According to the latest quarterly analysis from Outseer’s FraudAction team, brand impersonation scams continue to exploit the sharp rise in digital banking and ecommerce during the pandemic.
While fraudsters have long masqueraded as Chase, Wells Fargo, Amazon, Microsoft and other trusted brands in attacks targeting consumers and businesses, these companies are hardly alone. As captured in our Q3 2021 Fraud & Payments Report, brand abuse is the fastest-growing attack vector for transaction fraud for the third quarter in a row as threat actors switch up the tactics they use to impersonate brands both large and small.
The report features our analysis of more than 49,000 payments fraud attacks from April through June 2021. And it documents a troubling rise in the use of email and text phishing scams, fraudulent social media pages, and rogue mobile apps to impersonate trusted brands in order to harvest login and payment credentials from victims. So far this year, our data indicates brand abuse is a factor in nearly half (49%) of all cyberattacks worldwide.
Among our latest findings:
Phishing’s the Lure in Nearly 1 in 5 Attacks
Phishing accounted for more than 18% of all fraud attacks in Q2. In these social engineering attacks, perfect replicas of everything from a brand’s password-change alerts to past-due notices are sent by email or text message. By activating our “lizard brain,” these seemingly urgent messages bamboozle recipients into clicking through to a fraudulent login screen and entering their login credentials. In Q2, a growing number of attacks used phony social media pages (some created by bots) to lure consumers with phony sweepstakes and offers. Nearly 3 in 4 (72.5%) of these attacks were launched from US-based hosting services.
Counterfeit Apps Climb 66%
Cybercriminals increasingly distribute lookalike apps through the app stores run by Google and Apple, as well as other official app stores. Almost a third (30%) of all cyberattacks in the financial services sector during the second quarter of 2021 came from fraudulent banking apps. That’s a 66% increase in just 90 days. It’s also up 140% from the same period last year (Q2 2020). Malicious banking apps are often used to harvest login credentials for use in account takeover and new account creation schemes.
70% of Fraudulent Banking Transactions Are Mobile
The mobile channel is now the preferred choice for 77% of all digital banking transactions, whether via app or mobile web. But mobile transaction fraud is growing almost as quickly. During Q2, 70% of all fraudulent digital banking transactions originated in the mobile channel—mostly through mobile apps.
The High Cost of Brand Abuse
Brand abuse is big business. In 2020, the FBI received a record number of cyber-fraud complaints from US consumers and businesses, with reported losses exceeding $4.1 billion—a 69% increase in one year. Worldwide, losses may have topped $1 trillion. But if our data is any indication, that may have been just a warm-up act.
According to our analysis, the average value of a fraudulent banking transaction (money transfer, ACH, P2P, Wire) was $1,616 for the mobile channel and $5,158 for the desktop web during the second quarter. Which helps explain all the effort bad actors are putting into monetizing compromised credentials.
What’s worse: Those are just global averages. According to the Financial Times, individuals who fall prey to imposters posing as investment firms lose an average of $61,278. But the price tag can go up astronomically from there. In attacks targeting businesses, for instance, harvested login credentials that lead to a data breach can cost an average of $9.01 million per incident for US-based companies, according to Ponemon Institute’s 2021 Cost of a Data Breach Report.
Innocence May Not Matter
Oh, and if it’s your brand that gets impersonated through email or SMS phishing, social media, or bogus apps, don’t think innocence will spare you from paying a price, too. Reputational damage and loss of consumer trust can obliterate revenues generated from your own legitimate digital channels at the exact time you need them most.
In an economy where as much as 80% of market value stems from intangibles like brand equity and goodwill, organizations need to look beyond their perimeters to protect against reputational damage. Our own intelligence and cyberattack takedown service, for example, monitors the web, app stores, and social media platforms 24/7 to detect and shut down brandjacking attacks before they cause serious harm. Along with anti-fraud products leveraging the EMV® 3-D Secure (3DS) protocol, companies can equip themselves against fraudulent transactions stemming from these attacks as well.
If the trend lines in our Q3 report are any indication, brand is the new perimeter—and it better be well protected.