The last two years have seen fundamental changes in online behaviour for businesses, customers, and criminals. With the trend set to continue, Callsign’s Andreas Eliasson looks to the year ahead.
In a recent webinar that I hosted, we looked at the fraud trends that we’re likely to see in 2022. Behaviours, attitudes, and technologies are all changing; and one change that’s particularly unwelcome is the ever-rising cost of fraud – to the extent that cybercrime is estimated to cost the world USD 10.5 trillion annually within the next three years.
Unfortunately, the bad actors responsible for driving up this cost are as determined as they are ruthless, and they’re not slow to adopt new technologies and attack vectors to ply their trade. But very often these new approaches are, at the core, new twists on old tricks.
And that’s a positive ray of light. It means that there are defences against the threats emerging now, and against the ones that will emerge in 2022.
There’s always a bigger phish
Scams are becoming more sophisticated across every vector, with Remote Access Trojans (RATs) and automation such as auto-diallers being used to increase scale. A growing proportion of scammers are now based domestically, which makes the source country a much weaker indicator of fraud.
Phishing is likely to stay endemic, purely because it’s so cost-effective for the fraudsters. Phishing kits are cheap and widely available, containing everything a fraudster needs to get up and running, and PhaaS (Phishing as a Service) provides scammers with a sophisticated subscription-based fraud model.
Phishing has become a significant problem in the corporate arena too: CEO fraud, Business E-mail Compromise (BEC), and invoice redirection scams are rife. The latter is costing businesses upwards of GBP 92 million a year in the UK alone.
The continuing problem of ATO
A huge asset for the fraudsters is the lack of user education around scam attacks and the severity of the consequences of falling for them. It’s one of the reasons why Account Takeover (ATO) fraud continues to be a serious issue right across the board.
The ROI on ATO is high for bad actors. Credentials are easy to come by: either from phishing attacks or cheaply purchased from the dark web. With many accounts reliant on little more than a username/password combination, credential stuffing attacks are also likely to yield results.
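The credential-stuffing pattern described above has a simple signature in authentication logs: one source replays leaked username/password pairs at scale, so it produces many attempts across many different usernames in a short window, mostly failing, with the occasional success marking a live takeover. The detector below is an added illustration of that defender-side check; it is not Callsign’s code, and the log format, the window length and the thresholds are assumptions chosen for the example, as are the sample log lines.

```python
"""Flag likely credential-stuffing sources in authentication logs.

Added example, not Callsign's code. Credential stuffing replays leaked
username/password pairs at scale, so one source tends to produce many
failed logins spread across many *different* usernames in a short window.
A genuine user typically fails a few times on a single account.
The log format, window and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2022-01-10T09:00:01Z 203.0.113.7 alice FAIL
2022-01-10T09:00:02Z 203.0.113.7 bob FAIL
2022-01-10T09:00:02Z 203.0.113.7 carol FAIL
2022-01-10T09:00:03Z 203.0.113.7 dave FAIL
2022-01-10T09:00:03Z 203.0.113.7 erin OK
2022-01-10T09:00:04Z 203.0.113.7 frank FAIL
2022-01-10T09:00:05Z 203.0.113.7 grace FAIL
2022-01-10T09:01:00Z 198.51.100.20 alice FAIL
2022-01-10T09:01:05Z 198.51.100.20 alice FAIL
2022-01-10T09:01:12Z 198.51.100.20 alice OK
2022-01-10T09:30:00Z 203.0.113.7 heidi FAIL
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.2):
    """Return {ip: details} for sources that, within some sliding window,
    tried at least `min_users` distinct usernames with a low success rate.

    For each flagged IP the window with the most distinct usernames is
    reported, together with the accounts that logged in successfully
    inside it: those are the accounts a responder should lock and review.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successful_users": sorted(set(successes)),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the constructed log, only 203.0.113.7 is flagged (seven usernames in a few seconds, one success), while 198.51.100.20, a user retrying their own password, is not. The success for `erin` inside the flagged window is the account to treat as compromised; a password-only login is exactly the case the thresholds are designed to catch, since nothing else distinguishes the attacker’s attempt from the owner’s.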
Ever following the path of least resistance, fraudsters have lately been shifting their aim to less obvious targets such as loyalty schemes, where the value of unspent points is estimated to be well over USD 150 billion.
A chip off the new blockchain
2021 was a pivotal year for cryptocurrencies, but the headlines around bull runs were overshadowed by the vast number of scams in the crypto space. While the European banking sector is still working on enabling real-time payments, the fraudsters have moved to real-time transfers with crypto.
But once more, these are cases of old techniques finding a new lease of life. At the heart of most crypto scams are variations on established techniques – from social engineering approaches to straightforward phishing, to malware-led attacks such as RATs.
Old technologies, old problems
Fraudsters rapidly adjust to new opportunities and avenues of approach. The tools, baits, and pretexts may be new, but they’re underpinned by established techniques – and that means there are always signals that can be spotted. By being agile, organisations can adapt, bring in those signals, and spot anomalies.
But a great many businesses are still relying on outdated and insecure authentication and online fraud prevention technologies. An over-reliance on static authentication such as passwords and SMS OTPs is endemic across every sector. Not only are these simple to bypass; relying on them also means that organisations are authenticating in the very same channel where the phishers are casting their nets.
Putting future threats into past tense
Preventing fraud and scams in earnest means moving beyond static authentication. By taking a layered intelligence approach, businesses can positively identify genuine users and block fraudsters. It’s a natural step up from relying solely on fraud detection – an approach that’s prone to false positives and can leave the customer feeling that they’re being treated like a criminal.
The adoption of a robust Orchestration Layer brings further dividends and allows for a holistic customer view across the web and mobile channels. Real-time changes can then be made to bring in new signals and strategies more quickly than the fraudsters can adapt.
The social engineering tactics used by bad actors can be tackled by AI- and ML-driven dynamic interventions that recognise the signs of a scam taking place and warn genuine customers in real time – stopping the scammers in their tracks.
An authentication and online fraud prevention platform such as Callsign, with behavioural biometrics layered with device ID and device fingerprinting, makes life tough for fraudsters, regardless of their approach. And if there’s one thing that’s not likely to change, it’s this: in the face of tough security, bad actors will swiftly move onto an easier target.
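To make the layered approach of the last few paragraphs concrete, here is an added example (not Callsign’s product logic) of a login decision that treats a correct password as one signal among several rather than as proof of identity: device recognition, behavioural similarity, geo-velocity, a remote-control indicator for RAT-driven sessions, and transaction context are combined into a risk score, and the outcome is allow, step-up, or block. The signal names, weights, thresholds and the three sample logins are all assumptions chosen for the illustration; a real orchestration layer would feed these from live device, behavioural and network data.

```python
"""Layered login risk decision combining independent signals.

Added example, not Callsign's code. A correct password alone does not
prove identity: the login is scored across several layers (device,
behaviour, network, context) and the result is allow, step-up or block.
Signal names, weights and thresholds are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass
class LoginSignals:
    password_ok: bool            # the static credential checked out
    device_known: bool           # device ID / fingerprint seen before for this account
    behaviour_match: float       # 0..1 similarity to the user's typing/swipe profile
    travel_speed_kmh: float      # implied speed since the last login (geo-velocity)
    remote_control: bool         # session driven through a remote-access tool (RAT signal)
    recent_password_reset: bool  # context: reset shortly before a sensitive action


def score_login(s: LoginSignals):
    """Return (risk in 0..1, list of reasons). Each layer adds risk
    independently, so no single spoofed signal can clear the login."""
    if not s.password_ok:
        return 1.0, ["credential check failed"]
    risk, reasons = 0.0, []
    if not s.device_known:
        risk += 0.35
        reasons.append("unrecognised device")
    if s.behaviour_match < 0.5:
        risk += 0.30
        reasons.append("behaviour does not match the account holder's profile")
    if s.travel_speed_kmh > 900:
        risk += 0.25
        reasons.append("impossible travel since last login")
    if s.remote_control:
        risk += 0.50
        reasons.append("session driven by remote-control software")
    if s.recent_password_reset:
        risk += 0.15
        reasons.append("password reset immediately before sensitive action")
    return min(risk, 1.0), reasons


def decide(s: LoginSignals, step_up_at=0.3, block_at=0.7):
    """Map the layered score to an action. The step-up is meant to be an
    out-of-band prompt (e.g. push to the registered app), not an SMS OTP
    sent into the same channel a phisher may already control."""
    risk, reasons = score_login(s)
    if risk >= block_at:
        action = "block"
    elif risk >= step_up_at:
        action = "step_up"
    else:
        action = "allow"
    return {"action": action, "risk": round(risk, 2), "reasons": reasons}


# Constructed scenarios: a genuine user, a stuffed credential on a new
# device, and a RAT-driven session on the victim's own device.
GENUINE = LoginSignals(True, True, 0.92, 0.0, False, False)
STUFFED = LoginSignals(True, False, 0.20, 0.0, False, False)
RAT_DRIVEN = LoginSignals(True, True, 0.30, 0.0, True, False)

if __name__ == "__main__":
    for name, sig in [("genuine", GENUINE), ("stuffed", STUFFED), ("rat", RAT_DRIVEN)]:
        print(name, decide(sig))
```

The point of the three scenarios is that all three present a correct password. A password-only system allows every one of them; the layered decision allows the genuine user without friction, challenges the stuffed credential on an unknown device, and blocks the remote-controlled session outright even though it comes from the victim’s own recognised device.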
About Andreas Eliasson
Andreas Eliasson has been working with fraud prevention and security for 10 years and is passionate about helping organisations protect their users. He is a Certified Information Systems Security Professional (CISSP) and has two patent applications for how to improve the usability and effectiveness of authentication and online fraud prevention systems.
About Callsign
Callsign has a simple vision: we want to make digital identification seamless and secure. Our unique positive identification approach balances high security and user experience, allowing customers to interact online safely, with minimal friction, while ensuring that bad actors are blocked to protect customers’ identities and business interests.