As cyber fraud evolves, our strategies must advance as well. Outseer’s annual 2024 Global Fraud & Scams Trends Report provides crucial insights for financial institutions.
Based on data from Outseer’s FraudAction 24/7 Anti-Fraud Command Center (AFCC), this report summarizes key cyber threats from the past year. With 20 years of data gathered from hundreds of clients worldwide, we have gained unique insights into the continuously evolving fraud trends.
Outseer’s analysis of global fraud trends across various attack vectors in 2023 reveals the year-over-year changes in the overall volume of attacks. Below you can find a summary the changes and key trends:
Key Trends
Trend 1: Banking Trojans and Malware-as-a-Service (MaaS)
While the volume of fraud observed grew 108%, malware attacks overall grew a staggering 4,000% or 40X growth in volume, partially due to the increase of malware in mobile channels. This surge was driven by the increase in Malware as a Service, where non-technical fraudsters access malicious software for a fee. Notable malware families include Hydra, Cerberus, and Octo, all contributing to increased Command-and-Control (C2) infrastructure.
While phishing saw a moderate attack increase, brand abuse and rogue mobile app attacks saw a decrease in volume. However, Trojan horse attacks saw sizable increases in the volume of attacks. The rise of Android Banking Trojans surged by 120% in the first half of 2023 alone. This resulted in their share of total attacks increasing from 5% to 11% year-over-year.
Hook Leak
The leak of the Hook Android banking Trojan’s APK and Panel source code in 2023 led to significant growth in HookBot Command and Control Centers (C&Cs), with over 200 new C&Cs detected late in the year. Hook leak contributed to the 20% surge in malware attacks.
Post in fraud forum Translated from Russian by DukeEugene advertising Hook
A Rise in Digital Banking Fuels Attacks Through Mobile
Mobile app usage continues to increase, and now comprises 85% in total traffic. Outseer has seen that the increase in this channel was accompanied by a parallel trend in increased mobile fraud, with 62% of detected fraud originating from mobile apps. This underscores the urgent need for implementing tailored and robust security measures to effectively address the escalating threat landscape within the mobile domain.
Trend 2: Instant Payment Scams
Outseer has seen a significant uptick in unauthorized push payments, mule accounts, and account takeovers in markets where faster payment adoption is high. Surveyed financial institutions saw a spike in fraud attacks using real-time rail: 57% reported mule activity was up, 71% reported consumer ATO had increased, and 62% reported APP fraud had increased.
Faster payments have seen global adoption, leading to increased authorized push payments (APP), mule accounts, and account takeovers. The UK reported £485 million ($618 million) in APP scam losses in 2023, with projections of $4.6 billion by 2026. The US saw over $10 billion in fraud losses, a 14% increase from 2022.
With the introduction of FEDNOW in the US and the increasing adoption of instant payment systems across the globe, combined with the success fraudsters are seeing in these types of scams, more opportunities for scams are expected.
Stopping these scams is difficult because the victims authorize the transactions, often without the realization they are a scam target until after the payment clears.
Identifying Mule Accounts Is a Key Step in Stopping Fraudsters
- Leverage a risk-based approach and take advantage of machine learning that profiles the sender and recipient to more accurately detect mule activities
- Update policies to track beneficiary transaction velocity and unusual amounts
- Utilize a data network such as the Outseer Global Data Network to help share mule accounts intelligence with other organizations
- Tap into the timely insights of web intelligence services such as Outseer Fraud Action Services to identify confirmed mule accounts in addition to compromised email addresses that can be tied to accounts
Rising Liability Shifts
With the rapid increase in faster payment fraud, some governments are enacting or are considering legislation to ensure more support for victims, with the discussion centering around liability shift.
The UK & EU Are on the Forefront of Regulation
The UK and EU have been at the forefront of change with the introduction of the Payment Systems Regulator (PSR) and the upcoming Payment Services Directive 3 (PSD3). In late 2024, the specifics of PSD3 and the implementation of the PSR liability shift will be revealed. As these regulatory changes unfold, financial institutions should stay informed and prepare for potential adjustments in compliance requirements based on the finalized PSD3 framework.
