The Lexisnexis® Risk Solutions Cybercrime Report January-June 2020 INTRODUCTION

THE CHANGING FACE OF CYBERCRIME The LexisNexis® Risk Solutions Cybercrime Report January-June 2020 INTRODUCTION

TABLE OF CONTENTS

01 INTRODUCTION 02

THE CHANGING FACE 01 OF CYBERCRIME: 02 A Global View 06 INTRODUCTION 03 Across the Opportunity and Risk in a New Digital Environment Customer Journey 14 04 Impact of COVID-19 20

05 An Industry View 36

06 A Regional View 48

07 CONCLUSION 69

08 GLOSSARY, METHODOLOGY, CONTACT DETAILS 71

INTRODUCTION: OPPORTUNITY AND RISK IN A NEW DIGITAL ENVIRONMENT January to June 2020 has seen societal change on a global have they changed the face of global cybercrime. Despite this As COVID-19-related financial support is reduced, it’s possible level, as COVID-19 continues to impact the global digital state of flux, however, the Digital Identity Network provides that many digital businesses that have seen lower attack economy, regional economies, industries, businesses and organizations with consistent protection against new and rates will experience a resurgence in online fraud. Key attack consumer behavior. evolving attack vectors. Against a backdrop of fraudsters typologies of the last few years will likely persist; mass scale targeting state-backed financial support packages on a mass automated bot traffic testing stolen identity credentials, Online transaction volumes in the LexisNexis® Digital scale, the human initiated attack rate in the Digital Identity hyperconnected fraud networks operating across industries Identity Network® continue to grow, particularly across Network has declined. and organizations, and scams leveraging COVID-19-related online retailers and digital banking services. However, some anxieties to prey on vulnerable customers. sub-industries have experienced a sharp decline in online It may be that with new lines of COVID-19-related credit to transactions as demand for products and services fell due to attack, traditional targets – particularly those with robust and A growth in new-to-digital customers and a tough economic lockdown restrictions. established security protocols - have been attacked less. Online climate could make these attacks more widespread and fraud is still rife, but it may just be targeting new and emerging diverse, with evidence of mule activity already increasing as The Digital Identity Network® tracks these changes in consumer products and services, and easier targets. This is supported mule herders capitalize on economic downturns to recruit new behavior, collecting and processing global shared intelligence by the fact that the Federal Bureau of Investigation (FBI) has mule accounts into their network. from billions of online transactions across the customer reported that its Internet Crime Center has already received journey, giving businesses an enhanced view of trust and risk. Businesses must be armed with fraud defenses that layer almost as many fraud reports for 2020 as for the whole of 2019.* multiple solutions to detect and block the full spectrum of From January to June 2020, the Digital Identity Network also However, while human-initiated attacks targeting financial attacks. These must be future-proofed, evolving as cybercrime saw a growth in transactions from new devices, as well as new services and e-commerce have declined, automated bot moves across geographies, industries, organizations and digital identities, with many new-to-digital consumers moving attacks targeting financial services have grown. The media customers. This relies on differentiating good trusted users online to procure goods and services that were no longer industry has seen a small growth in the human-initiated attack - whether new-to-digital or long-established - from potential available in person, or harder to access via a physical store. This rate year-over-year. threats in near real time, before, during and after a transaction contributed to an overall growth in good customer traffic, as is is processed. evidenced in the overall decline in attack volume. In addition, new account creations remain a key target for fraudsters looking to register for new products and services, While shifting consumer behaviors and an unstable economic and the attack rate for new account creations from mobile environment have impacted transaction patterns, so too devices has also grown.

© 2020 LEXISNEXIS RISK SOLUTIONS * www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic PAGE 3 INTRODUCTION THE CHANGING FACE OF CYBERCRIME A Summary of Evolving Threats at a Global, Industry and Regional Level

A Global View Across the Customer Journey During COVID-19

• The media industry experienced a 3% • New account creations continue to be • The impact of COVID-19 has been felt growth in attack rate year-over-year: the attacked at a higher rate than any other across all industries, with peaks and only industry to record a growth in overall transaction type in the online customer troughs in transaction volumes coinciding attack rate. This growth is solely recorded journey, although the largest volume of with global lockdown periods. Financial across mobile browser transactions. attacks target online payments. Login services organizations have seen a growth transactions have seen the biggest drop in in new-to-digital banking users, a changing • Financial services organizations experienced attack rate year-over-year in comparison to geographical footprint from previously well a growth in automated bot attacks year- other use cases. travelled consumers, as well as a reduction over-year and continue to see more bot in the number of devices used per customer. attacks than any other industry. Global, • Analysis across new customer touchpoints There have also been several attacks targeting automated bots remain a key feature of in the online journey has been included banks offering COVID-19-related loans. attacks in the Digital Identity Network, in this report for the first time, providing contributing to large peaks in the additional context on key points of risk such • E-commerce merchants have seen a growth LexisNexis® Risk Solutions Identity as password resets and ad listings. in digital payments, as well as several key Abuse Index. attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing, and a growth in first-party chargeback fraud. © 2020 LEXISNEXIS RISK SOLUTIONS PAGE 4 INTRODUCTION THE CHANGING FACE OF CYBERCRIME A Summary of Evolving Threats at a Global, Industry and Regional Level

An Industry View A Regional View

• The overall attack rate across the financial • LATAM experienced the highest attack rates services and e-commerce industries was of all regions globally, with some significant reasonably stable from January-June 2020. peaks in attacks recorded March-June 2020. Brazil and Mexico have also moved up the • In contrast, the media industry saw several list of countries that contribute the largest spikes in attack rates coinciding with volume of cyberattacks. the COVID-19 lockdown period. This is evidenced in the LexisNexis® Identity Abuse • APAC continues to experience higher attack Index for media. rates than North America or EMEA, with some significant bot activity recorded • The financial services industry experienced coming from Japan, India and Australia. more login and payment attacks than any other industry. The media industry experienced more new account creation attacks than any other industry.

02THE CHANGING FACE OF CYBERCRIME: A GLOBAL VIEW

TRANSACTIONS ATTACKS

37% 33% Mobile browser transactions see the highest growth in global transaction decline in human-initiated attack attack rate of all channels at 2.4%, despite a volume year-over-year: rate year-over-year: decline in attack rate year-over-year. 36% 23% growth in financial decline in financial 38% services transactions. services attack rate. growth in bot volume targeting financial services organizations year-over-year. 49% 55% growth in e-commerce decline in e-commerce transactions. attack rate. 32% 13% 3% growth in bot volume targeting e-commerce growth in media growth in media merchants, January-June 2020, in comparison transactions. attack rate. to the previous six-month period.

The volume of transactions processed by the Digital Identity Network continues to grow consistently year-over-year. This is because: TRANSACTIONS PROCESSED • More services are moving online. Growth YOY +37% • New-to-digital users continue to migrate online. 22.5B • Existing users transact more as the provision of online services continues to improve and refine. TRANSACTIONS SPLIT BY In addition, there has been a higher take-up of online services as physical stores close due to COVID-19. Desktop / Mobile Mobile Browser / Mobile App

The percentage of transactions that are carried out through a mobile device also continues to grow. At the beginning of 2015, just over 20% of transactions in the Digital Identity Network Growth YOY Growth YOY came from a mobile device. In 2020, 66% of all transactions 34% 66% +6% 29% 71% +1% come from mobile devices, largely driven by full service mobile apps.

ATTACKS HUMAN-INITIATED AUTOMATED BOTS

ATTACK VOLUME ATTACK VOLUME Decline YOY Growth YOY 260M -6% 868M +13%

Attack Split by Desktop / Mobile Percentage of attacks coming from Growth/ mobile devices has increased YOY Decline YOY

+42% Financial Services 534M +38% 43% 57%

E-Commerce 206M -13% ATTACK RATE Decline YOY Overall 1.4% -33% However, e-commerce did experience a 32% growth in bot attack volume January-June 2020 in comparison to the previous 6 months. Desktop 1.7% -50% Mobile Browser 2.4% -17% Media 128M -5% Mobile App 0.6% -14%

Attacks in the Digital Identity Network are split by human-initiated attacks, which typically return full digital © 2020 LEXISNEXIS RISK SOLUTIONS identity profiling data relating to individual events, and high velocity automated bot attacks. PAGE 9 A GLOBAL VIEW IDENTITY ABUSE INDEX Despite Early Bot Activity, H1 2020 Shows a More Benign Attack Period Overall

The LexisNexis® Identity Abuse Index shows the percentage of attacks per day, across the entire Digital Identity Network. This includes human-initiated and automated bot attacks.

