Fraudster Motivations and Business Tactics to Address Corporate Identity Fraud

May 09, 2023

Business identity fraud is a major issue for security teams, product managers, developers, and even marketers. When fraudsters exploit gaps in the information security armor, organizations end up with terrible user experiences, a loss of trust, and lower-quality leads (which means poor conversion rates).

When it comes to corporate identity fraud, there is always a balance between fortifying the doorways into your business and not making them so protected that your legitimate new or returning users can’t easily get in. Protecting those passageways is protecting the growth and sustainability of your business. And in order to build strategies and implement tools to combat corporate identity fraud, you need to understand the motivation behind a fraudster’s actions. Let’s talk about it.

Exploring the Motivations Behind Identity Fraud

The reasons behind fraud may seem relatively obvious, but the psychology behind a bad actor’s behavior is fascinating. Sometimes the pressures of life drive people to think about personal motivations versus ethical ones, leading to even what we would consider “good and upstanding” citizens making questionable choices. Unsurprisingly, most instances of fraud around the globe are largely driven by money. Cybercrime is no different. In addition to financial gain, corporate digital identity fraud can be motivated by power abuse, revenge, and malicious intent.

Monetary motivation

Although data on the geographic source of cybercrime and identity fraud is difficult to come by, a recent paper from the Journal for Humanities & Social Sciences Communications acknowledges that clusters of geographies can be connected to increases in cybercrimes. In addition, those clusters can be correlated with socioeconomic disparity. It seems that cybercrime, like most crime, “is a complex social phenomenon driven by the compound interactions of underlying socioeconomic factors.”

An example of identity fraud driven by monetary gain would be the September 2022 Uber hack. A contractor’s device was infected with malware and their login details were sold on the dark web.

Revenge

Revenge hacks have been on the rise over the last few years. In some cases, they are acts of what is called “hacktivism.” In the case of Anonymous claiming to hack over 700GB of leaked government data after Russia attacked Ukraine, it was an act of defiance against Russia. In other cases, these revenge hacks can just be an example of employee rage, as was seen in the 2017 C.I.A. attack. In that case, more than 34 terabytes of classified information were stolen and released from the agency by a disgruntled employee. This was considered the single largest leak of classified information in the agency’s history.

Power abuse and malicious intent

Power abuse and malicious intent are two distinct concepts that are often confused. Power abuse is the misuse of power, authority, or influence for one's own benefit, while malicious intent is the intention to cause harm or injury to someone or something.

An example of power abuse in the context of corporate identity fraud can be demonstrated by the 2022 Twitter breach, where 5.4 million accounts were stolen from “celebrities, companies, randoms, OGs, etc” according to the hacker that goes by the alias “devil.”

An example of malicious intent, by contrast, was demonstrated in the Uber hack above. In that case, the hacker also got access to internal employee tools and reconfigured Uber’s OpenDNS to display graphic images to employees on some internal sites. This was clearly tasteless and malicious, by our standards.

Examining Possible Solutions to Reduce the Risk of Identity Fraud in Companies

To help reduce the risk of corporate identity fraud, organizations need to take action. Considering the examples above, it may seem like solving global poverty, rehabilitating criminals, and getting a generation of hackers therapy is the right answer. Doing that at scale can be tricky. Instead, organizations can balance defense with ease of use for their customers as a more effective and scalable strategy for warding off cyber-danger. Enhancing security measures to allow customers and employees to safely log in to their accounts while giving an organization the ability to defend access to the data behind login barriers is the key to long-term resilience.

Invisible, largely foolproof tactics where identity information is checked against verified sources will offer easy, necessary layers of security. Organizations also have an opportunity to tap into information that is embedded in the hardware (like a mobile phone) that can help suss out potential points of threat. When engineered carefully, your security measures can simultaneously keep your business and data safe, while still delivering a good user experience.

How Organizations Can Use Technology to Prevent and Respond to Identity Fraud

Mobile phones are a nearly ubiquitous global tool. There are 6 billion mobile phone subscribers, and approximately 7.8 billion people in the world. Each phone has a digital fingerprint (literally and figuratively if you have a biometric authentication system on your phone!) that identifies a user using verified credentials provided by the phone carriers. Organizations can use these handheld devices to help them ensure that a person is who they say they are when they create a new account or try to log in to an existing account.

Two ways you can use this information to your advantage:

  • Silent Network Authorization (SNA) - SNA combines deterministic SIM data from a partner network of mobile carriers with authoritative data signals to verify whether a user is genuine. This means companies can automatically weed out fake users with no input required by genuine users themselves. It provides a completely passwordless, pain-free, and more secure way to sign up or sign back on.
  • SIM-Swap Detection - Swapping a SIM before a transaction can indicate that a user got a new phone or a fraudster stole a SIM. Typically, SIM swaps are not a normal activity before transferring large external funds or conducting other high-value transactions. SIM swap detection gives you the tools to reduce fraud and keep your customers secure while still taking advantage of one of the most user-friendly 2FA solutions.
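
The SIM-swap check described above can be expressed as a small decision policy. This is an added example, not code from the original article or from any vendor's API: the `SimSignal` type, the `decide` function, the 72-hour window and the 1,000 amount threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values (not from the article); tune them to your own fraud data.
SWAP_WINDOW = timedelta(hours=72)   # a swap newer than this counts as "recent"
HIGH_VALUE = 1_000.00               # amount at which a transaction is high value

@dataclass
class SimSignal:
    """Hypothetical shape of a carrier SIM-swap lookup result."""
    lookup_ok: bool                       # False if the carrier could not answer
    last_swap: Optional[datetime] = None  # None means no swap on record

def decide(signal: SimSignal, amount: float, now: datetime) -> str:
    """Return 'allow_sms_otp', 'step_up_non_sms' or 'block_and_review'."""
    high_value = amount >= HIGH_VALUE
    if not signal.lookup_ok:
        # No signal available: fail closed only where the loss would be large.
        return "step_up_non_sms" if high_value else "allow_sms_otp"
    if signal.last_swap is None:
        return "allow_sms_otp"
    # A timestamp in the future gives a negative age and is treated as recent.
    if now - signal.last_swap <= SWAP_WINDOW:
        # An SMS code would reach whoever holds the new SIM, so any
        # step-up has to use a channel that is not tied to the number.
        return "block_and_review" if high_value else "step_up_non_sms"
    return "allow_sms_otp"

if __name__ == "__main__":
    now = datetime(2023, 5, 9, 12, 0, tzinfo=timezone.utc)
    # Constructed sample inputs: (lookup result, transaction amount).
    samples = [
        (SimSignal(True, now - timedelta(hours=2)), 5000.0),
        (SimSignal(True, now - timedelta(days=30)), 5000.0),
        (SimSignal(False), 5000.0),
    ]
    for sig, amt in samples:
        print(amt, sig.last_swap, decide(sig, amt, now))
```

The point the policy makes explicit is that a recent swap invalidates SMS as the second factor, so the fallback must be a different channel rather than another text message.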

What is the state of digital identity fraud?

From the creation of fraudulent bot-generated user accounts to costly account takeovers of high-value customers to identity hijacking during the account recovery process, online fraudsters continue to exploit every gap in the security of online accounts. There’s good news, however. Advancing technology is making it easier to offer protection against fraud without compromising the user experience.

Get the Fraud Defense Checklist

Dive deeply into digital identity fraud in our latest ebook, the “State of Digital Identity Fraud” and get our fraud defense checklist as well as access to the Twilio Fraud Calculator.
