this abuse, as described by Alex, suggests that information is not being shared between the different services, unlike financial institutions who do share intelligence. The poor communication on how to report such incidents (if it is at all possible) by those who are affected by it, who also happen to depend on these services for a living, suggests that these companies have yet to implement procedures to handle such fraud cases.
This example can be applied to various other emerging industries. When looking at an industry, it is often possible to measure its anti-fraud maturity as a whole. The maturity of an industry evolves over time and has a distinct lifecycle.
New types of services usually start with a limited fraud prevention operation, as anti-fraud processes take time to build. As word gets spread around the dark web that these services are lucrative targets, more fraudsters will begin to target these services. This would result in the services improving their fraud prevention capabilities, leading to an arms race between the fraudsters and the fraud teams. New ways to abuse the services will be used, while new defensive capabilities will be added.
Eventually, fraudsters will determine who to target within the industry based on each service’s fraud prevention policies and maturity, rather than generally targeting the industry. Naturally, for every rule there are exceptions and some services can either be ahead or behind of the pack when it comes to fraud prevention maturity within their industry.
We can break down this anti-fraud lifecycle to three main maturity stages and we can identify the stage of an industry based on the question the services within the industry ask themselves in regards to fraud.
Organizations in the earliest maturity stage ask, “am I being attacked?”. At the beginning of this stage the fraud levels are relatively low and do not trigger any alarms on the operational side. The lack of anti-fraud tools, procedures or dedicated personnel make it difficult to identify fraudulent activity in the first place. Only when the amount of fraud increases and goes over a certain threshold these organizations begin to take note of the issue.
The second maturity stage is “how am I being attacked?”. These organizations have already experienced enough fraud to recruit dedicated anti-fraud personnel, usually as a separate function. Anti-fraud solutions are acquired and implemented, while better reporting mechanisms and general fraud processes are established. More of the work involves tracking fraud trends and adjusting fraud rules accordingly to detect these patterns.
The final maturity stage is “why am I being attacked?”. At this stage anti-fraud on an industry level has matured to the point where anti-fraud teams look beyond the techniques used to defraud their organizations and look for the root cause of what makes them an easier prey. Anti-fraud processes, including reporting on incidents and the identification of compromised user credentials are well established. New offerings are designed with the impact of fraud in mind. On an industry level, we expect to see more collaborations, with intelligence sharing across competing services.
As organizations can be in different stages compared to the rest of their industries’ general maturity, organizations that are more advanced than their counterparts in the lifecycle will enjoy a relatively low amount of fraud. As fraudsters shift their sights towards emerging industries, there will not be a shortage of easy prey. The first step towards moving between the stages is to ask the question of the next stage, then working on building the infrastructure to answer it.