Identity & Fraud

Phishing attacks have become more sophisticated and personal. We are all busy with life – work, family, commute, and dinner plans, along with keeping up on the latest news cycle. Virtually anyone could be inclined to quickly click on a link stating there is an issue with their recent order. But there's more to phishing attacks than just baiting businesses and consumers. During a recent #ExperianLive event, Mike Gross, Head of Global Identity and Fraud Product Innovation, discussed what businesses can do to protect themselves and their customers. ​ Q: You say that phishers would make good digital marketers. What do you mean by that? Mike: Like a great marketer, a good phisher understands people and their tendencies; they know how to get people to take action on their message. Take my most recent “almost phishing" incident. During the holidays, I received an email from a top online retailer stating there was a “problem with my recent order." I knew that any delay would jeopardize my holiday gift delivery. I was just about to click the “Login" button and then stopped. Thankfully, I double-checked the sender and it wasn't my favorite shopping site after all – just a really good fake email from a "phishy" sender. Like a digital marketer, phishers understand how to specifically target the things that people care about. This is why phishing attempts focused around the holidays, tax season, natural disasters, and hot news topics are often so successful. Q: Are phishers counting on the relationship and roles people have in an organization? Mike: Yes. That's the whole nature behind one of the biggest phishing attacks over the past several years – business email compromises. As a phisher, I'm sending you an email that looks like I work with you, say a vendor with a message that reads, “I changed the account that you use to pay me; please update your payment to this new account." If there is urgency behind it, it is taken seriously - for example, to avoid being late on paying a vendor. Human nature is being helpful and reacting, especially in this fast-paced, hyper-connected world – and that's why these scams continue to work. Q: What other phishing trends are you seeing? Mike: They've evolved over time. Take the simple phishing email; it's not so simple anymore. Nowadays, attacks are personalized to both the business and specific person – and phishers are taking advantage of automation and targeting tools so they can get the most reward for their effort. “Smishing" is variant of phishing focused on the phone channel, where attackers target victims with an SMS-based attack; you've probably seen them. You get a text and link from what you think is your friend saying something like “Check out this funny video!" But it isn't legitimate; it's a fraudster that is spoofing your friend's phone number. Then there is “vishing" which is a voice-based attack. This is where a fraudster pretends to be someone they're not (like a consumer's financial institution) and tries to obtain personal information or take over an existing account. Q: Wow! Phishing fraud is sophisticated. What has led to that? Mike: We've seen a tremendous leap in technology used. There is a great example of that last year with a U.K. bank. Their customers expect that if there is an out-of-place transaction, the bank will call them. In this particular vishing scheme, vishers used compromised accountholder usernames and passwords to log into customer accounts and set up money transfers. Knowing that this would alert accountholders to the attempted transfer using the SMS one-time passcode, phishers called legitimate customers, impersonated the bank, and stated that since the customer was a recent fraud attack victim, the bank needed confirmation that they were the accountholder. The vishers told customers they would receive a passcode. While the customer confirmed the code, the vishers submitted the fraudulent transfer. Q: What trends and techniques are you seeing? Mike: Two of the big trends we're seeing is around Artificial Intelligence (AI), machine learning, and SMS to find victims. A big part of phishing is what we call “spear phishing." This targets individuals with access to an organization's financial accounts or internal systems. Another term is “whaling" which targets a specific high-profile individual. The phishers are no longer just sending out blanket lottery scam and Nigerian prince emails with misspellings to millions of people. It's very focused – and phishers can easily do this using machine learning and AI. Q: Do you notice any seasonality, or spikes in phishing based on a certain time of year? Mike: The holidays are one because so many people go to their favorite shopping sites and buy items that are completely out of pattern based on what they usually do online. Another good example is tax season. We saw phishers impersonate top tax and financial management software providers, allowing consumers to “quickly and easily submit their tax forms online." What's worse is that phishers use the knowledge you have about phishing against you. Things like “How do you protect yourself? Click on this link to learn more" or “Click this link to download software and protect your devices." Also, fraudsters pay attention to the news, so whether it's a natural disaster or the cathedral fire that happened in Paris last April, phishers see those as opportunities to prey on victims simply trying to donate to a worthy cause. Q: What advice do you have for businesses and consumers to protect themselves against phishing attacks? Mike: My advice for businesses is to focus on technology and training. Strong technology solutions must be in place at all businesses to block phishing emails that are coming from suspicious sites – and for the most part, large organizations do a great job of that. Smaller businesses can also take advantage of technology solutions from their internet providers. Businesses can implement web blocking software for less secure Internet sites and filter what types of content employees can have access to on business devices. A lot of companies hire outside consultants to talk about the different types of phishing attacks with employees. These are helpful, but the key is to not allow training to become static because attackers evolve so quickly. Both businesses and consumers can use the email filtering option that is available through nearly every email provider. Don't click on any attachments that even remotely look suspicious - especially if they've been texted to you from someone you either don't know or the message appears out of character for someone you know. Q: What activities is your group taking on that will help businesses and their customers fight phishing attacks? Mike: There are several things we're doing that impact businesses and consumers offline and digitally. We help businesses recognize their customers and authenticate them, whether that's helping customers with a new bank account, enabling easy checkout at a favorite retailer app, or protecting account logins. 99% of people trying to access accounts are the legitimate account holder; it's that 1% though that causes a lot of friction for good customers. So, we're trying to make it easier for those consumers to quickly pass through all of the controls so authentication is easier. That translates into consumer loyalty for brands. Q: And that's what it's really all about? Mike: It is. We help businesses recognize their customers and also ensure that they are catching fraudsters on the back end. But we also strive to make that recognition or user experience as seamless as possible, with the right scrutiny for the risk level of that business. Mike Gross leads product innovation strategy for Global Identity and Fraud at Experian. Check out the entire podcast and video on how to protect your business from phishing here.

