Data Breach Digest: Fraud trends for 2017 and how to stop them

Jan. 4, 2017
A new year means new cybersecurity threats, but one threat remains constant – fraud

Media coverage of cybersecurity usually focuses on mega data breaches (e.g. Yahoo) and large-scale attacks such as the Dyn DDoS attacks, which could be why we have seen more and more companies prepare for these incidents. According to the Ponemon Institute, 86 percent of companies now have a data breach response plan compared to 61 percent in 2013. However, what is often less covered by the media is the subsequent fraud risks consumers and businesses face.

Currently 1.9 million records are compromised every day, leaving millions of people vulnerable to fraud. In fact, more than 13 million people were victims of some form of fraud in 2015 alone. Despite new technologies, such as EMV, it is likely that fraud will continue to persist and possibly increase in 2017. With the New Year upon us, it is a perfect time for companies to examine operations and determine what improvements can be made to fraud prevention practices, making the company more fit to protect itself and customers.

Resurgence of Tax Fraud

While most people are working hard to get their tax returns filed by April 18, another group is working hard to separate taxpayers from their refunds. These scammers use phishing to gain access to the personally identifiable information (PII) needed to file false tax returns.

During the 2015 tax season, hackers specifically targeted individuals at organizations with access to W2s, finding it much easier and more lucrative to target individuals rather than computer systems. The time and effort it takes to steal valuable information with a few simple, well-crafted and targeted emails to unaware employees is significantly less than hacking a larger system for almost the same amount of information. The proliferation of this scam was widespread last year, with Experian’s Data Breach Resolution group handling more than 70 data breaches each week tied to W2 schemes.

It is highly likely that these scams will continue during the 2016 tax season. Despite a push from the private sector, it appears that the IRS still does not alert people when a tax form has been filed.

As such, companies will need to take the lead this year in preventing W2 fraud by educating employees on the threat. According to a recent study from the Ponemon Institute, less than half (49 percent) of organizations include phishing and social engineering attacks in their employee security trainings. With the beginning of tax season approaching, now is the perfect opportunity for companies to get the education started.

Training should focus on identifying phishing emails, what types of information should never be sent in an email (e.g. home addresses, phone numbers, passwords, social security numbers), and what steps should be taken if a request from an apparent colleague or company executive asks for this information via email. Aside from training, companies can also restrict access to files containing PII, limiting the number of potential targets for phishing attacks.

Continued focus on credit card fraud, despite shift to EMV

While the shift to EMV Chip and PIN technology was supposed to be the answer to the issue of credit card fraud, it has not stopped payment breaches. Two factors continue to drive credit card fraud - uneven adoption of EMV across sectors, and attackers targeting new industries and adapting their tactics.

Despite the October 2015 deadline to switch to EMV technology having come and gone, many companies have failed to make the transition to Chip and PIN transactions. According to a recent survey from The Strawhecker Group, only 44 percent of U.S. card-accepting merchants have EMV terminals. In January 2016, the management consulting firm estimated that more than 50 percent would have an EMV terminal by September 2016, showing a slower pace of implementation than expected. The lack of adoption leaves an opening for cybercriminals, who are exploiting these gaps, particularly in smaller franchised stores which do not have the means to make the transition to EMV.

Ultimately, moving to EMV sooner rather than later will help protect both companies and customers; however, there are certainly legitimate barriers for some businesses to adopting the technology. Point-to-point (P2P) encryption protection can help companies that are not able to migrate as quickly. This technology limits the exposure of credit card numbers by encrypting the card data at the point of capture, before it can be stolen.

E-Commerce Fraud

While credit card fraud will, without a doubt, continue to persist in 2017, the information is becoming harder to steal. Similar to what happened in Europe after EMV was implemented, the United States may see a rise in e-commerce, or card-not-present, fraud. In fact, Experian found that this type of fraud increased by 15 percent in 2016.

E-commerce fraud will be fueled by the numerous data breaches over the past few years, where login credentials were stolen. As attackers continue to sell old username and password information on the dark web, the risk extends beyond the initial breach. Companies that didn’t experience a data breach first-hand will likely see an “aftershock” of repeat unauthorized log-ins (we address this in our annual industry forecast whitepaper). Access to this information can make it easy for thieves to hack accounts, as many people use the same credentials across multiple accounts.

To combat e-commerce fraud, companies should move away from passwords alone and toward two-factor authentication. These secondary authentication methods could include tokens, SMS alerts, geo-location confirmation or biometrics to help solve the password reuse problem. Additionally, companies can deploy modern forms of fraud detection. The latest monitoring systems use dynamic data points (e.g. location, IP addresses, behaviors) rather than static data points (e.g. date of birth, social security number) to determine whether a customer’s activity is normal.
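The two ideas in the preceding paragraphs, the credential-reuse "aftershock" of logins hitting many accounts from one source, and risk scoring on dynamic signals (new device, new country, impossible travel, unusual spend) rather than static identity data, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Experian's or any vendor's detection logic; the event layout, the signal weights and the `allow` / `step_up` / `block` thresholds are assumptions chosen for the example, and the events are constructed sample data. The `step_up` outcome is where a monitoring system would demand the second factor described above instead of trusting the password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights for the dynamic signals (illustrative values, not from the article).
WEIGHTS = {
    "new_device": 2,
    "new_country": 2,
    "impossible_travel": 3,
    "amount_spike": 2,
    "shared_ip": 3,
}
TRAVEL_WINDOW = timedelta(hours=6)   # a country change inside this window is suspicious
SHARED_IP_USERS = 3                  # one IP touching this many accounts looks like stuffing
STEP_UP_AT, BLOCK_AT = 3, 6          # assumed decision thresholds on the summed score

# Constructed sample events: (timestamp, user, ip, country, device id, amount; 0 = login only).
# Alice's normal history is followed by an odd purchase, then one IP walks through
# several other accounts in quick succession, the "aftershock" pattern.
SAMPLE_EVENTS = [
    ("2017-01-03T09:12:00", "alice", "198.51.100.7", "US", "dev-a1", 42.50),
    ("2017-01-03T18:40:00", "alice", "198.51.100.7", "US", "dev-a1", 15.00),
    ("2017-01-04T08:05:00", "alice", "198.51.100.9", "US", "dev-a1", 60.00),
    ("2017-01-04T08:20:00", "alice", "203.0.113.44", "RO", "dev-zz", 980.00),
    ("2017-01-04T08:21:00", "bob",   "203.0.113.44", "RO", "dev-zz", 0.0),
    ("2017-01-04T08:21:30", "carol", "203.0.113.44", "RO", "dev-zz", 0.0),
    ("2017-01-04T08:22:00", "dave",  "203.0.113.44", "RO", "dev-zz", 0.0),
    ("2017-01-04T08:22:40", "erin",  "203.0.113.44", "RO", "dev-zz", 0.0),
]


def decide(score):
    """Map a risk score to an action; step_up means require a second factor."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate_events(events):
    """Score events in time order, building each user's baseline as it goes.

    Each event is judged only against history seen before it, so a user's first
    event merely establishes the baseline. The shared-IP signal needs no per-user
    history and therefore applies from the first event onward.
    """
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(),
                                    "amounts": [], "last": None})
    ip_users = defaultdict(set)   # ip -> distinct accounts seen from it
    results = []
    for ts_str, user, ip, country, device, amount in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        p = profiles[user]
        reasons = []
        ip_users[ip].add(user)
        if len(ip_users[ip]) >= SHARED_IP_USERS:
            reasons.append("shared_ip")
        if p["last"] is not None:   # the user has a baseline to compare against
            if device not in p["devices"]:
                reasons.append("new_device")
            if country not in p["countries"]:
                reasons.append("new_country")
            last_ts, last_country = p["last"]
            if country != last_country and ts - last_ts < TRAVEL_WINDOW:
                reasons.append("impossible_travel")
            if amount > 0 and len(p["amounts"]) >= 2:
                mean = sum(p["amounts"]) / len(p["amounts"])
                if amount > 3 * mean:
                    reasons.append("amount_spike")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append({"ts": ts_str, "user": user, "score": score,
                        "reasons": reasons, "decision": decide(score)})
        # Update the baseline only after scoring, so the event cannot vouch for itself.
        p["devices"].add(device)
        p["countries"].add(country)
        if amount > 0:
            p["amounts"].append(amount)
        p["last"] = (ts, country)
    return results


if __name__ == "__main__":
    for r in evaluate_events(SAMPLE_EVENTS):
        print(f"{r['ts']} {r['user']:6} score={r['score']} {r['decision']:8} {r['reasons']}")
```

Running it, Alice's third event scores zero even though her IP address changed, because none of the dynamic signals moved; her fourth event trips four of them at once and is blocked, while Bob's login from the same IP is still allowed because at that moment only two accounts have used it. From Carol onward the shared-IP signal alone is enough to demand a second factor, which is the point of pairing two-factor authentication with monitoring: the password may be correct and stolen, so the decision rests on behaviour rather than on static identity data.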

Fraud is an ever-growing issue for companies, as cybercriminals continually find new ways to undermine defense systems. While it can seem like a never-ending battle, combating fraud is crucial for businesses to maintain a strong reputation among consumers. By resolving to make the changes recommended above, companies can become better equipped to protect themselves and their customers in 2017.

Editor’s Note: With the New Year upon us we are already seeing numerous cybersecurity issues arise, leading many people to ask questions like – “What will the new administration do about cybersecurity?” and “What security threats does artificial intelligence pose?” Michael Bruemmer would like to hear from you on what burning questions are on your mind and what topics you would like him to address in the coming year. Leave your comments below.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].
