The Changing Landscape of Financial Fraud

More attacks, new fraud techniques, and other observations from the front lines

While the recent migration online due to shelter-at-home orders and public closures has heavily affected multiple industries (travel, hospitality, and restaurants, just to name a few), its impact on the financial sector has so far been limited to discussions about the economy. However, financial platforms are — as they have always been — a fierce battleground between risk teams and the most sophisticated fraudsters.

Traffic volume on financial platforms has been relatively consistent over time, although certain types of services such as loan applications have experienced increased volume in recent weeks. This is quite different from other verticals, such as social, mobile gaming, and marketplaces, which have experienced traffic fluctuations in response to COVID-19 and users’ changing lifestyles.

Daily traffic volume observed by DataVisor for bank account openings, transactions, and loan applications.

Fraudsters remain extremely active. The average daily fraud rate is 7% for transactions, 2% for account openings, and 1.8% for loan applications, but can vary widely from day to day.

Some attack types have increased substantially in recent months: Account takeover attempts increased by 20% since the beginning of March, and new account fraud increased by 40%. As governments around the world issue financial aid and stimulus packages to mitigate the financial impact of the coronavirus outbreak on individuals and businesses, fraudsters are already exploiting the situation to cash out. A recent report found a surge in malicious domain registrations associated with stimulus packages. These domains are likely used to perpetrate email phishing campaigns, for example, pretending to be delivering payouts from governments or NGOs. Nearly one-fifth of all phishing emails in Gmail are coronavirus-related.

This type of fraud and others have led to transaction fraud — almost doubling since March. Fake check deposits, external account linking, account draining, and declined transactions signal a variety of ongoing malicious activities. The economy may have slowed for the general population, but not for fraudsters.

In the recent month, DataVisor observed account takeover attempts increase by 20% and transaction fraud increased 100%.

Dynamic Attacks

Fraudsters’ methods are always changing. To evade detection, bad actors “blend in” their activities with those of normal users in different ways:

• They use specialized network proxy services with IP ranges from residential, educational, or other types of networks with “good” or ”neutral” reputation
• They randomize the timing of events to avoid velocity-based bot detectors
• They use fake contact information and scripts to generate realistic email and mailing addresses
• They employ low-volume activities to stay under the radar, often testing in small batches before launching the main attack
• They use emulators, jailbroken devices, or spoofed device information to create the appearance of multiple independent customer accounts and devices

As a proactive anti-fraud solution, DataVisor’s unsupervised approach adapts to changing attack patterns automatically. Analyzing which “features” trigger detection by our unsupervised learning models also gives us a glimpse of recent attack trends.

An example heatmap showing different attack patterns detected by DataVisor’s unsupervised model over time. Each row corresponds to a pattern; cells indicate detection volume.

Naive attacks that launch fake accounts with the same profile information from the same location and device are becoming less frequent, at only around 20% of holiday levels. Instead, we’ve observed increased use of spoofed or emulated device information, particularly in coordinated waves of fraudulent loan applications.

Content manipulation techniques (traditionally a problem for platforms accepting user-generated content, or UGC) have made their way to the financial domain, as well. Emails, usernames, mailing addresses — these are all examples of the user-provided information necessary for using online financial services, and they are ripe for exploitation.

Attacks patterns changing over time, as detected by DataVisor’s unsupervised learning model. Specifically, usage of device spoofing (likely using emulators) is on the rise, as well as third-party fraud. Attacks that manipulate content (usernames, email addresses, and mailing addresses) are also finding their way to the financial domain, with a slight increase in March.

These changing patterns reflect the stricter controls imposed by financial institutions to combat malicious activities, such as rate-limiting the applications or activities per device, tighter rules, and more rigorous background checks to block first-party fraud. Fraudsters are being forced to use real identity information (such as information obtained through phishing or from data breaches) and step up their game to evade detection by current rules. This is evidenced by the increase in third-party fraud.

Application Fraud in Action

A recent application fraud ring detected by DataVisor illustrates how fraudsters are actively changing up their techniques to bypass existing security measures — manipulating the contact information on the applications and switching device identifiers. In this attack, the applications are made up of a mix of synthetic identity and third-party fraud. Although some of the applications are created using fake IDs, others are submitted with real information. This creative mix allows the attack to appear more “random,” similar to isolated, independent applications that would have been submitted by legitimate users.

The table below shows the anonymized details of this attack. Each row corresponds to an application. The highlighted rows in green are related to third-party fraud, where the hashed SSN details appear to match the customer names, phone numbers, addresses, job titles, and other personal information exactly. The rest of the rows are synthetic fraud, with fake user details sharing a common driver’s license number (not shown). However, a subset of the synthetic and third-party fraud applications originate from the same device identifier, indicating a subtle relationship between all of these fake identities.

An anonymized example of a recent application fraud attack detected by DataVisor. This group of coordinated accounts uses device and content manipulation to avoid detection, and contain a mix of fake identities and third-party fraud.

Bigger, Meaner Attacks

In addition to advanced techniques, attacks are also becoming larger — involving a higher number of fraudulent accounts and potentially doing more damage.

Fraudulent money transfers can involve hundreds or even thousands of fake accounts and “money mules.” Even for loan applications (a relatively manual operation), we observed an increase in large attacks in March and April. Large attacks that involve tens of applications make up 45% of all attacks — — a 170% increase since January.

The proportion of attacks that are bigger in size is increasing. Large attacks that involve tens of applications make up 45% of all attacks — — a 170% increase since January.

The fact that attacks are increasing in scale and sophistication shows that fraudsters have developed efficient infrastructure and orchestration methods — -likely facilitated by highly specialized vendors in underground marketplaces, and evolving in response to advances in anti-fraud solutions.

The increasing availability of online banking and financial services has undoubtedly attracted cybercriminals that are familiar with digital attacks. They are adept at manipulating digital identifiers such as email addresses, IP addresses, user-agent strings, and device information, and skilled at bypassing common authentication schemes such as passwords, captchas, and second-factor authentication. The global rippling effect of the coronavirus provides ample opportunities for those looking to take advantage of the crisis for misuse.

While the economy slows and businesses take cautionary measures to battle the virus, one thing is certain: Fraudsters are not taking a break. If businesses aren’t keeping up, they are already behind.