Across the globe, fraud risks continue to grow and businesses continue to invest more to combat potential threats. According to Experian's 2019 Global Fraud and Identity Report, which was published this past January, more than half of businesses across the world have increased their fraud management budget in the past twelve months. I recently had the opportunity to discuss this very topic with Forbes.com. In the article I raised the issue of whether businesses are investing in the right places. Our research shows that businesses may sometimes be investing in the wrong capabilities or point solutions that are materially less effective than if they were to take a layered approach to fraud detection. To provide consumers with both security and convenient online experiences, companies must have a complete understanding by looking at the problem holistically. By layering multiple approaches such as digital risk assessments leveraging device intelligence, behavioural biometrics together with more traditional measures – businesses can focus their resources where it matters most – providing a safe yet convenient online environment for their customers. The Forbes article also looked at the issue of trust. The anonymous nature of digital interactions makes creating trusted and meaningful relationships with digital consumers difficult. Unlike face-to-face interactions where people rely on visual cues, and relationships developed over time, businesses must find other ways to quickly recognize their customers online and deliver personalized experiences. At Experian, we believe trust is extremely important. In fact, the report found that nearly eighty percent of consumers say the more transparent a business is about the use of their information, the greater trust they have in that business. And fifty-six percent of businesses plan to invest more in transparency-inspired programs such as educating consumers, communicating terms more concisely and helping consumers be in control of their data. There is no doubt about it, businesses who want to continue to thrive and lead in the digital economy will find ways to offer their customers both security and convenience whilst building trust with their audience. Learn more the state of fraud and how trust plays a role by downloading our 2019 report: Consumer trust: Building meaningful relationships online.  

Fraud attacks continue to increase, and businesses and consumers alike are recognizing the need for more effective preventative measures. In June 2016, we launched the industry’s first open platform designed to catch fraud faster, improve compliance, and enhance the customer experience. Experian CrossCoreTM has put more control in the hands of fraud teams and it continues to receive global recognition for its impact in the industry. We are proud to announce that CrossCoreTM has been named a market leader for fraud prevention by Cyber Defense Magazine’s 7th Annual InfoSec Awards. Judged by an independent panel of certified security professionals, the InfoSec Awards recognize the best ideas, products and services in the information technology industry. In the past year, the platform was also named best fraud prevention innovation by Cybersecurity Breakthrough and as best cybersecurity initiative of the year by CIR Magazine. Since 2016, Experian has been proud to serve organizations looking for better ways to get more out of their existing fraud and identity systems and to more effectively deploy new products and offers, while improving the customer experience and minimizing risk. According to Experian’s 2019 Global Identity & Fraud Report, 55% of businesses reported an increase in online fraud-related losses over the past 12 months, predominantly around account origination and account takeover attacks. Our study shows that consumers value security and convenience. They also expect to be recognized and met with a personalized experience. Businesses can deliver both security and convenience, but to do so, they need to apply the right tools and relevant information. CrossCoreTM is helping fraud teams around the world accomplish this by adapting and deploying strategies that keep up with the pace of fraud while reducing burdens on IT and data science teams. Learn more about CrossCore.

