The letter in June sat for a few days before Wendy Schwartz got around to opening it. What she read immediately set off alarm bells. The letter was from her state’s unemployment office confirming her claim for pandemic unemployment assistance. Then came another letter with her monetary determination.
The problem was, Schwartz didn’t file a claim—nor was she unemployed.
From there, Schwartz embarked upon what ended up being a labyrinthine process to deal with the theft of her identity, including filing a fraud claim with the state, completing an ID theft affidavit that had to be notarized and filed with the police, contacting the major consumer credit bureaus, notifying creditors to put fraud alerts on her accounts, and doing a credit freeze.
“It was very time consuming, and I felt very violated,” Schwartz recalls, adding that it took close to a week to deal with the situation. She has no idea how someone got her personal information.
Schwartz says her local police department told her it has received thousands of reports of unemployment scams since the pandemic began and that it is the new big thing. The Federal Trade Commission (FTC) agrees.
Tens of thousands affected
In recent months, “unemployment fraud has risen dramatically because it is so financially advantageous, especially after Congress instituted the [weekly] $600 payments” under the now-ended Coronavirus Aid, Relief, and Economic Security (CARES) Act, says Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center. “They need a person’s identity credentials, which we believe were derived from previous breaches.”
The FTC has also warned of “a large-scale scam involving phony unemployment benefits claims” by criminals, “possibly based overseas,” who are filing claims for benefits using the names and personal information of people who have not lost their jobs. The investigation is ongoing, the FTC says, “but this much is known: The fraud is affecting tens of thousands of people, slowing the delivery of benefits to people in real need and costing states hundreds of millions of dollars.”
Like everyone else, fraudsters respond to incentives. A major motivation for enhanced unemployment benefits in response to the pandemic was to get money out into the economy quickly. That means the state agencies disbursing the money may not have been as vigilant in their verification of applications as they usually are. The increase in the level of unemployment benefits created a large incentive for fraud, and—without getting into specifics—it’s quite easy to file such an identity theft-based claim. Whether you are a consumer, small or medium-size business, or enterprise, there is no doubt that bad actors are preying on people’s emotions like never before with highly sophisticated financial cyber-fraud schemes.
The pandemic has created “a perfect storm of fear, uncertainty, doubt … and chaos,” said Keri Pearlson, executive director of cybersecurity at the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3 at the MIT Sloan School of Management, at a virtual roundtable with chief information security officers in July. Over 90 percent of breaches start with some type of human error, she noted.
Among the latest email scams the (IC)3 has seen are fake pharmacies advertising COVID-related remedies, as well as fake websites purporting to sell masks and other personal protective equipment (PPE), Pearlson says.
E-commerce sites targeted
Fake e-commerce websites claiming to sell high-quality COVID-19 essentials like sanitizers and masks are one of two sophisticated financial frauds employees at NuLeaf Naturals have seen, says Ian Kelly, who is vice president of operations and heads up the company’s cybersecurity. “People who turn to these fraudsters end up paying for products they’ll never receive. After a few weeks or days, the entire website gets shut down.”
Kelly says he has also seen cybercriminals share “fake donation links in the name of reputed COVID-19 relief NGOs. They send emotional messages asking for relief funds for the underprivileged in foreign countries. Many large-hearted people end up donating their hard-earned money to scammers instead.”
He notes that his team looks for many red flags to identify such websites, including newly registered domain names and anonymous domain name registrants.
Cyberattacks on social media sites have also made headlines recently after revelations that several prominent public figures, including presidential candidate and former Vice President Joe Biden, Microsoft co-founder Bill Gates, and Tesla CEO Elon Musk, had their Twitter accounts hijacked in a cryptocurrency scam that is alleged to have leveraged a spear-phishing attack.
Nearly half of organizations surveyed reported an increase in cyberattacks since mass work from home began, according to Enterprise Strategy Group.
In a sign of the times, the U.S. Secret Service recently launched the Cyber Fraud Task Force to investigate financially motivated cybercrime, with 42 domestic and two international locations.
One reason financial scams are so successful now, experts say, is that the world has grown increasingly remote since the coronavirus pandemic began in March. Banks, in particular, have responded by encouraging customers to take advantage of mobile, online, and phone services so they don’t have to walk into a branch.
“We’ve removed a layer of authentication, which is the face-to-face interactions … and that has created an opportunity,” says Velasquez.
The types of fraud that continue to be carried out are what Steven D’Alfonso, research director of worldwide compliance, fraud, and risk analytics at IDC Financial Insights, refers to as the “ings”: phishing, pharming, and social engineering.
Regardless of business size, people remain the weak link. “That’s the key. That’s what cybercriminals are going after. They prey on people’s anxieties,” says D’Alfonso. And unlike the typical scams that crop up after a natural disaster, he says, “this is the perfect storm” because the pandemic is affecting everyone.
