Tag: fraud prevention

Synthetic identity fraud is on the rise across financial services, ecommerce, public sector, health and utilities markets. The long-term impact of synthetic identity remains to be seen and will hinge largely upon forthcoming efforts across the identity ecosystem made up of service providers, institutions and agencies, data aggregators and consumers themselves. Making measurement more challenging is the fact that much of the assumed and confirmed losses are associated with credit risk and charge offs, and lack of common and consistent definitions and confirmation criteria. Here are some estimates on the scope of the problem: Losses due to synthetic identity fraud are projected to reach more than $800 million in 2017.* Average loss per account is more than $10,000.* U.S. synthetic credit card fraud is estimated to reach $1.257 billion in 2020.* As with most fraud, there is no miracle cure. But there are best practices, and topping that list is addressing both front- and back-end controls within your organization. Synthetic identity fraud webinar> *Aite Research Group

Evolution of first-party fraud to third Third-party and first-party schemes are now interchangeable, and traditional fraud detection practices are less effective in fighting these evolving fraud types. Fighting this shifting problem is a challenge, but it isn’t impossible. To start, incorporate new and more robust data into your identity verification program and provide consistent fraud classification and tagging. Learn more>

Businesses may be increasingly aware of identity theft threats to their customers, but an Experian survey shows that many consumers still seriously underestimate their risk of falling victim to identity thieves. In fact, the persistent and harmful myth that the majority of consumers are not vulnerable to identity theft is badly in need of debunking. Consumer misconceptions The online Experian survey of 1,000 Americans, age 18 and older, found many consumers have a false sense of security about identity theft, even those who regularly engage in behaviors that can dramatically elevate their risk of having their identities stolen. For example: Sixty-two percent of consumers said the security of their personal information online is a minor concern that doesn’t worry them much, and 17 percent never worry about it at all. The top reason for their lack of concern? Twenty-seven percent said it was because they didn’t share that much personal identifiable information (PII) online. Yet consumers store an average of 3.4 types of PII online, and have a large digital footprint that can make it easy for cybercrooks to track and steal their information. Half believe poor credit means identity thieves won’t be interested in stealing their PII. Twelve percent believe they’re safe because they take security precautions, and 9 percent think using only secure websites insulates them from identity theft risks. Risky behaviors When identity theft occurs, consumers are likely to blame any business they associate with the theft. A Gemalto survey found that consumers said protecting their data is 70 percent the responsibility of the companies they do business with, and just 30 percent their own responsibility, Infosecurity Magazine reports. What’s more, 29 percent said they don’t think businesses take their responsibilities seriously enough when it comes to protecting consumer data. Yet the survey found consumers are probably far more responsible for identity theft than they think because they continue to engage in behaviors that put them at greater risk. These include: Shopping online over a public Wi-Fi connection (43 percent) Allowing others to use online account names and passwords (33 percent) Letting others know their mobile device passwords (29 percent) Sharing payment card numbers and/or PINs (25 percent) Letting others use their PII to secure a job or credit (20 percent) Failing to enroll in credit monitoring or identity theft protection services (82 percent) Leaving it up to their banks and credit card companies to catch signs of fraud (81 percent) These dangerous habits can expose consumers’ PII to cybercriminals, even though half of those we surveyed didn’t think they were likely to become victims of identity theft. Impact of identity theft When consumers become identity theft victims, they experience a range of negative emotions and real consequences that affect them personally and financially. According to a survey by the Identity Theft Resource Center, identity theft victims reported feeling frustrated, fearful, angry and stressed. Many had trouble concentrating, lost sleep and felt physically ill because of the crime. They also reported the identity theft overshadowed their personal relationships, their personal and professional credibility, and even affected their ability to get jobs. Some even lost their jobs as a result. What companies can do Clearly, identity theft can be devastating and consumers need to do more to protect themselves. When it occurs, identity theft also undermines the consumer’s trust in companies and institutions, especially if the identity theft occurred in connection to or following a data breach. Helping consumers protect themselves from identity theft benefits everyone. Consumers can avoid the financial and emotional turmoil identity theft causes, and companies can help preserve their relationship with customers. As part of an effective data breach response plan, companies should include a consumer care element that provides breached consumers with: Free identity theft protection and credit monitoring services Dark web and internet records scanning Fraud resolution services Identity theft insurance Myth debunked Year after year, identity theft statistics demonstrate that most consumers are at risk of falling prey to identity thieves, no matter what they believe to the contrary. Unfortunately, consumers continue to take actions that can place their identities at risk. While you can’t force your customers to stop accessing their bank accounts over airport Wi-Fi or using the same password for all their financial accounts, you can take steps to reduce the risk they’ll experience identity theft because of something your organization did or didn’t do. Helping consumers protect themselves from identity theft makes good business sense, and it’s the right thing to do. Plus, consumers expect it; according to the Ponemon Institute’s “Mega Data Breach: Consumer Sentiment” survey, 63 percent of consumers believe a company that experiences a data breach should offer free identity protection to customers affected by the breach. Learn more about our Data Breach solutions