Digital commerce has changed the way consumers interact with businesses. More people are transacting online versus going into retail stores, and more than half of banking is done via mobile channels. Yet both businesses and consumers still want convenience and security, without increased fraud risk. And as interactions have become more anonymous in an online space, trust is based on businesses protecting consumers from fraud while still providing a great customer experience. So, what does it take to build trusted relationships online? New research from our 2019 Global Identity and Fraud Report shows that 74% of consumers see security as the most important element of their online experience, followed by convenience. In the past, businesses have often invested in one at the expense of the other, and our research suggests that consumers can expect both security and convenience without the trade-off. The availability of information consumers share with businesses make this possible, and consumers are willing to share more personal information if they believe it means greater online security and convenience. In fact, our research found that 70 percent of consumers are willing to share more personal data, particularly when they see a benefit. However, this value exchange of more personal information for a better online experience is the same information that puts consumers at a greater risk for fraud. Instead, businesses need to demand more from the information they already have access to and use more sophisticated authentication strategies and advanced technologies to better identify their customers and deliver tailored, streamlined experiences without increasing their risk exposure. Findings from the study reveal that consumers and business leaders agree that security methods enabled by new technologies and advanced authentication methods instill online trust. In fact, consumer confidence grew from 43 percent to 74 percent when physical biometrics was used to protect their accounts.  The report also found that businesses are beginning to embrace the changing technology, while half of organizations globally reported an increase in their fraud management budget over the past twelve months. And lastly, the report looked at transparency and how that impacts consumer trust. In order to create even more trust online, many businesses are proactively sharing with customers how they use their personal information. The report found that nearly 80 percent of consumers say the more transparent a business is about the use of their information, the greater trust they have in that business. And the good news is that 56 percent of businesses plan to invest more in transparency-inspired programs such as – consumer education, communicating terms more concisely, and helping consumers feel in control of their personal data. Fraud remains a constant threat and it should come as no surprise that nearly 60 percent of consumers worldwide have experienced online fraud at some point. However, both business and consumers are getting smarter about how they manage fraud and it comes down to the important theme of trust. In order for consumers to trust businesses, they need to feel secure. And by adopting better security measures, businesses can embrace the important role of protecting customers and giving them the experience they want and deserve. Download the new Experian 2019 Fraud & Identity report here.

Experian Health has announced a partnership with Change Healthcare, a leading revenue cycle management provider, to jointly provide an identity management solution to solve patient identification and duplication challenges most often occurring during the patient registration process. Accurate identification of patients across care settings is one of the most common challenges in healthcare today. Improper identity management plagues multiple aspects of the healthcare system and all stakeholders, including providers, payers, pharmacies, employers, and consumers. Without accurate record matching, patients can be put at risk. According to statistics cited by Pew Research Center up to 20 percent of patient records are not accurately matched within the same healthcare system—driving up costs, creating inefficiency, and risking patient safety. The solution delivered to the market will leverage Experian Health’s robust identity management capabilities, along with Change Healthcare’s Intelligent Healthcare NetworkTM connecting providers and payers, to accurately identify patients and match records within and across disparate healthcare organizations. With the companies’ extensive footprint across healthcare providers, and Change Healthcare’s ecosystem of over 700 channel partners, the partnership will aim to deliver trusted identity management capabilities that are integrated with healthcare workflow applications across the continuum. “It’s imperative the healthcare industry focus on accurate patient identification and data management to improve overall patient safety,” said Jennifer Schulz, group president, Experian Health. “This new partnership aligns with our commitment to connect and simplify healthcare in a data-driven world, and ultimately deliver an optimal consumer experience.” At launch, the solution is expected to be available to all providers and payers in the United States.  Currently, Experian’s Universal Identity Management solution, in particular, now includes 136.3 million people, representing 42.6% coverage of the U.S. population, and that number continues to grow every month. This partnership will expand the company’s reach even more with partners such as payers and smaller clinics to scale its identity solutions at a quicker pace and benefit the entire industry. “We are pleased to be able to move our business forward with key collaborations that will help us deliver a seamless and scalable identity management solution to more organizations,” added Schulz. “We look forward to working with Change Healthcare and exploring more partnership opportunities with them that can continue to address the healthcare industry’s most pressing operational issues through the power of data and analytics.”

