“Account takeover (ATO) is the process by which criminals use a variety of methods, including purchasing stolen information from the dark web, social engineering, phishing, password cracking or credential stuffing to take ownership of online accounts that do not belong to them for a variety of nefarious purposes.  Unfortunately, this attack method has seen an uptick during these turbulent times. In the last year, 27% of the global merchants that participated in the 2022 Global Payments and Fraud Report experienced some form of ATO fraud, and this attack method now ranks as the fifth most prevalent for North American merchants.”

“A system to transfer money online — used over a million times a day in Canada — is not as safe as it advertises, says a Royal Bank customer who had $1,734 stolen during an e-transfer. The theft occurred after Anne Hoover of Peterborough, Ont., e-transferred money from her RBC account to her friend Fran Fearnley, only to have a fraudster intercept the transaction and divert the money to his own account at another bank. “I always use e-transfer,” says Hoover. “I thought it was a safe way to send money.” An RBC manager says an internal investigation indicated that Fearnley’s email account had been hacked, and when Hoover sent the e-transfer, the fraudster figured out the answer for the security question necessary to deposit the money, and then redirected it to a different bank account.”

“In the Web-services provider’s most recent “State of the Internet Security” report released Wednesday, Akamai says criminals like credential stuffingbecause it’s a numbers game. It’s an integral element in taking over a legitimate account to appear as the bona fide customer, thus skirting anti-fraud measures. In credential stuffing, criminals pull data from a database containing valid passwords and user names and attempt to get into a consumer’s online accounts, without much operator action.”

“In the second quarter, location spoofing became the fastest growing attack vector in the space, increasing 257% year-on-year. This is due to the availability of more sophisticated location spoofing tools, which fraudsters use to attempt to disguise their true location to launder money. From collusive play and self-excluders, to malicious account takeovers (ATOs), operators must always be able to differentiate trusted users from fraudsters.”

“I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference.  So when I saw someone mention a “National Bank of Canada” phish, I thought I would pull on the string a bit and see if it was actually an “Interac” phish.   Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank. By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.”

“Synthetic identity fraud differs from tradition identity theft in that the perpetrator creates a new synthetic identity rather than stealing an existing one. The process starts with someone stealing real social security numbers that aren’t actively being used — think children and elderly people who use little, if any, credit — and then creating identities by adding fake addresses.”