Account takeover attacks spiked in 2020, Kaspersky says

The surge gives further credence to the idea that cybercrime is less about tech know-how and more about social engineering, according to its fraud report.


Kaspersky has released the results of research into fraud detected by its Fraud Prevention platform in 2020, and the results further reinforce what we already knew: 2020 was a banner year for online fraudsters, with account takeovers dominating as the method of choice. 


An account takeover occurs whenever a bad actor obtains a victim's login credentials and seizes control of an online account. Such attacks rose from 34% of the fraud Kaspersky detected in 2019 to 54% by the end of December 2020. Other methods of fraud were blips on the radar compared to account takeovers: The next most common method, at just 16% of detected fraud, was money laundering/mule transactions, followed by new account fraud (14%), and a mere 12% of instances used remote access or hacking tools to accomplish their goals. 


In short, when it comes to fraud, account takeovers should be the No. 1 concern for individuals and businesses heading into 2021, especially as social distancing and remote work continue to be the norm.

“The importance of digital financial services and e-commerce increased last year with people spending more time at home as a result of the pandemic. Kaspersky experts suggest that this caused a spike in social engineering techniques being exploited by cybercriminals,” Kaspersky said in a blog post about the report.

Two of the most popular methods of committing account takeover, according to Kaspersky, are rescuer and investor scams. Both involve voice phishing (calling victims directly), something the FBI recently warned was a growing trend.

Both scams begin with a phone call in which the attacker poses as a security expert or investment consultant, usually from a bank at which the attacker hopes the target holds an account. The caller warns of fraudulent charges, or pitches a new investment scheme the bank has supposedly launched, and persuades the target to hand over the SMS one-time code used as a second factor, along with a bank card number or login details. Because the victim reads the code out to the caller, SMS-based 2FA offers no protection in this scenario. With that data the attacker can log in to the victim's account, drain it of funds, apply for loans, change the password and 2FA settings, and more. 

Phishing attacks like these, which rely on social engineering rather than technical skill, have been on the rise for some time, and it’s unlikely they’ll cease to be a threat anytime soon. Gartner warned that 80% of employees surveyed reported being targeted by phishing attacks in 2020, up from 73% in 2019, and that the rate of people falling for them is increasing as well.


Kaspersky makes six recommendations it said all online services and retailers should adopt to help stem the tide of account takeovers:

  • Limit the number of times a transaction, such as logging in, can be attempted. Account takeovers often involve multiple bad logins before attackers get it right.
  • Send out regular emails to customers warning them of the latest fraud trends, how to identify them, and what to do if they think someone is attempting one on them.
  • Annual security audits, along with penetration tests, should become standard practice.
  • Have a team dedicated to fraud analysis that can keep up on trends and analyze attacks to find solutions.
  • Implement multifactor authentication on all accounts.
  • Install fraud prevention software that can recognize patterns of behavior that appear suspicious and lock down accounts before an attacker can withdraw funds. 
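Two of those recommendations, limiting login attempts and recognizing suspicious behavior patterns, can be illustrated in code. The block below is an added example written for this page, not Kaspersky Fraud Prevention code or anything from the report: a sliding-window failed-login limiter, plus a detector for the post-login sequence described above (a login from a device the account has never used, followed shortly by a password or 2FA change or a withdrawal). The thresholds, the event schema and the sample events are all assumptions constructed for the example.

```python
"""Added example: login-attempt limiting and a simple account-takeover (ATO)
pattern detector run over constructed events. Not Kaspersky's code; the
thresholds, event schema and sample data are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILED_LOGINS = 5    # assumed policy: lock after 5 failures in the window
FAIL_WINDOW_SECS = 900   # assumed: 15-minute sliding window for failures
ATO_WINDOW_SECS = 1800   # assumed: sensitive actions within 30 min of login


@dataclass
class Event:
    ts: int            # unix seconds
    account: str
    kind: str          # login_failed | login_ok | change_2fa | change_password | withdrawal
    device: str = ""   # assumed device fingerprint
    amount: float = 0.0


class LoginLimiter:
    """Per-account sliding-window count of failed logins (recommendation 1)."""

    def __init__(self, max_failed=MAX_FAILED_LOGINS, window=FAIL_WINDOW_SECS):
        self.max_failed = max_failed
        self.window = window
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.locked = set()

    def record_failure(self, account, ts):
        """Record a failed login; return True once the account is locked."""
        q = self.failures[account]
        q.append(ts)
        while q and ts - q[0] > self.window:   # age out old failures
            q.popleft()
        if len(q) >= self.max_failed:
            self.locked.add(account)
        return account in self.locked

    def allowed(self, account):
        return account not in self.locked


class AtoDetector:
    """Flag the post-takeover sequence: login from an unknown device, then a
    credential/2FA change or a withdrawal within the window (recommendation 6)."""

    def __init__(self, known_devices, window=ATO_WINDOW_SECS):
        self.window = window
        self.known_devices = defaultdict(set, {a: set(d) for a, d in known_devices.items()})
        self.suspect_login = {}   # account -> ts of the login from an unknown device
        self.alerts = []          # (account, kind, ts)

    def observe(self, ev):
        if ev.kind == "login_ok":
            if ev.device not in self.known_devices[ev.account]:
                self.suspect_login[ev.account] = ev.ts
            self.known_devices[ev.account].add(ev.device)
            return None
        start = self.suspect_login.get(ev.account)
        if start is None or ev.ts - start > self.window:
            return None
        if ev.kind in ("change_2fa", "change_password", "withdrawal"):
            alert = (ev.account, ev.kind, ev.ts)
            self.alerts.append(alert)
            return alert
        return None


def run_pipeline(events, known_devices):
    """Feed events through both controls; return what was locked, blocked and alerted."""
    limiter, detector, blocked = LoginLimiter(), AtoDetector(known_devices), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login_failed":
            limiter.record_failure(ev.account, ev.ts)
        elif ev.kind == "login_ok" and not limiter.allowed(ev.account):
            blocked.append((ev.account, ev.ts))  # correct password, but account is locked
        else:
            detector.observe(ev)
    return {"locked": set(limiter.locked), "blocked_logins": blocked, "alerts": detector.alerts}


# Constructed sample data for this example, not real telemetry.
SEEDED_DEVICES = {"bob": {"ios-bob"}, "carol": {"mac-carol"}}
SAMPLE_EVENTS = [
    *[Event(100 + i * 10, "alice", "login_failed", "linux-x") for i in range(5)],  # guessing burst
    Event(150, "alice", "login_ok", "linux-x"),          # right password, but already locked
    Event(500, "bob", "login_ok", "ios-bob"),            # normal session, known device
    Event(560, "bob", "withdrawal", "ios-bob", 50.0),
    Event(1000, "carol", "login_ok", "win-unknown"),     # never-seen device ...
    Event(1200, "carol", "change_2fa", "win-unknown"),   # ... 2FA swapped ...
    Event(1300, "carol", "withdrawal", "win-unknown", 9000.0),  # ... funds drained
    Event(2000, "dave", "login_ok", "android-new"),      # new device, but the withdrawal
    Event(5600, "dave", "withdrawal", "android-new", 120.0),    # falls outside the window
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_EVENTS, SEEDED_DEVICES))
```

The detector only reacts to logins from devices it has not seen for that account, so a seeded device list (or a learning period) is needed before it is useful; otherwise every customer's first login looks like a takeover. The limiter keys on the account rather than the source IP, because attackers spread attempts across many addresses while the victim's account is the constant.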