Target: Financial Services Organization Target: Personal Finance Company Attack: Creating fake new accounts, Attack: Account takeover attempts, from U.S. and Hong Kong from Nigeria 4.0% Attack Vector: Device and IP spoofing Attack Vector: Device and identity spoofing

3.5% Target: Payment Gateway Attack: Attempting fraudulent 3.0% payments, from France Attack Vector: Device, identity Target: Media Streaming Company and IP spoofing Attack: Creating fake new accounts, from Spain 2.5% Attack Vector: Device and identity spoofing

2.0%

1.5%

1.0%

0.5%

0.0% Jan Feb Mar Apr May Jun

An Identity Abuse Index level of high (shown in red) represents an attack rate of two standard deviations across a rolling 3-week period.

LARGEST CONTRIBUTORS TO HUMAN-INITIATED CYBERATTACKS, BY VOLUME Japan and Netherlands Join List of Top 10 Global Attackers by Country of Origin

Human-Initiated Cyberattacks

10 Netherlands In comparison to the same period last year: 2 Canada United Kingdom 5 • Brazil and Mexico have both moved 6 Germany France 8 3 places up the top attackers list. 1 United States 9 Japan

• Japan has moved 2 places up the list. Mexico 4 India 7 • Netherlands has moved 8 places up the list.

• UK and Germany have both moved 2 3 Brazil places down the list.

Brazil and Mexico +3 Netherlands +8

1 2 3 4 5 6 7 8 9 10

UK and Germany - 2 Japan + 2

LARGEST ORIGINATORS OF AUTOMATED BOT ATTACKS, BY VOLUME Japan Records Largest Growth in Bot Attack Originations, Year-Over-Year

Automated Bot Attacks

United Kingdom 2 10 Netherlands Russia 9 LATAM countries that appear in the top 3 Canada human-initiated attack list are notably Ireland 6 4 Germany absent from the top bot attackers list. 1 United States 5 Japan Although the U.S. and Canada are top contributors to global bot attacks, the volume of attacks coming from this region India 7 has slightly declined year-over-year.

By contrast, APAC, EMEA and LATAM have all experienced a growth in bot volume. Australia 8 The financial services industry is targeted by the largest volume of automated bot attacks, which grew 38% year-over-year. Australia +3 Netherlands +2 Japan +8 1 2 3 4 5 6 7 8 9 10 Russia -3 Ireland +4

03THE CHANGING FACE OF CYBERCRIME: ACROSS THE CUSTOMER JOURNEY

New account creations continue to Payments transactions see the highest Transfers (predominantly be attacked at a higher rate than any volume of attacks in comparison to other representing the movement of money other use case. transaction types. between accounts within the same customer profile), see the highest 88% 4% attack rate of all non-core use cases across the customer journey, followed growth in new account growth in payment attacks from by password reset. creation attacks from a a mobile app in comparison to mobile app year-over-year. the previous six-month period. 26% growth in new account creation attacks from a mobile browser in comparison to the previous six-month period.

The Digital Identity Network processes data from transactions across the Although the primary touchpoints in the customer journey are new account entire customer journey, from the point at which an account is opened, then creations, logins and payments, there are several other key moments in the throughout the lifecycle and management of that account. customer journey that can provide additional context for trust and risk decisions. New account creations are consistently attacked at the highest rate in comparison to all other transactions, representing the key These include account management functions (such as changes to opportunity to exploit, augment and monetize stolen and authentication details), or use cases unique to specific industries, (such as ad spoofed credentials. listings for online marketplaces or reviews for travel companies). Although the attack rate on these subsidiary touchpoints is lower than those on the • Around 1 in every 7 new account creation attempts tracked by the core touchpoints, these use cases still present significant points of risk in the Digital Identity Network is identified as a potential attack. customer journey, contributing to millions of additional cyberattacks.

Account logins have a low overall attack rate, driven by a high volume Analysis on these additional touchpoints is being introduced for the first time of trusted transactions from returning customers. However, financial in this report, giving businesses an enhanced view of trust and risk across the services organizations see the highest volume of login attacks, as entire customer journey, rather than just at point-in-time transactions. High- fraudsters seek to take over accounts that provide access to customer risk patterns of behavior across multiple online touchpoints can be highly savings and investments. indicative of fraud, that might otherwise be harder to spot. For example, a new Online payments make up the largest proportion of fraud attempts account creation at an online marketplace, followed by multiple ad listings by volume in the Digital Identity Network, as fraudsters try to cash out tied to that account creation in a short time period, could indicate a potentially stolen credentials with a fraudulent money transfer or payment with a fraudulent scenario. stolen credit card.

Volume of Transactions, by Type 120M Detail Changes New Account Creations Logins Payments Password Resets 335M Ad Listings 446M 82M 14.3B 2.9B 81M Transfers

Transaction “other” includes: New Device Registration, Digital Download, Account Other Balance, Loan Acceptance, Auction Bid and more 937M

Transaction volume by use case is calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed.

NEW ACCOUNT CREATIONS LOGINS PAYMENTS

One-period growth in mobile Two consecutive periods One-period growth in mobile RISK TRENDS browser attack rate. Year-over-year of decline in attack rates across app attack rate despite decline in growth in mobile app attack rate. all channels. other channels.

ATTACK VOLUME 62M 76M 104M

ATTACK RATE

OVERALL 14.0% 0.5% 3.6%

DESKTOP 15.7% 1.0% 3.8%

MOBILE BROWSER 11.1% 0.6% 3.9%

MOBILE APP 19.7% 0.2% 2.9%

• One-period growth represents a growth January-June 2020 in comparison to the previous six-month period July-December 2019. • Two consecutive periods of decline represents a decline in the attack rate January-June 2020 in comparison to the previous six-month period, and a year-over-year decline. • Attack volume and attack rate by use case are calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed.

PASSWORD RESETS DETAILS CHANGE AD LISTING TRANSFER OTHER

RISK SUMMARY Password resets enable Changes to account details Ad listings allow fraudsters Transfers enable money to Encompassing several other fraudsters to take over online enable fraudsters to amend to control the sale or be moved into a different high-risk touchpoints such accounts, often using stolen key account information. promotion of goods and account within a customer’s as new channel registrations, credentials. Access to the Changing a phone number, services. This can provide overall profile. This action standing order mandates, account then enables future for example, means that a way of monetizing stolen sometimes precedes a direct debits and beneficiary actions, such as payments, subsequent events, such goods, posting fake listings fraudulent payment event modifications. to be initiated by the as SMS one-time passcode for properties or services, or after an account takeover. fraudster. authentication checks, are creating phony reviews to sent to the fraudster. facilitate sales. ATTACK VOLUME 1.1M 1.0M 1.6M 1.4M 11.5M ATTACK RATE OVERALL 1.4% 0.9% 0.5% 1.8% 1.2%

DESKTOP 2.0% 1.1% 0.7% 3.1% 1.7%

MOBILE BROWSER 1.1% 0.8% 1.5% 2.2% 0.8%

MOBILE APP 0.2% 0.5% 0.3% 0.9% 0.7%

Attack volume and attack rate by use case are calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed.

04THE CHANGING FACE OF CYBERCRIME: ANALYZING THE IMPACT OF COVID-19 ON GLOBAL DIGITAL BUSINESSES

Growth in transactions Evidence of fraud recorded from new devices targeting COVID-19-related not seen before in the support packages across Digital Identity Network, several financial services March to June 2020. organizations.

Growth in new online Evidence of an increase in banking registrations for identity spoofing and first- several financial services party fraud targeting some organizations, March to e-commerce merchants. June 2020.

Spike in new account creations for financial services organizations, April to May 2020.