Most companies aren’t prepared to respond to a global data breach, and aren’t yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), even though it takes effect in less than a year, according to the latest Ponemon Institute report sponsored by Experian® Data Breach Resolution. Nearly a third of the 588 information security and compliance professionals interviewed for the survey said their organizations had no global incident response plan in place, and 38 percent have a single plan that’s applied around the world. Just 27 percent reported having separate plans at the country or regional level, but even those who had a plan weren’t confident about its efficacy. The global scope of data breaches The number of data breaches reached a record high in 2016 — 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cybersecurity company Risk Based Security. Ponemon’s survey underscores the scope of global data breaches; 51 percent of respondents reported their companies experienced a global data breach in the past five years, and 56 percent of breached companies had more than one incident. When the GDPR goes into effect in May 2018, any company that processes and/or holds the personal data of European Union consumers will be required to comply with the regulation, regardless of where the company is located. Failure to comply can lead to fines ranging from 2 percent to 4 percent of a company’s annual global turnover. Despite the escalating risks of falling victim to a global data breach and the possible repercussions of not complying with the GDPR, Ponemon’s survey shows a widespread lack of preparedness among companies. Levels of unpreparedness When it comes to preventing and responding to a global data breach, and ensuring they comply with the GDPR’s strict notification rules, many survey respondents expressed significant shortfalls in preparedness: Outdated and inadequate security solutions would hinder the ability of 49 percent to cope with a global data breach. Just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas, and only 39 percent said they had the right policies and procedures to do so. Slightly more than a third thought their companies could successfully manage cultural differences and privacy and data security expectations in different areas of the world. A majority of respondents (89 percent) predicted the GDPR will significantly affect their data protection practices, and 69 percent felt non-compliance would hinder their companies’ ability to do business globally. Yet only a quarter said their companies were ready to comply with the new regulation. While most understand GDPR is something they need to worry about, many aren’t sure what to do. The survey reveals some companies may be feeling desperate enough about the looming regulation to take drastic measures; 34 percent said their preparations include closing operations in countries with high non-compliance rates. Timely notification of regulators and EU citizens affected by a data breach is a key component of the GDPR, yet the majority of our survey respondents (69 percent) said they would have trouble meeting the time limitations. The GDPR requires breached companies to notify regulators within 72 hours of discovering a breach, and affected consumers “without undue delay.” Half of our survey respondents said they experienced a global breach that required notification of victims. Only 10 percent were able to do so within the GDPR’s 72-hour window; 38 percent reported notification took two to five months to complete. Obstacles to preparedness The years-long evolution of the GDPR, which will replace older regulations, is evidence that world governments are taking data breach risks seriously. Unfortunately, our study indicates not all C-suite decision-makers are as concerned about global data breach risks as they should be and their antipathy is impairing their organizations’ ability to prepare for a global data breach. While the security professionals surveyed cited high-volume breaches (65 percent) and breaches involving high-value information (50 percent) as the data risks that concern them the most, only 30 percent said their organization’s C-suite was fully aware of the company’s compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority. Technology limitations and lack of executive support are significant obstacles to preparedness and compliance, but they’re not the only ones. Additionally, survey respondents cited: Reluctance to make needed comprehensive changes in business practices (60 percent) Not enough budget to hire staff (37 percent) Unrealistic demands from regulators/regulations (35 percent) Not enough money for appropriate security technology (34 percent) Lack of knowledge about global data breach response (29 percent) What companies must do Some survey respondents indicated their organizations are taking the right steps toward preparedness and compliance. They are putting in place security technologies to quickly detect a data breach (48 percent), have tested and proven response plans (44 percent), can quickly identify whether a breach will require notification (15 percent) and are prepared to notify regulators within 72 hours of breach discovery (13 percent). However, many organizations could be doing more to prepare for a global data breach and to comply with the GDPR. Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies. With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs. Learn more about our Data Breach solutions

