Blog article
See all stories »

Why we should avoid fraud shaming breach victims

Throughout the COVID-19 pandemic, we have seen the rapid rise of phishing scams, ID theft and account takeover techniques, as fraud has increased alongside digital activity while consumers shop from the safety of their homes. However, the real fallout of the current fraud ‘boomtown’ will not be felt fully for months to come and the increased levels of fraud we’re experiencing will likely continue into the future now that more and more customers are reliant on shopping online.

Peak sales around the upcoming holiday season will be great for online merchants and for us all. Shopping online will help curb the pandemic with less people rushing into physical stores and the increased spending will promote economic recovery. But this growth of online commerce will also see increases in its pitfalls and we must help not shame those businesses that are tackling them. There are two areas in particular I'd like to highlight.

Firstly, the use of the personal and financial data harvested from the vulnerable throughout the pandemic will be used as we head into the next few months, while we’re all trying to recover from the pandemic. While this is happening, rather than accusing and ‘fraud shaming’ businesses that fall victim to this, we should plan to avert longer-term disasters as the stolen data makes its way back to market.

Secondly, we must look past the holiday season too. We’ll be keeping a close eye on the early months of next year, once it has all ended. The typical February chargeback spike will likely be higher than usual, so businesses must be prepared now to deal with that inevitability as it can cause crippling cash flow issues.  

Here are a few realities we face in today’s fight against fraud, which show just how focussed we need to be in tackling the problem together:

  • Companies in the business of preventing fraud are now the front line against serious criminal organisations. But stopping these organisations is a cat and mouse game and right now they are staying out in front. Recent history shows us that the fraud industry has lost its focus and is quite publicly losing the chase. This needs to change. With businesses from a range of sectors jumping into the digital space as a ‘lifeline’ during COVID-19 – many for the first time – we’ve seen fraud increase in response. These businesses must have effective and efficient tools to combat this spike in fraud.
  • The anonymity movement is creating a safe haven for the criminal organisations that fraud companies are coming up against, and those operating within them, enabling them to collaborate and expand. Not to mention the recent ‘right to be forgotten’ law, which could help them cover their tracks once they have used stolen data to commit the crime.
  • Many think artificial intelligence (AI) and machine learning (ML) are the wonder drugs we need to ‘cure’ fraud and can be left to their own devices to solve problems. In reality, supervision is necessary to stay on top of the latest fraud trends and analyse the data needed to understand how to react to fraud. Those committing fraud understand these trends and are making real-time decisions in response to them. So, the way we use AI and ML is outdated. Fraud managers and employees should use a ‘supervised learning’ model instead – this is a tactic the whole industry needs to catch up with.
  • Across many sectors, there is a level of something we call ‘data breach fatigue’ taking place, which can cause fraud prevention to become a tick box exercise and decreasing budget line. Often this level of ‘mass acceptance’ is used as a weapon against businesses as it leaves them unprepared and wide open for attacks. If the urgency to prevent fraud is not addressed on an emotional level in a business, as well as on a technology level, we will soon be standing at the edge of an unbridgeable chasm.

We must remember that fraud prevention businesses, in-house risk professionals, technology providers and industry consultants are all in the job for one reason – to prevent crime. Fraud concerning financial and identity theft often provides funding for more serious criminal activity – such as the drug trade and terrorism. And that’s not to mention the significant personal impact on members of the public, and reputational and financial damage caused to businesses.

As we address fraud in the coming months, and as businesses recover from lockdowns and a period of reduced cash flow, it is important that we support them – not blame them. With the right tools and help, they’ll be able to emerge from COVID-19 and the subsequent recession, with as little damage done as possible.

 

6209

Comments: (2)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 31 August, 2020, 13:45Be the first to give this comment the thumbs up 0 likes

Good post. Quite often victims get defrauded because they leave a wide "open goal", thus increasing their susceptability to fraud. While it's not wrong to call that out occasionally so that others can avoid getting defrauded, I agree that fraud is a b****y crime and that fraudsters must be punished to the fullest extent of the law.

Brian Foster
Brian Foster - Info Quick UK Ltd - Shrewsbury 31 August, 2020, 23:53Be the first to give this comment the thumbs up 0 likes

What I find most disturbing is how companies across Europe and across the world, are being depicted as footloose and fancy free with their customer’s personal data!

Article after article seems hell bent on exposing companies who have suffered a data leak where this publicity will in many cases irreversibly damage those companies reputations by implying they shouldn’t be trusted with personal data as it will be stolen!

The important point here is the word “stolen” because the “selling” of personal data without a customer’s permission is of course absolutely wrong and it was the introduction of GDPR that made it a very serious offence!

However when data is “stolen”, whilst still a very serious issue it is quite different for blatantly obvious reasons and yet we find company after company being treated in the media in such a way that can place in jeopardy their very existence when in reality it is they, along with their customers, who should be treated as victims.

I’m sure many reading this will be of a mind that it is only because of weak security protocols, outdated IT systems and lack of staff training that leads companies into a serious data breach and I would agree, however if you asked the worlds leading cyber experts “is there any cyber security system that is impenetrable by even the most sophisticated cyber criminals” you will all know what the answer would be… no system is 100% safe… probably not even 90% I would hazard a guess!

So hypothetically if a company had the most advanced cyber security with the most highly trained staff and the most sophisticated IT system in the world and they had a data leak and every single piece of their customers personal data was stolen… what does that say about the regulations!!

In my view it has been a classic case of LAZY LEGISLATION and with the exception of fines for selling personal data without permission, most of the rest is just taxation where little thought is given to the consequences to small businesses who suffer a data breach. Many businesses are unable to afford the cyber security systems they should have and are less likely to survive the financial repercussions of any adverse publicity!

In many ways it is similar to Speed Camera legislation. They will always be defended as instrumental in bringing down the number of accidents and possibly they have but to many it is generally accepted as being yet another form of taxation. I can clearly recall being caught doing 46mph in a 40mh zone at just past midnight on a very quiet country road with nobody around!

After two years of GDPR and the likelihood of continuing growth in cybercrime it is time for a re-think in the legislation. In my view there should be mandatory security specifications set out in the legislation and enforced by the ICO. This would provide every business with a minimum standard of cyber security... a benchmark... they should have in place. At least a business would then know where they stand where failure to have reached that standard when a data breach occurs then they would have to suffer the consequences of failing to take the issue seriously.

At the moment even a minor data breach could bring a catastrophic end to your company!

 

Tamas Kadar

Tamas Kadar

Founder and CEO

SEON

Member since

29 May

Location

London

Blog posts

2

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...


See all