As well as looking at the broad industry categories of financial services, e-commerce and media, the Digital Identity Network further categorizes transactions by sub-industry. INCREASE IN TRANSACTION VOLUME DECREASE IN TRANSACTION VOLUME From January to June 2020, several periods of growth and decline in transaction volumes were recorded across many • Government Services • Ticketing sub-industries that have either benefited from, or been Reliant on live sporting events negatively impacted by, the effects of COVID-19. • Web Hosting • Travel • Personal Finance Reviews, airlines, accommodation Some significant growth in lending • Charity • E-Commerce Merchants Heavily impacted by economic / lockdown Particularly those selling food environments and entertainment • Gift Cards • Cryptocurrency • Gaming and Gambling • Digital Wallets • Online Dating • E-Commerce Marketplaces

16% Percentage of Transactions from New Devices GROWTH IN 15% 14% 13% 12% TRANSACTIONS 11% 10% 9% FROM NEW DEVICES 8% 7%

Shift in Global Commerce Draws % New Device 6% 5% New Businesses, Users and 4% 3% 2% Devices Online 1% 0%

Transactions made with new devices have grown significantly since early March, Jan Feb Mar Apr May Jun across all global regions.

Many factors could contribute to this growth, including: Percentage of Transactions from New Digital Identities

4.5% • The lockdown environment changing the way that consumers access goods 4.0% and services. 3.5% 3.0% • A growth in new-to-digital consumers. 2.5% 2.0% • New organizations looking to protect their online user journey. 1.5% 1.0%

• New organizations who have moved their offline functions online. Identity % New Digital 0.5% 0.0% Some growth was also seen in other new entities, such as digital identity, during Jan Feb Mar Apr May Jun March and April.

JAN-20 APR-20 90% Number of Devices Used by Financial Services Customers

80% The number of devices used by customers in financial services has reduced as a result of the COVID-19 lockdown. 70%

The percentage of customers using one device only has 60% grown between January and April, while the percentage of customers using two or more devices has dropped during 50% the same period. 40%

30%

20%

10%

1 DEVICE 2 DEVICES 3 DEVICES 4+ DEVICES

MORE FINANCIAL 60,000 New Online Banking Customers - Web 50,000 SERVICES 40,000 30,000 CUSTOMERS TURN 20,000 10,000 TO DIGITAL FOR 0 THE FIRST TIME Jan Feb Mar Apr May Jun

Online and Mobile Banking 60,000 New Online Banking Customers - Mobile App Registrations Grow at Start 50,000 40,000 of Lockdown 30,000 20,000 Several financial services organizations in the Digital Identity Network 10,000 saw a growth in new registrations for online banking, both via web and 0 mobile app, at key points throughout January-June 2020. Jan Feb Mar Apr May Jun

U.S CANADA UK 0.25% Percentage of Account Logins with Customer Distances Traveled Over 1,000KM in a Week

Both North American and UK financial services institutions 0.20% recorded far fewer logins from customers that had traveled more than 1,000km in a week. 0.15% • Global travel restrictions have meant customers predominantly log in from local locations.

Login patterns also shifted from a high density in urban and 0.10% metropolitan areas, to a wider dispersal around suburban and rural areas. 0.05% • Fewer logins recorded from office locations as more consumers work from home. 0.00% Jan Feb Mar Apr May Jun

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 26 IMPACT OF COVID-19 GROWTH IN NEW ACCOUNT CREATIONS COINCIDES WITH LOCKDOWN PERIOD AND RELEASE OF FINANCIAL SUPPORT PACKAGES Spike in Applications Includes Credit Cards, Loans and Deposit Accounts

Many countries are offering financial support for both businesses and New Account Creations, Financial Services 1000K consumers impacted by the COVID-19 pandemic. 900K This financial support has had an impact on the transaction volumes of several financial services organizations in the Digital Identity Network. 800K

700K There has been an overall growth in new account creations for financial services April to May 2020. 600K

These includes a combination of: 500K

• Deposit account applications to pay in government-backed funds. 400K

300K • Loan applications – where government-backed business loans are administered by the financial services organization. 200K

• Credit account applications for back-up sources of credit during 100K the pandemic. 0K • New online banking registrations. Jan Feb Mar Apr May Jun

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 27 IMPACT OF COVID-19 SHARING INTELLIGENCE TO REDUCE THE RISK OF FRAUD DURING COVID-19 International Bank Uses Intelligence from the Digital Identity Network to Mitigate Risk for COVID-19 Loan Applications

This international bank has implemented LexisNexis® Loan Applications at International Bank TOTAL LOAN APPLICATIONS ThreatMetrix® on its new COVID-19-related online loan APPLICATIONS WHERE DIGITAL IDENTITY PREVIOUSLY SEEN % APPLICATIONS LINKED TO FRAUD IN OTHER LINES application as an additional layer of risk mitigation. These OF BUSINESS OR OTHER FINANCIAL INSTITUTIONS loans are backed by the government to support small business owners in the region.

LexisNexis ThreatMetrix can help the bank identify high-risk applications in near real time.

The bank can also benefit from crowdsourced intelligence Applications Loan Number of from other providers, understanding, for example, whether 4/5/2020 4/12/2020 4/19/2020 4/26/2020 5/3/2020 5/10/2020 5/17/2020 5/24/2020 an applicant has been flagged as high-risk elsewhere in the • More than 80% of loan applications came from personas previously seen in the Digital Digital Identity Network. Identity Network.

• More than 800 applications linked to fraud on the bank’s other lines of business.

• Approximately 50 applications linked to fraud or compromised credentials at another financial institution in the Digital Identity Network.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 28 IMPACT OF COVID-19 SHARING ADDITIONAL DATA POINTS WITH TRUST AND CONTEXT WITHIN CONSORTIUM UK Banking Consortium Shares Data Relating to Fraudulent Loan Applications

The UK banking Fraudsters have used Several applications A group of UK banks Link analysis has Policy rules have consortium has seen several tactics to try and have been linked to is sharing information been used to identify been created to target an increase in secure a loan, including: known mule activity related to confirmed and track high-risk specific fraudulent fraudulent activity on using link analysis fraudulent loan activity across the patterns of behavior, in new loan applications • Upgrading consumer relating to devices, applications with banking consortium. near real time. for the government- accounts to business locations and behaviors. other members in the backed Bounce Back accounts to meet consortium, to identify Loans Scheme (BBLS) in the loan scheme and block fraudsters response to COVID-19. requirements. attempting to defraud • Applying for multiple multiple UK banks. loans using the same underlying credentials to maximize monetary payout.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 29 IMPACT OF COVID-19 GROWTH IN ONLINE PAYMENTS AT E-COMMERCE MERCHANTS COINCIDES WITH GLOBAL LOCKDOWN Fall in Payments Attack Rate Indicates a Higher Proportion of Trusted Transactions

E-commerce merchants in the Digital Identity Network saw E-Commerce Payments

a strong growth in online payments coinciding with the 10M Payments lockdown period. 8M Although the e-commerce industry has seen some pockets 6M of attack growth, the payments attack rate is on a general downward trend. This indicates that much of this growth in 4M payment transaction volume came from trusted customers, 2M who were turning to online platforms in place of physical stores. 0M However, there was a spike in attack rates during May; with the Attack Rate highest attack rate of the period recorded at 4.6%. 4%

This was predominantly caused by an identity spoofing attack 3% coming from Brazil, targeting a global payments gateway. 2%

Jan Feb Mar Apr May Jun

FRAUD: TARGET: METHOD: ATTACK: DETECTION: Sustained increase in login U.S. e-commerce merchant. Automated bots testing Global bot attacking Multiple login attempts attack rate April to June 2020, stolen identity credentials. from several locations made from the same possibly coinciding with including US, Russia, device / location during a the lockdown period when Vietnam and Japan. short period of time. fraudsters knew consumers were making more online transactions.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 31 IMPACT OF COVID-19 EMAIL ADDRESS INTELLIGENCE PROVIDES ADDITIONAL RISK CONTEXT DURING COVID-19 Growth in High-Risk Activity Related to Chargebacks and Shipping Fraud

LexisNexis® Emailage® uses email address metadata, along with customer These include: name, location data, shipping / billing address and phone number, as a basis for transactional risk assessment and digital identity validation. A growth in first-party chargeback fraud as more consumers attempt to claim money back for goods they actually received. Intelligence from LexisNexis® Emailage® March – June 2020, augments analysis from the Digital Identity Network to reveal additional insights A growth in fraud linked to email addresses that had multiple regarding potential fraud risks as a result of COVID-19. billing addresses associated with them in a short time frame.