Mitigating synthetic identities Synthetic identity fraud is an epidemic that does more than negatively affect portfolio performance. It can hurt your reputation as a trusted organization. Here is our suggested 4-pronged approach that will help you mitigate this type of fraud: Identify how much you could lose or are losing today to synthetic fraud. Review and analyze your identity screening operational processes and procedures. Incorporate data, analytics and cutting-edge tools to enable fraud detection through consumer authentication. Analyze your portfolio data quality as reported to credit reporting agencies. Reduce synthetic identity fraud losses through a multi-layer methodology design that combats both the rise in synthetic identity creation and use in fraud schemes. Mitigating synthetic identity fraud>  

Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack. In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far. We also predicted: Ransomware would emerge as a top threat for healthcare organizations. Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks. Electronic health records and mobile applications would increasingly be targeted. The year so far In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems. Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctor’s offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems. Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers. Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports. The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans. Learn more about our Data Breach solutions

Turns out, Americans still don’t know much about CyberSecurity. That’s according to new research from the Pew Data Center, which conducted a cybersecurity knowledge quiz. The 13 question quiz was designed to test American’s knowledge on a number of cybersecurity issues and terms. A majority of online adults can identify a strong password and recognize the dangers of using public Wi-Fi. However, many struggle with more technical cybersecurity concepts, such as how to identify true two-factor authentication or determine if a webpage they are using is encrypted. As we in the industry know, cybersecurity is a complicated and diverse subject, but given the pervasiveness of news around cybersecurity, I was still a little surprised by the lack of knowledge. The typical (median) respondent answered only five of the 13 questions correctly (with a mean of 5.5 correct answers). 20% answered more than eight questions accurately, and just 1% received a “perfect score” by correctly answering all 13 questions. The study showed that public knowledge of cybersecurity is low on some relatively technical issues, like identifying the correct example of multi-factor authentication, understanding how VPNs minimize risk and knowing what a botnet is. On the flip side, the two questions that the majority of respondents answered correctly included identifying the strongest password from a list of four options and understanding that public Wi-Fi networks have risk even when they are password protected. Given the median scores, I was proud of missing only one question – guess I have more reading to do on Botnets. As an industry, it is our duty to not only create systems and securities to improve the tactical effectiveness of fraud prevention, but to educate consumers on many of these topics as well. They often are the first line of defense in stopping fraud and reducing the threat of breaches.

Has the EMV liability shift caused e-commerce fraud to increase 33% in 2016? According to Experian data, CNP fraud increased with Florida, Delaware, Oregon and New York ranked as the riskiest states. Miami accounted for the most fraudulent ZIP™ Codes in the US for shipping and billing fraud.

Technology sharing can unlock a more effective strategy in fighting fraud. Experian’s multi-layered and risk-based approach to fraud management is discussed as many businesses are learning that combining data and technology to strengthen their fraud risk strategies can help reduce losses. Evolving fraud schemes, changes in regulatory requirements and the advent of new digital initiatives make it difficult for businesses to manage all of the tools needed to keep up with the relentless pace of change.