The most important part of the liability changes is that financial institutions and payment service providers must reimburse all in-scope customers that are victims of APP scams, within certain limits. The sending and receiving financial institutions and payment service providers will share the cost of reimbursements to victims 50-50.
Strategic objectives of the PSR reimbursement:
- Decrease the instances of APP fraud
- Improve protection of payment system users
- Incentivize payment service providers to focus on resources to prevent scams
- Increase confidence in the Faster Payment Scheme (FPS)
- Create agile rules to enable the operator to manage evolving fraud threats
While not mandated to adopt any regulation, those outside of the UK and EU could benefit from the learnings.
Trend 3: AI-Powered Scams
AI Fueling Scam Growth
AI has dominated the headlines over the past year and fraudsters have already begun to exploit this technology, with several major scams reported globally. With new AI tools and technology at their disposal, fraudsters are creating varied phishing emails that defeat existing scam and spam email filters. In addition to improving tried-and-true techniques, fraudsters are using AI more often on deepfakes, voice cloning, verification fraud, and authorized push payment (APP) fraud.
While Outseer didn’t see direct fraud losses from generative AI in 2023, we predict that the scams and corresponding losses will continue to grow. Given the goal of generative AI scams is to trick people into believing what fraudsters put out there, Outseer does believe that generative AI contributed to the increased effectiveness of phishing tactics that fueled an even larger increase in Trojan attacks and malware attacks.
Generative AI is enhancing phishing tactics, making scams more convincing. Tools like OpenAI’s Sora can produce hyper-realistic videos, raising concerns about deepfakes and misinformation. The ethical implications and risks of such powerful software are under scrutiny as new Generative AI capabilities are released.
Screenshot from “Beyond Our Reality” (Sora & Donald Allen Stevenson III)
Despite the ways generative AI is being manipulated, predictive AI has also played a pivotal role in detecting cyber threats such as brand abuse, phishing, Trojans, and rogue mobile apps. The strength of AI and machine learning in combating these threats lies in their ability to continuously learn, adapt, and detect evolving patterns of malicious behavior across various digital landscapes. These technologies enable proactive and adaptive security measures, ultimately contributing to a more robust defense against cyber threats.
How Can Financial Institutions & Payment Service Providers Mitigate APP Fraud?
Financial institutions and payment service providers that enhance internal controls can shield themselves from liability-shift losses. Implementing controls can mitigate risk while protecting customers from fraudsters who seek to circumvent an FI’s internal controls by using money mules and executing APP frauds.
Strategic Recommendations
In implementing a robust defense against scams, a multi-layered approach is essential. First, limiting fraudsters’ access to customer credentials and Personally Identifiable Information (PII) is paramount. And while many organizations may overlook actively tracking scams, it’s crucial to track and tag scam attacks for analysis. By tracking scams, businesses can analyze data and refine their mitigation strategies accordingly. This enables a more proactive stance in identifying and countering fraudulent activities effectively.
Data Network Consortium
Join a data network like Outseer’s Global Data Network for better detection control. Using a broad dataset helps identify risk signals more effectively. “These controls are exceptionally well positioned to be among the most effective scam detection solutions” says Datos Insights.
AI and Predictive Analytics
Implement AI and predictive analytics for receive-side detection control. These tools can facilitate risk-based transaction monitoring, slowing down risky real-time payments.
Policy Management Solutions
Regularly update your policy management solutions to adapt to new fraud tactics and regulatory requirements. Clearly defined policies help manage high-risk payments and suspect money mules within regulatory constraints.
Internal Processes
Enhance internal controls with proactive prevention measures, such as customer education and “break the spell” teams for APP scams. Monitor both incoming and outgoing transactions to catch fraudsters in action.
To dive deeper into these insights and equip your institution with the latest strategies, download the full report and watch the accompanying webinar.
