Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Fraudsters Are Getting Smarter, But So Are Businesses
By Michelle Hafner, chief operating officer at NuData Security
Companies have no time to slow down cybersecurity measures in
2022. In fact, based on 2021 trends, businesses will likely face more cyber threats this year than
ever before.
Couple that reality with ever-rising expectations for improved
customer experiences and organizations really do have their hands full - they
must delight shoppers with new and helpful digital capabilities, while ensuring
that tech add-ons don't diminish security standards. Factor in the dramatic
evolution of our online identities over recent years and unprepared businesses
are left grappling with how to effectively move beyond passwords and usernames
to adopt modern (and more secure) cybersecurity measures.
Expanding digital identities will shape 2022 trends for fraudsters and brands
As online touchpoints with customers increase, businesses must
contend with more signifiers of digital identity - from actions and physical
characteristics, to device data, personally identifiable information (PII), and
other contextual clues like customers' transaction and interaction histories.
Thankfully, with the right tools and mindset, 2022 can be the
year organizations rein in vulnerabilities across their networks - and fully
leverage shoppers' multi-layered online identities to improve security measures
and demonstrate how well they know their customers. This approach ensures that
businesses can connect various tools to uncover how users behave across
platforms, offering shoppers better experiences without asking them to share
more of their data (and put themselves at greater risk of fraud as a result).
As a starting point, consider three trends that we expect to see
this year, and what those predictions mean for your company's cybersecurity
strategies:
1. Stolen credential quality will continue to climb unless organizations intervene - and fast.
Throughout the pandemic, attackers have refined and specialized
their approaches in response to our evolving digital ecosystem. Today's
fraudsters increasingly evade standard bot-detection tools by turning to
tactics that imitate human behaviors - what we call sophisticated attacks.
In 2022, bad actors will continue to brainstorm creative ways to
boost their success rates and bypass defenses, particularly by increasing the
quality of the stolen credentials they wield. Consider that the average percentage
of valid credentials used by fraudsters during attacks spiked to nearly 10% by the end of last year, up from around 2% in 2020. Why? Because fraudsters are getting
smarter, and they're leveraging more advanced methods to steal and test
credentials, and ensure success. For example, card cycling - a common method
for testing the validity of stolen card details - increased by 54% in 2021.
Brands will work hard this
year to fill security gaps for customers, understanding that digital
experiences aren't going anywhere - and neither is fraudsters' ability to
circumvent traditional cybersecurity measures. There's no denying the pandemic
propelled many more shoppers toward eCommerce, some we can expect for the first
time. Take the fact that based on Mastercard SpendingPulse™
from December 2021, holiday retail sales increased 8.5% year-over-year during the 2021
holiday season (excluding automotive). Powering that growth was an 11% increase
in eCommerce sales, compared to just an 8.1% increase for in-store sales. This
underscores an even larger divide started in 2019 between the boom of online
versus in-store holiday retail sales, 61.4% to 2.4% respectively through the
end of the 2021 holiday season.
However, rising online
shopping trends also help generate an ever-growing pool of consumers who may
prove - and too often do prove - less adept at recognizing phishing attempts
whether through email, phone, or malicious websites.
And fraudsters are waiting
for those shoppers: In 2020, Google registered a record 2 million phishing websites, an almost 20% increase
over 2019.
2. Businesses will continue to prioritize seamless customer experiences, which could create vulnerabilities for unprepared brands.
The drive to improve digital user experiences as more people
shop online is great for everyone - including
fraudsters.
As new and enhanced manners of providing services online emerge,
digital and hybrid experiences like Buy Online Pick Up In Store (BOPIS)
represent important improvements for consumers. These capabilities
simultaneously allow bad actors to take advantage of existing systems when all
customer touchpoints are not thoroughly protected, and also add complexity for
companies that are unable to assess the risks of traffic coming through each
channel in real time. By increasing the number of manual reviews involved
in validated online purchases, for example, trends like BOPIS can overburden
workers tasked with verifying customers' actions. Although manual reviews help
prevent some instances of fraud, the process also undermines the seamless
customer experiences that users now require.
The bottom line is that in 2022, more seamless customer
experiences are not beneficial to
shoppers if those perks come with increased levels of risk and vice versa.
However, brands can implement anti-fraud tools to prioritize security and
maximize the shift toward seamless shopping experiences. In fact, with more
users buying more online - once proper security measures are in place -
companies can leverage the increased behavioral data this brings to:
- Design more personalized, streamlined experiences, and remove user friction points
- Enable more accurate fraud detection, countering sophisticated attacks and other threats
- Impress first-time shoppers with safe and easy digital experiences, helping turn them into repeat customers
3. Companies will critically evaluate their overall fraud detection strategies - with behavioral biometrics taking center stage.
As attacks have grown more sophisticated, companies are
increasingly motivated to step back and review their overall fraud detection
strategy. A key shift within this evaluation process throughout 2022 will be
working to identify threats via behaviors
rather than credentials, largely
thanks to behavioral biometric tools.
Let's review how we got here. First, with sophisticated bad
actors now better at emulating humans, standard security measures like
bot-detection tools and traditional password authentication are not enough.
Across the board, fraudsters
are better prepared with valid credentials and data on their victims thanks to
social engineering techniques, such as card cycling mentioned earlier.
At the same time, common supplementary security methods that
require more end-user input like two-factor authentication add unwanted
friction to digital interactions, and may push away valuable customers. For
example, shoppers may find it frustrating to input a code from their phone when
at work or without cellular service and instead take their business to a brand
that doesn't require this verification step to protect their account.
Thanks to behavioral biometrics, organizations can prioritize
both customer security and experience.
Behavioral biometrics are effective because they rely on a deep
understanding of your customers. Rather than looking for behaviors that scream
"fraud" (although this is possible as well), behavioral biometrics flag
occurrences that deviate from an individual shopper's typical ways of
interacting. For example, if a customer traditionally shops with a brand from
the West Coast using the Chrome browser on their phone, but suddenly logs on
via desktop using Safari from a different location, behavioral biometrics could
consider this cause for concern. Other behaviors tracked include the type of
device, how many times per day someone enters (or fails to correctly enter)
their password, keystroke dynamics, mouse-use characteristics, and more.
Not only will this strategy help brands identify and stop fraud
before it takes place in 2022, but the emphasis on knowing your customers also
empowers decision-makers to improve future digital experiences for good actors
based on customers' own legacy behaviors and data. Armed with behavioral
biometric strategies, businesses can then strategically invoke friction based
on suspicious activity - for example, reducing hoops to jump through for a
customer who behaves as expected, while introducing security challenges to
double-check dubious interactions. We will witness more brands introduce this
strategy - referred to as intelligent interdiction - in 2022.
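The following sketch is an added example, not NuData's product or algorithm: it scores a session against one customer's own baseline using the signals named above (location, browser, device, failed password entries, keystroke timing) and adds friction only when the deviation is large. The weights, threshold, field names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:
    """One customer's baseline, learned from past sessions (values constructed)."""
    regions: set
    browsers: set
    devices: set
    failed_logins_per_day: list   # historic failed password entries per day
    key_interval_ms: list         # historic mean gap between keystrokes

@dataclass
class Session:
    region: str
    browser: str
    device: str
    failed_logins_today: int
    key_interval_ms: float

# Hypothetical weights and threshold, for illustration only.
NEW_REGION, NEW_BROWSER, NEW_DEVICE, CHALLENGE_AT = 2.0, 1.0, 1.0, 3.0

def excess_sigma(value, history, slack=2.0, cap=2.0):
    """Deviation from the customer's own history beyond `slack` sigma, capped."""
    sd = pstdev(history)
    gap = abs(value - mean(history))
    z = gap / sd if sd else (float("inf") if gap else 0.0)
    return min(max(z - slack, 0.0), cap)

def risk_score(p, s):
    score = 0.0
    score += NEW_REGION if s.region not in p.regions else 0.0
    score += NEW_BROWSER if s.browser not in p.browsers else 0.0
    score += NEW_DEVICE if s.device not in p.devices else 0.0
    score += excess_sigma(s.failed_logins_today, p.failed_logins_per_day)
    score += excess_sigma(s.key_interval_ms, p.key_interval_ms)
    return score

def decide(p, s):
    """Add friction only when the session departs from this customer's baseline."""
    return "challenge" if risk_score(p, s) >= CHALLENGE_AT else "allow"

# Constructed sample data mirroring the article's West Coast / Chrome / phone shopper.
shopper = Profile({"us-west"}, {"Chrome"}, {"phone"},
                  [0, 1, 0, 0, 1, 0, 0], [182, 175, 190, 178, 185, 180, 188])
usual = Session("us-west", "Chrome", "phone", 0, 183.0)
moved = Session("us-east", "Safari", "desktop", 0, 183.0)
scripted = Session("us-west", "Chrome", "phone", 6, 60.0)
```

A single unfamiliar signal, such as a new browser on the usual phone, stays below the threshold, so the expected customer is not challenged.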
Elevated customer expectations are here to stay, and so are smart fraudsters
In 2022, businesses have a tough task ahead of them - staying
one step ahead of bad actors without sacrificing top-notch user experiences.
While this responsibility can feel daunting at times, remember that while
fraudsters are getting smarter, so is your business. By paying close attention
to the trends and solutions outlined above, you can circumvent bad actors while
avoiding adding unnecessary friction online and downgrading customer
experiences.
Are you ready for 2022? Because you better believe users and
fraudsters are.
ABOUT THE AUTHOR
Michelle Hafner is chief operating officer at NuData Security, a Mastercard Company. She oversees innovation and product development, including the integration of NuData Security’s suite of fraud management and security products. Michelle is also part of several industry forums and serves on the Merchant Risk Council (MRC) Americas Advisory Board. She has also led MasterCard’s Card Not Present advisory group responsible for recruiting participants, collaborating with merchants, issuers and acquirers to discuss topics aimed at driving industry innovation and change.