Data breaches occur when a cybercriminal manages to steal sensitive information by successfully infiltrating a data source. They can do it remotely by bypassing the security of an application, network, or server. They can also access data directly from a database, email, or from local storage. There are many ways for cybercriminals to get access to data, which makes Enterprise security a tough challenge.
Enterprises across a wide range of industries are investing small fortunes in cybersecurity technologies and tools – an average of about $18 million annually on cybersecurity measures. However, the 2019 report by the Ponemon Institute and AttackIQ say that about 53% of IT professionals are clueless whether the security measures they deployed are actually working.
In this article, we present you with our complete guide to security breaches and financial fraud – find out why and how breaches occur, what happens with stolen information, and whether you can get reimbursed after falling victim to financial fraud.
Why Do Breaches Occur?
It is 2020, and cybersecurity issues are still on a steady rise. Data breaches are a daily struggle for businesses that get compromised and individuals whose personal information is stolen. According to the Identity Theft Resource Center (ITRC), the number of reported data breaches jumped from 1,257 in 2018 to 1,473 in 2019. There has been a spike in breached data from sources that are becoming increasingly common in the workplace, such as IoT and mobile devices. RiskBased reports that 4.1 billion records were exposed through data breaches in just the first half of 2019.
Since the beginning of the COVID-19 pandemic, instances of cybercrime have jumped by about 300% (according to the FBI). Since February, billions across the world have moved to the online world where they spend much of their time communicating or searching for coronavirus-related news. Also, many workers who began working from home for the first time were unaware of basic security measures for remote work.
Data breaches are financially-driven in most cases. Once a cybercriminal steals sensitive information, they can monetize the information in multiple ways. They can either use stolen information like credit card or Social Security Numbers themselves, or sell the information on the online black market (aka the dark web). Examples of monetized Personally Identifiable Information (PII) are: credit card numbers, Social Security Numbers, Driver’s License Numbers, tax returns, passports, or “packages” that include all the information someone would need to successfully steal an identity.
However, not all hackers are out for financial gain. Some hackers have personal reasons (hacktivism, ideology, and political motivation). These are self-proclaimed “digital” vigilantes who work to expose the practices of oppressive regimes, child abuse, and terrorist groups. Some hackers have no intention of stealing data or making money, but just want to show off their skills.
How can cybercriminals monetize stolen data?
Once hackers lay their hands on stolen data records, they will first take an inventory of what was stolen. They’ll look through the files to find personal information, authentication credentials, and financial information that they could sell or use for future attacks. The most lucrative information includes emails and passwords of online accounts or of large companies, as well as the military and the government. Cybercriminals can:
- Use the stolen data themselves. This is a relatively rare occurrence (because it can attract the attention of the authorities), but it still happens. Hackers can use the stolen data to transfer money from your bank account, buy things online, apply for credit cards and bank loans, pay off debt, and make fraudulent health insurance claims.
- Sell the data on the online black market. Stolen data is often packaged and sold on dark web marketplaces. Typically, they’re sold in bulk so hackers can maximize their profits. The more recent the information, the more valuable it is on the black market. Hackers make the most from credit card information – with the right connections on the black market, they can easily sell credit card information in batches of tens or hundreds of stolen accounts. The buyers usually go through a series of phony purchases to avoid being detected. They use the stolen information to buy gift cards for Amazon.com or other stores, then use those cards to purchase physical items like Passports and eventually sell the items through legitimate channels.
- Opening fake medical practice accounts and filing fraudulent claims. The misuse of stolen healthcare information is a growing problem. According to Trustwave, one medical record is worth about $250 on the dark web. Imagine how much money a criminal can make by selling hundreds of medical records. They often prey on elderly citizens and submit false claims using the stolen information. When receiving bills for smaller amounts, people usually don’t pay much attention and assume they need to pay them. Smaller incremental payments add up quickly and don’t require a lot of work on the criminal’s part.
- Refunds on fake tax returns. Once they have enough data, criminals can file fraudulent tax returns to receive tax refunds from both the IRS and state government treasuries.
- Hold data for ransom. Hackers can steal data and encrypt it so you cannot access it. Then, they ask you to pay a ransom to unlock the encryption and give you access to your data. In many cases, the encryption key doesn’t work or they delete your data anyway.
How Do Breaches Occur?
Let’s take a look at the most common causes of data breaches to find out how they work.
