Data privacy holds unprecedented significance for consumers and organisations in 2023. Cyber-criminals persistently seek innovative ways to breach sensitive information like credit card information or driver’s licenses.
What does this mean for finance leaders? Financial leaders need to stay vigilant around cyber-risks and adopt proactive measures that safeguard their organisations and consumers alike. By embracing cutting-edge technologies like machine learning and AI, financial leaders can fortify their defences.
One of the main reports this statistics article draws on is the 2023 CERT NZ Data Landscape Report. CERT NZ, the national computer emergency response team (CERT) in New Zealand, provides meaningful insights into identity theft trends that affect thousands of Kiwis each year.
In this article, we delve into crucial identity theft statistics in New Zealand, shedding light on the common techniques used and what organisations can do to combat them.
Of those who experienced identity theft, the report examines how respondents first discovered the theft. For example, 18% of respondents discovered their identities were stolen by monitoring their financial accounts. In addition, more than one in three (36%) were notified about their identity theft by an external source.
Identity theft statistics reveal that cyber-criminals often engage in identity theft for financial gain. Once they gain access to an organisation or individual’s bank account, their initial step is usually to make fraudulent purchases or apply for a loan. In more severe cases, these cyber-criminals may even resort to attempted blackmail.
Once an identity vulnerability is exploited, threat actors can move laterally through systems and networks, amassing intelligence, distributing malicious payloads and exfiltrating data. The longer a malicious actor remains undetected, the greater their opportunity to move from one identity to the next.
The Australian Institute of Criminology notes that fraud often involves misrepresenting one’s identity without being caught out by the authorities or creditors. It further suggests that there are three categories of identity-related fraud: fictitious identities, stolen identities and changed identities (a declaration of change of name). The figure used to demonstrate which type was commonly used shows that names changed by deed poll were the most common type, with 144 files recorded.
The primary reason cyber-criminals clone an individual’s mobile number is to gain greater access to personal information and sensitive data. By cloning a mobile phone, they can essentially replicate the victim’s device. This includes contacts, messages, call logs and, at times, even authentication credentials.
One key takeaway is that about 80% of identity scams are detected by the victims themselves. However, for organisations, it can take twice as long to detect a breach. According to the newsroom, New Zealand organisations are not required to inform their customers if their information has been compromised or breached.
In New Zealand, privacy and data retention have emerged as a major issue following a recent high-profile data breach in which cyber-criminals obtained over one million NZ records. The 2023 Phishing reports further demonstrate that the top cybersecurity incidents NZ organisations faced were phishing and credential stuffing, a 16% increase from the previous year.
One of the key takeaways for financial leaders is to work with IT leaders to educate staff on basic cyber hygiene, provide consistent guidance and support, and implement ongoing, engaging security awareness training. By staying vigilant and implementing robust security controls, financial leaders can minimise the risk of cyber-crime.
Cyber-criminals use various phishing and credential harvesting techniques to commit identity theft. Their attacks may include email phishing, spear phishing, whaling or business email compromise (BEC), vishing, smishing and more. One of their most notable attacks is the BEC attack. This attack involves targeting an organisation via email in an attempt to obtain access to the organisation’s bank account to steal funds.
If cyber-criminals fail at phishing, then they may target other company vulnerabilities. Their likelihood of success increases significantly when they target more than one company vulnerability like servers, applications or networks. When attackers shift their focus to exploit technical vulnerabilities, the level of sophistication and potential impact of the attack can be higher.
Digital Identity New Zealand (DINZ), a not-for-profit member association of the New Zealand Tech Alliance, presents the latest research findings. According to the 2023 digital identity report, a significant number of Kiwis express concerns about the challenges of safeguarding their information online. An overwhelming nine out of ten New Zealanders are keen on having more control over their digital identity, finding it an appealing prospect. Organisations that can deliver on this front will be better positioned to fulfil their customers’ desires.
Organisations have been severely impacted, with cyber-crime inflicting substantial financial losses. These losses, however, do not even account for the additional indirect damages, including data loss, reputational harm, and operational expenses. As we closely monitor the prevailing trends, it becomes evident that the financial losses from cyber-crime continue to escalate each year.
As a financial leader, if you suspect that your organisation has fallen victim to identity fraud, swift action is imperative. First and foremost, isolate and secure the organisation’s bank accounts without delay. Additionally, if the identity theft involved targeting a specific user account, promptly get in touch with your bank or financial institution to isolate the affected bank account.
New Zealand and Australia stand out as countries that have experienced significant financial losses from serious fraud. Cyber-criminals often target nations that have large digital infrastructures and are heavily reliant on technology. Such countries become enticing targets due to the abundance of opportunities they present for cyber-criminals to exploit vulnerabilities. Moreover, the lure of substantial financial rewards in the event of a successful attack further amplifies their desirability as targets for these criminals.
