The Veda 2015 Cybercrime and Fraud Report
Veda is a data analytics company and the leading provider of credit information and analysis in Australia and
In 2015 Veda compiled a report outlining the frequency, types and trends of cybercrime and fraud in Australia in 2015.
The report demonstrated that Cybercrime constantly evolves as cyber criminals respond to security and technology improvements.
This is clearly seen when comparing statistics relating to cybercrime between 2014 and 2015 which are further discussed below.
What are the most common types of cybercrime / computer crimes in Australia?
Common types of cybercrime include
- identity theft,
- online scams,
- fraud involving the buying or selling of goods online (card not present) and
- hacking into online accounts.
The commonality in cybercrime is the criminal’s objective to steal information from victims for their own benefit.
Stealing personal information from individuals allows criminals to do more than just steal money. They may also create rumours, conduct illegal activities, perform blackmail or expose sensitive facts about individuals, firms or governments. They may use a victim’s account as a mule account to launder money or finance terrorism.
The credit industry is a particularly high profile target for cyber-criminals because of the potential direct access to financial gain.
The mechanism to extract financial advantage depends on the sophistication of the criminal. Through phishing or a direct hack, a criminal may access a password and username that allows them to operate a victim’s online account for the purposes of transferring funds or buying goods and services.
A more sophisticated crime might involve the theft of a person’s identity, so criminals can buy and sell assets or apply for credit in the victim’s name.
Cybercrime and fraud in 2015 Statistics
- 1 in 4 Australians have been a victim of identity theft – 25% reported having been a victim (up 7% 2014/15 compared to 2013/14) (Source: Veda Consumer Survey)
- 12.6% Reported volume of online credit application fraud incidents by Veda Shared Fraud Database members up 12.6% 2014/15 compared to 2013/14
- 50% of credit application fraud in Australia now occurring online – an increase of 33% compared to the previous financial year. This compares with a 23% fall in credit application fraud incidents occurring at bank branches in 2014-15 compared to 2013-14 (Source: Veda Shared Fraud Database)
- 59% Fraudulent credit applications involving identity takeovers in Australia rose 59% in the past two years – and 17% in the past 12 months (Source: Veda Shared Fraud Database)
How is cybercrime being used in credit application fraud?
Veda’s database has revealed that fraudsters are now more likely to apply for credit online than fill in an application form in a bank branch, a move being driven by the credit industry moving to online applications. A second key trend is that as credit providers tighten up rules and technology for the verification of identity, providing a false identity has become less viable for fraudsters.
Instead, identity takeover, where the bona fide identity of an individual or entity is stolen and operated for the purpose of applying for credit, is becoming more attractive for criminals.
This type of fraud has grown 59% in the past two years. The opportunities for criminals to use real identities instead of fictitious identities is being aided by the number of data breaches seen in Australia with well-known dating, retail and government databases being compromised.
Veda’s database has further revealed that in 2014/15, identify takeovers accounted for 22% of all confirmed fraudulent credit applications. Driver’s licences were the most common document utilised by fraudsters in attempting an identity takeover.
To meet application criteria, payslips, bank statements and utility bills in the name of an acquired identity were commonly used as part of identity takeover fraud.
50% of credit application fraud incidents occur online, as opposed to 11% occurring at bank branches.
Consumer credit cards are the target of the majority of fraudulent credit applications, up 28% in 2014/15 and now representing 49% of all credit fraud.
The most common fraudulent activity with cards was the presentation of false personal details, but it is important to note that cards had a high proportion of fraud involving identity takeover (37%).
What is a “card not present” transaction fraud?
The Australian Payments Clearing Association (APCA) provides specific estimates of the cost of online fraud in relation to cards and cheques. The APCA defines online fraud as “card-not-present”; i.e., non-face to face transactions.
ACPA data for 2014 shows that fraud on Australian payment cards continued to increase in the card-not-present category, reflecting a global trend both in online card fraud and cybercrime generally. Card fraud rates over the last year have grown from 46.6 to 58.8 cents for every $1,000 spent.
The APCA found card fraud was costing Australia $299.5 million a year (2014). Two thirds of this card fraud was occurring overseas ($200.6 million).