I nearly made a bad mistake a couple of weeks ago after I received an email from a top online retailer stating there was a “problem with my recent order.” I had recently purchased several items and knew that any delay would jeopardize my holiday gift delivery. I was just about to click the “Login” button and then stopped. Thankfully, I had the presence of mind to double-check the sender, and, it wasn’t my favorite shopping site after all – just a really good fake email from a phishy sender. I had almost fallen victim to one of the oldest and most common fraud scams in the books — a phishing email. Phishing is the fraudulent practice of sending emails claiming to be from reputable companies. Fraudsters do this to get recipients to click a link and reveal personal information, like passwords and credit card numbers. Sometimes, they will even install malware on your mobile device or computer, directing you to a fake storefront to pilfer information like bank accounts or create new fraudulent accounts using your identity information. First, I thought, “Wow, what a dumb mistake, especially given our focus at work.” But phishing scams today have become more sophisticated and personal. We are all busy with life – our work, family, commute, and dinner plans, along with keeping up on the latest news cycle. Virtually anyone could be inclined to quickly click on a link stating there is an issue with their recent order. The best phishing scams are those that appear to come from a trusted source and reference real information about you, one of your recent shopping orders, or your personal preferences. Sometimes, a scam can even take the form of an “update” on the delivery of your recent orders, and you might rush into clicking links to resolve the problem. Know then trust What is it about phishing scams that make them so effective? It is the personal nature of the attack. The best ones are those that appear to come from a trusted source and discuss information about you, a recent order, your personal preferences, or even just to provide an “update” on delivery to rush you into clicking based on an issue or delay. One extremely lucrative attack that comes to mind is a recent UK bank attack where fraudsters obtained banking login credentials and accessed accounts in an attempt to submit fraudulent wire transfers. Posing as bank employees, the fraudsters contacted the accountholders to let them know that a fraudulent wire transfer attempt had been made on their account. And in order for the bank to cancel the wire, they needed the accountholders to provide a confirmation code that they would receive instantaneously through their mobile device to confirm their identity. What the accountholders didn’t realize is that the bank’s standard process for any wire transfer was to send a one-time password to the mobile phone number on file to confirm an abnormal transfer’s authenticity – not to stop fraudulent attempts. So, when the accountholders received the passcode, they unknowingly provided them to the fraudsters over the phone, effectively authenticating the transfers with the bank. Oh phishing fraud… Oh phishing fraud… But what about the holidays, you ask? Given our chaotic lives, fraudsters love to use phishing during the holidays. Attackers generally focus on major online retailers to enable the largest possible attack. Many consumers have established two-factor verification for accounts with top online retailers, but fraudsters can use this to their advantage if you’re not vigilant. For example, a scammer might send an email to suggest there is a problem with your recent order, then when you click on a link in the email to check on the issue, you might see a pop-up indicating that you’re using a different device than previously seen in the account. Without thinking too far into it, you’re given a one-time passcode that you enter to confirm your identity. The attacker can use your credentials and passcode to successfully log in as you, purchase goods using on-file payment information, and have the goods shipped to an alternate address. Another effective method for fraudsters is to leverage mediums that billions of consumers around the world use daily, like social media. This is the time of year where everyone is sharing photos and links with their friends and family – which is a prime opportunity for fraudsters to use malware or keyloggers to access social media accounts, masquerade as you, and amplify attacks by reaching out to all of your connections. And since fraudsters can just as easily take advantage of the latest AI and machine learning advances, scams are more sophisticated than ever before. Today’s attacks often use millions of servers worldwide to make attacks appear personal – to look like messages from a friend, family member, or other connection. They know your name, mention something personal that they found on one of your social media posts and ask you to do something – like click on the latest viral video or picture. This can all be done automatically and be sent to millions of people at the touch of a button. Send phishing scams on their way I know this all seems unsurmountable, but there are things that businesses and consumers can do to identify if they’ve been a victim and to avoid becoming a victim in these types of schemes. From a business perspective, the most effective approach is to assess users’ historical behavior. Are you seeing a large number of customers trying to move similar amounts to recently linked accounts or purchasing huge volumes of in-demand items? Perhaps the contact center is getting a lot of calls claiming fraud, which can be a sign of recent fraud attacks. Businesses can closely monitor transactions, educate their employees and customers to not click on untrusted links, and make sure there is more than one person to sign off on any account changes or large money transfers. For consumers, the number one thing you can do is to immediately contact the organization or financial institution where you were victimized. I know this takes time out of an already busy day, but it provides the best chance of recouping any lost funds. The other thing you can do is to immediately notify your social contacts about the scam if you’ve fallen victim. That way, others can protect themselves and help limit the damage and spread of any phishing incident. My experience with an “almost” phishing scam is that no one is immune. But the more everyone is aware of the potential consequences and how they can protect themselves, the less likely phishing attempts will be successful. Check out the Experian Insights blog to learn more about how Experian helps businesses and consumers during the holidays and throughout the year.