According to David Lacey, founder and managing director of IDCARE, the average victim of identity theft in New Zealand suffered a financial loss of $12,213. Cyber-criminals predominantly targeted identity documents, such as passports and driver’s licenses. Shockingly, only about 80% of identity scams were detected by the victims themselves. When it comes to organisations, the detection process can be even slower, taking up to twice as long to identify and address identity theft incidents.
In addition to the statistics, 23% of the 350 recorded incidents showed indications of a connection to criminal or financially motivated actors. This included scams like phishing and credential stuffing, unauthorised access and malware. Jacqueline Jayne, the security awareness advocate for KnowBe4, points out that organisations ought to reduce their single biggest cyber risk: the human element.
In reference to the CERT NZ 2023 report, organisations faced various types of losses due to cyber-crime, including direct technical damages, such as compromised emails, disrupted phone systems, and compromised websites. Additionally, they experienced indirect losses, such as higher insurance premiums and reduced staff morale, which can have long-term impacts on the organization’s well-being. The financial burden of cyber-crime proves to be overwhelming for any organisation.
Other affected sectors included technology, education and training, manufacturing, construction and many others. Figure 11 demonstrates the breakdown by sector and incident category. One highlight is that the media and telecommunications sector reported that over 50% of their incidents were related to phishing and credential harvesting. These techniques are used to steal an organisation’s login credentials, such as usernames and passwords, in order to commit identity theft.
Mark Gorrie, Senior Director of Norton LifeLock, says, “It’s so important to maintain good digital hygiene – keep your devices updated with the latest operating system, use strong passwords combined with multifactor authentication”. MFA is not only a great tool for individuals but also for corporate accounts like email or software.
According to identity theft statistics, the majority of businesses are either not prepared to protect their customer data or are unsure. In addition, 37% of organisations consider erasing personal data that is no longer needed a great measure to protect their consumers’ data, followed by 36% of organisations that restrict access to personal data within the business.
Whether a privacy breach is caused by accident or malicious intent, the impact on those affected can be devastating. Organisations, no matter their size, need to ensure that consumer information is gathered appropriately and protected from unauthorised access.
Storing information in a cloud environment can be considered as best practice for combating identity theft. Some cloud service providers have enhanced security, centralised security management and data backups. While cloud providers play a significant role in security, organisations must actively implement cybersecurity controls.
IBM Security offers valuable recommendations to organizations for effectively reducing the cost of a data breach. Firstly, they advocate integrating security measures at every stage of software development and deployment. This proactive approach ensures that potential vulnerabilities are addressed early in the process, minimising the risk of data breaches. Secondly, organisations are encouraged to modernize data protection practices across the hybrid cloud environment. Leveraging advanced security AI and automation tools can significantly enhance threat detection and response capabilities. Lastly, to bolster resilience, organisations should gain a comprehensive understanding of their attack surface and regularly practice Incident Response (IR) drills.
On the flip side, organisations that do not utilize security AI or automation tools find themselves at a disadvantage. Surprisingly, nearly 4 in 10 rely solely on manual controls in their security operations, leaving a significant opportunity for cyber-criminals to exploit vulnerabilities. Relying solely on manual controls is insufficient to ensure comprehensive protection for an organisation. In today’s dynamic and sophisticated cyber-threat landscape, security AI and automation play a crucial role in detecting and responding to threats swiftly and effectively.
Despite the reported increase in sensitive data being stored in the cloud, a concerning finding from the study revealed that New Zealand businesses are not fully leveraging encryption to protect this data adequately. Astonishingly, less than 17% of local IT professionals reported that more than 60% of their sensitive data in the cloud was encrypted. However, there is a glimmer of hope as NZ organisations are gradually recognising the advantages of cloud security, leading to a steady rise in cloud adoption year after year.
New Zealand businesses must prioritise investing in comprehensive security controls that are integrated into their software, policies, and staff training. By effectively managing these three critical aspects of the business, financial leaders gain greater control over vulnerabilities and exposure to cyber threats. The key to success lies in constantly evolving security controls, staying one step ahead of the escalating threat of identity theft and other cyber-crimes. With a proactive and adaptive approach to cybersecurity, businesses can significantly enhance their resilience and protect their valuable assets from malicious actors and human error.
Identity theft is the crime of illegally stealing the personal and financial information of another person with the intent of assuming the victim’s identity. Identity fraud is the illegal use of that stolen information.
Identity theft can result from many things, such as security breaches, malware, hacking and phishing. An abundance of information is freely available on the internet, which makes it possible for your identity to be stolen.
Anyone can be a victim of identity theft, including businesses, individuals and government entities. Nonetheless, reports indicate that the elderly are more likely to be targeted by attackers, as they are also more likely to hold information that is valuable to these attackers.
Not many businesses are fortunate enough to recover financially from identity theft; some are never able to recover at all. There are steps we can take to protect ourselves from fraudsters, such as monitoring our credit card and bank statements, verifying communications, and making sure we use the correct website addresses.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.