In 2014/15, the Office of the Australian Information Commissioner reported a record high number of 117 notified data breaches in Australia. A data breach is defined as when personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
A data breach usually involves the unauthorised access of hundreds, thousands and sometimes millions of records containing personal information.
At least one data breach occurs weekly in Australia, with an average of 20,073 records lost or stolen per incident.
In Australia, there are currently no laws requiring mandatory reporting of data breaches by organisations, therefore the figure of 117 is likely to under-represent the scale of the issue. Proposed privacy laws are expected to compel organisations to report breaches of customer data, imposing stronger obligations on businesses to respond to hacking, stealing or accidental release of personal information.
A Veda survey of 1,000 Australian consumers in September 2015 found that 79% believed that corporations should have to tell them if their data has been compromised from a breach and of this group a further 33% believed corporations should provide advice on how consumers should protect themselves as result of a breach and offer an identity protection alert service to minimise risk post-breach.
Data breach case study
In late October 2015 an Australian insurance company had their accounting system compromised. Criminals accessed the system and collected a variety of personal information including the payroll details of all the companies’ employees. Within days the criminals used this information to log into a government website where they changed the employees’ bank details for tax returns and then lodged false tax returns in over 20% of the employees’ names with the resulting financial benefit deposited to an unknown bank account. Clearly the criminals knew which systems they needed to access in both the company and the government to obtain the financial benefit. All employees were provided credit and identity protection services by Veda and provided Veda with positive feedback.
How is cybercrime being combated?
Cybercrime has been around since the beginning of the internet when in 1978 the first spam message was sent. Many early threats relied on problems with technology; loop holes in operating systems or browsers through which criminals could take advantage.
As modern day software providers establish robust security features, criminals are increasingly utilising tactics which involve targeting the weakest link in those security systems – humans, who have proven susceptible to clicking on phishing emails, propagating viruses in internet posts or being interested in advertising with malware (malvertising).
Veda’s research from 2015 found that 95% of Australians were taking some kind of active precaution to protect their identity.
Veda, for example, offers a credit file alert service in which subscribers are notified if anyone applies for credit in their name, allowing the subscriber to take immediate steps to stop the fraud,. Veda also offers an Identity Watch Service which monitors and detects fraudulent activity by constantly looking for information provided by subscribers which they would like to be monitored– such as credit and debit card numbers, phone numbers and email addresses – in places on the internet where information is known to be illegally traded.
Veda stores this information securely and uses tools such as web crawlers and forum extraction to locate compromised data online. If an identity monitored item has been compromised, Veda sends an email alert to the subscriber so they can take action.
Veda offers a number of other services and technologies to combat Cybercrime, including:
- Operating a Shared Fraud Database, members of which are called the Veda Fraud Focus Group and include Australia’s “big four” banks, international financial institutions, telecommunications providers, motor vehicle financiers and other credit providers. Members contribute and benefit from data in the database, such as information in relation to confirmed fraud events and intelligence material highlighting trends, patterns and market insights. Each year, Veda identifies approximately $1 billion in fraudulent credit applications. Fraudsters can be banned from applying for credit, devices used for previous fraudulent applications can be red-flagged.
- IDMatrix technology which provides companies and government agencies an online solution to verifying an individual’s identity. Veda’s IDMatrix electronically verifies identity details at the point of application – whether that be online, face-to-face, in a retail setting, or through a call centre or back-office processing centre. In a matter of seconds, Veda’s system will search through up to 22 independent database sources. This enables organisations to immediately verify a customer’s identity without relying on the sighting of paperwork and ID documents. Knowledge Based Authentication (KBA) is a feature of IDMatrix designed to present out-of-wallet questions. An out of wallet question is literally information that cannot be found in a stolen wallet or easily discoverable online. The system asks dynamically generated questions only the applicant should know.
Nyman Gibson Miralis provides expert advice and representation in complex international cybercrime investigations. Our expertise includes dealing with malware, phishing and computer hacking offences, bootlegging and tripping, Bitcoin and crypto-currency fraud, as well as offences relating to identity theft, spreading computer viruses and DDoS attacks.
Contact us if you require assistance.