- Criminal hacking. The top cause of breaches is criminal hacking because it is necessary to perform a specific type of attack. The most common cybercriminal hacking techniques involve either stolen credentials or a technique known as SQL injection. SQL injection is an application level problem that is caused by poor input validation controls. It typically means that a SQL statement that connects the web application to a database can be hijacked for the hacker’s purposes instead of the one for which it was designed. If criminals are not tech-savvy enough to steal the info themselves, they can purchase it on the black market and then perform malicious activities and financial frauds.
- Social engineering. One of the most common social engineering methods for conducting a data breach is phishing – cybercriminals send malicious emails that appear legitimate. Financial pretexting is similar to phishing, and it’s when criminals contact targeted people under false pretenses to get to their financial information. They can contact their victims via email and phone.
- Malware. Malware is versatile and can be used for many purposes. The most prominent types include RAM scrapers that collect sensitive information by scanning the memory of digital devices. Keyloggers, Remote Access Trojans (RATs), and ransomware are also quite common.
- Physical actions. Physical incidents involve the theft of devices (laptops, storage devices, and phones) and paperwork containing personal credentials. One of the most prevalent physical actions is credit card skimming, which is when a criminal inserts a device into ATMs and card readers to collect card information.
- Human error. Setting simple and easy-to-break passwords on accounts, leaving a database containing personal information unprotected, or simply sending the info to the wrong person via email are the most common consequences of human error.
The Biggest Breaches to This Date
When an organization suffers a data breach, how much does that cost it? When they add up all the expenses, including investigation, repairs, damage control, lawsuits, and fines – the bill can run up to $4 million. These are some of the biggest data breaches in history.
- Marriott International (2014-2018)
Cybercriminals had been stealing data from 2014 to 2018, and the estimated number of stolen data records topped out at 500 million. After they acquired Starwood Hotels & Resorts Worldwide, the attackers stayed in their system, remaining undiscovered until September 2018. The criminals collected contact information, travel information, passport numbers, credit card numbers and expiration dates, and other personal information. Eventually, the breach was attributed to a Chinese intelligence group that was gathering data on U.S. citizens.
- Canva (2019)
Canva, the Australian graphic design tool site, notified its users about the breach in May 2019. The attackers managed to view names, email addresses, usernames, cities of residence, and other information of 137 million users. Canva claimed that the hackers didn’t steal the information, but managed to view files with partial payment and credit card data. However, a list of about 4 million accounts was later shared online.
- Equifax (2017)
Equifax, one of three large Credit Bureaus in the US and worldwide had an application vulnerability that exposed about 147.9 million consumers. The breach included SSNs, birthdates, addresses and in some cases Driver’s License numbers. The biggest issue was that the exploited vulnerability had a patch available that Equifax had not applied.
- Adult Friend Finder (2016)
The FriendFinder Network, which included Adult Friend Finder, Penthouse,com, Cams.com, and more were breached in October of 2016. There were approximately 41.2 million accounts affected. The stolen data included names, email addresses, and passwords.
- eBay (2014)
One of the world’s largest online marketplaces, eBay, suffered a breach in May 2014 when personal information of 145 million users was compromised. According to eBay officials, the attackers accessed the company’s network by using the credentials of three employees. They had access to their database for 229 days. Luckily, credit card information was not compromised because it was stored separately.
- LinkedIn (2012)
The LinkedIn data breach in 2012 affected 165 million users. First, LinkedIn announced in 2012 that 6.5 million passwords were stolen and posted onto a Russian hacker forum. However, the full extent of the breach was revealed in 2016 – the same attacker who was selling MySpace’s data was offering the personal information of 165 million LinkedIn users.
- Yahoo (2013-2014)
Last but definitely not least – in September 2016, Yahoo announced that the company had fallen victim to a data breach in 2014 where information of 500 million accounts was exposed. However, in December 2016, the company revealed that another breach occurred in 2013, where attackers gained access to 1 billion user accounts. According to their revised estimates from October 2017, a total of 3 billion user accounts were compromised, making this breach the biggest one in history.
Types of Crimeware
Crimeware is an umbrella term for all malware that share a common objective – obtaining confidential information or money. We can define it as programs and social engineering used for fraudulently obtaining money from affected users. Crimeware victims can be both individuals and businesses – anyone with an Internet connection could be attacked at any time.
The damaging effects of crimeware include:
- Identity theft
- Private data theft
- Intrusion of privacy
- Financial losses
- Legal problems (when a compromised device is used by third parties for malicious activities)
- Unwanted advertising
- Loss of productivity due to operating system errors, system slowdowns, etc.