Experian is recognized as a leading security solution provider for fraud and identity solutions in order to protect customers and financial institutions

Unfortunately, identity theft can happen to anyone and has far-reaching consequences for its victims. According to the US Department of Justice (DOJ)’s most recent study, 17.6 million people in the US experience some form of identity theft each year. This includes activities such as fraudulent credit card transactions or personal information being used to open unauthorized accounts. The most obvious consequence that identity theft victims encounter is financial loss, which comes in two forms: direct and indirect. Direct financial loss refers to the amount of money stolen or misused by the identity theft offender. Indirect financial loss includes any outside costs associated with identity theft, like legal fees or overdraft charges. The DOJ’s study found that victims experienced a combined average loss of $1,343. In total, identity theft victims lost a whopping $15.4 billion in 2014. Beyond money lost, identity theft can negatively impact credit scores. While credit card companies detect a majority of credit card fraud cases, the rest can go undetected for extended periods of time. A criminal’s delinquent payments, cash loans, or even foreclosures slowly manifest into weakened credit scores. Victims often only discover the problem when they are denied for a loan or credit card application. Last year, Experian found that these types of fraud take the longest time to resolve. Identity theft doesn’t just impact victims financially; it also often takes a significant emotional toll. A survey from the Identity Theft Research Center found that 69 percent felt fear for their personal financial security, and 65 percent felt rage or anger. And, almost 40 percent reported some sleep disruption. These feelings increased over time when victims were unable to settle the issue on their own, according to the report, which can result in problem as work or school, and add stress to relationships with friends and family. Thankfully, consumers are getting smarter about the best ways to protect their information, like using monitoring services or following security best practices. How are you protecting yourself against identity theft? Learn more about our Identity Protection Services

Experian has been selected as one of the leading players in the fraud detection and prevention space in Juniper Research’s Online Payment Fraud strategies report.

Adam Fingersh, senior vice president and general manager of Experian’s fraud and identity business, shared several fraud prevention strategies that businesses and consumers can use to manage risk and increase security while using Internet-enabled products, also known as the Internet of Things (IoT).

What difference does $4.40 make? It can’t buy you much on its own, but it can make a world of difference when you’re handling the aftermath of a data breach or other cyberattack. That’s how much cyber insurance protection reduces the per-record cost of a data breach, according to the Ponemon Institute’s 2015 Cost of a Data Breach report. Whether you’re a small business owner with just a few hundred customers or a global corporation with records in the millions, the cost of being without cyber insurance in the wake of an incident can be extreme. When you consider the sheer number of records involved in recent mega-breaches — more than 78 million in the Anthem breach alone — the cost reduction can easily soar into hundreds of million dollars saved. And while smaller businesses may have fewer records to be breached, the impact of an attack can be even more devastating to them than to global entities when they experience a mega-breach. Yet less than one-third (32 percent) of businesses surveyed for Ponemon’s study reported having cyber insurance. The percentage was a bit better when the Risk Management Society (RIMS) asked 284 of its members about cyber insurance; 51 percent reported having stand-alone cyber insurance policies. Even fewer small businesses report having cyber insurance. Just 5 percent of small business owners surveyed by Endurance International Group said they carried cyber insurance, despite 81 percent believing cybersecurity is a concern for small business. Those who have cyber insurance clearly understand its value. RIMS members said they bought policies to: Reduce the risk of an incident damaging their company’s reputation (79 percent). Minimize the potential impact of business interruption (78 percent). Aid in data breach response and notification (73 percent). What’s more, of the RIMS members who didn’t have cyber insurance, 74 percent said they were considering buying it within the next 12–24 months. While small business owners also appear aware of the risk, they seem less cognizant of the benefits of cyber insurance and other cybersecurity measures. Endurance found that although 94 percent of small business owners said they do think about cybersecurity issues, and nearly a third have experienced an attack or an attempt, just 42 percent have invested in cybersecurity in the past year. A widely reported study by the National Cyber Security Alliance asserts that 60 percent of small businesses that experience a data breach go out of business within six months. Cyber insurance premiums vary widely and are largely tied to a company’s revenues and exposure. Policies typically aim to address risks commonly associated with a cyberattack, including: Liability for loss of confidential information that occurs through unauthorized access to a company’s computer systems. Data breach costs including notification of affected consumers, customer support and providing credit monitoring to affected customers. The costs of restoring, improving or replacing compromised technologies. Regulatory compliance costs. Business interruption expenses. Of course, like virtually any other type of insurance, cyber insurance policies can be customized to address the risks facing the individual policy holder. Many in the insurance industry feel that cyber insurance products have matured, evolving into a type of protection that businesses both large and small simply can’t afford to do without. When you consider the devastating risk of facing a cyberattack without insurance, that simple per-record cost savings of just $4.40 takes on a much deeper meaning. While more large companies are seeing the value of cyber insurance, small business owners need to begin incorporating this valuable type of protection into their overall cyber security plans. Learn more about our Data Breach solutions