During lockdown, since more customers are transacting near or from home, there is an increase in the likelihood of fraud when the distance between IP and billing address is large.

1. LINK BETWEEN CARD-NOT-PRESENT TRANSACTION AND EMAIL DATA SHOWS INCREASE IN FIRST-PARTY CHARGEBACK FRAUD RATE Analysis Suggests Consumers are Claiming More Chargebacks for Goods they Received During Lockdown

Analysis shows a strong pattern of growth in first-party Retail First-Party Chargeback Fraud chargeback fraud for a U.S. e-commerce merchant.

This analysis validated that both the transactions and

the chargebacks were likely coming from the legitimate U.S. Lockdown owner of the credit card, based on a digital identity confidence score. Rate of Chargebacks that are Potentially First-Party Potentially are that Chargebacks of Rate

Jan Feb Mar Apr May Jun

2. GROWTH IN FRAUD LINKED TO EMAIL ADDRESSES WITH MULTIPLE BILLING ADDRESSES Significant Growth in Fraud Rates Between April to June 2020

FRAUD 2020 FRAUD 2019 Percentage of Fraudulent Emails Associated with 2+ Distinct Billing Addresses in 1 Week

A U.S. e-commerce merchant saw a marked increase in fraud relating to emails that had multiple billing addresses associated with them in a short time frame.

In April, 40-50% of emails that were associated with multiple billing addresses in one week were reported as fraud.

This represents a significant growth in the fraud rate between April to June 2020, as well as a marked increase in fraud in Rate Fraud comparison to 2019.

Jan Feb Mar Apr May Jun

3. INCREASED FRAUD RISK RELATING TO IP AND BILLING ADDRESS DISTANCE DURING COVID-19 A Reduction in Travel During Lockdown Makes Transactions that were Initiated Further from Billing Address More Indicative of Fraud

Increased Fraud Risk Differentiation from IP-Bill Distance OVERALL DIST < = 10 MILES DIST > 1,000 MILES

U.S. Lockdown

The overall population is compared to two sub-populations:

• Consumers with IP / billing address distance < = 10 miles (generally low-risk).

• Consumers with IP / billing address distance > 1,000 miles

(generally high-risk). Rate Fraud

Between April and June, the likelihood that a large distance between 3.5x IP and billing address was indicative of fraud has increased. Fraud Rate

Jan Feb Mar Apr May Jun

05THE CHANGING FACE OF CYBERCRIME: AN INDUSTRY VIEW

Financial Services E-commerce Media

• The financial services industry • Two-period growth in the attack • The media industry saw more saw more login and payment rate on new account creations new account creation attacks attacks than any other industry. from mobile browsers. than any other industry. • New account creations from • Two-period growth in the • Media organizations have seen the desktops and mobile apps attack rate on payments from a most noticeable spikes in attack have seen a two-period growth mobile app. rates as a result of COVID-19, with in attack rate. an increase in attacks recorded March-April 2020. • Although financial services payments are attacked at a • Two-period growth in the attack higher rate than other industries, rate on logins from a mobile app. the attack rate is declining. • Two-period growth in the attack rate on new account creations from a desktop.

• New account creations NEW ACCOUNT CREATIONS LOGINS PAYMENTS and payments are key targets in the financial services customer journey, Two consecutive periods of Two consecutive periods of Two consecutive periods of offering fraudsters the RISK TRENDS growth in attack rates across decline in attack rates across decline in attack rates across opportunity to monetize desktop and mobile app. all channels. all channels. stolen credentials and cash out.

ATTACK VOLUME 16M 46M 62M • A large bot attack targeting new app registrations in ATTACK RATE December 2019 continued OVERALL 13.1% 0.4% 4.0% through January 2020, DESKTOP 6.1% 0.8% 4.2% contributing to the high mobile app attack rate on MOBILE BROWSER 3.2% 0.6% 5.2% new account creations.

MOBILE APP 29.2% 0.1% 2.0%

Attack volume and attack rate by use case are calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed.

Target: Financial Services Organization IDENTITY ABUSE INDEX 5.0% Attack: Creating fake new accounts, LOW MEDIUM HIGH from U.S. and Hong Kong Attack Vector: Device and IP spoofing 4.5%

The attack pattern for financial 4.0% services is characterized by a number of automated bot 3.5% Target: Payment Gateway attacks that contribute to large Attack: Attempting fraudulent peaks in the overall attack rate. 3.0% payments, from France Attack Vector: Device, identity and IP spoofing Aside from these bots, the 2.5% Target: Personal Finance Company attack environment was largely Attack: Account takeover attempts, from Nigeria stable with no notable changes 2.0% Attack Vector: Device and identity spoofing to existing trends.

1.5%

1.0%

0.5%

0.0%

Jan Feb Mar Apr May Jun

An Identity Abuse Index level of high (shown in red) represents an attack rate of two standard deviations across a rolling 3-week period.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 39 AN INDUSTRY VIEW DETECTING NEW ACCOUNT CREATION FRAUD AT BRAZILIAN FINANCIAL SERVICES ORGANIZATION Mobile Device Attributes Were Used to Identify and Block Fraud Attacks

FRAUD: TARGET: METHOD: ATTACK: DETECTION: Fraudulent new Brazilian financial Fraudsters attempted Growth in fraud • Almost all the fraud attempts were related account creations services organization. to hide the fact they attempts on new to devices that had attempted to evade from a mobile device. were creating multiple accounts opened detection using different forms of device new accounts from the during March 2020. swapping activity. same device by changing device fingerprinting • Persistent markers indicating that this parameters to high-risk activity was coming from the evade detection. same device helped to identify the fraud.

• Rules that were subsequently enabled by the financial organization were so effective at blocking device swapping routines that they reduced total fraud attempts by 20%.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 40 AN INDUSTRY VIEW MITIGATING CASHBACK PROMOTION ABUSE FOR MALAYSIAN DIGITAL WALLET PROVIDER Fraudsters Use Mule Accounts to Siphon Off One unique LexID Digital® entity indicates a single source of bonus abuse across multiple Proceeds of Bonus Abuse account credentials.

FRAUD: TARGET: METHOD: ATTACK: DETECTION: Multiple account Malaysian digital Fraudsters set • New account Multiple accounts creations, logins wallet provider. up multiple new was created. created in a short and initial payment accounts from a space of time from transactions used small number of • First transaction virtual machines. to exploit new devices, attempting was initiated. LexID account bonuses. to bypass device Digital • Cashback fingerprinting. promotion triggered by first transaction was immediately transferred to a mule account.

DEVICE ACCOUNT ACCOUNT © 2020 LEXISNEXIS RISK SOLUTIONS LOGIN TELEPHONE PAGE 41 AN INDUSTRY VIEW E-COMMERCE: OVERVIEW OF TRENDS AND ATTACK PATTERNS Mobile Channel Contributes to Growth in Attack Rates in E-Commerce

• New account creations and payments represent the key risk points in NEW ACCOUNT CREATIONS LOGINS PAYMENTS the e-commerce online customer journey. Decline in attack rates across Overall decline in attack rates, Overall decline in attack all channels. This is driven by a • Attacks are growing across rates except on mobile app except on mobile browser decline in attack volume and a RISK TRENDS transactions, which have seen a the mobile channel, transactions which have seen a higher volume of transactions two-period growth in attack rate. specifically on new account two-period growth in attack rate. from trusted customers. creations from a mobile ATTACK VOLUME 6.5M 22M 39M browser and payments from a mobile app. ATTACK RATE • Identity spoofing on OVERALL 6.9% 1.2% 3.2% e-commerce logins is DESKTOP 11.8% 1.6% 3.5% high, with an attack rate of 12% and above for 3 MOBILE BROWSER 6.0% 0.6% 2.4% consecutive periods.

