While data breaches have become a nearly daily occurrence in news headlines — most recently, Drizly and the Ritz Hotel — it's important that businesses and security professionals understand the cascading effect these incidents have on the broader online landscape. Regardless of the size of the business reporting a breach or amount of consumer data exposed, all businesses are threatened by a "fraud supply chain" that feeds off these types of breaches.
The fraud supply chain is an interconnected ecosystem that allows cybercriminals to use different attack vectors to steal from consumers and businesses, often through more complex ways than merely buying stolen credit cards to make large purchases. Therefore, fraudsters can feed off any type of data to provide both a bridge for gaining further personal information from existing victims and a springboard for executing larger attacks.
Even the Smallest Breaches Cause Ripple Effects
Data breaches are almost always a means to an end. For example, seemingly minor information such as usernames or passwords can arm fraudsters with enough to execute more sophisticated attacks. Often, bad actors will harvest user information obtained from various data breaches to develop complete user profiles. Additionally, typical consumer behaviors can often make this easier for fraudsters; studies have shown 65% of users repurpose their passwords across multiple platforms. Data breaches provide attackers with the credentials needed to execute more widespread attacks such as:
- Accumulating More Personal Information Through Phishing Scams
Often, a minor data breach is not enough for fraudsters to execute immediate attacks on an individual. However, simple credentials such as an email address offer a direct line of communication for fraudsters to initiate phishing schemes. Through this tactic, they'll often impersonate a trusted source to convince consumers to share further personal data such as credit card information, passwords, etc. While most people may think it's easy to recognize a phishing scheme, sophisticated fraudsters will use additional information garnered through previous data breaches to personalize content that demonstrates potential legitimacy.
For security teams, email protection is critical and must lean on a layered approach. The foundation must be set with standards such as email authentication and domain-based message authentication, reporting and conformance (DMARC) to protect employees, stakeholders, and customers from unauthorized usage.
Alongside these measures, secure email gateways (SEGs) and phishing awareness/training can help avoid external threats. For example, fraudsters often play to consumer emotions and fears, a reason why we've seen phishing attacks accelerate amid the pandemic. Recent phishing schemes have included cybercriminals impersonating health officials and agencies seeking consumer information to facilitate fake virus testing or contact-tracing initiatives.
- Coordinating Account Takeovers With Compromised Credentials
Once fraudsters have enough information, they'll use these credentials to access and take over victims' accounts. This opens the door to a variety of opportunities, including exposure to payment information, ability to open new accounts with similar credentials, and access to post fake or malicious content to victims' personal networks.
There's little you can do about users falling victim to social engineering tactics outside of your platform. However, you can empower your team to act accordingly when these bad actors show up on your platform. Two-factor authentication (2FA) can address this by adding friction when someone is trying to gain unauthorized access into an account, and also notifying users when suspicious account access has been detected.
There are also internal measures you can take for schemes in which a user has been tricked into willingly handing over their credentials to a bad actor. For example, businesses dealing with payments can leverage a holding period before funds can be transferred, and review transactions that seem anomalous (such as amounts outside of the user's normal activity or transfers into a new account).
Lastly, you may also want to consider educational outreach (for example, a newsletter, FAQ, or help center) that informs users of common tactics. Let them know that your organization will never ask them to share a verification code, for instance.
- Siphoning Money and Assets Through Payment Fraud Schemes
Payment information is often the holy grail for fraudsters. Payment fraud typically begins with card testing through the purchase of typically low-value, low-effort items. If the purchase is successful, they know the payment information is valid. Funds can then be used to buy goods to keep or resell, or to buy more data on the Dark Web.
While account and payment protection is paramount, users also demand seamless experiences. Therefore, security professionals should implement risk assessments based on user trustworthiness. This dynamic friction will help eliminate friction for trusted users, block risky interactions, and implement verification for suspicious activities.
Every business needs to face the repercussions of breaches, whether they are directly involved or not. Simply put, every data breach is every business's problem. That means fraud prevention needs to be an ecosystemwide effort, so that user data is rendered useless — thus breaking the most important link in the fraud supply chain.