Loyalty fraud and the customer experience Criminals continue to amaze me. Not surprise me, but amaze me with their ingenuity. I previously wrote about fraudsters’ primary targets being those where they easily can convert credentials to cash. Since then, a large U.S. retailer’s rewards program was attacked – bilking money from the business and causing consumers confusion and extra work. This attack was a new spin on loyalty fraud. It is yet another example of the impact of not “thinking like a fraudster” when developing a program and process, which a fraudster can exploit. As it embarks on new projects, every organization should consider how it can be exploited by criminals. Too often, the focus is on the customer experience (CX) alone, and many organizations will tolerate fraud losses to improve the CX. In fact, some organization build fraud losses into their budgets and price products accordingly — effectively passing the cost of fraud onto the consumers. Let’s look into how this type of loyalty fraud works. The criminal obtains your login credentials (either through breach, malware, phishing, brute force, etc.) and uses the existing customer profile to purchase goods using the payment method on file for the account. In this type of attack, the motivation isn’t to receive physical goods; instead, it’s to accumulate rewards points — which can then be used or sold. The points (or any other form of digital currency) are instant — on demand, if you will — and much easier to fence. Once the points are credited to the account, the criminal cashes them out either by selling them online to unsuspecting buyers or by walking into a store, purchasing goods and walking right out after paying with the digital currency. A quick check of some underground forums validates the theory that fraudsters are selling retailer points online for a reduced rate — up to 70 percent off. Please don’t be tempted to buy these! The money you spend will no doubt end up doing harm, one way or another. Now, back to the customer experience. Does having lax controls really represent a good customer experience? Is building fraud losses into the cost of your products fair to your customers? The people whose accounts have been hacked most likely are some of your best customers. They now have to deal with returning merchandise they didn’t purchase, making calls to rectify the situation, having their personally identifiable information further compromised and having to pay for the loss. All in all, not a great customer experience. All businesses have a fiduciary responsibility to protect customer data with which they have been entrusted — even if the consumer is a victim of malware, phishing or password reuse. What are you doing to protect your customers? Simple authentication technologies, while nice for the CX, easily can fail if the criminal has access to the login credentials. And fraud is not a single event. There are patterns and surveillance activities that can help to detect fraud at every phase of your loyalty program — from new account opening to account logins and updates to transactions that involve the purchase of goods or the movement of currency. As fraudsters continue to evolve and look for the least-protected targets, loyalty programs have come to the forefront of the battleground. Take the time to understand your vulnerability and how you can be attacked. Then take the necessary steps to protect your most profitable customers — your loyalty program members. If you want to learn more, join us MRC Vegas 16 for our session “Loyalty Fraud; It’s Brand Protection, Not Just Loss Prevention” and hear our industry experts discuss loyalty fraud, why it’s lucrative, and what organizations can do to protect their brand from this grey-area type of fraud.