MOBILE APP 1.5% 0.4% 4.2%

Attack volume and attack rate by use case are calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed.

5.0% IDENTITY ABUSE INDEX LOW MEDIUM HIGH 4.5%

Target: Online Retailer The attack rate for e-commerce 4.0% Attack: Account takeover attempts, from U.S. merchants followed similar Target: Publishing Company Attack Vector: Device and identity spoofing peaks and troughs across the 3.5% Attack: Fraudulent logins / viewings of articles, from U.S. 6-month period. Attack Vector: Bot attack 3.0% Target: Payment Gateway A large e-commerce payments Attack: Fraudulent payment transactions, from Brazil provider saw some significant 2.5% Attack Vector: Identity spoofing growth in attack activity during May 2020. 2.0% There was a noticeable drop 1.5% in the attack rate mid-May through June. 1.0%

0.5%

0.0%

Jan Feb Mar Apr May Jun

An Identity Abuse Index level of high (shown in red) represents an attack rate of two standard deviations across a rolling 3-week period.

FRAUD: TARGET: METHOD: ATTACK: DETECTION: A fraud network targeted this U.S. mobile operator • Credential testing: Fraud network using a series of • Use of dynamic rules to mobile operator in order to Fraudster tested high-risk and “clean” devices alert the mobile operator place multiple orders for high- combinations of stolen for a two-staged attack in order to when multiple identity value handsets. credentials at high velocity to bypass velocity rules and credentials were being in order to create a valid new device fingerprinting. tested via one device. account with the mobile operator. • Conversely, alerting the mobile operator to when multiple devices are • Fraudulent order associated with one placement: stolen identity. Once a successful account had been created, a separate “clean” device placed the order for new hardware.

• Media-based new account NEW ACCOUNT CREATIONS LOGINS PAYMENTS creations are attacked at a higher rate than any Two-period growth in attack rate other industry. on desktop transactions. Two-period growth in One-period growth in attack rate • Globally, identity spoofing RISK TRENDS attack rate on mobile app One-period growth in attack rate transactions. on mobile app transactions. is most prevalent in on mobile browser transactions. the media industry and specifically on new account ATTACK VOLUME 39.6M 8.2M 3.4M creation and payments transactions. Payments ATTACK RATE 17.4% 1.7% 2.9% particularly seem a prime OVERALL target, with a two-period growth recorded on the DESKTOP 23.7% 0.8% 2.7% percentage of attacks using identity spoofing. MOBILE BROWSER 15.1% 0.5% 2.9%

MOBILE APP 17.1% 12.8% 3.1%

Attack volume and attack rate by use case are calculated using a subset of the total transaction volume, where outliers and unknown sessions are removed. © 2020 LEXISNEXIS RISK SOLUTIONS PAGE 45 AN INDUSTRY VIEW MEDIA IDENTITY ABUSE INDEX Sustained Growth in Attack Rate Recorded March-April 2020

Target: Media Streaming Organization B Attack: Fraudulent new account creations, from Spain IDENTITY ABUSE INDEX 12.0% Attack Vector: Device and identity spoofing LOW MEDIUM HIGH 11.0%

10.0% The media industry recorded Target: Web Hosting Organization 9.0 % Attack: Account takeover attempts, the most noticeable spikes in Target: Media Streaming Organization A from Ireland attack rates during Jan-June Attack: Fraudulent new account creations, 8.0% Attack Vector: Automated bot attack from U.S. 2020, coinciding with several using session replay Attack Vector: Identity spoofing, IP spoofing 7.0% COVID-19 regional lockdowns.

6.0% Attack rates were consistently higher in March and April 5.0% in comparison to January and February. 4.0% This was largely driven by an 3.0% increase in fraudulent 2.0% activity at media streaming organizations within the Digital 1.0% Identity Network.

0.0%

Jan Feb Mar Apr May Jun

An Identity Abuse Index level of high (shown in red) represents an attack rate of two standard deviations across a rolling 3-week period.

FRAUD: TARGET: METHOD: ATTACK: DETECTION: Criminal gang Large EMEA-based All accounts were • 85 accounts were • Device markers targeted free bonuses gambling company. offered a free trial created using suggest the offered for first-time of a specific game “different” devices, account creations gameplay, in order to for 30 days. Creating from a virtual came from the increase chances of multiple accounts machine in Finland. same virtual winning the jackpot. significantly increased machine. the likelihood of • During April, one winning the jackpot. device made over • Large volume of 100 login attempts to login attempts these accounts. from one device.

DEVICE ACCOUNT LOGIN

06THE CHANGING FACE OF CYBERCRIME: A REGIONAL VIEW

APAC has a high instance of EMEA has the highest LATAM has the highest overall North America has lower automated bot attacks, with penetration of mobile human-initiated attack rate of overall attack rates than the Japan, India and Australia all transactions of all regions, all regions and saw consistent global averages, with declining appearing on the list of top with corresponding low spikes in attack rates from human-initiated and bot attack bot originators, by volume. mobile attack rates. The March to June 2020, which volumes. However, despite There was a particularly large desktop attack rate is slightly coincided with the onset of these declines, the region attack originating from the higher than the global COVID-19 in the region. remains the largest contributor, Philippines in June 2020. average, however. by volume, for both human initiated and bot attacks.

APAC LATAM NORTH AMERICA EMEA Attack Rate Across 4 Regions 8%

LATAM continues to record the highest attack rates of all regions and has experienced several spikes in attack rates 7% during COVID-19.

APAC saw some growth in attack rates during April and May. The 6% large spike in attack rate in June was an identity spoofing bot attack, originating from the Philippines, targeting a 5% payment gateway.

North America and EMEA recorded lower overall attack rates 4% but continued to be targeted by automated bot attacks which caused considerable attack peaks. 3%

Jan Feb Mar Apr May Jun

The Digital Identity Network continues to record a strong pattern of While these fraud networks are likely to include several different groups of cross-organizational, cross-industry and even cross-regional fraud. fraudsters, there are some interesting conclusions that can be drawn from the pattern of fraudulent entities. For example: These fraud networks have been analyzed to expose the number of devices and transaction types involved, as well as the industries and • It is likely that events linked by a fraudulent device are carried out by regions impacted. the same fraudster or fraud ring.

In this report, this analysis has been extended to: • However, events linked by fraudulent email addresses and telephone numbers may involve different groups of fraudsters using the same Examine the anatomy of key fraud networks regionally. stolen lists of data.

Analyze links between fraudulent email addresses and The Digital Identity Network allows organizations to share intelligence telephone numbers, as well as devices. related to stolen / synthetic identities and confirmed fraud events, so that Assign monetary values to the entire fraud network based on an entity that is marked as high-risk or fraudulent by one organization known payment transaction amounts. can be blocked by subsequent organizations before further transactions are processed.

Interestingly, while devices and email addresses associated with confirmed fraud are both seen operating across regions and industries, telephone numbers associated with confirmed fraud operate almost solely within the same country, and largely across the same industry.

The visualization on the next page shows a fraud network targeting the Entities analyzed as part of this network include devices, email addresses financial services industry, operating across: and telephone numbers.

• Several UK banks (see P61 for detailed view). Over 37,000 events were associated with a fraudulent entity at the source organization, which was then seen at another organization in the Digital • Lending organizations in Poland and Latvia (see P62 for detailed view). Identity Network. Some events may include more than one type of • Payments organizations in Austria and Switzerland. fraudulent entity.

Each arrow illustrates an entity associated with a confirmed fraud event While devices and email addresses are seen operating across industries at one organization crossing over to another organization in the Digital and regions, telephone numbers operate predominantly within the same Identity Network. country, and generally across the same industry.

