Family and friends are not the only ones anticipating the start of another holiday season this year; many cybercriminals and nefarious online entities are as well. In fact, annual research points to cyberattacks surging during the last two weeks of December, when individuals and organizations are least prepared and most distracted. Aside from the ongoing threat of recession and growing inflation, upcoming holiday revelry will also be punctuated by highly creative digital maleficence.
What does this mean for businesses?
Enterprises will be more vulnerable to bad actors, as legions of fraudsters continue to craft highly sophisticated and effective schemes to target consumers’ online accounts, gain access to your systems and steal money and other goods they can sell on the dark web. With an ever-increasing arsenal of tools to attack organizations at scale, cybercriminals are now launching attacks that can do more than just ruin the holiday mood: they can deal serious blows to a company’s bottom line and brand reputation, ones that can last for years.
Despite these threats, C-suite leaders can rest easier knowing there are effective ways to protect their organizations and client base from the latest digital scams. The holidays do not have to be a time of fear, uncertainty and dread—if you understand the landscape of online fraud attacks and have the right digital solutions in place to identify and mitigate them.
Evolving Holiday Threats
From account takeover attacks to phishing scams to malicious grinch bots, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning shoppers to be alert this holiday season. According to the agency, holiday-themed scams come in many forms, including phishing emails, phone calls and text messages to personal devices.
Other scams may include clever but fraudulent mobile applications or web pages touting holiday themes such as Black Friday or other sales events. When excited shoppers looking to save money download these applications or visit these websites and enter their personal information, they are instantly welcomed into a bogus environment where their data is now at risk.
A popular scam last year involved the messaging platform WhatsApp and promised 99% discounts to anyone shopping ahead of Black Friday. Because mobile browsers have a shorter address field, users often do not notice the full (and fraudulent) URL on their device. This scam was so effective at breaching data that Amazon used its official Twitter account to remind customers never to share their personal details and financial information on these types of websites.
Monetizing Maleficence
It is predicted that cybercrime profits will cost the world up to $10.5 trillion annually by the year 2025. This estimate is based on historical cybercrime data that includes elements such as:
• theft of personal and financial information
• lost productivity
• stolen money
• destruction of data
• fraud and embezzlement
• post-attack disruption
• restoration of breached systems
This means cybercrime outfits are now more profitable than the global drug trade, with fraudsters essentially creating their own ecosystem of corruption.
For bad actors, making money through digital fraud is fairly easy and comes with little to no risk. The business model for fraudsters is based on their unfettered access to the tools, resources and incentives they need to launch and intensify digital threats. Until this lucrative model is disrupted in all three areas, attackers will continue to threaten the security and success of legitimate businesses with exploits like account takeovers, chargebacks, new account fraud, inventory scraping and general spam.
Fraudsters wake up every day and complete their nefarious online work for money, often big money. With wide disparities in global wages, cost of labor and the purchasing power of different currencies, cybercriminals also launch attacks for socio-economic reasons. Take Russia, for example. Based on IMF statistics on purchasing power, the Russian ruble only has a quarter of the value of the U.S. dollar. When bad actors in Russia manage to exploit a U.S. business, they can potentially quadruple their earnings. Lower-income countries now have the greatest incentive to partake in global cybercrime, as it provides the opportunity to pull in real profits.
Today’s cybercriminals have no reason to stop their online shenanigans other than the loss of profit. It is the only motivator for them to cease and desist. Every successful attack gives the fraudsters a new playbook from which to pull exploits—that is, until businesses find a way to stop the cycle of crime.
Identifying Criminal Incentives
Online threats and scams will continue to flourish unless organizations stop accepting this reality as part of their digital landscape. Losing money to fraudsters is not a cost of doing business, and anything less than a zero-tolerance stance is actually feeding future exploits and allowing scammers to improve their attack vectors. Instead of accepting these threats as inevitable, organizations need to focus on how to disrupt the model to the point where crime literally does not pay.
This effort demands targeted action that affects the bottom line for fraudsters. When mounting a cyberattack becomes too expensive, or strains the resources needed to carry one out, bad actors lose their incentives, and the attack surface shifts in favor of businesses. This is why organizations must adopt the mentality of an arms race, where steps are taken to increase the time, cost and effort of scamming. Increasing the burden in these three areas is what forces fraudsters to move on to an easier target.
For example, a common phishing tactic involves criminals sending a fake text message or email to legitimate users of a popular website. Users are targeted in different ways, often with the scammers purporting to be from the actual business platform. When unsuspecting users put their credentials into the bogus login site, attackers then use that information to log into the real user account, where they can steal money or commit other types of downstream fraud.
This scam sometimes extends into vishing attacks, where users are contacted by someone on the phone claiming to be from the business and in need of personal information. The company itself is ultimately unable to gain clear insight into whether the entity visiting its site is a legitimate user or a fraudster.
A digital solution that offers insight into traffic patterns—and detects fraudulent account logins using phished or stolen credentials—enables companies to visualize the truth behind their security. By redirecting suspicious sessions to a platform that provides independent verification of identity, companies can shift the attack surface in their favor. In this way, trusted customers find the seamless experience they want, while businesses can send red flag sessions to targeted step-up authentication.
Sharing intelligence among trusted business partners is another way to ensure existing attacks are not replicated across different organizations, thereby driving up the time and resources needed to reach a positive return on investment. When fraudsters are forced to dig deeper to get access to better tools, online attacks suddenly seem a lot less appealing.