Amid shifting threats, FIs should be mindful of these emerging cybersecurity risks

Fluctuating economic headwinds and mobile banking expediting faster payments have created a hotbed for fraudsters to thrive in 2023.

The US region was the most heavily targeted for fraudulent card transactions from both the acquiring bank on the merchant end of the transaction (63.5%) as well as the issuing bank of the cardholder or consumer's bank (38.8%) over the period of June 2022 to November 2022. This indicates that there is a significant gap in security protocols and infrastructure in place to prevent fraudsters from predicting payment credentials, a new Biannual Threats Report by Visa shows.

As new technologies are enabling commerce to return in new digital and physical formats, fraudsters are continuing to adapt their tactics to find new ways to scam consumers and businesses. This is due to a couple of factors: for instance, the rise of digital payments has transformed money movement, making it easier and faster. While the benefits of digital payments are clear, they can also provide bad actors with increased opportunities to commit fraud. 

Additionally, the potential for an economic slowdown can also provide a stronger incentive to connect with and lure victims for their own gain. As an increased number of applications for unemployment insurance (UI) and Small Business Administration (SBA) loan programs and other government disbursement programs are expected to increase, some of the most common ecosystem threats that the industry might continue to see in 2023 are technical misconfigurations such as one-time password (OTP) bypass schemes and enumeration attacks. 

Enumeration is a process of gathering and extracting information about a system or network. This can include usernames, IP addresses, network resources, shares, and services from the ecosystem. It is used to identify potential security vulnerabilities that can be exploited by attackers.

Other increasing threats include skimming and Purchase Return Authorizations (PRAs), both of which significantly increased during the latter half of 2022. Skimming cases increased 174% in the June 2022 to November 2022 period compared to December 2021 through May 2022, while fraudulent PRAs investigations increased 164% in the same period when compared to the six months prior. This shows that bad actors are constantly innovating to find methodologies and tactics to improve the effectiveness of these schemes against the payments ecosystem. 

However, Third Party Agent breaches, which include a person's identity or personal details being used without their consent or knowledge to gain credit or products, and ransomware cases showed a fluctuating trend. The former decreased by 75% in the September 2022 to November 2022 period when compared to December 2021 - August 2022. Ransomware investigations decreased by 35% in a similar period.

The report highlights several key factors and contributors that elevate risk and fuel vulnerabilities making it possible for bad actors to carry out cyber-attacks and fraudulent activities in current times, including: 

• Weak authentication: Institutions that do not implement robust protocols like biometrics or multifactor authentication (MFA) are often targeted for account takeovers. 
• Lack of investment: Without investment in their cybersecurity infrastructure, capabilities, and overall scarcity of expert security professionals, organizations are leaving their businesses at a disadvantage. 
• Insider threats: Oftentimes, there are employees or third parties that have access to sensitive data that pose a threat – intentionally or unintentionally – to leak data due to inadequate Zero Trust policies. 

“We recommend organizations adopt comprehensive and stringent security controls across their online systems,” said Michael Jabbara, global head of fraud services at Visa.

This includes implementing a Zero Trust architecture by employing the principle of least privilege and granting personnel only the access needed to complete job requirements and segmenting sensitive network environments from other networks to prevent lateral movement by bad actors.

Over the past six months, the number of incidents Visa’s Risk Operations Center (ROC) responded to decreased by 1.4%, compared to the prior six-month period. However, the total number of transactions proactively blocked by ROC during these incidents increased by 28%, showing that individual attacks against the ecosystem have grown in size. 

Countermeasures to strengthen cybersecurity

There is no one-size-fits-all technique to combat fraud. Oftentimes, banks and FIs employ different strategies and techniques when it comes to their needs and level of cybersecurity competency. 

“We have provided several recommendations as to how issuing banks can help combat UI (Unemployment Insurance) fraud in the coming months, including verifying account details (the address, for example) to ensure the details match with those on record and placing velocity checks on dollar amounts to placing velocity checks on dollar amounts and transactions and monitoring high-risk MCCs (Merchant Category Codes) that have been flagged in relation to an attack transaction,” added Jabbara.

Investing in advancing technology to prevent fraud and strengthen security is key for enabling both public and private countermeasures to cyber threats. 

In response to the attacks on digital commerce, many merchants are adding advanced security capabilities like digital tokens, artificial intelligence (AI), and enhanced authorization to quickly detect and reduce fraud before it happens. Organizations can also take steps to establish a governance process to help them better address today’s ever-changing security landscape, according to Jabbara.

“At Visa, we’ve been using risk-scoring AI for nearly 30 years. In less than a millisecond, in-flight transaction analysis harnesses VisaNet’s global data to evaluate more than 500 attributes, analyzing each transaction to help predict the likelihood of fraud. A score for each attempt is then delivered to the issuer to help differentiate between good and bad transactions,” he said.

While AI can be used to thwart sophisticated fraud attacks, it is important to note that fraudsters can also leverage that same technology to threaten the security of modern-day encryption. As new use cases of AI, like ChatGPT, enter the market, it will become easier for fraudsters to leverage AI-enabled tools to their advantage. As a result, fraud continues, and will likely always continue to be a challenge for financial institutions. 

“While we can’t predict if fraud attacks will get ‘better’ or ‘worse’, we know that we will see fraud attacks continue into 2023. Attacks are likely going to be either completely new attack vectors that we haven’t seen before or will be evolutions of attack methods we know, but fraudsters may invent new ways of committing ‘old’ fraud,” noted Jabbara.