UK UK UK UK

UK UK

UK Bulgaria

UK Mexico Russia UK

Latvia UK

UK FINANCIAL SERVICES: Poland Sweden PAYMENT GATEWAY CREDIT SCORING BANK Poland Austria UK CARD NETWORK Austria MERCHANT PAYMENTS LENDING COLLECTIONS Poland INSURANCE REMITTANCE Germany Switzerland ENTITIES: Less than 10 entity overlaps between DEVICE companies have been removed. EMAIL A thicker line denotes a higher TELEPHONE volume of fraud. PAGE 53 A REGIONAL VIEW HUGE E-COMMERCE FRAUD NETWORK OPERATING ACROSS THREE REGIONS Proliferation of Email Addresses Associated with Fraud Connects Multiple Merchants

The visualization on the next page shows a fraud network targeting the This fraud network sees a higher proliferation of fraudulent events e-commerce industry, operating across: connected through email addresses and telephone numbers, with fewer connections between fraudulent devices, particularly among • Multiple online retailers in the U.S. U.S. merchants. (see P68 for detailed view). It’s likely that email addresses and telephone numbers that have been • A payment gateway in Japan. compromised as part of a data breach are being used by multiple fraudsters • Travel companies and an online marketplace in LATAM. to perpetrate attacks, and hence these show up in thousands of events in the Digital Identity Network. Each arrow illustrates an entity associated with a confirmed fraud event at one organization crossing over to another organization in the Digital Over 525,000 events were associated with a fraudulent entity at the source Identity Network. organization, which was then seen at another organization in the Digital Identity Network.

Again, devices and email addresses are seen operating across industries and regions while telephone numbers operate predominantly within the same region (U.S. and Canada) and across similar industries (largely e-commerce).

U.S. U.S. Japan Japan U.S. U.S. U.S. U.S. U.S. Japan Japan U.S. U.S. Japan U.S. U.S. U.S. FINANCIAL SERVICES: U.S. PAYMENT GATEWAY Japan PERSONAL FINANCE Japan U.S. U.S. Japan GOVERNMENT Japan U.S. U.S. U.S. U.S. TICKETING Japan Canada FRAUD & Japan AUTHENTICATION U.S. Argentina SERVICES U.S. Argentina U.S. U.S. Canada U.S. Chile MEDIA: U.S. MEDIA STREAMING Canada U.S. Brazil MOBILE OPERATOR PUBLISHING U.S. U.S. U.S. Argentina SOFTWARE U.S. U.S. U.S. U.S. E-COMMERCE: U.S. U.S. U.S. MARKETPLACE U.S. U.S. GIFT CARDS U.S. U.S. Canada HEALTHCARE RETAILER U.S. U.S. U.S. TRAVEL U.S. U.S. FOOD U.S. U.S. LOGISTICS/MAIL DELIVERY ENTITIES: U.S. U.S. Less than 100 entity overlaps between DEVICE Canada U.S. U.S. U.S. U.S. companies have been removed. EMAIL A thicker line denotes a higher TELEPHONE volume of fraud. PAGE 55 A REGIONAL VIEW

APAC TRANSACTIONS 1.4B Overall Growth YOY TRANSACTION AND Transactions 1.4B +32% Processed

ATTACK PATTERNS Transactions Split by Transactions Split by India Tops List of Biggest Desktop / Mobile Mobile Browser / App

Regional Attacking Nations 43% 57% 38% 62% 37M Human-Initiated Attack Volume ATTACKS

Human-Initiated Decline YOY 37M –1%

India Automated Bot Growth YOY Top Attacker 121M +9% TOP ATTACK DESTINATIONS by Volume 121M FROM INDIA Automated Bot Attacks Split by Percentage of attacks Attack Volume UK AUSTRALIA Desktop / Mobile coming from mobile devices has increased YOY U.S. CANADA +20% INDIA 49% 51%

GLOBAL APAC

Although the attack rates in APAC are higher than the OVERALL DESKTOP global average, they have declined across all channels ATTACK RATE ATTACK RATE year-over-year.

The only exception to this trend is the 9% growth in 1.4% 3.0% 1.7% 3.4% automated bot attacks, although this growth is lower than the global average of 13%.

Japan, India and Australia all make the top ten attackers list for largest global bot originators.

MOBILE BROWSER MOBILE APP ATTACK RATE ATTACK RATE

2.4% 3.8% 0.6% 2.0%

Australia AUSTRALIAN FRAUD Australia NETWORK OPERATES Australia Australia Australia Australia ACROSS ALL Australia

3 CORE INDUSTRIES Australia Personal Finance Company at the Australia Australia Australia Heart of Complex Fraud Network Australia

Fraud Network by Numbers Australia Australia Australia Australia 25 Over 8,500 Organizations in Australia formed a Events at other large interconnected fraud network. organizations in the Digital Identity Network Australia Australia Australia The network comprised: were linked to these fraudulent source entities. Australia Australia • 2,400 Devices. Australia • 3,700 Email addresses. At least $800K • 1,500 Telephone numbers. Exposed to fraud across entire network. ENTITIES: DEVICE EMAIL TELEPHONE At the source organization: • 4,950 Events were associated with FINANCIAL CREDIT SCORING BANK FRAUD & AUTHENTICATION SERVICES a fraudulent device SERVICES: PERSONAL FINANCE LENDING MERCHANT PAYMENTS • 7,500 Events were associated with a fraudulent email address MEDIA: MEDIA STREAMING TELCO GAMING/GAMBLING • 3,750 Events were associated with a fraudulent E-COMMERCE: MARKETPLACE RETAILER telephone number

Most of these events were new Less than 10 entity overlaps between companies have been removed. account creations. A thicker line denotes a higher volume of fraud. PAGE 58 A REGIONAL VIEW

EMEA TRANSACTIONS TRANSACTION AND 7.8B Overall Growth YOY Transactions 7.8B +31% Processed

ATTACK PATTERNS Transactions Split by Transactions Split by Penetration of Mobile Transactions Desktop / Mobile Mobile Browser / App

Higher in EMEA than Any Other Region 25% 75% 22% 78% 71M Human-Initiated ATTACKS Attack Volume

Human-Initiated Decline YOY 71M -20% Brazil Top Attacker Automated Bot Growth YOY by Volume 270M +45% TOP ATTACK DESTINATIONS UK 270M FROM UK Top Attacker Automated Bot by Volume Attacks Split by Percentage of attacks U.S. LATVIA Attack Volume Desktop / Mobile coming from mobile devices has increased YOY UK SWEDEN +53% CANADA 49% 51%

GLOBAL EMEA

The attack rates in EMEA are generally lower than the global OVERALL DESKTOP average, particularly for mobile app transactions. ATTACK RATE ATTACK RATE

This is driven by a high volume of trusted login transactions across relatively mature mobile app propositions. 1.4% 1.0% 1.7% 2.0%

Notable exceptions in EMEA include:

• Desktop transactions, where the attack rate is higher than the global average.

• Automated bot attack volume, which grew 45% year-over-year. MOBILE BROWSER MOBILE APP ATTACK RATE ATTACK RATE

2.4% 1.9% 0.6% 0.3%

SPOTLIGHT ON THE UK UK ANATOMY OF A UK BANKING FRAUD NETWORK

$17M+ Exposed to Fraud Across UK 10 Financial Services Organizations

UK Fraud Network by Numbers UK 10 Over 123,000 UK banks formed part of Events at other UK a larger interconnected organizations in the fraud network. Digital Identity Network were linked to these The network comprised: fraudulent source entities. • 7,800 Devices. At least $17M • 5,200 Email addresses. Exposed to fraud across UK • 1,000 Telephone numbers. entire network. UK UK At the source organization: • 25,300 Events were associated with a fraudulent device • 8,300 Events were associated UK with a fraudulent email address

• 1,350 Events were ENTITIES: DEVICE EMAIL TELEPHONE associated with a fraudulent telephone number FINANCIAL SERVICES: BANK Most of these events were logins, but there was also a significant volume of new account creations Less than 10 entity overlaps between companies have been removed. and payments. A thicker line denotes a higher volume of fraud. PAGE 61 A REGIONAL VIEW

SPOTLIGHT ON THE Poland ANATOMY OF AN EASTERN EUROPEAN LENDING FRAUD NETWORK Poland 2,850 Fraudulent New Account Latvia Creations Across 4 Regional Lenders

