In a Nutshell: As the COVID-19 pandemic took hold in 2020, consumers purchased more products and services on the internet. Unfortunately, that trend also motivated cybercriminals to increase their efforts. In Canada, for example, 2020 rates for ecommerce merchandise and credit card fraud surged well beyond 2019 levels. Internet fraud is ultimately a game of numbers, according to Jeff Thomson, Senior RCMP Intelligence Analyst at the Canadian Anti-Fraud Centre. If Canadian consumers adopt a few simple fraud protection habits and practices, they can help turn the tide against scammers.
As the COVID-19 pandemic affected Canada in late summer 2020, a cyberattack targeted approximately 15,000 accounts used to deliver government services to the country’s citizens.
But the fraudsters behind that attack weren’t tech-savvy criminals using the latest cyber tricks to breach the government’s strong defenses. Instead, they used a simple technique known as credential stuffing to steal information by exploiting the negligence of account creators.
After obtaining a list of usernames and passwords harvested from previous data breaches, all the scammers had to do was plug those credentials into the government’s system.
The account holders used the same passwords on the government site they had used previously on compromised sites. So the criminals drew resources from more than 11,000 accounts.
According to Jeff Thomson, Senior Royal Canadian Mounted Police (RCMP) Intelligence Analyst at the Canadian Anti-Fraud Centre (CAFC), this attack demonstrated one of the ways criminals use information they gather from data breaches, as well as the need for increased cyber security awareness.
“With the credential stuffing attack, you saw the importance of using unique usernames and passwords across accounts,” Thomson said. “In general, if you do your due diligence, you can ensure a higher level of protection for everyone.”
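The credential stuffing pattern described above leaves a recognizable trace in login logs: one source tries many different accounts about once each, and a few attempts succeed. The following sketch is an added example, not part of the original article; the log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-08-01T10:00:01 203.0.113.7 alice FAIL
2020-08-01T10:00:02 203.0.113.7 bob FAIL
2020-08-01T10:00:03 203.0.113.7 carol OK
2020-08-01T10:00:04 203.0.113.7 dave FAIL
2020-08-01T10:00:05 203.0.113.7 erin FAIL
2020-08-01T10:00:06 203.0.113.7 frank OK
2020-08-01T10:01:00 198.51.100.9 grace FAIL
2020-08-01T10:01:05 198.51.100.9 grace FAIL
2020-08-01T10:01:09 198.51.100.9 grace FAIL
2020-08-01T10:01:15 198.51.100.9 grace FAIL
2020-08-01T10:01:20 198.51.100.9 grace FAIL
2020-08-01T10:01:30 198.51.100.9 grace FAIL
2020-08-01T10:02:00 192.0.2.44 heidi FAIL
2020-08-01T10:02:10 192.0.2.44 heidi OK
"""

def parse(log_text):
    """Yield (ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def detect_stuffing(log_text, min_users=5, max_tries_per_user=2.0):
    """Flag sources that try many distinct accounts, about once each."""
    attempts = defaultdict(int)   # total login attempts per source
    users = defaultdict(set)      # distinct usernames tried per source
    hit = defaultdict(set)        # usernames that logged in successfully
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hit[ip].add(user)
    findings = {}
    for ip, seen in users.items():
        if len(seen) >= min_users and attempts[ip] / len(seen) <= max_tries_per_user:
            # Accounts that accepted a replayed password need a forced reset.
            findings[ip] = sorted(hit[ip])
    return findings

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "-> reset:", ", ".join(accounts) or "none")
```

The repeated guesses against a single account and the user who mistyped a password once are not flagged, because neither touches many accounts.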
The CAFC is a public agency jointly managed by the RCMP, Competition Bureau Canada, and the Ontario Provincial Police. As a clearinghouse for fraud, the organization allows Canadians to report fraud and cybercrime, learn about the types of fraud, and find ways to protect themselves.
Merchandise Scammers Prey on Homebound Consumers
Everywhere the pandemic intersected with ecommerce in 2020, scammers stepped up to exploit as many people as possible. One area of heightened activity was merchandise fraud, in which consumers either didn’t receive the correct order — or received nothing at all.
The merchandise fraud spike occurred even though Canadians are generally internet-savvy and accustomed to shopping online. The problem was an increase in those online transactions.
“The climate was ripe for fraud,” Thomson said. “Early on in the pandemic especially, when lockdowns were happening, and everybody was at home, you had more people turning to online shopping, including people who had never used it before.”
While ecommerce is a chief vector for merchandise fraud, scams involving nondelivery of goods and services can occur anywhere, Thomson said. In 2019, CAFC received about 3,000 merchandise scam reports amounting to some $2.9 million in losses. By October 1, 2020, however, the yearly fraud reports were already well ahead of the 2019 rate, and total reported losses stood at more than $7.3 million.
“It’s a game of numbers,” Thomson said. “With more people going online to carry out everyday activities, you’re going to see more fraud and more victims.”
Sadly, the increase wasn’t just due to increased usage. The pandemic also prompted a significant amount of exploited commercial activity.
“Part of that big jump can be attributed to victims placing large orders for personal protective equipment that was never received,” Thomson said. “Our challenge is to get people to look for red flags and trust their gut when they suspect fraud.”
Card-Not-Present Fraud Puts Identities at Stake
One significant red flag is an offer that seems too good or too easy to be true, because it probably is. Most people have good intentions, and that trust may come too easily, especially during times of crisis.
Another area of heightened activity for CAFC in 2020 concerns card-not-present (CNP) fraud, in which data associated with personal identity becomes a commodity.
CNP fraud typically refers to any transaction that occurs where the credit card and cardholder are not present, whether it happens online, over the phone, or even through the mail.
It requires the harvesting of large amounts of personal and financial information, including card data and other banking information, and then purchasing goods using that compromised data.
The crime in any CNP fraud, therefore, is identity theft.
“A credit card is attached to or associated with my name,” Thomson said. “So when somebody uses that number, they’ve effectively used my identity.”
One way scammers obtain card numbers is through phishing schemes, in which they trick cardholders into giving up their information. Sophisticated malware for recording keystrokes, hijacking online sessions, and even website spoofing sometimes play roles in phishing. However, scammers also find success by calling people, posing as employees of a legitimate organization, including a bank, and asking for information.
“Take that five extra minutes to stop and think about things or talk with family members or friends,” Thomson said. “Should a bank ever ask for personal or financial information over the phone? No.”
Reject Victimization by Making Fraud Protection Routine
The credential stuffing attack against the Canadian government’s servers wouldn’t have done as much damage if account holders had taken a few simple anti-fraud steps.
Thomson and CAFC recommend a three-pronged approach to fraud prevention: recognize, reject, and report. CAFC resources help people recognize situations that could give rise to fraud. And reporting incidents of fraud helps the Centre and its partners mitigate damage.
Users making fraud prevention part of their everyday routines is central to the rejection component. Rejecting fraud begins with checking bank statements for unauthorized activity in addition to using unique usernames and passwords across websites.
In Canada and elsewhere, consumers can access free periodic credit reports and check them for accuracy. Consumers should keep devices and software up to date and working normally to prevent more sophisticated forms of attack.
Rejection is also grounded in skepticism. Before purchasing from a new vendor, investigate the company’s history, and look for customer reviews. And no reputable bank, business, or other organization will ever suddenly pop up and ask for personal information or payment.
Fraud victims also access CAFC for insights on how to manage the damage and recover from it. Canadian consumers can protect themselves and the public from long-standing problems by using CAFC resources for fraud prevention, awareness, and education.
“With the large-scale data breaches we’ve seen over the past year, and the countless phishing emails which have exploded during the pandemic, today it’s the best practice to check everything,” Thomson said.