Despite renewed efforts to combat the spread of identity fraud, businesses in 2017 saw fraudsters steal even more records compared to the previous year. Cybercriminals made off with a whopping $16.8 billion worth of personal data, according to researchers.
A recent identity fraud study by Javelin Strategy & Research reveals that the number of victims increased by eight percent in the last year, reaching 16.7 million in 2017 – the highest recorded since the firm began measuring the phenomenon some 15 years ago.
ID fraud growth outstrips countermeasures
Fraud is also growing in complexity, and EMV (embedded chip) cards have shifted fraud online and away from physical stores. Cybercriminals are adapting faster than the industry can stop them, constantly opening more accounts and improving their techniques.
In its survey, Javelin Strategy & Research found a notable change in the way fraud was committed in 2017: fraudsters opened a significantly higher number of intermediary accounts, such as email payments (PayPal) and e-commerce services (Amazon).
“Although not as easily monetized alone, these account types are invaluable in helping fraudsters transfer funds from the existing accounts of their victims,” says the research firm.
Data breaches are the culprit
The top-ranking identity-related threat comes from data breaches. And victims seem quite aware of this: 63% are ‘very’ or ‘extremely’ concerned about the threat of breaches. Meanwhile, 64% of victims believe breach notifications are useless in protecting them, and serve as a mere legal cover for the breached company.
Other notable findings from the study include:
- 30% of US consumers were notified of a breach in the past year, up from 12% in 2016
- For the first time ever, more Social Security numbers (35%) were compromised than credit card numbers (30%) in breaches
- 6.64% of consumers fell victim to identity fraud, almost 1 million victims more than the previous year
- Account takeover tripled over the past year, reaching a four-year high, with victims paying an average of $290 in out-of-pocket costs and spending 16 hours on average to resolve the fraud
- Fraudsters are getting more sophisticated in their attacks, using more complex methods to devise monetization schemes
- Data breaches are causing consumers to lose trust in institutions
The Equifax breach – an unsettling precedent
One could easily suspect the Equifax data breach had something to do with that last bullet. Javelin’s survey indeed confirms it. The proportion of consumers who are concerned about fraud rose from 51% in 2016 to 69% in 2017. The reason cited in the paper? “Rising fraud incidence and extensive media coverage of the Equifax breach.”
The Equifax breach was (and still is) particularly dangerous for those affected, because fraudsters can use the stolen information to craft more-convincing campaigns for phishing, which is blamed for 9 out of 10 data breaches.
Moneysavingexpert.com offers a good example of how a convincing phishing email may read:
"To show this is not a phishing email, we have included the month of your birth and the last three digits of your phone number."
After all, no matter how many security layers are set in place by your data processor, they won’t change your birth date.
Perhaps the most striking finding in the Javelin study is identity fraud’s financial impact on the industry in a 12-month interval – nearly $17 billion.
And the damage doesn’t stop there. In the case of Equifax, two top-ranking executives were fired after the incident compromised the personal information of 143 million U.S. consumers. Furthermore, Equifax handled the breach poorly, attracting public outcry and numerous lawsuits. One law firm sought up to $70 billion in damages for its clients, boasting that it would be the largest class-action suit settlement in the history of the United States if successful.
A ThreatMetrix report from January offers a similar view of the ID fraud spectacle. Their data shows that cybercriminals have switched from stealing individual credit cards to leveraging entire sets of leaked identity data from large breaches. And out of nine new accounts opened in 2017, at least one was fraudulent.
Lax security budgets
Data breaches, as exemplified by the WannaCry contagion in May of 2017 and GoldenEye/Petya just months later, have become the norm. GoldenEye alone caused $1 billion in damages to the corporate sector globally.
A Bitdefender survey of 250 IT decision makers in the U.S. showed that most companies have less-than-ideal budgets for cybersecurity. Ironically, two-thirds of companies would pay an average of $124,000 each to avoid public-shaming scandals after a breach, and around 14 percent would pay more than $500,000.
With the General Data Protection Regulation taking effect in just three months, businesses everywhere have every reason to start spending more on IT security.