Fraud Network by Numbers 4 Over 5,500 Eastern European lending Events at other companies formed part of a larger organizations in the interconnected fraud network. Digital Identity Network were linked to these Poland The network comprised: source entities. • 2,200 Devices. At least $1.1M • 2,900 Email addresses. Exposed to fraud across • 200 Telephone numbers. entire network. ENTITIES: DEVICE EMAIL TELEPHONE At the source organization: FINANCIAL SERVICES: LENDING • 2,300 Events were associated with a fraudulent device Less than 10 entity overlaps between companies have been removed. • 3,150 Events were associated with a fraudulent email address A thicker line denotes a higher volume of fraud. • 370 Events were associated with a fraudulent telephone number Most of these events were new account creations. PAGE 62 A REGIONAL VIEW

LATAM TRANSACTIONS TRANSACTION AND 740M Overall Growth YOY Transactions 740M +63% Processed

ATTACK PATTERNS Transactions Split by Transactions Split by Growth in Human-Initiated and Desktop / Mobile Mobile Browser / App

Bot Attack Volume 26% 74% 38% 62% 39M Human-Initiated ATTACKS Attack Volume

Human-Initiated Growth YOY Brazil 39M +23% Top Attacker TOP ATTACK DESTINATIONS by Volume Automated Bot Growth YOY FROM BRAZIL 35M +46% U.S. ARGENTINA 35M Automated Bot BRAZIL CHILE Attacks Split by Percentage of attacks Attack Volume Desktop / Mobile coming from mobile UK devices has increased YOY +16% 28% 72%

GLOBAL LATAM

The attack rates in LATAM are significantly higher than the OVERALL DESKTOP global average, and are the highest of all global regions. ATTACK RATE ATTACK RATE

Attack rates in LATAM appear to be more strongly influenced by the effects of COVID-19 than other regions, 1.4% 5.6% 1.7% 6.1% with noticeable spikes in attack rates recorded from early March onwards.

LATAM is the only region to experience a growth in attack volume year-over-year. Attacks grew 23%.

LATAM is also the only region to record an overall growth in attack rate for desktop and mobile browser. This growth, however, was only recorded across one period. MOBILE BROWSER MOBILE APP ATTACK RATE ATTACK RATE

2.4% 8.3% 0.6% 3.8%

LATAM FRAUD NETWORK Brazil TARGETS GROUP OF 4 BANKS Brazil AND 2 PAYMENT GATEWAYS Series of Brazilian Financial Institutions See Strong

Cross-Organizational Fraud Pattern Brazil Fraud Network by Numbers 6 Over 36,500 4 banks and 2 payments gateways Events at other in Brazil formed an interconnected organizations in the Brazil fraud network. Digital Identity Network were linked to these The network comprised: fraudulent source entities. Brazil • 1,600 Devices. At least $275K Brazil • 9,300 Email addresses. Exposed to fraud across • 500 Telephone numbers. entire network. ENTITIES: DEVICE EMAIL TELEPHONE At the source organization: • 2,850 Events were associated with FINANCIAL SERVICES: BANK PAYMENT GATEWAY a fraudulent device

• 15,800 Events were associated with Less than 10 entity overlaps between companies have been removed. a fraudulent email address A thicker line denotes a higher volume of fraud. • 880 Events were associated with a fraudulent telephone number Most of these events were logins, but there was also a significant volume of new account creations and payments. PAGE 65 A REGIONAL VIEW

NORTH AMERICA TRANSACTIONS

11.6B Overall Growth YOY TRANSACTION AND Transactions 11.6B +42% Processed

ATTACK PATTERNS Transactions Split by Transactions Split by Decline in Human-Initiated Desktop / Mobile Mobile Browser / App and Automated Bot Attack Volume 40% 60% 33% 67% 109M Human-Initiated Attack Volume ATTACKS

Human-Initiated Decline YOY U.S. 109M –6% Top Attacker by Volume Automated Bot Decline YOY 442M -0.3% TOP ATTACK DESTINATIONS FROM U.S. 442M Automated Bot Attacks Split by Percentage of attacks U.S. LATVIA Attack Volume Desktop / Mobile coming from mobile devices has increased YOY CANADA AUSTRALIA UK +48% 43% 57%

North America includes the U.S. and Canada. Mexico is included in the LATAM regional analysis.

GLOBAL NORTH AMERICA

The U.S. and Canada see lower attack rates across the OVERALL DESKTOP desktop and mobile browser channels than the global ATTACK RATE ATTACK RATE average during this period.

However, the media industry has experienced attack rate 1.4% 1.1% 1.7% 1.2% growth across all use cases, year-over-year. The financial services industry has experienced attack rate growth across new account creations only.

There is also a strong pattern of networked fraud recorded across the region, highlighted by the large, interconnected e-commerce fraud network targeting multiple retailers in the U.S. MOBILE BROWSER MOBILE APP ATTACK RATE ATTACK RATE

2.4% 2.0% 0.6% 0.6%

High Volume of Email Addresses U.S. Associated with Fraud Shared U.S. between Online Retailers and an Online Marketplace U.S. Fraud Network by Numbers 6 Over 750,000 5 online retailers and 1 online Events at other marketplace in the U.S. formed organizations in the part of a larger interconnected Digital Identity Network fraud network. were linked to these source entities. U.S. The network comprised: U.S. • 850 Devices. At least $27.9M Exposed to fraud across • 134,000 Email addresses. entire network. ENTITIES: DEVICE EMAIL TELEPHONE • 61,000 Telephone numbers.

E-COMMERCE: MARKETPLACE RETAILER At the source organization: • 1,230 Events were associated with a Less than 10 entity overlaps between companies have been removed. fraudulent device A thicker line denotes a higher volume of fraud. • 200,000 Events were associated with a fraudulent email address • 105,000 Events were associated with a fraudulent telephone number All these events were payments. PAGE 68 CONCLUSION

07CONCLUSION: A DIGITAL ENVIRONMENT IN FLUX

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 69 CONCLUSION CONCLUSION AND FUTURE TRENDS The changing face of cybercrime was clearly evident across Several fraud typologies that have been consistently observed Market-leading innovation needs to continue apace to mitigate regions, industries and businesses January to June 2020. in the Digital Identity Network over time look set to continue. the complex and changing face of global cybercrime. The Attacks across the LATAM region grew, media organizations These include: following core capabilities should be layered with digital were heavily targeted during the peak of several COVID-19 identity intelligence for the next generation of fraud, identity lockdowns, and many organizations reported attacks of • Global bot attacks allowing identity testing at scale, verification and authentication decisioning: greater intensity or evolving typology. providing the opportunity to validate and then monetize stolen credentials. An integrated decisioning and orchestration layer The financial services industry experienced a growth in that can bring together the insight and intelligence of automated bot attacks, as well as fraudsters targeting • Hyperconnected, networked fraud rings tying disparate targeted products and solutions. COVID-19-related support packages. groups of criminals together to share knowledge and resources for maximum efficacy. An enterprise view of risk across the entire Meanwhile, attacks continued on new account creations that customer journey. could deliver the promise of lucrative benefits, often using So while the face of cybercrime will continue to re-shape automated bot attacks in higher volume to deliver huge, to fit the growing global digital economy, the ability for The integration of complementary data sets and connected attacks. businesses to reliably recognize good, trusted customers must contextualization for enhanced risk decisioning, for remain constant. Fraudsters – whether opportunists or highly example email and behavioral data. As regional lockdowns start to lift and global economies begin networked fraud rings – need to be identified and blocked the their recovery, it will be interesting to see what changes in moment they transact. Knowledge sharing must be as pivotal to Personalized authentication journeys tailored to the attack rates the next six months will bring. global businesses as it is to the cybercriminals that attack them. needs of individual customers, as well as businesses. Cross-organizational, cross-industry data sharing via dedicated consortia. The Digital Identity Network helps businesses to make near real-time fraud and The development of transactional network analysis, risk decisions that harness global shared intelligence from thousands of global entity linkage and network visualizations. digital businesses, across millions of daily transactions, and billions of data points. A collaborative network that consistently and reliably identifies online

users, even as fraudsters pivot across different attack patterns, industries and LexisNexis, the Knowledge Burst logo and LexID are registered trademarks of RELX Inc. ThreatMetrix and global geographies. Digital Identity Network are registered trademarks of ThreatMetrix, Inc. Emailage is a registered trademark of Emailage Corp. Other products and services may be trademarks or registered trademarks of their respective companies. Copyright © 2020 LexisNexis Risk Solutions. © 2020 LEXISNEXIS RISK SOLUTIONS PAGE 70 GLOSSARY, METHODOLOGY, CONTACT DETAILS 08 GLOSSARY, METHODOLOGY, CONTACT DETAILS

