With an escalated focus on leveraging technology and providing better consumer experiences, the carriers and consumers you work with find themselves solidly in the crosshairs of cybercriminals.
Last year was a banner year for cybercrime in the insurance industry, according to Check Point Research, with cyberattacks on the insurance landscape increasing 50% when compared with 2020.
Sure, fraudsters have always been around, but today's bad actors are a different breed. And those bad actors are just as focused on leveraging technology to accomplish their own goals as are the insurers who are their targets.
One scheme that has plagued the financial services arena and has spilled over into the life insurance industry in the last few years is account take over fraud, or ATO fraud, where fraudsters gain access to consumers' accounts — banking, retirement, and insurance, for example — and use that access to withdraw funds, take out loans, or perform other fraudulent actions.
How is it that the fraudsters gain access to the consumers' accounts?
In many cases, they use a tactic called credential stuffing.
Credential stuffing typically begins when a fraudster purchases username and password combinations on the dark web.
With the proliferation of data breaches, consumer usernames and passwords are increasingly available to fraudsters, who then deploy bots to use those combinations of usernames and passwords across a variety of website login pages — especially those related to financial assets.
Using bots in this way automates the fraud attempts and allows the fraudster to attack more sites using more credentials in a short period of time. It is a low-effort, high-reward tactic, and fraudsters are capitalizing on it.
According to the most recent LexisNexis Risk Solutions Cybercrime Report, bot attacks increased by 41% in 2021 when compared to 2020.
Even with an abysmal hit rate, one or two successes could potentially yield access to large-dollar accounts, which makes life insurance and retirement cash values particularly attractive targets.
Some notable items from a recent edition of the Cybercrime Report:
- As anticipated for some time, fraudsters are now starting to capitalize on the fruits of their bot labors during the pandemic, using them in sophisticated attacks and scams.
- Although fraudsters are continuing the use of the automated bot attacks seen throughout the pandemic, the human-initiated attack rate seen in a large LexisNexis identity security network rose for the first time since 2019.
- While fraudulent account creations remain the highest risk, account takeover attempts have been increasing rapidly.
- For the first time, the mobile share of transactions in the LexisNexis identity security network reached 75%, as app-based companies and industries increased in dominance.
What can be done to protect clients against these emerging attack schemes?
Barriers to Change
First, agents and advisors should encourage their clients to update their login credentials.
Credential stuffing works because so many consumers are creatures of habit.
They often reuse username and passwords across multiple sites, and they neglect to perform basic actions that could provide protection, such as changing their passwords frequently or using more sophisticated passwords.
Even with data breaches as common as they are, many people do not change their behavior to mitigate the risk.
A study by Carnegie Mellon University's CyLab found that about one-third of users typically change their password after an announcement about a breach.
And those who do change often create a similar password or one that is weaker.
Another challenging aspect of credential stuffing is that it is often very difficult for insurers to detect.