Don't Let the Fraudsters Win

Commentary November 04, 2022 at 10:55 AM

With an escalated focus on leveraging technology and providing better consumer experiences, the carriers and consumers you work with find themselves solidly in the crosshairs of cybercriminals.

Last year was a banner year for cybercrime in the insurance industry, according to Check Point Research, with cyberattacks on the insurance landscape increasing 50% when compared with 2020.

Sure, fraudsters have always been around, but today's bad actors are a different breed. And those bad actors are just as focused on leveraging technology to accomplish their own goals as are the insurers who are their targets.

One scheme that has plagued the financial services arena and has spilled over into the life insurance industry in the last few years is account takeover fraud, or ATO fraud, where fraudsters gain access to consumers' accounts — banking, retirement, and insurance, for example — and use that access to withdraw funds, take out loans, or perform other fraudulent actions.

How is it that the fraudsters gain access to the consumers' accounts?

In many cases, they use a tactic called credential stuffing.

Credential stuffing typically begins when a fraudster purchases username and password combinations on the dark web.

With the proliferation of data breaches, consumer usernames and passwords are increasingly available to fraudsters, who then deploy bots to use those combinations of usernames and passwords across a variety of website login pages — especially those related to financial assets.

Using bots in this way automates the fraud attempts and allows the fraudster to attack more sites using more credentials in a short period of time. It is a low-effort, high-reward tactic, and fraudsters are capitalizing on it.

According to the most recent LexisNexis Risk Solutions Cybercrime Report, bot attacks increased by 41% in 2021 when compared to 2020.

Even with an abysmal hit rate, one or two successes could potentially yield access to large-dollar accounts, which makes life insurance and retirement cash values particularly attractive targets.

Some notable items from a recent edition of the Cybercrime Report:

  • As anticipated for some time, fraudsters are now starting to capitalize on the fruits of their bot labors during the pandemic, using them in sophisticated attacks and scams.
  • Although fraudsters are continuing the use of the automated bot attacks seen throughout the pandemic, the human-initiated attack rate seen in a large LexisNexis identity security network rose for the first time since 2019.
  • While fraudulent account creations remain the highest risk, account takeover attempts have been increasing rapidly.
  • For the first time, the mobile share of transactions in the LexisNexis identity security network reached 75%, as app-based companies and industries increased in dominance.

What can be done to protect clients against these emerging attack schemes?

Barriers to Change

First, agents and advisors should encourage their clients to update their login credentials.

Credential stuffing works because so many consumers are creatures of habit.

They often reuse usernames and passwords across multiple sites, and they neglect to perform basic actions that could provide protection, such as changing their passwords frequently or using more sophisticated passwords.

Even with data breaches as common as they are, many people do not change their behavior to mitigate the risk.

A study by Carnegie Mellon University's CyLab found that about one-third of users typically change their password after an announcement about a breach.

And those who do change often create a similar password or one that is weaker.

Another challenging aspect of credential stuffing is that it is often very difficult for insurers to detect.

In most cases, when a correct username and password are presented, unless the insurer is using more sophisticated tools, credential stuffing is likely to go undetected due to the bots' abilities to mirror authentic consumer behaviors.
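A single correct login looks legitimate, but the pattern described earlier (automation trying many username and password pairs with a very low hit rate) shows up when login events are aggregated. The sketch below is an added example, not from the article or from LexisNexis Risk Solutions: it flags sources that try many distinct usernames with few successes and lists the accounts that did log in from those sources, so they can be reviewed. The log format, the thresholds, and grouping by source IP are assumptions; a production tool would also group by device ID, since bots rotate addresses.

```python
from collections import defaultdict

# Constructed sample events (assumed format): "timestamp source_ip username result"
SAMPLE_LOG = """\
2022-11-04T10:00:01Z 203.0.113.7 alice FAIL
2022-11-04T10:00:02Z 203.0.113.7 bob FAIL
2022-11-04T10:00:03Z 203.0.113.7 carol FAIL
2022-11-04T10:00:04Z 203.0.113.7 dave OK
2022-11-04T10:00:05Z 203.0.113.7 erin FAIL
2022-11-04T10:00:06Z 203.0.113.7 frank FAIL
2022-11-04T10:02:10Z 198.51.100.20 grace FAIL
2022-11-04T10:02:30Z 198.51.100.20 grace OK
2022-11-04T10:03:00Z 198.51.100.30 heidi OK
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (ip, username, ok) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log_text, min_users=5, max_success_rate=0.25):
    """Flag sources that try many distinct usernames with a low hit rate."""
    attempts = defaultdict(int)
    users = defaultdict(set)   # usernames tried per source
    hits = defaultdict(set)    # usernames that logged in per source
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)
    report = {}
    for ip, tried in users.items():
        rate = len(hits[ip]) / len(tried)
        if len(tried) >= min_users and rate <= max_success_rate:
            report[ip] = {
                "distinct_users": len(tried),
                "attempts": attempts[ip],
                # Successful logins from a flagged source need step-up review.
                "review_accounts": sorted(hits[ip]),
            }
    return report

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

The customer who mistyped a password once and then logged in is not flagged, while the one successful login from the flagged source is surfaced for review even though the credentials were correct.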

What Insurers Can Do

However, there are measures that all insurers should proactively employ to help prevent ATO and minimize the impact of credential stuffing.

First, do no harm. In other words, do not let your own business rules create risk.

For example, when you onboard your customers and they create their usernames and passwords, take steps to require stronger, more complex passwords and force consumers to change their passwords at regular intervals.

When you do this, also be sure to create a strong, secure password recovery utility that will minimize negative customer experiences for those consumers who forget and need assistance.

Next, you will need to layer additional risk management protection throughout your workflow.

Implement multi-factor authentication, captchas, bot detection tools, and other more sophisticated tools to identify device IDs and leverage behavioral biometrics.

These tools stitch together a customer's true digital identity by analyzing the myriad connections between devices, locations, and anonymized personal information.

Given these insights, the third and final step insurers should take is to be vigilant.

Cybercriminals are leveraging technology and are constantly adapting their approaches, often searching for the path of least resistance.

Make sure you evaluate your workflows to identify the "weakest links" and mitigate the risk.

As consumers globally continue to drive demand for a customer-centric digital world, companies are prioritizing their digital customer excellence strategies to retain and acquire new customers.

While advantageous for legitimate consumers, this trend may lead to more opportunities for fraudsters.

Companies that prioritize fraud prevention and mitigation will need to adopt more sophisticated tools and techniques and must execute a layered strategy to help minimize exposure across all customer journeys and touchpoints.


Jena Kennedy, FLMI, CLU, is senior director, life insurance, at LexisNexis Risk Solutions. She is past president of the Georgia Association of Home Office Underwriters.


© 2024 ALM Global, LLC, All Rights Reserved.