PAGE 71 GLOSSARY GLOSSARY Industry Types Percentages Attack Explanations LexID® Digital Financial Services includes mobile banking, online Transaction Type Percentages are based on the Device Spoofing: Fraudsters delete and change LexID® Digital is the technology that brings Digital banking, online money transfer, lending, brokerage, number of transactions (account creations, account browser settings in order to change their device identity Identity Intelligence to life; creating a unique online alternative payments and credit card issuance. login and payments) from mobile devices and desktop or fingerprint, or attempt to appear to come from a identifier for every transacting user. This identifier is computers received and processed by the LexisNexis® victim’s device. LexisNexis® ThreatMetrix® patented built using intelligence relating to devices, identity E-Commerce includes retail, airlines, travel, Digital Identity Network. cookieless device identification is able to detect information, locations, behaviors, transaction details marketplaces, ticketing telecommunications and returning visitors even when cookies are deleted or and threat data. LexID Digital helps businesses elevate digital goods businesses. Attack Percentages are based on transactions changes are made to browser settings. To differentiate fraud and authentication decisions from a device to a identified as high-risk and classified as attacks, by use Media includes social networks, content streaming, between cybercriminals and legitimate customers who user level, as well as uniting offline behavior with online case. Events identified as attacks are typically blocked gambling, gaming and online dating sites. occasionally clear cookies, only high-risk / high velocity intelligence. LexID Digital has the following benefits: or rejected automatically, in near real time dependent cookie deletions (such as a high number of repeat visits on individual customer use cases. • Bridges online and offline data elements for each per hour / day) are included in the analysis. transacting user. Common Attacks Identity Spoofing: Using a stolen identity, credit card • Goes beyond just device-based analysis and New Account Creations Fraud: Using stolen, or compromised username / password combination to Desktop Versus Mobile groups various other entities based on complex compromised or synthetic identities, to create new attempt fraud or account takeover. Typically, identity Desktop Transactions are transactions that originate associations formed between events. accounts that access online services or obtain lines spoofing is detected based on a high velocity of identity from a desktop device such as computer or laptop. of credit. usage for a given device, detecting the same device • Identifies a person irrespective of changes in Desktop Attacks are attacks that target a transaction devices, locations or behavior. Intelligence from Account Login Fraud: Attacks targeted at taking over accessing multiple unrelated user accounts or unusual originating from a desktop device. the Digital Identity Network helps accurately user accounts using previously stolen credentials identity linkages and usage. recognize the same returning user behind multiple available in the wild or credentials compromised by Mobile Transactions are transactions that originate IP Address Spoofing: Cybercriminals use proxies devices, email addresses, physical addresses and malware or Man-in-the-Middle attacks. from a handheld mobile device such as tablet or to bypass traditional IP geolocation filters, and use account names. mobile phone. These include mobile browser and Payments Fraud: Using stolen payment credentials to IP spoofing techniques to evade velocity filters and mobile app transactions. conduct illegal money transfers or online payments via blacklists. LexisNexis ThreatMetrix directly detects alternative online payment methods such as Mobile Attacks are attacks that target transactions IP spoofing via both active and passive browser and direct deposit. originating from a mobile device, whether browser network packet fingerprinting techniques. or app-based. Man-in-the-Browser (MitB) and Bot Detection: Man- in-the-browser attacks use sophisticated Trojans to steal login information and one-time-passwords from a user’s browser. Bots are automated scripts that attempt to gain access to accounts with stolen credentials or create fake accounts.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 72 METHODOLOGY SUMMARY METHODOLOGY Overall Report Fraud Network Linking • The LexisNexis Risk Solutions Cybercrime Report is based on cybercrime • Fraud performance data is taken from January to March 2020, based attacks detected by the Digital Identity Network from January-June 2020, upon devices, email addresses and telephone numbers recorded during near real time analysis of consumer interactions across the online as fraudulent in the Digital Identity Network between January journey, from new account creations, logins, payments and other non- and March 2020. core transactions such as password resets and transfers. • Monetary exposure calculated on observed payment transactional • Transactions are analyzed for legitimacy based on hundreds of value at risk January to March 2020, based upon the identification of attributes, including device identification, geolocation, previous history all transactions associated with that confirmed fraudulent transaction and behavioral analytics. (and associated group of entities) during the period. Does not include any financial values at risk from customers who do not provide payment • The Digital Identity Network and its near real time policy engine provide transactional data. unique insight into global digital identities, across applications, devices and networks.

• LexisNexis Risk Solutions customers benefit from a global view of risks, LexisNexis Emailage leveraging global rules within bespoke policies that are custom-tuned • Intelligence from LexisNexis Emailage March – June 2020, augments specifically for their businesses. analysis from the Digital Identity Network and is included for the first time in this report. • Attacks referenced in the report are based upon “high-risk” transactions as scored by global customers. • LexisNexis® Emailage® uses email address metadata, along with customer name, location data, shipping / billing address and phone number, as a basis for transactional risk assessment and digital identity validation.

The overall volume of transactions processed by the Digital This subset of 22.5 billion transactions is also used for analysis of automated Identity Network January – June 2020 was 26.5 billion. bot attacks. This includes known sessions related to individual events, as well as unknown sessions which can sometimes be a feature of bot traffic given The LexisNexis Cybercrime Report analyzes a subset of these transactions that attack velocity fails to record complete profiling data. that excludes non-transaction-based events, (such as feedback data and test transactions), as well as transactions from organizations that are considered Human-initiated attack volumes are calculated on a further subset outliers based on extremely high or zero recorded reject rates. This subset of 19.2 billion transactions. These are categorized as “known sessions” totals 22.5 billion transactions. related to individual events. This subset excludes events that failed to gather any digital identity intelligence data due to unsuccessful profiling. The Cybercrime Report uses these 22.5 billion transactions to calculate overall transaction volumes globally and by region. There are 840K transactions without an IP address. These transactions cannot, therefore, be assigned to a region. These are mostly unknown sessions where an organization does not send the input IP address.

© 2020 LEXISNEXIS RISK SOLUTIONS PAGE 74 FOR MORE INFORMATION: risk.lexisnexis.com/ FraudandIdentity risk.lexisnexis.com/insights- resources/research/ cybercrime-report risk.lexisnexis.com/products/ threatmetrix

North America: +1 408 200 5755 EMEA: +44 203 2392 601 About LexisNexis Risk Solutions This document is for educational purposes only and does not guarantee the functionality or features of LexisNexis products LATAM: LexisNexis® Risk Solutions harnesses the power of data and identified. LexisNexis does not warrant this document is Brazil: + 0800 892 0600 advanced analytics to provide insights that help businesses complete or error-free.If written by a third party, the opinions and governmental entities reduce risk and improve decisions may not represent the opinions of LexisNexis. Colombia: +01 800 5 1 84181 or to benefit people around the globe. We provide data and +57 1 2911359 technology solutions for a wide range of industries including LexisNexis, the Knowledge Burst logo and LexID are registered Mexico: +01 800 062 4989 insurance, financial services, healthcare and government. trademarks of RELX Inc. ThreatMetrix and Digital Identity Headquartered in metro Atlanta, Georgia, we have offices Network are registered trademarks of ThreatMetrix, Inc. All Other LATAM & Caribbean throughout the world and are part of RELX (LSE: REL/NYSE: Emailage is a registered trademark of Emailage Corp. Other countries: +001 855 441 5050 RELX), a global provider of information-based analytics and products and services may be trademarks or registered decision tools for professional and business customers. trademarks of their respective companies. Copyright © 2020 APAC: LexisNexis Risk Solutions. NXR14610-00-0920-EN-US +852 39054010 For more information, please visit risk.lexisnexis.com, and relx.com