Fallout from the Equifax breach is coming into clearer focus as more companies begin pinpointing its effects over the last several months. What follows are some new e-commerce fraud trends that emerged after the Equifax breach, and how consumers reacted to the incident.
Ongoing data breaches—including Equifax—were a leading cause of the uptick in online fraud, according to Forter. Other contributing factors include criminals finding new approaches to fraud leveraging mobile devices, identity fraud from direct consumer theft and phishing. Forter derives its data from monitoring $50 billion in transactions annually from 130 million consumers in 188 countries.
Forter defines identity fraud as using others’ details, such as email sign-on credentials, phone numbers and addresses, to steal merchandise and siphon value, while account takeover (ATO) occurs when fraudsters use richer sets of data to hack into existing accounts on a merchant’s website and pose as a returning customer.
“One explanation for the 53% spike in account takeover fraud in Q3 2017 was the flood of high-quality, sensitive information available to fraudsters following the massive Equifax breach,” said Michael Reitblat, Forter’s co-founder and CEO. Identity fraud may be declining because criminals concluded that stealing accounts through ATO can be quicker and more profitable than stealing identities, he speculated.
Four in 10 U.S. consumers (about 90 million) said they have received at least one notification in the last 12 months that their data was breached. But some yawned. About 40% of consumers surveyed had the same level of concern about data breaches this year as last year, and 6% weren’t worried, according to IDology, which conducted its online survey among 1,024 consumers March 7-March 23, 2018.
Asked what steps they had taken to protect their identities after being notified their personal information was breached, 40% of consumers said they changed their online account passwords. Twenty-three percent had a credit or debit card reissued, and about 20% said they turned on fraud alerts or signed up for credit monitoring or identity protection.
One in five consumers took no action after being notified their personal information had been breached, IDology’s survey suggested. Fewer than 20% enabled two-factor authentication or placed a credit freeze on their account. One reason many consumers took no action could be a lack of understanding of exactly which steps to take and why, IDology said in its report.
Equifax, Experian and TransUnion will be required to freeze a consumer’s credit account within one business day of an online or phone request, and within three days after receiving a mailed request. The credit reporting bureaus also must “thaw” consumers’ accounts on demand (free of charge) within the same time parameters. Typically it costs consumers $10 to $30 to freeze a credit file, though it’s already free in some states.
It’s unclear whether consumers will leap to use the free services, based on recent data indicating consumers didn’t take any sudden new interest in their credit scores following the Equifax breach. The percentage of consumers that recently checked their credit score has remained fairly stable, though it’s been climbing gradually for the last five years, according to the Consumer Federation of America. Since 2014, the percentage of consumers who have obtained at least one credit score within the past year rose to about 60% from about 50%, based on a survey the nonprofit organization conducted among 1,005 U.S. adults May 31-June 3, 2018.