The most concerning aspect of crimeware is the fact that it’s been designed to compromise systems silently. Also, the attacks are often customized, which makes it difficult for traditional antivirus systems to detect them.
The categories of malware that are considered crimeware because of their characteristics include:
Most crimeware consists of programs that are designed to register keystrokes made on a computer, gather confidential information, and take control of a device to execute remote commands. Social engineering involves any attempt to obtain sensitive information from people by tricking them into dropping their guard and providing personal information. The combination of malicious programs and a carefully crafted social engineering ploy is the perfect recipe for conducting a data breach – the social engineering ploy convinces the victim to install a program that captures information or simply hand over their data right into the hands of fraudsters. The purpose of all crimeware is to obtain financial returns, either directly or indirectly.
Is Financial Fraud Reimbursable?
For this matter, it is important to understand the subtle differences between scams and frauds (the two terms are often used interchangeably, but they are not the same). Fraud is a much more severe crime than a scam, and it includes activities such as consumer financial frauds, money laundering, Ponzi schemes, credit card fraud, bribery, and stealing money. These types of crimes are usually perpetrated by employees, vendors, management, and bankers. Scams are a type of fraud – smaller in size and typically targeted at specific categories.
Financial institutions typically won’t reimburse financial scam victims. However, financial frauds are usually reimbursable. For example, if someone gains unauthorized access to your financial data and credit card information, financial institutions and major credit bureaus have a duty to prevent those types of fraud.
There is a concept known as Identity Theft Insurance, which doesn’t cost much and is typically included in identity protection and credit monitoring services like ours. However, in the case of financial fraud, you won’t get reimbursed for the full amount stolen from your account or credit card. You will be covered when it comes to paying for phone bills, notary fees, and legal costs that come up as a result of the fraud. The truth is that you will not recover the total amount of money you lost.
Avoiding Breaches and Financial Frauds
If your company’s database has been exposed, there is nothing you could do to prevent your personal and financial info from reaching the black market. However, there are things you could do to reduce the risk of financial fraud, especially if you work remotely or frequently purchase things online.
- Educate yourself. You need to be able to recognize a fraud or scam, which is why you should educate yourself on the most common types of frauds and methods fraudsters use to get to your personal data.
- Never wire money to strangers. Everyone has received an email (at some point in their lives) from a Nigerian prince asking us to help him transfer money (millions of dollars) from a U.S. account. In return, he offers us a reward of hundreds of thousands of dollars. All you have to do is wire a few thousand dollars to him. If you receive an email from a friend who claims to be stuck in Uganda and asks for money to help him or her come back home, you had better call their phone to ask them first. Their email account has probably been hacked and used for fraudulent activity.
- Never give out sensitive information to people you don’t know. This goes for anything from your name, date of birth, and email address to credit card info, bank account info, and Social Security number. Fraudsters will sometimes reach out to you via phone or email, claiming to be from a government agency, financial institution, or retailer. These institutions or agencies would never ask you to provide personal information via phone or email.
- Create complex passwords. If your financial account passwords are your date of birth or “12345,” they will be easy to crack. Instead, create passwords that are 6-8 characters long, include lowercase and uppercase letters, special characters, and numbers. Also, use a different password for each site you visit. Install a good password manager in order to keep track of all your passwords. When you can, use password manager programs like Keeper.
- Spyware and antivirus protection. Protect the information stored on your computer by installing spyware, firewall, and antivirus protection.
- Patches. Keep your system updated with security patches and system updates.
- Credit monitoring. Tools like Split Credit Monitoring can track down every single change that occurs on your credit reports, such as someone taking out payday loans or financial accounts in your name, use of your SSN, or a sudden change of address. These tools cannot protect you from fraud but can help detect it early on.
- Automated fraud alerts. Placing an alert on credit card transactions or your credit report means that you will receive a notification the moment a change occurs. It’s the best early warning system for financial fraud.
We live in an increasingly digital world, and most of us interact with other people and companies via the Internet. On the one hand, the technology at our fingertips is making our lives easier and more convenient, improving human life in various aspects. But on the other hand, it also allows malicious hackers to deceive others for financial gain. Every online interaction could place you at risk of losing your personal information, losing money, or damaging your life. Stay vigilant and cautious and take all the necessary steps to protect yourself from identity theft.
Split Credit Monitoring is a great tool that comes with features such as 24x7x365 Alert Notifications, identity theft insurance, identity restoration services, lost wallet contents restoration, and more. It is an innovative Identity Theft and Credit Monitoring solution that also has built a community for people interested in being informed and educated about frauds, Internet threats, and viruses.