RSA Quarterly Fraud Report Volume 3, Issue 2 Q2 2020


Post on 09-Oct-2020


Contents

Executive Summary

Fraud Attack Trends: Q2 2020
  Fraud Attack Type Distribution
  Top Phishing Target Countries
  Top Phishing Hosting Countries

Consumer Fraud Trends: Q2 2020
  Transaction and Fraud Transaction Distribution by Channel
  Average Credit Card Transaction and Fraud Transaction Values
  Device Age vs. Account Age
  Compromised Credit Cards Discovered/Recovered by RSA

Feature Article
  Time for a Fresh Look at Fraud Prevention


Executive Summary

Feature Article: Time for a Fresh Look at Fraud Prevention

After the dramatic shift in Q2 to doing much more business digitally, it’s time for organizations to reassess fraud prevention strategies. Increased digital interaction can precipitate changes in fraud risks, and a fresh look will help ensure that fraud prevention efforts are aligned with how consumers and companies are interacting—and how fraudsters are responding. This article explains the challenge and offers guidance on practical steps to take for an effective reassessment.

The RSA® Quarterly Fraud Report presents an analysis of fraud attack and consumer fraud data collected by the RSA Fraud and Risk Intelligence team in the course of its work identifying threats for RSA customers. As such, it provides a glimpse into the cyber fraud landscape for consumer-facing organizations of all sizes and types.

RSA-Observed Fraud Attack and Consumer Trends

For the period starting April 1, 2020, and ending June 30, 2020, RSA observed several global fraud trends across attack vectors and digital channels. The highlights include:

In Q2 2020, RSA identified a total of 46,821 global cyber attacks.

Phishing remained the predominant attack vector used by fraudsters, representing 43% of all attacks. Brand abuse was the next largest attack vector, at 35% of total attacks.

Canada was the most targeted country for phishing, with 59% of all attacks. (The next most targeted accounted for only 9%.)

The United States was the top hosting country for phishing attacks, with 67% of attacks originating there.

The percentage of fraud transactions originating in the mobile channel was 69%—little change from the previous quarter, but a year-over-year increase of 26%.

There continued to be a significant gap between the percentage of logins from a combination of new account/new device (0.7%) and the percentage of fraud volume associated with this combination (31%).


Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade. Phishing attacks not only enable online financial fraud, but these sneaky threats also chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites. Automated fraud comes in the form of the various active banking Trojan horse malware families in the wild today; these malicious programs do their work quietly and often without detection until it is too late.

By tracking and reporting the volume and regional distribution of these fraud threats, RSA hopes to contribute to the ongoing work of making consumers and organizations more aware of the current state of cybercrime and fueling the conversation about combating it more effectively.

Fraud Attack Trends: Q2 2020


Fraud Attack Type Distribution

In the second quarter of 2020, RSA identified 46,821 cyber attacks worldwide. The greatest percentage of these were phishing attacks, representing 43% of all attacks identified. The next greatest percentage of attacks were brand abuse attacks, which made up 35% of all attacks (an increase of 13% over the previous quarter). The percentage attributable to Trojan horse attacks remained unchanged from Q1 at 9%, while the percentage attributable to rogue mobile attacks was 13%, down just two percentage points from Q1.

Fraud Attack Glossary

Phishing: Cyber attacks attempting to steal personal information from unwitting end-users under false pretenses either by email, phone call (vishing) or SMS text (smishing).

Trojan Horse: Stealthy malware installed under false pretenses, attempting to steal personal user information.

Brand Abuse: Online content, such as social media, that misuses an organization’s brand with the purpose of misleading users.

Mobile Application Fraud: Mobile applications using an organization’s brand without permission.

In Q2 2020, 20,373 attacks were the result of phishing, more than any other individual type of attack.

Attack type distribution: Phishing 43%; Brand Abuse 35%; Rogue Mobile Apps 13%; Trojan Horse 9%.

Top Phishing Target Countries

Canada 59%
United States 9%
Netherlands 7%
South Africa 6%
Spain 5%
Philippines 4%
India 3%
Peru 1.5%
Mexico 1.5%
China 1%
Poland 1%
Turkey 1%
All others 3%

Country labels on the map (regions: EMEA, APAC, North America, LATAM): Australia, Argentina, Barbados, Bermuda, Bolivia, Chile, Brazil, Colombia, Dominican Republic, Haiti, Jamaica, Peru, Puerto Rico, Trinidad and Tobago, Venezuela, Bangladesh, Hong Kong, Indonesia, Japan, Republic of Korea, Macau, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam, Austria, Belgium, Cyprus, Czech Republic, Denmark, Finland, France, Gibraltar, Greece, Iceland, Ireland, Israel, Italy, Kazakhstan, Kuwait, Lebanon, Luxembourg, Mozambique, Nigeria, Poland, Qatar, Romania, Russian Federation, Saudi Arabia, Serbia, Slovakia, Slovenia, Sweden, Switzerland, Ukraine, United Arab Emirates, United Kingdom, Brunei Darussalam, Germany.

Phishing Targets

Canada continues to dominate the list of top targeted countries for phishing attacks, as it has in every quarter since RSA began publishing this report in Q1 2017. The United States was again second on the list. Most of the countries in the top ten saw a decrease in total attacks, except for the Netherlands (up 63%) and South Africa (up 48%). Peru joined the list at #8, while Chile dropped off.


Top Phishing Hosting Countries

Phishing Hosts

The United States continues to be the top hosting country for phishing attacks, accounting for 67% of ISPs hosting these types of attacks. This is largely attributable to a handful of large-scale hosting authorities, whose sheer magnitude makes it easy for fraudulent activity to go undetected. (For most of the other countries in the top ten, the percentage for hosting phishing attacks is in the low single digits.)

Hosting Countries

1. United States
2. Germany
3. Malaysia
4. Russia
5. India
6. Canada
7. Moldova
8. France
9. Netherlands
10. China


Consumer Fraud Trends: Q2 2020

The RSA Fraud and Risk Intelligence team analyzes consumer fraud data and informs the security and risk management decisions for major organizations while serving the public interest by identifying, preventing and reducing financial cyber fraud attacks on consumers. Observing consumer fraud trends over time can support decision-makers on how to build or refine their digital risk management strategy across customer-facing digital channels.

These data points are intended to broadly frame the current consumer fraud atmosphere, and identify relevant trends, by tracking broad indicators of online fraud across both financial and e-commerce focus areas.


Transaction and Fraud Transaction Distribution by Channel

Fraud Transaction Method

In the second quarter of 2020, there was a slight decrease from the previous quarter in the percentage of fraud originating in the mobile channel. There was also little change in the distribution of fraud within that channel—a departure from the previous quarter, which saw a doubling of fraud transactions originating in a mobile app rather than a mobile browser.

[Charts: transaction distribution and fraud transaction distribution by channel (Web, Mobile Browser, Mobile App), per quarter from 2017 Q2 to 2020 Q2]

Transaction Method

In the second quarter of 2020, mobile browsers and mobile applications accounted for 56% of overall transactions observed by RSA, reflecting only a slight increase from the previous quarter.

Source: RSA Fraud & Risk Intelligence Service, April 2020-June 2020

69% of fraud volume originated in the mobile channel in Q2, 26% higher than the same time one year earlier


Average Credit Card Transaction and Fraud Transaction Values (E-Commerce, by Region)

In Q2 2020, the greatest average fraud transaction value was $306 (Americas), which is 13% higher than the next nearest amount of $266 (EU) and 39% higher than the smallest average fraud transaction value of $187 (UK). The UK also had the smallest difference between the value of genuine and fraudulent credit-card transactions. Unlike in the previous quarter, when the average fraud transaction value was nearly triple that of a genuine transaction in at least one region (Australia and New Zealand), the average fraud transaction in Q2 was at most a little more than double that of a genuine transaction. The average value of a fraudulent payment transaction in the mobile channel increased again in Q2—but only by 17%, less than a third of the 60% increase seen in the previous quarter.

[Chart: average transaction value vs. average fraud transaction value, by region]

Source: RSA Fraud & Risk Intelligence Service, April 2020-June 2020

Region | Transaction Value | Fraud Transaction Value | Difference $
European Union | $118 | $266 | $148
Americas | $162 | $306 | $144
UK | $139 | $187 | $48
Australia/New Zealand | $96 | $219 | $123


Device Age vs. Account Age

Analysis

“Device Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given device (laptop, smartphone, etc.). “Account Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given account (login, etc.). This data demonstrates the importance of accurate device identification to minimize false positives and customer friction during a login or transaction event.

E-Commerce

In Q2 2020, 59% of fraud transaction value originated from a new device but trusted account. This reflects little change from the previous quarter, continuing the trend of account takeover activity being a preferred attack vector.

One interesting thing to note in e-commerce is that transaction volumes for various merchant categories changed dramatically in Q2. For example, public transportation and airline transactions were down 92% and 71%, respectively, while transactions in automobile sales were up 283%—reflecting concerns about increased health risk associated with crowded modes of transportation.

Online Banking: Login

While only 0.7% of logins were attempted from a combination of new account and new device, this scenario accounted for 31% of total fraud volume observed in Q2. As in Q1, this is a significant gap, suggesting fraudsters are continuing to use stolen credentials from data breaches to set up mule accounts to facilitate cash out or new account fraud.

Source: RSA Fraud & Risk Intelligence Service, April 2020-June 2020

Online Banking: Payment

In Q2, only 0.5% of total payment transactions came from a new account and a new device, but 18% of fraud value was in this category. In addition, the percentage of fraud value associated with a combination of trusted account and trusted device dropped to 16%, a return to pre-Q1 levels.

Definitions used in the chart:

New account: Account Age < 1D. Trusted account: Account Age >= 90D.
New device: Account-Device Age < 1D. Trusted device: Account-Device Age >= 90D.

Segment | % of transaction volume | % of fraud value

E-Commerce Payment
New Account/New Device | 4.5% | 20.5%
Trusted Account/Trusted Device | 31% | 3%
Trusted Account/New Device | 44% | 59%

Online Banking: Login
New Account/New Device | 0.7% | 31%
Trusted Account/Trusted Device | 66.5% | 12%
Trusted Account/New Device | 2% | 28.5%

Online Banking: Payment
New Account/New Device | 0.5% | 18%
Trusted Account/Trusted Device | 78.5% | 16%
Trusted Account/New Device | 4% | 30%
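The segmentation behind the Device Age vs. Account Age figures, as an added example that is not RSA's code: it buckets events using the legend's thresholds (new is under 1 day, trusted is 90 days or more) and compares each segment's share of transaction volume with its share of fraud value. The event field names, the "Intermediate" bucket for ages between the two thresholds, the over-representation ratio and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the report's chart legend.
NEW_BELOW = timedelta(days=1)       # "new": age < 1D
TRUSTED_FROM = timedelta(days=90)   # "trusted": age >= 90D


def age_class(first_seen, event_time):
    """Classify an age as New, Trusted, or Intermediate (between the two)."""
    age = event_time - first_seen
    if age < NEW_BELOW:
        return "New"
    if age >= TRUSTED_FROM:
        return "Trusted"
    return "Intermediate"  # assumption: the report does not name this bucket


def segment(event):
    """Label an event the way the report does, e.g. 'Trusted Account/New Device'."""
    account = age_class(event["account_created"], event["time"])
    # Account-device age: time since this device was first seen on this account.
    device = age_class(event["device_first_seen"], event["time"])
    return f"{account} Account/{device} Device"


def segment_shares(events):
    """Return {segment: (pct_of_transaction_volume, pct_of_fraud_value)}."""
    count = defaultdict(int)
    fraud_value = defaultdict(float)
    for ev in events:
        seg = segment(ev)
        count[seg] += 1
        if ev["confirmed_fraud"]:
            fraud_value[seg] += ev["amount"]
    total_count = sum(count.values())
    total_fraud = sum(fraud_value.values())
    shares = {}
    for seg in count:
        vol_pct = 100.0 * count[seg] / total_count
        fraud_pct = 100.0 * fraud_value[seg] / total_fraud if total_fraud else 0.0
        shares[seg] = (round(vol_pct, 1), round(fraud_pct, 1))
    return shares


def over_represented(shares, ratio=2.0):
    """Segments whose fraud-value share is at least `ratio` times their volume share."""
    return sorted(seg for seg, (vol, fraud) in shares.items()
                  if vol > 0 and fraud / vol >= ratio)


# Constructed sample events (hypothetical field names, not RSA data).
NOW = datetime(2020, 6, 30, 12, 0)
D, H = timedelta(days=1), timedelta(hours=1)


def _event(account_age, device_age, amount, confirmed_fraud):
    return {"time": NOW, "account_created": NOW - account_age,
            "device_first_seen": NOW - device_age,
            "amount": amount, "confirmed_fraud": confirmed_fraud}


SAMPLE_EVENTS = [
    _event(400 * D, 400 * D, 50.0, False),
    _event(400 * D, 200 * D, 80.0, False),
    _event(365 * D, 120 * D, 20.0, False),
    _event(100 * D, 95 * D, 40.0, False),
    _event(90 * D, 90 * D, 60.0, False),   # exactly 90 days counts as trusted
    _event(300 * D, 300 * D, 100.0, True),
    _event(500 * D, 2 * H, 300.0, True),   # old account, device first seen 2h ago
    _event(200 * D, 1 * H, 30.0, False),
    _event(3 * H, 3 * H, 100.0, True),     # new account on a new device
    _event(30 * D, 30 * D, 25.0, False),   # neither new nor trusted
]

if __name__ == "__main__":
    shares = segment_shares(SAMPLE_EVENTS)
    for seg, (vol, fraud) in sorted(shares.items()):
        print(f"{seg:45s} volume {vol:5.1f}%  fraud value {fraud:5.1f}%")
    print("over-represented:", over_represented(shares))
```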

Compromised Credit Cards Discovered/Recovered by RSA

Analysis

In Q2 2020, RSA recovered 4,838,249 unique compromised cards and card previews from online credit-card stores and fraud communication channels. Fraudsters categorize compromised cards as “CVV2” or “dumps,” depending on how they were compromised; RSA FraudAction™ service collects CVV2-related data, which is card data compromised through cyber attacks targeting online transactions or e-commerce. This type of compromised card data can be used for a variety of fraudulent activities, including “carding,” which refers to using compromised cards to buy goods both in physical stores and on e-commerce websites.

Compromised cards recovered by month: April 869,350; May 1,722,358; June 2,246,541.

Source: RSA Fraud & Risk Intelligence Service, April 2020-June 2020

FEATURE ARTICLE

Time for a Fresh Look at Fraud Prevention

One of the consequences of COVID-19 has been a sharp turn away from consumers and companies doing in-person interactions and toward relying on a digital model for doing business. While this digital transformation had already been underway for some time at many organizations, the emergence of COVID-19 accelerated it. The recognition that people in close personal contact were at risk of spreading or contracting the disease served as a catalyst for dramatic changes—from banks shuttering branches and conducting everyday transactions entirely online, to healthcare providers quickly standing up technology for virtual patient visits, to retail stores and restaurants moving to 100% online ordering.

The pivot to digital-first operations enabled organizations to continue to serve their customers and communities in spite of the pandemic. At the same time, though, it also changed the nature of fraud risk, both increasing existing digital fraud risk and introducing new vulnerabilities. At the time of this writing, the digital-first approach has largely remained the norm, even as in-person interactions have returned to some extent in many locales. And now that the initial rush to establish a strong digital presence is behind us, this is a good time for organizations to take a fresh look at their fraud risk posture and reassess fraud prevention strategies to ensure they are well-prepared to manage fraud risk in a digital world.

How Can a Pandemic Change Fraud Risk?

The pandemic has brought about changes not only in how organizations transact business with customers, but also in how fraudsters carry out their business. RSA intelligence and anti-fraud teams observed a number of pandemic-related changes in the nature of fraud in Q2 2020, including:

• A sharp spike in fraud related to economic hardship. In the accompanying image, a fraudster shares with other fraudsters a screenshot of a fraudulent unemployment claim made using stolen PII. In the second image, we see a similar example in which a fraudulent application for pandemic-related disaster loan assistance is made with PII. Fraudsters often use phishing as a way to get PII to use in these and other fraud schemes.


• Reduced fraudster interest in hotel and airline fraud. Based on RSA intelligence analysis of messages collected from fraud groups on social media, there was an overall 67% drop in mentions of hotels and airlines in Q2 as compared to Q1, as shown in the accompanying graph. This is consistent with drops in airline and tourism transactions observed in Q2.

• Increases in breaches/leaks and ransomware attacks. The RSA intelligence team saw a significant Q2 increase in breach data dumps available for download in social media fraudster forums, attributable to employees working remotely and moving outside traditional network perimeters. And amid media reports of the effects of COVID-19¹ on ransomware attacks, the team also observed a sharp increase in the activity of several ransomware groups that upload stolen data to the darknet after victims refuse to make ransom payments.

6 Steps To Take To Reassess Fraud Risk

The preceding examples of pandemic-related fraud changes illustrate one of the reasons it is so important for organizations to step back and examine their own recent experience, look for changes in fraud risk, and adapt accordingly to protect themselves and those with whom they do business. To determine how their risk has changed and what to do to manage it, organizations can take the following steps to analyze consumer interactions and transactions, identify vulnerabilities associated with them and adjust their efforts to protect digital channels as needed.

1. Keep in mind the importance of an omnichannel perspective

The more an organization relies on digital interactions, the more critical it becomes to have a holistic view of fraud—a view in which fraud is examined across channels rather than in silos of interaction. In the digital world, interactions that happen online, via mobile or by some other means need to be seen as a whole rather than as discrete and separate. This is critical in fraud prevention because it reflects the way fraudsters operate: They look for the weakest link to get credentials, and then use those credentials in another channel to cash out. This is why an omnichannel approach that provides a seamless customer experience across channels also needs an omnichannel approach to prevent fraud across channels.

The pivot to digital-first operations enabled organizations to continue to serve their customers and communities in spite of the pandemic. At the same time, though, it also changed their fraud risk profiles, both increasing existing digital fraud risk and introducing new vulnerabilities.

An omnichannel approach considers all channels holistically, both to enable transactions and to prevent fraud.


2. Examine consumer adoption of digital channels (and fraud associated with them)

Organizations should look at consumer adoption of new or expanded digital channels, and calculate transaction volumes as well as correlated fraud transaction volumes. To gain accurate insights into fraud from this analysis, it is important to understand the strategic context for the presence or absence of fraud. For example, an organization that has adopted a mobile-first approach may introduce a feature (such as a new payment method) on the mobile app before making it available on the web; therefore, they’ll see fraud on the mobile channel, but not on the web channel—because that’s how they designed their digital strategy.

3. Look at fraud rates and intervention rates (in general, and by channel)

In any digital channel, organizations should generally strive for more fraud detection with less intervention. It may seem optimal to identify as much fraud as possible, but if high detection rates result from excessive intervention with authentication challenges, that will ultimately impact the customer experience. A fraud prevention tool that detects fraud with high accuracy and low false positives will allow organizations to balance fraud prevention with the customer experience and thus help to meet business objectives. In addition to generally applying metrics that reflect the desired balance for fraud detection, false positives and customer intervention, organizations may also find it useful to break down fraud and intervention rates by channel, rather than trying to take a standardized approach across channels.

4. Survey customers on their experiences and preferences

Reassessment of fraud prevention strategies in the wake of a digital shift also presents an opportunity to see what effect that shift is having on the customer experience. For example, in consumer banking, some customers may have already been relying on digital channels before the pandemic, while others only began to use them after the bank steered them in that direction because other ways of banking were no longer available. The latter group in particular can provide valuable feedback to continue to improve the digital experience going forward.

5. Review confirmed fraud cases, identify new patterns and adjust accordingly

Strategy reassessment and ongoing fraud prevention will benefit from reviewing confirmed fraud cases in case management and gathering feedback on confirmed fraud/confirmed genuine transactions. This feedback can be provided to supervised machine-learning tools to help ensure more accurate risk assessment for future interactions. In addition, identifying new fraud patterns from case management investigations should lead to creating new policies or adjusting existing ones.

6. Determine the impact of step-up options across channels

Organizations often use different step-up options in different digital channels, making it crucial to review the impact of options in various channels. For example, one option may produce more false declines than another because the flow is overly complicated and consumers are simply abandoning the process midway through. Close review makes it possible to better understand why legitimate consumers are failing to authenticate, and to remediate the issue. Remediation requires a consistent set of challenge flows that perform equally well, taking into account the difference between digital channels and the fact that the user experience for a particular step-up option might be ideal for one channel but not for another.
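Steps 2, 3 and 6 come down to a handful of per-channel ratios; the following added example (not from the report or any RSA product) computes them from confirmed case outcomes. The record layout, the channel and step-up option names, the sample records, and the choice to count a fraud as detected when it was challenged are assumptions.

```python
from collections import defaultdict

# Constructed case-management export (hypothetical layout, not RSA data):
# (channel, step_up_option or None, challenge_completed, confirmed_fraud)
SAMPLE_RECORDS = [
    ("web", None, None, False),
    ("web", None, None, False),
    ("web", "otp_sms", True, False),
    ("web", "otp_sms", False, True),           # fraud stopped at the challenge
    ("web", None, None, True),                 # fraud that was never challenged
    ("mobile_app", "biometric", True, False),
    ("mobile_app", "otp_sms", False, False),   # genuine customer abandoned the flow
    ("mobile_app", "otp_sms", False, False),   # genuine customer abandoned the flow
    ("mobile_app", "otp_sms", True, False),
    ("mobile_app", "otp_sms", False, True),
    ("mobile_app", None, None, False),
    ("mobile_app", None, None, False),
    ("mobile_app", None, None, False),
]


def _ratio(num, den):
    """Rounded ratio, or None when the denominator is zero."""
    return round(num / den, 3) if den else None


def channel_metrics(records):
    """Per channel: volume, fraud rate, intervention rate and detection rate.

    Assumption: a confirmed fraud counts as detected if it was challenged.
    """
    stats = defaultdict(lambda: {"n": 0, "fraud": 0, "challenged": 0, "caught": 0})
    for channel, option, _completed, fraud in records:
        s = stats[channel]
        challenged = option is not None
        s["n"] += 1
        s["fraud"] += fraud
        s["challenged"] += challenged
        s["caught"] += fraud and challenged
    return {
        channel: {
            "volume": s["n"],
            "fraud_rate": _ratio(s["fraud"], s["n"]),
            "intervention_rate": _ratio(s["challenged"], s["n"]),
            "detection_rate": _ratio(s["caught"], s["fraud"]),
        }
        for channel, s in stats.items()
    }


def genuine_stepup_failures(records):
    """Per (channel, option): share of confirmed-genuine challenges not completed."""
    seen = defaultdict(lambda: [0, 0])  # [genuine challenged, genuine not completed]
    for channel, option, completed, fraud in records:
        if option is None or fraud:
            continue
        seen[(channel, option)][0] += 1
        seen[(channel, option)][1] += not completed
    return {key: _ratio(failed, total) for key, (total, failed) in seen.items()}


if __name__ == "__main__":
    for channel, metrics in channel_metrics(SAMPLE_RECORDS).items():
        print(channel, metrics)
    for key, rate in genuine_stepup_failures(SAMPLE_RECORDS).items():
        print(key, "genuine failure rate:", rate)
```

In the constructed data the mobile app stops all of its confirmed fraud but challenges 62.5% of sessions, and two of three genuine customers fail the SMS challenge there, which is the pattern step 6 asks reviewers to look for.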

Beware the Consequences of Inaction

While it may have made sense in Q1 to move as quickly as possible to all-digital or mostly digital interactions, it is important now to stop and reflect on strategies for preventing fraud and managing the fraud risk that has been altered—if not accelerated—by this change. Organizations that fail to explore their changing fraud vulnerabilities now run the risk of substantial losses to fraud and will face a much larger challenge to protect against fraud going forward.


©2020 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of RSA Security LLC or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. Published in the USA. 9/20 W411419 H#####

About RSA

RSA, a leader in cybersecurity and risk management solutions, provides organizations with technology to address challenges across security, risk management and fraud prevention in the digital era. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access control; and reduce operational risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information, go to rsa.com.

1. Dan Lohrmann, “Ransomware During COVID-19,” Government Technology, August 29, 2020