“So you’ve got a highly anxious population, you’ve got the government infusing or introducing cash into the system through stimulus payments and PPP loans, and at the same time, more people are engaging with their banks and retailers and doing everything online,” many for the first time, he adds.
Even people who are more cyber-savvy may have lowered their defenses if they are unemployed and may be more vulnerable to social engineering if they are in a tough situation financially, D’Alfonso says.
“The pool of victims is everyone,” agrees Velasquez. “There is so much uncertainty right now, and it’s so confusing trying to understand which programs are legitimate. … Scammers prey on fears.”
Voice apps are susceptible
The issue now is not that attacks have continued to grow in sophistication during the pandemic; it’s that the attack vectors continue to grow and both sides are using AI as a weapon, says Chris Ibbitson, chief technologist for the financial services industry at Hewlett Packard Enterprise.
For example, in the U.K., where he is based, people have been getting calls saying they were reported as being in contact with someone who tested positive for the coronavirus and they have to give their financial information to pay to get a test, Ibbitson says.
There are also more targeted spear-phishing attacks aimed at certain individuals as well as automated attempts to go after more people at once, he says. “We’re spending more of our lives online and using services … we didn’t use a year ago,” like Zoom and Office 365, he says.
Bad actors are creating fake sign-in pages, and many users are getting random pop-ups asking them to re-sign in, Ibbitson says.
“We’re starting to see more elements of fake authentication pages, and we’re continuing to see much more multifaceted phishing, where [bad actors are] not just phishing with email to get into your details but to get you to click to install malware on Facebook or Twitter,” he says.
The coronavirus and the growing dependency on mobile devices are incenting cyberattackers to branch out, Ibbitson says. He believes the next target will be AI-embedded voice systems like Alexa and Siri as people spending more time at home invest in these technologies and financial institutions keep making it easier for people to interact with them.
“A number of banks in Europe and the U.S. enable you to link to your Alexa and similar devices to say, ‘Hey, Alexa, what’s my balance?’ or ‘Hey, Alexa, pay $1,000 pounds on my Amex,’” Ibbitson says. “As people get used to that type of transaction, the fear is we’ll start to see bad actors build their own apps and compromise banking apps on devices or install some sort of malware to act as the man in the middle.” Already, smart voice systems have proved vulnerable to hacking.
Another sophisticated scam technique is bank transfer fraud or authorized push payment, where people are tricked into making fraudulent payments through impersonation, he says.
In an effort to combat this, in the U.K., there’s a directive called Confirmation of Payee, under which banks will start to check that the payee’s name entered matches that person’s account details. In addition, across Europe, Strong Customer Authentication (SCA) is also being rolled out. With SCA, customers will be required to authenticate for certain types of online transactions, Ibbitson says. “If I’m on the British Airways website booking a flight to the U.S., sometimes it may prompt me to authenticate the transaction using some form of second-factor authentication such as approving the transaction in the mobile app of my bank or credit card provider.”
Ibbitson also cites stress and distraction as factors in helping criminals be more successful now. “You’ve got general uncertainty … and all of us are still working and typically from home full time, and we’re actually busier than before,” he says, since people tend to work longer hours from home and don’t have commuting time to break up the day.
Leveraging AI on both sides
Advances in artificial intelligence and algorithms are enabling new forms of financial deception to produce realistic deepfake videos, photos, and writings in what is sometimes referred to as synthetic media.
IDC’s D’Alfonso thinks there will be an uptick in synthetic identity fraud. “It’s definitely a fast-growing fraud that affects banks, merchants, retailers—anyone setting up or offering credit,” he says. “Synthetic identities have been used to fraudulently get auto loans.”
But just as cybercriminals are using AI to increase the reach and sophistication of their attacks, businesses and financial services institutions are using it to combat them by spotting patterns and detecting fraudulent behavior, Ibbitson says.
The good news is that banks and other financial institutions are already leveraging some form of AI today, “but they must leverage more … to give you real-time insights so you’ll be able to take action almost immediately,” he says.
Exercise common sense, D’Alfonso stresses, bearing in mind that banks and other financial companies you deal with are typically not going to send emails with links they ask you to click on. And if you receive an email from subscription services like Netflix saying your account needs updating, be suspicious, he says.
“Go directly to the website outside of email,” and set up alerts so you’ll be notified of any account changes, he advises. Also set up two-factor authentication whenever possible, he adds, since that will require a higher level of security when logging into your various online accounts.
Credit reports are available for free from all credit bureaus until April 2021, D’Alfonso says, so there’s no reason not to check them frequently.
And, of course, the experts advise following the two Vs: verification and vigilance.
“Have your wits about you with what’s going on, and if it looks too good to be true, it probably is,” Ibbitson says.
FINANCIAL FRAUD: LESSONS FOR LEADERS
- You, your company, and your customers are more at risk of fraud than in the past.
- Criminals are using AI and other cutting-edge tools.
- Vigilance and verification are the best ways to avoid trouble.