How many types of digital fraud are there? Might as well count the shades of color in a rainbow, says Dan Woods, vice president of F5 Networks’ Shape Intelligence Center: “I’d say they’re infinite.”
The list of fraud that hits us up online, by email, text or phone grows faster than black mold. We recently asked people who work in cybersecurity, financial services, and other fraud-focused industries to give us an example—or two, or three, or heavens, that many?!—of the types of digital fraud they’ve witnessed, how they fended it off (if they did), and/or what advice they have for staying out of the fraudsters’ cross-hairs.
What follows is a primer, reported from the front lines, by those who spend their days wrestling with the ever-innovating crooks who make up the world of digital hucksterism.
Thanks to our article sponsor, F5
Editor’s note: This article is part of CISO Series’ “Topic Takeover” program. While the article sponsor, F5, and our editors agreed on the topic of fraud, all production and editorial is fully controlled by our editorial staff.
1. First-party: Paying you tomorrow for a burger today
This is a situation where an individual or organization promises future repayment, but they have no intention of repaying, explains Simon Goldsmith (@Goldsmith_cyber), information security strategy and programmes team lead for adidas.
Goldsmith has seen:
- Attempts by individuals or organized groups to establish unsecured credit cards, loans or overdrafts,
- Secured products—for example, where stolen checks are credited to a secured credit card, and
- Direct deposit accounts, where the fraudster’s intent is to manipulate the float, usually using falsified deposits.
“The true extent of this type of fraud was difficult to measure, especially where the fraudster’s financial profile was very similar to that of a good customer,” Goldsmith said.
2. Patents: Patenting thin air
The Electronic Frontier Foundation (EFF) has oodles of examples of patent fraud: from the insanely broad patent for cellphone-based contact tracing to bad actors using patent law to block access to COVID-19 tests and treatment.
Tom Cornelius, senior partner at cybersecurity documentation firm ComplianceForge, says unscrupulous companies use patent fraud to either attack their competition or, in the case of patent trolls, to earn easy money. “Patent litigation can be very expensive and time-consuming, so very often companies just give in and pay,” he said.
To fend it off, “Companies need to have a thought-through strategy for how they will react if they receive a patent claim, since prior planning can be critical in either gaining patents or generating prior art through defensive publications,” Cornelius said.
3. Finance: Paranoid accountant = good accountant
Cybersecurity consultant Braden Anderson worked with a team that investigated compromises of Microsoft Office 365 accounts in the finance department of a big global organization that led to fraudulent payments.
One was for more than $100,000. Others were for tens of thousands—all pulled off within two months of the team developing detection techniques to sniff out how it was being done, such as looking for logins from atypical geographies or an invoice from a new bank account. “The correlation of these … perspectives provides an alert that has a high likelihood of revealing malicious activity,” Anderson said.
4. Medicaid claims: The Great Pizza Heist
While working at a large healthcare payer organization, Dustin Wilcox, now CISO at Anthem Inc., knew a fraud analyst who discovered that Russian organized crime was methodically buying up failed pizza place storefronts in Florida strip-malls. The crooks filed Medicaid claims from the pizza joints for big-ticket procedures such as knee replacements.
How the fraud was foiled: “The fraud analyst … [got] business registry information from the Chamber of Commerce and created a report, affectionately dubbed ‘The Florida Pizza Fraud Report’, that we then used to deny fraudulent payments to Russian organized crime,” explained Wilcox.
5. Credential-stuffing: Trying the key in every lock
Fraudsters get lists of account credentials and test them to see what they unlock: bank accounts? Social media accounts? Maybe all of the above, given rampant password reuse.
Chris Patteson (@RiskWrangler), executive director of the Risk Transformation Office at Archer Integrated Risk Management, says the threat actors often start by buying valid credentials in bulk on the dark web. “From there, [they buy] goods and then ‘virtually’ fence them using elaborate supply chain schemes to hide their identities,” Patteson said.
There are powerful tools that can review customer identities based on usage patterns, device telemetry and social information. Patteson said that if you’re a retailer, these types of controls are “almost mandatory … [Without them], there’s likely [more] fraud in your system than you realize.”
6. Real estate: Don’t skip title insurance!
Nothing like being evicted from a house you thought you owned free and clear, is there? F5’s Woods encountered one case wherein a malcontent decided that his ex-business partner still owed him money, so he looked over his target’s assets to see if he could file a lien against something valuable. He found that his ex-partner’s home wasn’t in his own name. Rather, it was in the name of an LLC. In fact, that LLC didn’t actually exist, the fraudster discovered when he checked the corporate commission website.
The fraudster formed an LLC, assumed ownership of the home, and borrowed $275,000 worth of “his” equity. Eventually, Woods’ team convinced the courts that his client had been defrauded, and the perpetrator wound up in prison: just one reason why Woods has title insurance.
7. Shipping profiles: The art of the drop
Con artists steal shipping profiles so that packages can be shipped under a victim’s account and intercepted, be they gift cards, bogus tax refunds, or physical goods. “Obviously a fraudster doesn’t want to pay for the shipment and would rather use a compromised account,” Archer’s Patteson said. Nor would they ever ship illicit goods to their own address.
To fend off these shysters, Patteson advises consumers and businesses to protect their shipping account numbers and access to their shipping platforms.
“The worst offenders I see do not use the administrative tools in the shipping platforms and let all users access the same user name and password for shipping,” he said. “This is a terrible practice.”
8. Subscriptions: Who’s watching ‘Bridgerton’ on your dime?
“[It] causes concerns, particularly when reporting monthly active users or total number of viewers to the street,” Escobar said.
Providers are dealing with the problem by adding features such as notification of new devices logging in and of logins from atypical locations. They’re also using low-friction two-factor authentication (2FA): namely, an email code required to make account changes such as email/password changes.
9. Carding: Shop ‘til you cop a plea
Stealing payment card details is just one step in carding, where legitimate, stolen card details are coded onto the fresh magnetic stripe of a blank card.
There are plenty of dark web shops out there that sell cloned cards. One of them that got busted in 2013, Cardplanet, differentiated itself with stellar customer service. Its inventory was well-stocked by solicitation of card details on carding forums, which are easy to find. “The criminals are bold,” noted Archer’s Patteson. “They operate in plain sight right on social media platforms like Facebook!”
10. BEC: Why we pick up the phone
How is multifactor authentication (MFA) still optional, as opposed to mandatory, in Microsoft Office 365? That’s what Patrick Garrity (@patrickmgarrity) wanted to know after hearing about three separate, successful, fraudulent wire transfers where the bad actor used a compromised Office 365 account that didn’t have MFA enabled to pull off business email compromise (BEC). Garrity, vice president of operations for Blumira, said that none of the targeted businesses apparently had account compromise detection capabilities in place.
What could have been done differently: Implementation of MFA, which helps stop account compromise. If an account were compromised in spite of MFA, it could have been detected by monitoring Office 365 logs with a cloud security monitoring tool like Blumira, Garrity says. Such a tool picks up on, and alerts on, things like abnormal log-in location.
Other best practices include detection of new Office 365 rule creation so as to catch attackers creating custom rules for data exfiltration, and verbal confirmation and verification of account numbers.
11. Vishing: ‘Hey, bro!’
Vishing, or voice phishing, is a phone scam where either a person or a computer calls and tries to trick you. Typically there’s a call to action: “Tell me your bank account details,” for example.
Adam Barrett (@DefenseStorm), senior product manager at DefenseStorm, gives the example of a scammer posing as a fraud investigator. “You get a call from your bank alerting you to suspicious activity,” Barrett explained. “Before the agent can proceed, he wants to verify your identity by texting you a security code. Moments later the text arrives, and without reading the message, you provide the code to the agent. Later … you realize $5,000 has been paid to someone you do not know. Looking back at the text message, you notice it reads ‘DO NOT share this security code. We will NEVER call you or text you for it.’ However, you were caught up in the moment and didn’t read the full message before relaying the code to the fraudster.”
When it comes to stopping these attacks, implementing MFA is a good step. It’s not an airtight defense, but it’s stronger still when combined with the practice of verifying whether:
- A login was from a trusted device,
- The IP address and location are common to the customer,
- A payment has been made to this person/entity in the past, or
- The customer is a victim of malware or compromised on the dark web.
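The checks Anderson, Garrity and Barrett describe above (atypical login geography, untrusted device, a payment to a never-before-paid account, a new mailbox rule that forwards or deletes mail) only become a high-confidence alert when they are correlated per user. The script below is an added illustration, not code from any of the people or vendors quoted; the events and field names are constructed and stand in for whatever your identity provider, mail platform and payment system actually log.

```python
"""Correlate login, payment and mailbox-rule signals per user.
Added illustration; events are constructed and field names are assumptions."""
from collections import defaultdict

# Constructed baseline: where and from what each user normally logs in.
BASELINE = {"ap.clerk": {"countries": {"US"}, "devices": {"laptop-4471"}}}
# Constructed history: beneficiary accounts each user has paid before.
PAID_BEFORE = {"ap.clerk": {"ACCT-SUPPLIER-001"}}
ORG_DOMAIN = "@example.com"  # assumed internal mail domain

# Constructed sample events, oldest first.
SAMPLE_EVENTS = [
    {"type": "login", "user": "ap.clerk", "country": "NG", "device": "unknown-9b2"},
    {"type": "inbox_rule", "user": "ap.clerk", "forward_to": "x@mail.example.net", "delete": True},
    {"type": "payment", "user": "ap.clerk", "beneficiary": "ACCT-NEW-777", "amount": 104500},
    {"type": "payment", "user": "ap.clerk", "beneficiary": "ACCT-SUPPLIER-001", "amount": 2100},
]

def login_signals(ev, baseline):
    known = baseline.get(ev["user"], {"countries": set(), "devices": set()})
    out = set()
    if ev["country"] not in known["countries"]:
        out.add("atypical_geography")
    if ev["device"] not in known["devices"]:
        out.add("untrusted_device")
    return out

def payment_signals(ev, paid_before):
    # A beneficiary never paid before is the "invoice from a new bank account" tell.
    return set() if ev["beneficiary"] in paid_before.get(ev["user"], set()) else {"new_beneficiary"}

def rule_signals(ev):
    # Rules that forward outside the org or delete mail are classic exfiltration tells.
    out = set()
    fwd = ev.get("forward_to", "")
    if fwd and not fwd.endswith(ORG_DOMAIN):
        out.add("external_forward_rule")
    if ev.get("delete"):
        out.add("delete_rule")
    return out

LOGIN = {"atypical_geography", "untrusted_device"}
FOLLOW_ON = {"new_beneficiary", "external_forward_rule", "delete_rule"}

def correlate(events, baseline=BASELINE, paid_before=PAID_BEFORE):
    """Alert per user only when a login anomaly coincides with a follow-on
    signal; each perspective alone is too noisy to page on."""
    per_user = defaultdict(set)
    for ev in events:
        if ev["type"] == "login":
            per_user[ev["user"]] |= login_signals(ev, baseline)
        elif ev["type"] == "payment":
            per_user[ev["user"]] |= payment_signals(ev, paid_before)
        elif ev["type"] == "inbox_rule":
            per_user[ev["user"]] |= rule_signals(ev)
    return {u: sorted(s) for u, s in per_user.items() if s & LOGIN and s & FOLLOW_ON}
```

Running `correlate(SAMPLE_EVENTS)` returns one alert for `ap.clerk` carrying all five signals; the same payment to a known supplier from a baseline login produces no alert.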
12. SBA: Free fraudster candy
Krista Arndt, deputy CISO for Customers Bank, says that Small Business Administration (SBA) fraud is “huge.” Since the bank is primarily digital, she mostly sees forged identities used when passing ID checks or to create checking accounts for money laundering. “[Fraudsters] try to disappear with the money because they consider SBA loans like free candy,” she said.
The bank uses fraud detection platforms that help to identify activity trends within banking applications. Cyber fraud experts correlate the indicators, which leads to shuttering fraudulent accounts.
13. Email spoofing: ‘CEOs’ who don’t act like CEOs
Gene Libov (@Planet9Inc), principal consultant at information security services provider Planet 9, recently investigated the case of a marketing manager who received an email apparently from the CEO. It asked the marketing manager for his personal phone number.
“Shortly after, the manager received a text message from the ‘CEO’ asking him to purchase 25 $100 gift cards and send him pictures of all cards with the code scratched,” Libov said. “The manager’s iPhone contacts suggestion feature recognized the sender’s number as the CEO’s number. Why? Because the attacker embedded this phone number in the initial email message signature, and the iPhone connected the contacts.”
To detect email spoofing, Libov suggests:
1. Look for signs of phishing emails, such as odd email addresses in the “from” and “reply to” fields; a sense of urgency; or links that look fishy when you hover over them.
2. Don’t open unexpected attachments.
3. Verify sensitive requests in person or by calling.
14. Phishing: 1,001 ways to spike adrenaline
Christopher Covino, policy director for cybersecurity in Mayor Eric Garcetti’s Office of Public Safety at City of Los Angeles, received an email the other day. “Thank you for your order,” it said. “Your PayPal has been charged $799.99. If you don’t recognize this charge, call this #”. Really?! Nope, nyet, and no charge.
DefenseStorm’s Barrett advises financial institutions to detect phishing attacks by:
- Performing security checks to ensure the reply address exactly matches the business and isn’t spoofed,
- Checking the dark web for indications of malware or a data breach on the business,
- Confirming the existence of a new vendor,
- Checking consortiums for known business scams, and
- Validating that the invoice amount is within the norm.
15. Catfishing: Dogs in front of keyboards
On the Internet, nobody can tell you’re a dog. Like, say, the guy who pretended he was Justin Bieber, but who was actually a 35-year-old UK man who was subsequently imprisoned for talking children into stripping in front of a webcam.
It’s known as catfishing. Luis Valenzuela (@luisvalenzuela), a technology project manager specialist for the financial transaction firm FIS, says these scammers do things like create a fake LinkedIn profile with an attractive picture and a position in a reputable organization. “Then, they start connecting with legitimate employees, who accept the connection because, ‘Well, we work at the same company!’,” Valenzuela explained.
Be careful what you believe online—you might be talking to a phony.
16. 419 scams: Not just Nigerian princes
419 scams, also known as advance fee or Nigerian scams, can originate from anywhere. A sender requests help—generally via email—to transfer money. Stan Stahl, founder and president of SecureTheVillage, overheard a heart-wrenching story: A single, middle-aged, successful businesswoman fell in love with a Nigerian “businessman.” Two years in, she got an email. He was selling his business and would be home soon. He just needed a little help with the transaction. Could she help?
“‘The money will show up in your account,’ she’s told,” Stahl recounted. “‘Transfer it to this account.’ [She did.] Now, she’s the money mule. She sends the money and expects him to show up.”
Instead came a knock on the door. It was the FBI. She not only wound up with a broken heart; she also had to pay restitution, given that she was, legally, an accessory to money laundering.
17. Identity: Invasion of the developer snatchers
A few years ago, Paul Lanzi (@planzi), co-founder and COO of privileged-access management firm Remediant, was leading an app development team at a biotech with developers in India and San Francisco Bay. On average, the company recruited one new developer a month. Once, they video-interviewed a great candidate— “tons of technical depth, very clear communicator, and had even worked in the biotech industry previously,” Lanzi recalled.
Slight problem: The candidate couldn’t get his video working for the call, so it was audio-only. The team was still unanimous on hiring him. But on his first day, whoever showed up had the same name as the person they had interviewed, but none of the skills. “We had been bamboozled by a strange form of impersonation fraud,” Lanzi said.
No more audio-only interviews for that dev team. “From then on, we insisted on video interviews, and we ultimately fired the recruiting company that had led us down that particular garden path,” Lanzi said. “I see this as a great example of how online identity fraud can show up with implications in the real world. This pair of guys bamboozled our recruiter, our background check, and interview processes.”
18. Unemployment: Out of work all over
Shortly after being downsized from Deloitte last year, Dr. Andrew Aken (@AndrewAken2), zero trust lead technical architect at Twitter, received a notice that his unemployment claim had been processed … even though he hadn’t applied. When he did apply, he found that someone else had filed an unemployment claim using his data, acquired from the 2017 Equifax breach. It took two months to get his claim processed.
DefenseStorm’s Barrett tells the tale of another flavor of unemployment fraud: the worker who’s “unemployed” in multiple states. “A fraud investigator [was] auditing recent benefit payments deposited at her financial institution,” he recounted. “She discovers an account that was opened within the past month, was linked to an account at another financial institution, and has received unemployment benefits from four different states. Further, those funds were transferred out of the account to the linked account within 24 hours of posting.”
Barrett has a slew of suggestions about how to respond to these money-mule accounts before they’re used for money laundering. Here are a few:
- Monitor IP addresses at account opening and online login, and flag when multiple accounts are opened or accessed from the same IP,
- Monitor new accounts for activity such as linking to another financial institution before any deposits are made, and
- Review email addresses for tenure and likeness to the account holder name.
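Barrett’s mule-account indicators (shared opening IP, an external link set up before any deposit, benefits from several states, funds moved out within 24 hours of posting, and email tenure or likeness to the holder’s name) can be turned into a review queue. The script below is an added illustration, not DefenseStorm’s code; the account and transaction records are constructed, and `email_age_days` stands in for whatever email-tenure lookup your institution uses.

```python
"""Score newly opened accounts for money-mule indicators.
Added illustration over constructed records; field names are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed accounts. 'email_age_days' stands in for an email-tenure lookup.
ACCOUNTS = [
    {"id": "A2", "holder": "John Carter", "email": "qzx1930@example.net",
     "email_age_days": 9, "opened_ip": "198.51.100.4", "opened": "2021-03-02",
     "linked_external": "2021-03-03"},
    {"id": "A3", "holder": "Dana Reed", "email": "dana.reed@example.net",
     "email_age_days": 1500, "opened_ip": "198.51.100.4", "opened": "2021-03-05",
     "linked_external": "2021-03-20"},
]
# Constructed transactions: benefit deposits (with paying state) and outbound transfers.
TRANSACTIONS = [
    {"acct": "A2", "kind": "benefit", "state": "CA", "ts": "2021-03-10T09:00"},
    {"acct": "A2", "kind": "benefit", "state": "TX", "ts": "2021-03-11T09:00"},
    {"acct": "A2", "kind": "transfer_out", "ts": "2021-03-11T15:00"},
    {"acct": "A3", "kind": "benefit", "state": "CA", "ts": "2021-03-12T09:00"},
    {"acct": "A3", "kind": "transfer_out", "ts": "2021-03-20T09:00"},
]

_t = datetime.fromisoformat  # parse the constructed ISO timestamps

def name_matches_email(holder, email):
    # Likeness check: does any name token (3+ chars) appear in the email local part?
    local = email.split("@")[0].lower()
    return any(len(tok) > 2 and tok in local for tok in holder.lower().split())

def mule_indicators(acct, accounts, txns):
    """Return the indicators an investigator would review for one account."""
    flags = []
    ip_count = Counter(a["opened_ip"] for a in accounts)
    if ip_count[acct["opened_ip"]] > 1:
        flags.append("shared_opening_ip")
    mine = sorted((t for t in txns if t["acct"] == acct["id"]), key=lambda t: t["ts"])
    deposits = [t for t in mine if t["kind"] == "benefit"]
    first_dep = _t(deposits[0]["ts"]) if deposits else None
    if acct["linked_external"] and (first_dep is None or _t(acct["linked_external"]) < first_dep):
        flags.append("linked_before_first_deposit")
    if len({d["state"] for d in deposits}) > 1:
        flags.append("benefits_from_multiple_states")
    for out in (t for t in mine if t["kind"] == "transfer_out"):
        if any(timedelta(0) <= _t(out["ts"]) - _t(d["ts"]) <= timedelta(hours=24) for d in deposits):
            flags.append("out_within_24h_of_posting")
            break
    if acct["email_age_days"] < 30 or not name_matches_email(acct["holder"], acct["email"]):
        flags.append("email_tenure_or_likeness")
    return flags

def review_queue(accounts=ACCOUNTS, txns=TRANSACTIONS, min_flags=2):
    """Accounts carrying at least min_flags indicators, most suspicious first."""
    scored = [(a["id"], mule_indicators(a, accounts, txns)) for a in accounts]
    return sorted([s for s in scored if len(s[1]) >= min_flags], key=lambda s: -len(s[1]))
```

With the constructed data, `review_queue()` surfaces only A2 (five indicators); A3 shares an opening IP but otherwise behaves normally and stays below the threshold.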
19. Scraping: Piggybacking off hard work
F5’s Woods worked with one luxury brand in the US whose site was completely scraped and recreated in Russia. If someone in Russia placed an order, someone on the back-end created it in the US, jacked up the price, then shipped the order to the purchaser.
Ripped-off retailers lose their relationship with the customer. “A lot of large retailers in the US would love a lot of Russian customers, but they can’t, because this intermediate step has taken over the relationship,” Woods noted.
Various guides to stopping web scraping are available online.
20. Sextortion: No, nobody filmed you watching porn
These emails claim that hackers have videos of you watching porn. Fork over the Bitcoin, lest they share the embarrassing content with your friends and family, they threaten.
The reality: Somebody’s pants are on fire. If the hacker actually did have such a video, they’d show it to you instead of jumping through hoops to convince you they do. The first, most important piece of advice from the Electronic Frontier Foundation (EFF): don’t pay the ransom.
So what if the hacker sent you a password that they claim is yours, and it actually is? They could have gotten it from a years-old breach. If you still use the password they mailed you, stop, immediately. Change it. And whether or not you still use that password, it’s a fine idea to use a password manager. Enable it wherever you have the option.
Conclusion: Fraud keeps innovating
As wide a variety of digital fraud as we’ve enumerated here, we’ve barely scratched the surface. Stay sharp. The crooks keep innovating, so this list has only one way to go: namely, as long as Pinocchio’s nose.