Most of us have experienced the feeling of frustration when it comes to online security protocols. You need to log-in to an account, but you’ve forgotten your password. When you choose an option to reset your password, you are asked to answer one of your security questions. But you forget which movie you said was your favorite while you were growing up. You take a guess, but unfortunately it’s the wrong one and you find yourself locked out of your account. At this point, you’re annoyed and wonder why accessing your account is so difficult in the first place. Historically, the attempt to balance customer security and convenience has been one of the biggest challenges online businesses have faced. As consumer expectations for smooth online experiences increase, businesses aim to deliver security protocols that make customers feel safe and protected, while allowing for easy and convenient access. According to our recent Global Fraud and Identity Report, 66 percent of consumers like security protocols when they transact online because it makes them feel protected. In fact, the lack of visible security was the number one reason customers abandoned a transaction. However, while consumers may tolerate the nuisance of common barriers to accessing their accounts, including forgetting their password or having to re-renter other security controls like CAPTCHA or two-factor authentication, higher friction doesn’t necessarily mean better security or a better overall experience. If businesses were able to offer a frictionless customer experience that was as secure, if not more secure, than the experience today, they could potentially increase overall revenue and growth. One-third of the consumers we surveyed said they would do more transactions online if there weren't so many security hurdles to overcome. And the number rose even higher in different age groups. For instance, the percentage rose to 42 percent when it came to millennials. We believe that a fundamental shift in the thinking is required. No longer, should businesses attempt to balance security against consumer convenience, but rather, we believe that with the right use of technology, analytics and data, both goals can be simultaneously achieved. In the name of both security and convenience independently, we are already seeing data-driven, artificial-intelligence powered systems operating behind the scenes. We believe that a merging of these two functions will yield significant benefits for the business as a whole. For this to work, businesses will need to gain and maintain the customer's trust without the familiar perception of security. Customers want to be recognized and businesses want to address the growing fraud they are experiencing. Solutions that combine device and behavioral intelligence with other data points such as biometrics, processed via advanced machine-learning, could help businesses in the future, simultaneously recognize their customers more accurately, and do so without challenging them. Winning companies will move from balancing security against convenience, to achieving both goals via a synergistic approach, and ultimately will evolve trust through technology, data and analytics.      

As businesses, we want to know our consumers and their habits so we can offer the best customer experience possible, whether in store or online.

Identity fraud is at an all-time high, and it can have devastating consequences on a person’s life. Victims of identity fraud may have to file for bankruptcy or deal with debt, which can sometimes cause personal relationships to suffer. Elderly people in particular are at the greatest risk of fraud out of any age group, as they tend to more trusting of phone calls, house calls and email scams. It’s my job at Experian to arm them with the tools they need to prevent identity fraud. The number one challenge in helping prevent identity fraud is lack of awareness. People simply don’t know all the risks, so education is a paramount priority. At Experian, we conducted research on the best way to educate different age groups, and found that it varied widely. While younger people are best reached online, older people are more responsive to face-to-face activities, which is part of the reason they are more susceptible to doorstep scams. To help educate elderly people, we found we needed to go out into the community and literally put useful information into people’s hands. As part of these efforts, my team at Experian first worked with the Outreach Solutions organization to help older people in Nottinghamshire, England, understand the dangers of fraud. The pilot campaign, “Tackling Fraud,” reached 15,000 U.K. residents over age 55, teaching them how to tackle the threat of fraud. We armed these individuals with expert advice on how to spot suspicious activity and stop it from happening to them or the people they care about. Given the success and great reception we had in Nottinghamshire, it was clear that this movement could continue growing. According to Experian research, Glasgow is one of the areas with the highest number of identity fraud cases in Scotland. We’d been testing a new television advertisement in Glasgow – marking the first time that identity fraud has ever been advertised on TV in the U.K. – so I made the case to run the next iteration of our Tackling Fraud campaign there, too. In partnership with the Glasgow Council for the Voluntary Sector, we worked with a range of individuals and community groups to provide fraud prevention training to more than 30,000 elderly people in the city.\ We’re dedicated to helping the elderly with our Tackling Fraud campaign, putting people in control of their lives by giving them the information they need to help them protect themselves. I hope that one day we can take this project throughout the U.K. Written by: Phil Rance, Director of Product Identity, Experian Consumer Services