
Consumer or Fraudster? A Q&A with Fraud Prevention Experts

As fraudsters continue to evolve their tactics and become more sophisticated in their use of stolen data, fighting fraud is a focus for many organizations that aim to protect their customers, bottom line, and brand. SpyCloud fraud experts Pattie Dillon, Anti-Fraud Solutions Product Manager, and Pete Barker, Director of Fraud & Identity, sat down with Trace Fooshee, Analyst, from Aite-Novarica to discuss:

Here are some highlights from their conversation:

What is Driving Fraud Today?

Trace: We’re seeing new fraudsters in the game as a result of the pandemic, and while they might be unsophisticated in their tactics, they are still able to gain a critical mass of data. I know SpyCloud is constantly analyzing the stolen data you recapture from the criminal underground — what do you see driving fraud these days?

Pete: PII exposures are really driving online fraud. SpyCloud recaptured 15.5 billion credentials and PII assets from the criminal underground last year alone, and these are all pieces of data used to create synthetic identities, open up new accounts, and perpetrate account takeover and online fraud. We also saw that password reuse continues to be a major problem, and unfortunately people’s password habits aren’t getting better. We found 130 million users with the same email address exposed across breaches in 2021 and prior years, as well as a 70% password reuse rate. On average, a user is exposed in 8-10 breaches, so if they’re not taking action, they could continue to get exposed.

Pattie: It really doesn’t even stop with passwords. There’s also a growing threat of malware infections, and malware is one of the most overlooked and hardest to detect types of fraud. It creates a backdoor into systems that logs keystrokes – so when a user is infected, a criminal is able to collect everything they need to steal identities or create identities. It’s a perfect playground for fraud. 

Criminals can also buy malware-as-a-service now, and in our own research, we’ve seen a surge in information stealing malware (or infostealers) like RedLine Stealer, which accounted for 50% of all malware we observed last year. Organizations need to be able to arm themselves with data like malware-infected user records so they can negate stolen web sessions, reset passwords, and do the customer outreach that helps level the playing field with criminals for their consumers and themselves.

What is Fueling ATO and Fraud Attacks?

Trace: Are there any specific data assets a criminal needs to perpetrate an ATO or construct an identity?

Pattie: Knowing who your consumers are is foundational to establishing accounts at financial institutions, and being able to detect and predict what a criminal is going to use to bypass your fraud prevention solutions is really important data to understand. 

Let’s focus on ATO first. The sooner you’re able to detect the signs of account takeover, the more likely you are to prevent it. The more recent the exposure, the more targeted the attacks and the higher the losses. The older the data is, the more likely it is to be on a combolist that would be used for credential stuffing, so still valuable to a criminal. Criminals need stolen credentials (passwords, email addresses, usernames) to be able to take over accounts. They also use a proxy to hide their IP address and location, and then they can bypass fraud solutions with their device. 

Another method is malware and leveraging web session cookies. Most often criminals will use an anti-detect browser that will hide their fingerprint – the criminal appears as the legitimate user and can bypass fraud solutions, even multi-factor authentication (MFA).

From a synthetic identity perspective, by assembling both stolen credentials and PII with some forms of fabricated information, criminals construct identities to make fraudulent purchases and build credit profiles. Those identities can be used for a single transaction, or to establish a long-term relationship with an org to build trust and credit lines, and then abandon the account after leaving the merchant or credit issuer with losses.

Why is Loyalty Fraud Top of Mind for Fraud Teams?

Trace: Fraudsters will target anything that is even remotely of tangible value, and loyalty points can easily be converted to monetary value. What are your thoughts on loyalty fraud?

Pete: Loyalty fraud was a big opportunity at my past (retail) company, and most of it was tied to an ATO from previous data breaches that customers were involved in. Poor password hygiene drove this as most customers reuse their passwords across multiple accounts, which I think we’re all guilty of. At the end of the day, this drove many customer service calls and also caused issues with margin erosion due to price adjustments to make the customer happy. And, the challenge is about protecting the brand. From a customer’s perspective, they actually thought the company was involved in a breach, but after further investigation, the customer was always tied back to a previous breach (from an unrelated site) and a reused password. I’m confident that these customers also could have had malware or hijacked sessions, but we didn’t have the tools to identify or detect these types of issues.

How Does Recaptured Data Enhance Fraud Prevention Frameworks?

Trace: We all know there is no silver bullet when it comes to protecting your organization and your consumers from fraud. What are your thoughts on the layers of defense for fraud teams looking to enhance their control framework?

Pete: You’re spot on – there’s no silver bullet out there, and we know that traditional identity verification is not enough. There are definitely unidentified gaps. Identity verification solutions do not account for a consumer’s risk of ATO, nor do they account for potential malware infections on their devices, and they don’t provide the confidence that people interacting with your site are legitimate consumers and not criminals leveraging stolen data.

Underground data wasn’t even on the radar of the big fraud platforms until recently, and still today many aren’t using underground data in an actionable way. But SpyCloud does.

Recapturing data from the criminal underground and transforming it into actionable insights and solutions that give enterprises an upper hand is our area of expertise.

Trace: I love that concept of underground data and adding additional data points to your intelligence file of who this persona is that you’re doing business with. We’re having to infer some degree of confidence as to who the identity is we’re having to deal with on the other side of the account or transaction. It’s been my experience that the more layers you’ve got and the better you are at orchestrating all of those signals together and putting them into this meaningful picture of the identity you’re working with, the better off you’ll be. 

The interesting direction that fraud prevention is taking is moving from making inferences about identities that we’re working with to where we can almost predict the WHY a consumer is doing what they’re doing. And it’s a really key destination because it’s one of the most important emerging methods available to fraud executives in terms of combatting and mitigating social engineering or scams. You can discern all day long what consumers are doing, but it’s very difficult to infer why they are doing what they’re doing. And it’s difficult to do that unless you have layer upon layer of context around who that persona is and what their patterns of behavior are. So it sounds like this underground data concept is a great way to add contextual information about that persona, specifically in support of the objective of identifying legitimate users, isolating those folks, and giving them a more frictionless path through the experience.

Pattie: When we talked about identity verification not being enough, recaptured data is a complement to the existing layers organizations already have to bring that added dimension and added context to answer the question of why. Especially with malware, we see that as it helps criminals bypass traditional authentication measures, wouldn’t it be nice to know that your customer has malware on their device before allowing them to transfer funds or make a significant purchase? There’s so much to add to what you already have with recaptured data.

Get More Insights on Fraud Prevention
For the full conversation, watch the on-demand webinar

About Aite-Novarica Group:

Aite-Novarica Group is an advisory firm providing mission-critical insights on technology, regulations, strategy, and operations to hundreds of banks, insurers, payments providers, and investment firms—as well as the technology and service providers that support them. Comprising former senior technology, strategy, and operations executives as well as experienced researchers and consultants, our experts provide actionable advice to our client base, leveraging deep insights developed via our extensive network of clients and other industry contacts. Visit them on the web.


Account Opening Fraud: High Risks and High-Risk Customers

Identity fraud is on the rise, with losses estimated to reach $635 billion by 2023. One form of identity fraud that is a growing concern, especially to the financial services industry, is account opening fraud. 

According to FIVerty, as many as 50% of new US accounts in 2021 were fraudulent.

Unfortunately, numbers may be even higher, since the warning signs of fraudulent new accounts frequently go undetected.  

With so much at stake when it comes to fraud, it’s critical that teams understand the latest criminal tactics to protect their customers and themselves. To get a better understanding of account opening fraud, let’s dig into what it is and how you can proactively combat it.

What Is Account Opening Fraud?

Account opening fraud, also referred to as “account enrollment fraud” or “new account fraud,” occurs when fraudsters open accounts using stolen or fabricated identities. It happens in one of two ways:

  • True name application fraud
  • Synthetic identities

Fraudulent account opening using real, stolen identities is called “true name application fraud.” To open an account with a stolen identity, a fraudster acquires or purchases an identity kit, also known as “fullz,” containing the victim’s personal information, including social security number, date of birth, payment information, and address, which they then use to apply for credit cards or loans, or open bank accounts in that person’s name. These accounts are opened to establish credit history and/or launder funds.

Account opening fraud is also perpetrated with synthetic identities, which aren’t linked to a specific person: they are constructed from stolen PII and/or fabricated information and then used to open new accounts, launder money, make fraudulent purchases, and build credit profiles. Synthetic identities are notorious for using data from children or deceased people and can fly under the radar for years, since there isn’t a clear victim to raise the alarm, as opposed to true name identity fraud, in which the victim is evident.

The Importance of Know Your Customer (KYC)

The financial services industry faces the greatest risk from account opening fraud. Every financial organization is responsible by law for making sure that its customers are who they say they are. The Know Your Customer (KYC) regulations were established by the US Financial Crimes Enforcement Network (FinCEN) and “prescribes minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution.” Failure to comply with these regulations can lead to strict penalties. For example, from January 2021 to March 2022, FinCEN imposed more than $600 million in fines for anti-money laundering violations in which banks failed to properly assess the risk of customers and follow up on suspicious transactions.

Per FinCEN, financial companies need to have an anti-money laundering program with strict rules related to Customer Due Diligence (CDD) to verify the identity of all customers and clients who own, control, or profit when an account is opened. For high-risk customers, the requirements for KYC go beyond CDD to Enhanced Due Diligence (EDD), which requires further verifications and ongoing checks. In these cases, it’s even more important to remain in compliance.

For CDD, companies have to classify customers according to risk profiles and be ready to report on suspicion of fraud. According to PYMNTS, the lack of adequate CDD processes contributed to every case where FinCEN levied a fine during the January 2021 to March 2022 time period.

This includes a $140 million fine for a bank that failed to report thousands of suspicious transactions. FinCEN determined that this bank’s CDD process at account opening was insufficient to collect the necessary information to be able to effectively evaluate a customer’s risk and provide active risk monitoring. 

Another bank was fined $390 million when it failed to comply with minimum requirements. In this case, the bank took a risk-based approach to identifying high-risk customers, but the system established by the bank didn’t allow the bank to get the complete understanding it needed of its customers’ activity and patterns in order to identify illegitimate behavior.

It’s clear that being able to fulfill the requirements of KYC and CDD is essential to maintain a trusted environment for customers, not to mention avoiding steep fines from FinCEN. In order to move forward, you need to know that you have KYC and CDD covered to prevent account opening fraud. And you need to be ready to act before the damage is done.

How to Stop Account Opening Fraud

Being able to distinguish between fraudsters and legitimate customers early is imperative in preventing account opening fraud. And SpyCloud Identity Risk Engine is designed to do just that – making it an essential addition to your KYC and CDD processes. What separates SpyCloud Identity Risk Engine from other anti-fraud solutions is that it can assess risk based on data that is normally only available to fraudsters in the criminal underground.

By querying as little as an email or phone number, SpyCloud links and analyzes billions of recaptured data points from breaches and malware logs to correlate the risk associated with a user’s identity. We can identify anomalies within a user’s information, like multiple distinct values for SSN, DOB, government IDs, names, addresses, etc., to highlight illegitimate accounts created by criminals using stolen data. Identity Risk Engine also has the ability to detect emails that have not appeared in any (or in very few) breaches, which is another strong indicator that the email was just created for the purpose of opening an account using a synthetic identity.

Paired with existing anti-fraud and identity verification solutions, this gives you the ability to intervene and prevent fraud before it can happen.

Furthermore, once you know who your high-risk customers are, you can focus your resources on them for a more efficient and cost-effective KYC process.

Aside from alerting to synthetic identities, Identity Risk Engine can provide actionable insights into a user’s security posture, like recency of breach and password hygiene, and even detect malware-infected users. For financial institutions, these underground insights placed at vulnerable points of fraud like new account creation, application submission, account modifications, or money transfers can provide them with real-time, comprehensive data to prevent fraud.

Alternatively, FIs can easily identify users at low risk of synthetic identity or account takeover, preventing negative user experiences and friction, along with decreasing unnecessary time and resources allocated to manual review. With this increased ability to identify legitimate users versus threats, companies can feel confident that they’re doing all they can to know their customers – and not risking millions in fines.
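As an added illustration of the correlation this section describes (it is not SpyCloud’s code, and the record layout, sample data, weights and tiers are all assumptions constructed for this example), the scorer below walks a set of recaptured records for one email address and turns conflicting SSN/DOB values, missing exposure history, password reuse, exposure recency and infostealer hits into a risk tier:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed record layout; NOT SpyCloud's schema (assumption for this example).
@dataclass(frozen=True)
class Record:
    source: str              # breach name, or "malware-log" for an infostealer log
    seen: date               # date the record was recaptured
    email: str
    password: Optional[str]
    ssn: Optional[str]
    dob: Optional[str]
    from_malware: bool = False

# Constructed sample data; every value below is invented.
SAMPLE_RECORDS: List[Record] = [
    Record("shopsite-2019", date(2019, 4, 2),  "alice@example.com", "Spring2019!", "123-45-6789", "1988-02-11"),
    Record("forum-2020",    date(2020, 9, 15), "alice@example.com", "Spring2019!", None,          "1988-02-11"),
    Record("retailer-2021", date(2021, 12, 1), "alice@example.com", "Spring2020!", "123-45-6789", None),
    # One address tied to two SSNs and two DOBs, plus an infostealer log: the synthetic-identity pattern.
    Record("lender-2021",   date(2021, 6, 8),  "mule@example.net", "pass1234", "987-65-4321", "1975-07-30"),
    Record("telco-2022",    date(2022, 3, 1),  "mule@example.net", "pass1234", "111-22-3333", "2002-01-01"),
    Record("malware-log",   date(2022, 5, 20), "mule@example.net", "pass1234", "111-22-3333", "2002-01-01", from_malware=True),
]

AS_OF = date(2022, 6, 1)  # assumed "today" for the sample run

# Assumed weights and thresholds; a real deployment would tune these against observed outcomes.
WEIGHTS = {
    "conflicting_ssn": 40,      # several distinct SSNs behind one email
    "conflicting_dob": 30,      # several distinct birth dates behind one email
    "no_exposure_history": 25,  # address never seen in a breach: possibly created just to open the account
    "password_reused": 10,      # same password exposed in more than one source
    "recent_exposure": 15,      # fresh exposures are the ones most targeted for ATO
    "malware_infected": 35,     # a record came from an infostealer log on the user's device
}

def assess_identity(email: str, records: List[Record], today: date, recent_days: int = 90) -> dict:
    """Correlate every recaptured record for `email` into risk signals, a score and an action tier."""
    hits = [r for r in records if r.email.lower() == email.lower()]
    signals = []

    # Anomaly check: a real person has one SSN and one DOB; synthetic identities often do not.
    if len({r.ssn for r in hits if r.ssn}) > 1:
        signals.append("conflicting_ssn")
    if len({r.dob for r in hits if r.dob}) > 1:
        signals.append("conflicting_dob")

    # Thin history: no exposure at all is itself a signal on a brand-new account application.
    if not hits:
        signals.append("no_exposure_history")

    passwords = [r.password for r in hits if r.password]
    if len(passwords) > len(set(passwords)):
        signals.append("password_reused")

    # Recency: guard the empty case so an unknown email does not crash max().
    if hits and (today - max(r.seen for r in hits)).days <= recent_days:
        signals.append("recent_exposure")

    if any(r.from_malware for r in hits):
        signals.append("malware_infected")

    score = sum(WEIGHTS[s] for s in signals)
    if score >= 50:
        tier = "manual_review"     # hold the transfer/purchase until an analyst looks
    elif score >= 25:
        tier = "step_up_auth"      # ask for additional verification
    else:
        tier = "allow"             # low-risk user gets the frictionless path
    return {"email": email, "exposures": len(hits), "signals": signals, "score": score, "tier": tier}

if __name__ == "__main__":
    for e in ("alice@example.com", "mule@example.net", "fresh@example.org"):
        print(assess_identity(e, SAMPLE_RECORDS, today=AS_OF))
```

Name and address conflicts, which the section also lists, need normalization before counting distinct values (nicknames, initials, abbreviations), so they are left out of this small scorer.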

Learn how you can use recaptured data to prevent account opening fraud with SpyCloud Identity Risk Engine

CISOs Sound Off: Survey Shows CISO Challenges and Priorities

In the past 12 months, 75% of organizations have been hit by at least one cyber attack that caused real, material damage. Right now, 67% of Chief Information Security Officers (CISOs) say that the threat landscape is worse than it was a year ago. That’s according to “The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond,” which outlines the biggest challenges for cybersecurity leaders and how they plan to defend their organization from an increasingly hostile threat landscape. The report, based on a survey of 400+ CISOs, identified several key issues facing security leaders and how they plan to address them.

Ransomware is Top of Mind for CISOs

Ransomware is one of the “most concerning” issues in cybersecurity today, with CISOs ranking it the highest out of the significant cybersecurity attack methods. That’s not a big surprise, with the average downtime from ransomware coming in at 23 days and the average loss racking up to $1.85 million. Ransomware is a global crisis, with over 600 million attempted attacks last year.


Weak or stolen credentials make a very common entry point for ransomware attacks and are considered one of the top riskiest vectors involved in security incidents, according to the SpyCloud Ransomware Defense Report. With Verizon’s 2022 Data Breach Investigations Report showing ransomware was present in 25% of breaches last year, remediating stolen passwords for users in your network makes them useless to criminals who seek easy entry into your systems.

Identifying these compromised user accounts and locking them down early helps you get in front of not only the ransomware threat, but also malware as a whole, as cybercriminals are increasingly using malware to siphon user information and use it for ransomware attacks. Having the ability to thwart ransomware and remediate infected users helps organizations prevent financial loss and brand damage.

CISOs are Going All In on Zero Trust

Zero Trust models have moved from hype to a critical priority, with CISOs rating the Zero Trust model as their top security investment for the next 12 months. In fact, 79% of CISOs indicated that they are already underway with their Zero Trust implementation and another 18% are actively planning it.

Older cybersecurity frameworks tended to assume that known networks were safe, threats came from outside the perimeter, and that knowing the location of a network or provider was enough to make it trustworthy. With its motto being, “Verify everything. Trust nothing,” the Zero Trust model understands that threats can come from anywhere and instead focuses on strictly controlling access through authentication for every device, user, and network flow. 

Zero Trust continuously verifies the identities of users both inside and outside the perimeter – essentially making identity the new perimeter. With identity at the forefront of Zero Trust, data and insights into compromised identity information recaptured from the criminal underground are crucial for a successful Zero Trust implementation.

CISOs Seek Automated Solutions with Actionable Data

According to the survey, 41% of CISOs consider automation to be one of their top three goals, a statistic that has been steadily climbing over the past few years. Automation is valuable to these leaders as it allows for predetermined actions to be approved or denied and with a proactive lens on prevention and protection while minimizing the impact on security teams and other resources.

Automation is especially important because one of the major hindrances to getting the Zero Trust security model up and running is that there aren’t enough skilled cybersecurity professionals available. And the ones organizations have are frequently overwhelmed with constant alerts, irrelevant data, and labor-intensive tools. In fact, the top priorities when buying new security technology – ease of deployment, ease of use, high fidelity alerts and analysis, and automation – all focus on simplifying and streamlining cybersecurity. 


The problem isn’t just the people or the tools. Some aren’t accessing truly actionable data when they need it most. The earlier security practitioners and decision makers can get access to data recaptured from the criminal underground (the same data fraudsters have access to), the more likely it is that they can get ahead of cyber attackers before they get too far. One of the things many CISOs find they need is a security solution that can provide the tailored security data that they actually need to have a proactive, automated response.


From increasing cyber attacks to the seemingly endless number of cybersecurity solutions on the market, CISOs have a lot that keeps them up at night, but there is hope. As bad actors continue to threaten organizations with ransomware, CISOs recognize the need to take a proactive approach to defending against it, and we find the best way to do that is by stopping precursor attacks like data breaches and account takeover, which stem from the use of stolen data (including compromised credentials). The implementation of Zero Trust models will help address concerns about defending identity as the perimeter while the use of automated solutions that offer actionable intelligence will alleviate the talent shortage challenge.

In addition to these key priorities, the survey found that CISOs are also focused on the following in the next 12 months:

    • Ensuring the privacy of customer data
    • Better addressing partner risk
    • Measuring their security program’s effectiveness

Get more insights from the more than 400 CISOs surveyed – download the full report here: “The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond.”

2022 Cybersecurity Industry Statistics: Account Takeover, Ransomware, Data Breaches, BEC & Fraud

With cybersecurity and fraud studies and reports launching almost weekly, who can keep up with all the stats related to account takeover, ransomware, BEC, fraud, and identity theft? We keep a tally ourselves and thought our readers might want access to help bolster their business case to invest in solutions to combat cybercrime and protect their employees, vendors, and consumers from the ever-evolving tactics of cybercriminals.

Account Takeover (ATO) Statistics:

Ransomware Statistics:

  • There were 623.3 million ransomware attacks globally in 2021, up 105 percent in total year over year. In the US, the number of ransomware attacks increased 98% and in the UK 227%. 2022 Sonicwall Cyber Threat Report
  • In 2021 there was an almost 13% increase in ransomware in breaches, accounting for ransomware being present in 25% of breaches – a jump as big as the last five years combined! Verizon 2022 Data Breach Investigations Report
  • 72% of organizations surveyed said they have been affected by ransomware in the past 12 months. 13% of organizations were affected by ransomware 6-10 times within that period, with 5% getting hit more than ten times. SpyCloud 2021 Ransomware Defense Report
  • The IC3 received 3,729 complaints in 2021 identified as ransomware, reflecting losses of more than $49.2 million. FBI Internet Crime Report 2021 [PDF]
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that 14 of 16 critical infrastructure sectors were hit with ransomware in 2021. CISA Alert
  • A survey of more than 400 CISOs found that ransomware is the top cyber threat most concerning to respondents. The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond
  • 79% of IT security leaders agree that high-profile ransomware attacks such as Colonial Pipeline have “significantly elevated” their organization’s concerns about weak or stolen credentials used by customers and employees. Participants identified phishing as the #1 entry point and compromised credentials as #2. SpyCloud 2021 Ransomware Defense Report

Data Breach Statistics:

Business Email Compromise Statistics:

Fraud & Identity Theft Statistics:

About SpyCloud: We transform recaptured data to protect businesses from cyberattacks. Our products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Our unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.


Stolen Credentials, Ransomware & Human Error, Oh My: Key Takeaways from the Verizon 2022 Data Breach Investigations Report

“The more things change, the more they stay the same.”

In its 15th annual report, the Verizon 2022 Data Breach Investigations Report analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches, to provide key insights into the data breach problem. Not only did this year’s report include the annual analysis, but in a nod to the report’s 15-year “anniversary,” Verizon also offered insights from past years, sprinkling the report with throwback references and data points to show how far we’ve come in some regards, but also how things may still be the same in others.

We eagerly anticipated the report drop, and as per usual the analysis did not disappoint. Here are the key takeaways we found most insightful.

Stolen Credentials: The #1 Entry Point

Similar to last year’s report, Verizon reiterated its belief that criminals prefer credentials, as they represent “one of the most tried-and-true methods to gain access to an organization for the past four years.”

We’ve long held that Credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system. There is also a large market for their resale, which means they are truly the ‘gift’ that keeps on giving.

Stolen credentials are pervasive throughout the report, with the need for proper password security highlighted most explicitly with regards to Basic Web Application Attacks (BWAA), or attacks on an organization’s most exposed infrastructure, such as a web server. A whopping 80% of these breaches result from the use of compromised credentials, with exploiting vulnerabilities and brute force attacks a distant second and third, respectively. Closing off this pathway into an organization involves both robust password standards and proactive monitoring for exposed credentials to prevent account takeovers (ATO).

Figure 19 from the Verizon 2022 Data Breach Investigations Report shows stolen credentials as the top action variety in breaches in a green bar chart
Source: Verizon 2022 Data Breach Investigations Report, pg 15

The report indicated an almost 30% increase in stolen credentials since 2017, and we’ve observed the same trend. In our 2022 Annual Identity Exposure Report, we analyzed more than 1.7 billion credential pairs (combinations of email address/username and password) recaptured from the criminal underground and found that credential exposure increased 15% year over year. Exposed credentials fuel ATO, which is often a precursor to ransomware. Therefore the rise in exposed credential data is intimately tied to the rise in ransomware.

Ransomware (and Malware In General) Runs Rampant 

According to the report, ransomware has unsurprisingly continued its upward trend over the years. But shockingly in 2021, there was an almost 13% increase, accounting for ransomware being present in 25% of breaches – a jump as big as the last five years combined! SpyCloud’s own 2021 Ransomware Defense Report backs up these findings, with 72% of organizations surveyed saying they have been affected by ransomware in the past 12 months.

Figure 38 from the Verizon 2022 Data Breach Investigations Report shows the upward trend of ransomware attacks with a green line graph

Ransomware was present in 25% of breaches in 2021, according to Verizon’s analysis. Source: Verizon 2022 Data Breach Investigations Report, pg 27.

So what makes ransomware so prevalent? We’d argue the minimal cost of access has a lot to do with it. Credentials, vulnerabilities, and botnet access needed to execute ransomware attacks can be purchased from initial access brokers relatively cheaply, and successful attacks can garner six- or seven-figure profits.

“Once attackers are inside the victim’s network they often install malware, which violates the Integrity of a system (as does any other illicit change)…The installation of malware was already quite common back in the day, and our data shows that this year is no exception, with over 30% of breach cases involving some type of malware.”

Malware remains the second highest breach action, coming behind only hacking via stolen credentials, a trend that has remained steady since the initial 2008 report’s findings. The key difference today is that malware has now evolved to the point where it can siphon all the data that’s needed to impersonate an employee beyond credentials, including browser fingerprints and web session cookies – and when malware is on a personal device the employee is using to access work applications, it poses an invisible threat to enterprises.

To Err is Human

Figure 9 from the Verizon Data Breach Investigations Report shows human icons where 82% are highlighted green to represent the impact of the human element on breaches

Source: Verizon 2022 Data Breach Investigations Report, pg 8

The human element remains a significant driver for breaches: “This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.”

People and their unfortunate poor habits, that is. Bad password hygiene makes it all too easy for criminals. Our analysis found a 64% password reuse rate for users with more than one password exposed in the last year.

Despite an organization’s best efforts to empower employees with enhanced password requirements and robust security training, the fact remains that people continue to be a weak link in an organization’s security framework.

The supply chain is no exception. Within third-party breaches, the use of stolen credentials was the top action variety (followed by ransomware). Our take? It’s not enough for enterprises to monitor and remediate only their own employees’ risk of account takeover; they must also have an eye on their partners’ ATO risk.


The report is clear: stolen credentials, ransomware (and malware in general), and human behavior all pose problems when it comes to preventing data breaches. But there’s hope. This year’s report offers proactive steps to protect your organization and enhance your security posture that we can get behind:

  • Use antivirus and anti-malware solutions
  • Implement patching, filtering and asset management to prevent exposed vulnerabilities
  • Standardize multi-factor authentication (MFA) and password managers to minimize credential exposure
  • Enable email and web filtering, along with security awareness training

The report acknowledges that trying to change human behavior is “quite an undertaking.” Our customers know that the #1 way to level the playing field is having access to the same data bad actors use to try to gain entry into the enterprise. Request a demo to see our solutions in action – and how we can help you avoid becoming a statistic in a future Verizon Data Breach Investigations Report.
Categories: Account Takeover, Ransomware

The Critical Need to Protect Critical Infrastructure: Spotlight on Utilities

Critical infrastructure is what keeps countries running – from transportation to energy to manufacturing, these sectors are vital to a nation’s economy and national security. Protecting these organizations is a great responsibility as the consequences for negative impacts or outages can put public safety and health at risk.

CISA describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.”

The State of Securing Critical Infrastructure Sectors

In the U.S., the mission of the Cybersecurity and Infrastructure Security Agency (CISA) includes collaborating with businesses, communities, and government at every level to make the nation’s critical infrastructure more secure, functioning, and resilient to defend against today’s threats as well as those “just over the horizon.”

CISA recently put out an advisory regarding malware targeting the energy sector, deployed by advanced persistent threat groups (APTs) intent on disrupting key infrastructure. The agency provided recommendations on how organizations can protect their data, networks and devices. Included in the guidance was changing passwords on a regular schedule and monitoring systems to identify potential threat actors. While CISA already has security standards in place, its latest recommendations reinforce the need for heightened security for critical infrastructure sectors to prevent bad actors from disrupting service and potentially threatening national security.

Recently, the U.S. government has strengthened its stance on cyber incident reporting and passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which sets stricter requirements for reporting cybersecurity incidents and disclosing ransomware payments to the government. Other key aspects of the legislation include the creation of a Joint Ransomware Task Force and a Cyber Incident Reporting Council to increase cybersecurity efforts across the public and private sectors.

The current state of global affairs also illuminates the need for securing critical infrastructure, with public and private organizations working together to monitor potential threats. For example, as potential attacks on critical infrastructure become more of a concern for state and local CISOs, the Commonwealth of Virginia is partnering with private sector enterprises on enhanced threat intelligence and monitoring of its energy grid as the threat of cyberattacks looms.

Spotlight On Utilities

From coast to coast, local governments are being attacked, causing significant impacts on utilities.

In Florida, a threat actor breached a city’s water treatment system and adjusted chemical levels to such a degree that the public could have been harmed. Luckily, the dangerous adjustment was caught and reverted before any damage was done. The investigation ultimately concluded that a computer at the plant had visited a contractor’s website that had been injected with malicious code, which collected data including the operating system, browser type, and other information of the kind malware uses to impersonate legitimate web activity.

After the highly publicized attack in Florida, three other water treatment plant breaches in Maine, Nevada, and California came to light. Previously unreported, the attacks were included in an advisory by CISA, the FBI, the National Security Agency (NSA) and the Environmental Protection Agency (EPA) about how bad actors took over the plants’ supervisory control and data acquisition (SCADA) systems. The agencies warned water treatment plant leaders to be vigilant for suspicious activity and to prevent fraudulent logins by enabling multi-factor authentication (MFA) on devices with remote access to facilities.

And in March, the Brownsville Public Utilities Board (BPUB), which provides water and power to Brownsville, Texas, announced that its systems were impacted by a data security incident in which it was listed as a victim of LockBit, a ransomware operation known for gaining initial access to systems via phishing emails. The attack caused a delay in showing accurate balances in customer accounts.

Attacks can not only impact operations, but also the systems that support the utility companies. For example, a ransomware attack on Baltimore city government systems disrupted customer service options including water bill payment, creating not only an organizational headache, but also causing confusion and frustration for citizens.

Unfortunately, there is a seemingly endless stream of news stories of state and local organizations that find themselves scrambling to pick up the pieces after a breach – leaving no doubt that the number of attacks on utilities (and critical infrastructure as a whole) is a major (and ongoing) concern.

How To Protect Critical Infrastructure Against Cyberattacks

CISA reported that 14 of 16 critical infrastructure sectors were hit with ransomware in 2021. It called for essential mitigations, including:

  • Restricting RDP unless operationally necessary, and if so, requiring MFA “to mitigate credential theft and reuse”
  • Reviewing the security posture of third-party vendors
  • User training to limit clicking on suspicious links and opening suspicious attachments
  • The use of strong, unique, and safely stored passwords

On this last point, it truly is simple bad habits like employees maintaining poor password hygiene that make organizations vulnerable to ransomware attacks and the account takeovers that often precede them.

Despite most organizations having strong password policies in place, SpyCloud’s analysis of exposed data tied to Fortune 1000 companies found that 64% of employees are reusing passwords. Critical infrastructure companies topped the list of industries with poor password hygiene; we identified four critical infrastructure industries where the company’s own name is among the top 3-5 most popular passwords:

  • Aerospace & defense
  • Chemicals
  • Energy
  • Industrials

It’s too soon to forget that one of the worst cyberattacks in history stemmed, at least in part, from the use of a company name in a critical password.

Weak passwords make enterprises susceptible to ATO and ransomware, and with the stakes so high with critical infrastructure, ensuring strong password hygiene is of the utmost importance. However, keeping tabs on employees’ account security poses a substantial burden for security and IT teams.

SpyCloud’s expertise is in recapturing compromised data from the criminal underground – data from breaches, malware-infected devices, and other covert sources that no other provider has access to – and transforming that data into actionable insights for organizations to protect themselves from cyberattacks.

In our Ransomware Defense Survey of enterprises late last year, 79% of security leaders agreed that news of major attacks like the one on Colonial Pipeline (which stemmed from a single compromised password) has “significantly elevated” their organization’s concerns about weak or stolen credentials. The magnitude of the problem is huge, but there is increasing recognition of one key way to prevent ransomware: remediating credentials that have been exposed through data breaches and malware infections.

With access to exposed data from the criminal underground, SpyCloud provides the critical difference in proactively protecting infrastructure and national security. This information levels the playing field against cybercriminals who are determined to wreak havoc on the services we rely on the most.

Learn more insights about the threat of exposed employee data on critical infrastructure organizations in SpyCloud’s 2022 Fortune 1000 Identity Exposure Report.
Categories: Account Takeover, Cybersecurity Research, Fraud Prevention

Shining a Light on the Identity Exposure of Fortune 1000 and FTSE 100 Enterprises

Organizations around the world are ready to put the pandemic behind them, but as we know, it fundamentally changed much about our world. The momentum that propelled the digital age forward during that time meant workplaces went hybrid and employees juggled a growing number of logins. What hasn’t changed is employees’ bad password habits – and the explosion of crimeware tools that continues to reward cybercriminals while leaving organizations more exposed.

For the third year in a row, SpyCloud has analyzed our entire database of more than 200 billion assets recaptured from the criminal underground to understand the scope of exposure among the world’s largest and most sophisticated organizations: the Fortune 1000 and London’s FTSE 100 organizations (and their subsidiaries). Our two separate 2022 reports uncovered that bad cyber hygiene crosses cultural and geographic borders.

We found some of the same patterns on both sides of the pond. Let’s take a look at some of the key findings across Fortune 1000 and FTSE 100 employees.

Rampant Password Reuse is a Shared Problem

Among both Fortune 1000 and FTSE 100 companies, we found a 64% average password reuse rate. (We calculated this rate separately for each dataset by taking the number of employees using the same exposed plaintext password across multiple sites, then dividing it by the number of all employees with exposed passwords.)

This rate is 4 points higher than the 60% reuse rate across our entire database, and a reminder that old exposures are just as damaging as new ones. For months and even years, cybercriminals can leverage leaked credentials to launch ransomware attacks and perpetrate fraud schemes, which explains why CISOs in particular are growing more concerned about the high password recycling rates among their employees.
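As an added illustration (not part of the report or of SpyCloud’s tooling), here is the reuse-rate calculation described above implemented over a handful of (employee, site, password) records. The employee identifiers, sites and passwords are constructed for the example; a real run would take the same triples reduced from recaptured data.

```python
from collections import defaultdict

# Constructed sample records: (employee, site, exposed plaintext password).
# Hypothetical identifiers; nothing here comes from real recaptured data.
RECORDS = [
    ("alice@corp.example", "crm.example",   "Winter2021!"),
    ("alice@corp.example", "forum.example", "Winter2021!"),    # same password, second site
    ("alice@corp.example", "shop.example",  "dog-lover-42"),
    ("bob@corp.example",   "forum.example", "hunter2"),
    ("bob@corp.example",   "shop.example",  "correct-horse"),  # unique per site
    ("carol@corp.example", "crm.example",   "corp2020"),
    ("carol@corp.example", "crm.example",   "corp2020"),       # same site twice: not cross-site reuse
    ("dave@corp.example",  "forum.example", "Sunshine99"),
    ("dave@corp.example",  "crm.example",   "Sunshine99"),     # reused
    ("erin@corp.example",  "forum.example", "x"),              # exposed once only
]


def reuse_rate(records):
    """Return (reusers, exposed, rate) for a list of (employee, site, password).

    exposed: employees with at least one exposed plaintext password
    reusers: employees who used the same plaintext password on two or more
             distinct sites
    rate:    reusers / exposed, or 0.0 when nothing is exposed
    """
    # employee -> password -> set of sites where that exact password was exposed
    sites = defaultdict(lambda: defaultdict(set))
    for employee, site, password in records:
        sites[employee][password].add(site)

    exposed = len(sites)
    reusers = sum(
        1 for per_password in sites.values()
        if any(len(s) >= 2 for s in per_password.values())
    )
    return reusers, exposed, (reusers / exposed if exposed else 0.0)


def reuse_rate_by_group(records, group_of):
    """Same calculation, one rate per group (e.g. one dataset per index),
    since the report computes the rate separately for each dataset."""
    by_group = defaultdict(list)
    for record in records:
        by_group[group_of(record[0])].append(record)
    return {group: reuse_rate(recs) for group, recs in by_group.items()}


if __name__ == "__main__":
    reusers, exposed, rate = reuse_rate(RECORDS)
    print(f"{reusers} of {exposed} exposed employees reuse a password ({rate:.0%})")
```

Note that the same password appearing twice on the same site (carol) does not count as reuse, and that an employee exposed only once (erin) counts in the denominator but cannot count in the numerator; both choices follow the definition quoted above.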

Graphic of 64% password reuse rate

Exposure From Data Breaches is Growing by Double Digits

One of the key data points we look at is the number of breach assets we’ve recaptured, which tells us the magnitude of the corporate exposure. A breach asset is an individual piece of data tied to a user that has been exposed in a breach, such as their password, phone number, or even credit rating. Cybercriminals use these bits of information in phishing and social engineering schemes to gain access into the corporate network or in fraud schemes to take over accounts and impersonate employees.

We can tie 687.23 million breach assets directly to Fortune 1000 employees and 51 million breach assets to employees of FTSE 100 companies and their subsidiaries. Each of these numbers represents double-digit growth from the previous year (26% and 29%, respectively).

We also found a staggering number of corporate email addresses and plaintext passwords in our dataset – 27.36 million pairs of credentials associated with Fortune 1000 employees and 2.75 million credential pairs associated with FTSE 100 and subsidiary employees. 

Cybersecurity experts often warn that cybercriminals’ techniques grow more sophisticated every year. While that’s true, the staggering exposure numbers indicate that malicious actors don’t need sophisticated techniques to breach corporations – why bother when they have such a bountiful cache of compromised logins.

The Financial Sector Leads the Way in PII Exposure 

Human behavior and criminal activity are not beholden to a certain geographical region, and unfortunately financial companies are giving cybercriminals equally rich opportunities to steal sensitive data and gain corporate access – thanks to their employees’ growing PII exposure.

Among Fortune 1000 companies, the financial industry has the highest PII asset exposure. The 70.78 million PII assets tied to financial companies comprise nearly 18% of the entire PII exposure of the Fortune 1000. On the other side of the pond, financials’ slice of the pie is even bigger – with the nearly 6.13 million PII assets tied to financial sector employees comprising almost 22% of total FTSE 100 PII exposure numbers.

The implications of these findings are concerning. Consumers trust financial companies with a lot of their PII and financial data, and guarding this information is a difficult task when your employees themselves have so much of their PII widely available to malicious actors who can use this information to craft detailed, credible spear phishing messages or answer security questions to reset MFA.

The More They’re Different, the More They’re the Same

We’d be remiss not to note that we did see some cultural differences reflected in our analysis. When it comes to their passwords, some Fortune 1000 employees’ favorites include variations of a certain four-letter word that’s not fit for print (which is ironic as it’s particularly popular among media companies). Their UK counterparts may be too polite, as that word doesn’t make it onto their most popular passwords list. 

What FTSE 100 employees do have an affinity for, apparently, is their royals. Their #1 password? George. (For those not up on the latest royal gossip, the adorable 8-year-old Prince George is the firstborn of The Duke and Duchess of Cambridge, otherwise known as Prince William and wife Kate).

Despite those differences, we discovered that people’s habits are people’s habits wherever they live and work. “Password” and “123456” remain equally beloved passwords on both sides. And the use of their company’s name in their passwords is out of control among both Fortune 1000 and FTSE 100 employees. This is one of the worst shortcuts employees can take – and one of the first things criminals check for when trying to guess or crack passwords with their automated tools.

The Dangers of Malware Infections

Another trend worth mentioning in both reports is the growing number of malware infections among these employees and among their companies’ consumers, as the data siphoned by infostealer malware is both extensive and highly valuable on the criminal underground. We found nearly 70,000 infected employees of Fortune 1000 companies, and over 9,500 from the FTSE 100.

Malware infections pose severe risk for companies because they continuously expose data as long as the device is not remediated. Beyond account credentials, we’re talking browser history, autocomplete data, web session cookies, screenshots, system information, and more.

While the risks of an infection on a company-owned device are obvious, an infected system at home has the potential to expose work login credentials and data — and they typically aren’t monitored by corporate security.

Final Thoughts

The trends in our reports tell us that digital identity exposure is a growing, serious problem across the globe. The most effective way of protecting your enterprise from the risks posed by exposed employee data is by protecting employees from themselves – using technology to turn recaptured data from the criminal underground to your advantage. This is especially important now that hybrid remote work is commonplace and the lines between personal and work lives continue to blur.

For more details on our findings, download the 2022 Fortune 1000 Identity Exposure Report and the 2022 London FTSE Identity Exposure Report.
Categories: Fraud Prevention

Too Much, Too Little, or Just Right: How to Spot the Signs of Synthetic Identity Fraud

Synthetic identity fraud is a steadily growing risk that proves costly. The financial services industry has been hit hard, with institutions enduring $20 billion in synthetic identity losses. And with Forbes rating synthetic identity fraud as a top five cybersecurity trend to watch in 2022, it’s high time to address this threat.

Let’s dig into synthetic identity fraud, telltale signs to identify it, and how you (and your business) can detect and avoid this activity.

What Is Synthetic Identity Fraud?

Fraudsters create synthetic identities by piecing together personal information from multiple sources. These identities are a Frankenstein-like mixture of stolen or made-up Social Security Numbers combined with various addresses, names, phone numbers and a date of birth. Once they’ve created these synthetic identities, fraudsters can open new accounts, apply for credit, make big purchases, or do anything else that might establish these identities as real consumers.

It may take months or even years for a bad actor to build up their credit line based on the synthetic identity. Once they’ve reached a high enough credit limit to make large dollar purchases, they max out the credit line, stop making payments, and abandon the account. Enterprises become the victim as they attempt to recover funds in collections, only to find there is no one to contact for payment. The fraudster will move on to other synthetic identities to repeat this pattern. 

Organizations striving to increase legitimate account openings struggle to proactively detect indicators of synthetic identities, which is critical to avoiding regulatory fines stemming from excessive fraud and money laundering.

Top Signs of Synthetic Identity Fraud

The key to identifying synthetic identity fraud lies in the details fraudsters patch together to create their fake profiles. Here are the key signs to look for:

Not enough information:
Just about everyone has appeared in one – or more likely – multiple data breaches at some point in their life. Analysis of SpyCloud’s data shows that the average person, if exposed in one data breach, will be included in 8-10 others, and 3-4 of those could be within a given year. These breaches expose, at minimum, an email address but often expose what criminals call “fullz” – a whole profile of personally identifiable information (PII) for an individual.

Financial institutions rely on historical evidence to validate that an account being opened or a credit application being submitted is legitimate in order to avoid potential financial losses. Uncirculated or newly created consumer emails that have never been exposed on the criminal underground can easily bypass fraud solutions with no negative history. But they should be flagged as suspicious with the potential to be part of a synthetic identity.

Too much information:
Consumers having multiple identifiers like several email addresses, a few past physical addresses, and an old phone number are not uncommon, and can be viewed as a part of a timeline of a digital identity’s lifecycle.

What causes concern is when someone can be associated with not just three email addresses but 30, and not just a mobile and home phone number but 10 phone numbers. This could be an indication that a criminal is using many different emails and burner phones, instead of a reasonable number of email addresses and phone numbers. The same goes for Social Security numbers (SSNs) – an identifier that should be one constant value for an individual.

Too much (or inconsistent) information is just as suspicious as not enough when it comes to detecting constructed identities.
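The two signals above can be expressed as simple checks over an identity profile. The following is an added example, not Identity Risk Engine code; the profile fields, thresholds, reason codes, weights and sample profiles are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Hypothetical thresholds: a handful of identifiers is a normal digital-identity
# lifecycle; tens of them is the "too much information" signal.
MAX_PLAUSIBLE_EMAILS = 10
MAX_PLAUSIBLE_PHONES = 5

# Hypothetical weights per reason code, summed and capped at 100.
WEIGHTS = {
    "NO_EXPOSURE_HISTORY": 40,  # not enough information
    "EXCESSIVE_EMAILS": 30,     # too much information
    "EXCESSIVE_PHONES": 30,
    "MULTIPLE_SSNS": 50,        # inconsistent information
}


@dataclass
class IdentityProfile:
    """Identifiers that recaptured data links to the applicant's email/phone."""
    emails: Set[str] = field(default_factory=set)
    phones: Set[str] = field(default_factory=set)
    ssn_hashes: Set[str] = field(default_factory=set)  # SSNs kept hashed, never raw
    breach_count: int = 0  # distinct breaches in which the identity appears


def synthetic_identity_flags(profile: IdentityProfile) -> List[str]:
    """Reason codes that fire for this profile, in a fixed order."""
    flags = []
    # Not enough information: almost everyone appears in several breaches, so an
    # identity with no exposure history at all deserves a closer look.
    if profile.breach_count == 0:
        flags.append("NO_EXPOSURE_HISTORY")
    # Too much information: more emails or phones than a real lifecycle produces.
    if len(profile.emails) > MAX_PLAUSIBLE_EMAILS:
        flags.append("EXCESSIVE_EMAILS")
    if len(profile.phones) > MAX_PLAUSIBLE_PHONES:
        flags.append("EXCESSIVE_PHONES")
    # Inconsistent information: an SSN should be one constant value per person.
    if len(profile.ssn_hashes) > 1:
        flags.append("MULTIPLE_SSNS")
    return flags


def risk_score(flags: List[str]) -> int:
    """Weighted sum of the reason codes, capped at 100."""
    return min(100, sum(WEIGHTS[f] for f in flags))


def assess(profile: IdentityProfile) -> Tuple[int, List[str]]:
    """Risk score plus the reason codes that explain it."""
    flags = synthetic_identity_flags(profile)
    return risk_score(flags), flags


# Constructed sample profiles (all identifiers are made up).
LEGITIMATE = IdentityProfile(
    emails={"jane@mail.example", "jane.old@isp.example", "jdoe@work.example"},
    phones={"+15550100", "+15550101"},
    ssn_hashes={"ssn-hash-a"},
    breach_count=9,
)
NEVER_SEEN = IdentityProfile(emails={"fresh0042@mail.example"}, phones={"+15550199"})
CONSTRUCTED = IdentityProfile(
    emails={f"persona{i}@mail.example" for i in range(30)},
    phones={f"+1555020{i}" for i in range(10)},
    ssn_hashes={"ssn-hash-a", "ssn-hash-b", "ssn-hash-c"},
    breach_count=4,
)

if __name__ == "__main__":
    for name, profile in [("legitimate", LEGITIMATE), ("never seen", NEVER_SEEN),
                          ("constructed", CONSTRUCTED)]:
        print(name, assess(profile))
```

A never-exposed applicant is not rejected outright; it is flagged so that the application can be stepped up to stronger verification, which is the point made under “Not enough information” above.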

How SpyCloud Identity Risk Engine Detects Synthetic Identity Fraud

Synthetic identity fraud isn’t going anywhere and is on the rise. As criminal tactics continue to evolve, it remains one of the hardest types of fraud for organizations and their anti-fraud solutions to detect. SpyCloud Identity Risk Engine is designed to do exactly this.

What separates Identity Risk Engine from other solutions is that its user risk analysis is based on information that is not available anywhere else – data that otherwise only fraudsters have access to and share. SpyCloud rapidly recaptures data from the criminal underground, and then links billions of assets from data breaches, malware-infected devices, and other underground sources to individuals across their multiple online personas. This enables the solution to detect anomalies within a user’s information that indicate you’re dealing with a synthetic identity.

When used at entry points in the customer account lifecycle that are vulnerable to fraud, this API-delivered solution can be queried with as little input as an email address or phone number and returns an actionable fraud risk assessment without revealing PII. Delivered in real time or out of band, the assessment is a risk score supported by reason codes, key risk indicators, and security-behavior information such as password reuse percentages, malware infections, unique counts of emails, phone numbers and names linked to the digital identity, and breach type, recency, and severity, to help confidently distinguish real consumers from bad actors.

Identity Risk Engine can serve as a complement to your control framework or can be built into an existing risk engine to help organizations illuminate stolen or constructed identities, as well as predict account takeover, detect malware-infected users, and defend against new account fraud. SpyCloud helps you stay ahead of criminals, protecting your organization from avoidable, devastating fraudulent attacks that can stem from tactics including synthetic identity fraud.

Learn how you can use recaptured data to prevent synthetic identity fraud with SpyCloud Identity Risk Engine – request a demo today.
Categories: Account Takeover, Compliance, Password Security

Keeping Up with Compliance: New PCI DSS 4.0 Authentication Standards and What They Mean for You

The Payment Card Industry (PCI) Security Standards Council recently released its Data Security Standards (DSS) version 4.0, which is “a global standard that provides a baseline of technical and operational requirements designated to protect payment data.”

Version 3 of the standards was released six years ago, and while there have been updates along the way, a lot has changed in the industry from a technology and security perspective; hence the need for a full version update of the standards.

Any organization that accepts, transmits or stores any cardholder data falls within the purview of PCI, and must comply with the new standards within the proper transition period. The previous version (PCI DSS v3.2.1) will be retired on March 31, 2024, and some new requirements from v4.0 will go into effect on March 31, 2025.

No matter the timing, awareness of these updates and how they apply to your organization is important to ensure both regulatory compliance and secure transactions for your customers.

What’s New in PCI DSS v4.0?

The newest version of the PCI DSS standards are designed to meet the continually changing needs of the payments industry, especially when it comes to protecting and securing transactions. As the industry evolves, so do security threats, and the updated standards are meant to enhance current security measures.

Two intriguing updated requirements – #2 and #8 – are ones we want to shed light on in particular.

Requirement 2 concerns applying secure configurations to all system components. Acknowledging that bad actors use well-known “default passwords” to easily compromise systems, the new standards now require organizations to have security standards that will “help reduce the potential attack surface.” PCI states that changing default passwords and removing unnecessary software can address this vulnerability.

Requirement 8 covers identifying users and authenticating access to system components. It is meant to protect against attacks by requiring strong authentication factors and providing updated guidance on password composition. The minimum length for passwords/passphrases rises to 12 characters (up from 7 in previous versions; 8 is permitted only where a system cannot support 12), and they must contain both alphabetic and numeric characters. Where a password is the only authentication factor for user access, the standard calls for it to be changed at least every 90 days, unless the security posture of the account is dynamically analyzed and access determined in real time instead.

However, 90-day password rotation is something we at SpyCloud hoped would fade away years ago since it’s actually beneficial to criminals. When forced to create a new password every three months, human behavior defaults to reusing passwords or similar variations of the same password, which creates vulnerabilities that criminals are waiting to exploit. Therefore this requirement is one that we can’t say we agree with.

Recognizing the industry’s move to the cloud, PCI DSS v4 puts more emphasis on multi-factor authentication (MFA) and lifecycle management to incorporate additional layers of security to online payments. Key updates include requiring MFA for all accounts that have access to cardholder information, comparing prospective passwords to the list of known bad passwords, and reviewing access privileges at least once every six months.
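As an added example (not code from the PCI Security Standards Council or from SpyCloud), the following implements the Requirement 8 password checks described above: the 12-character minimum, the alphabetic-plus-numeric rule, and a comparison against a known-bad list. The list is stored as SHA-1 hashes and queried by hash prefix, so the candidate password itself never has to leave the client; the known-bad entries are a constructed stand-in for a breach-derived list, which in practice would be far larger and would also include credentials already exposed for that user.

```python
import hashlib

MIN_LENGTH = 12  # PCI DSS v4.0 minimum for passwords/passphrases


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password; the usual key for breach-list lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach-derived known-bad list. A real list holds
# hashes, not plaintext, so we hash a few well-known bad choices at import time.
KNOWN_BAD_HASHES = {
    sha1_hex(p) for p in ("password", "123456", "Password1234", "george", "Winter2021!")
}


def bad_hash_suffixes(prefix: str, known_bad=KNOWN_BAD_HASHES):
    """Range query in the k-anonymity style: the caller sends only the first
    five hex characters of its hash and gets back every matching suffix, so the
    full hash of the candidate is never disclosed to the list holder."""
    return {h[5:] for h in known_bad if h.startswith(prefix)}


def in_known_bad_list(candidate: str, known_bad=KNOWN_BAD_HASHES) -> bool:
    """Client side of the range query: compare suffixes locally."""
    digest = sha1_hex(candidate)
    return digest[5:] in bad_hash_suffixes(digest[:5], known_bad)


def check_password(candidate: str, known_bad=KNOWN_BAD_HASHES):
    """Return the list of failed checks (an empty list means the password passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        failures.append("no numeric character")
    if in_known_bad_list(candidate, known_bad):
        failures.append("appears in a known-bad password list")
    return failures


if __name__ == "__main__":
    for pw in ("Password1234", "correct-horse-battery", "short1", "Tr0ub4dor&3-staple"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The known-bad comparison is the check that catches “Password1234”, which satisfies length and composition yet is exactly the kind of password criminals try first; length and composition rules alone would have accepted it.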

Also of note with the updated requirements is the repeated reference to malware and malicious actors. PCI specifically states the updates were made “to address emerging threats and technologies and enable innovative methods to combat new threats.” The updated standards require the use of anti-malware solutions on all systems that are at risk from it; a critical step in protecting cardholder data from hard-to-detect threats.

PCI says it best: “Criminals never sleep. Ongoing security is crucial to protect payment data.” Learn how to better protect your customers from ATO and fraud with SpyCloud: request a demo today.

Enhance Payment Security with SpyCloud

At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Our 2022 Annual Identity Exposure Report, in which we analyze the more than 15 billion credentials and PII assets recaptured from the criminal underground in 2021, uncovered a 64% password reuse rate for users with more than one password exposed in the last year.

When your consumers reuse passwords, they become easy targets for cybercriminals. Since stolen and reused credentials have been a leading attack vector in recent years, PCI DSS v4.0’s more stringent requirements around password length and security are something we can get behind.

Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases. These activities can not only damage your brand and your bottom line, but also put you at risk for noncompliance with PCI DSS v4.0.

With Consumer ATO Prevention, you can match your consumer logins against SpyCloud’s robust database of stolen credentials and reset passwords before criminals can profit from your consumers’ accounts.

We also appreciate PCI DSS v4.0’s focus on malware, as we are seeing an increase in malware logs in our recaptured data. Information pilfered by malware-infected devices is shared in small criminal circles, private chat groups, and also posted on underground web forums. SpyCloud is able to recover this data and deliver malware intelligence to enterprises – automated feeds of infected victims’ usernames, URLs, passwords, and session cookies. This helps consumers and organizations protect themselves before criminals can leverage their stolen data for ATO, identity theft, and online fraud.

The increase in online transactions over the last few years lent itself to an explosion in online fraud, resulting in a 140% increase in the volume of fraud attacks last year compared to pre-pandemic levels. To combat this, the evolution of compliance standards to take into account the impacts of exposed passwords and other information can help protect enterprises and consumers alike. 

Proper password hygiene is paramount to a successful individual and organizational security program. To learn more about how it plays into ATO and what you can do to combat it, check out Account Takeover 101.
Categories: Account Takeover, Fraud Prevention, Password Security

What To Do If My Password Was Found in a Data Breach

What should you do if your password is stolen? At SpyCloud, that’s something we think about a lot.

SpyCloud maintains the largest and most up-to-date collection of recaptured data from breaches, malware-infected devices, and other underground sources. A portion of these credentials are found in the same combo lists that criminals are using today in successful credential stuffing attacks. Others are from sources that only SpyCloud has obtained access to that help thwart account takeover (ATO) and prevent fraud before the assets are available as commodities on the criminal underground. Should your credentials ever appear in our datasets, we recommend you take immediate action to protect yourself.

But how do you know if your data has been exposed? Check your exposure here – simply enter your email address and we can tell you how many times your credentials have been found in third-party data breaches recaptured by SpyCloud on the criminal underground, as well as how recently your data was exposed.

Four Steps to Take After Your Password is Stolen

In terms of remediation, your first order of business is to change your exposed password. But that’s not all you need to do in order to contain the damage. Failure to act quickly may result in the compromise of additional accounts, especially if you reuse passwords. Even if you don’t reuse passwords, your compromised information may be enough for criminals to pivot off of to then target other accounts. We suggest following this checklist to protect yourself from potential future attacks.

Here is what to do when your password is stolen:

  1. Change the compromised password immediately. We highly recommend the use of a long, complex password containing random letters, numbers and special characters.
  2. Change all variations of the compromised password on any of your accounts and never use it again. It’s not enough to monitor other accounts using the same or a similar password for suspicious activity. 
  3. Enable multi-factor authentication (MFA) for all of your accounts where MFA is an option.
  4. Implement a password manager so all of your passwords are unique and easily managed. It’s common for people to have more than 100 online accounts, each requiring their own unique password. Most password managers auto-generate complex passwords. Any password that is easy to remember is also easy to guess – this is why the strongest passwords are generated automatically using a password manager.
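Step 2 raises a practical question: what counts as a “variation” of the compromised password? The following added example (not SpyCloud’s matching logic) treats a candidate as a variant when it differs from the compromised password by at most two edits, or when both reduce to the same core after lowercasing, undoing common character substitutions, and stripping leading and trailing digits and symbols. The sample passwords are constructed; a practitioner would run it over a password-manager export.

```python
import re
from typing import List

# Common substitutions people use to "change" a password without changing it.
SYMBOL_LEET = str.maketrans({"@": "a", "$": "s"})
DIGIT_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
MIN_CORE = 4  # cores shorter than this are too generic to compare


def normalize_core(password: str) -> str:
    """Reduce a password to the word its owner thinks of it as."""
    core = password.lower().translate(SYMBOL_LEET)     # "$ummer21"    -> "summer21"
    core = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", core)   # "summer2021!" -> "summer"
    return core.translate(DIGIT_LEET)                  # "p4ssw0rd"    -> "password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variant(candidate: str, compromised: str, max_edits: int = 2) -> bool:
    """True when the candidate should be retired along with the compromised one."""
    if edit_distance(candidate.lower(), compromised.lower()) <= max_edits:
        return True  # e.g. the year bumped or a symbol appended
    c1, c2 = normalize_core(candidate), normalize_core(compromised)
    return len(c1) >= MIN_CORE and c1 == c2  # same word dressed up differently


def find_variants(compromised: str, candidates: List[str]) -> List[str]:
    """Every candidate that is the compromised password or a variation of it."""
    return [c for c in candidates if is_variant(c, compromised)]


# Constructed sample: one exposed password and other passwords from the same user.
COMPROMISED = "Summer2021!"
CANDIDATES = ["Summer2022!", "$ummer21", "summ3r", "Winter2021!", "Tr0ub4dor&3", "Summer2021!"]

if __name__ == "__main__":
    for pw in find_variants(COMPROMISED, CANDIDATES):
        print(f"retire {pw!r}: variant of the compromised password")
```

The edit-distance rule catches the year-bump pattern, and the core rule catches rewrites such as “$ummer21” that are far apart character by character but identical to anyone who has seen the original; a criminal’s wordlist generator applies exactly these transformations to an exposed password.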

Top Tips for Stronger Passwords

Password hygiene seems like a simple concept, but SpyCloud research shows a 64% password reuse rate for users with more than one password exposed in the last year. To avoid your password being compromised, follow our recommendations for stronger passwords and stronger account protection overall:

    • Choose a complex, 16+ character password or passphrase – Our testing revealed that passwords with 16+ random letters, numbers and symbols, regardless of the hashing algorithm used, would require centuries to crack.
    • Make passwords unique across accounts – Use a different, complex password for every online account.
    • Don’t mix business logins with personal accounts – Mixing business with pleasure means that a breach of a work site can jeopardize your personal life and vice versa.
    • Use multi-factor authentication (MFA) whenever prompted – Though MFA is not unhackable, providing something you know (a password) plus something you are (biometrics) or something you have (a smartphone token) will deter most criminals.

The SpyCloud Difference

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

See SpyCloud in action – request a demo today.