How Fraud Happens Online: How Fraudsters Can Damage Your Business

Fraud is stubbornly prevalent and occurs in many forms, both offline and as an internet crime. Criminals often steal and use details from honest customers, such as email addresses, credit card numbers, and other personally identifiable information. Such data can then be used to perpetrate a fraud scheme, such as card fraud for wire transfer or other types of online theft, like making unauthorized purchases online. In many cases, criminals can access vast amounts of personal information, allowing them to commit large-scale fraud.

Indeed, almost since the birth of the internet, criminals have been using the anonymity of the online environment to commit fraud. The following are just a few significant examples that severely damaged the affected businesses. 

Facebook and Google fall for $100m fake invoice scam

Business email compromise (BEC) is an issue for firms of all sizes, with even the biggest names vulnerable to becoming the victims of a well-crafted scam – and the methods don’t necessarily have to be technologically sophisticated. 

Between 2013 and 2015, Facebook and Google were duped out of over US$120m by a Lithuanian man who sent a series of fake invoices to the two tech giants. Having noticed that both organizations used the Taiwanese infrastructure supplier Quanta Computer, Evaldas Rimasauskas registered a company in Latvia with the same name. 

Over the next two years, he sent a series of phishing emails to Facebook and Google employees containing forged multi-million-dollar invoices, accompanied by contracts and letters that appeared to have been signed by the company's senior executives. He then transferred funds paid to bank accounts in the fake company's name to further accounts in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

The scam was eventually discovered, and following legal action, Rimasauskas was sentenced to five years in prison. However, only around half of the stolen funds were recovered. 

Sony hack is not a pretty picture  

Often, the reputational and operational cost of online fraud on a company can be just as severe as any direct financial loss. 

When in 2014 Sony Pictures suffered a huge data breach, the attack was tracked back to a series of phishing emails sent to top Sony executives months earlier. These were seemingly made to look like requests relating to Apple IDs and directed the executives to a bogus site that captured their login credentials. This information was then used to access 100 terabytes of sensitive data, including details about employees and their families, private correspondence, and information regarding then-unreleased films. At the same time, the attackers erased Sony Picture’s IT infrastructure and posted yet-to-be-released films online.

Experts estimated the overall cost to the company at up to US$100m. This included the cost of lost productivity, internal investigations, replacing or repairing computers, steps required to prevent future attacks and the loss of trade secrets, as well as the impact on parent company Sony’s reputation, for a perceived failure to safeguard information. 

Deepfake vishing lands a huge catch

One of the most alarming recent trends is the deployment of AI by hackers, including the use of ‘deepfake’ voice technology.

The first significant case came in March 2019, when an executive at a UK-based energy firm was duped into believing he was speaking on the phone to the CEO of the firm’s parent company.  In response to his fake boss’s urgent request, he transferred US$243,000 to a fraudulent account.

That may seem like a lot of money, but it pales into insignificance next to the figure stolen in a ‘virtual bank heist’ in Hong Kong in early 2020. On that occasion, a bank manager received a call from the director of a company he’d spoken to before – or so he thought. The voice told him the company was about to make an acquisition – a claim supported by emails in the manager’s inbox from both the director himself and a lawyer apparently hired to oversee the transaction. As a result, the bank manager authorized transfers to the tune of US$35m. Unfortunately, the call was part of an elaborate plot involving at least 17 individuals, as part of which “deep voice” technology had been used to clone the director’s speech.

Keeping one step ahead of the fraudsters

What all these examples have in common is the use of deception and false identities to trick businesses into allowing bad actors to gain access to sensitive information, like the social security number. With more and more sensitive information accessible via the internet, being sure somebody is who they say they are online is more critical than ever. 

Our own data shows that nearly 1 in 10 of the identity checks we carried out between January and October 2022 identified fraudulent activity – of which more than half involved identity fraud. Relying on legacy approaches leaves the door wide open to bad actors – passwords are far too vulnerable to data breaches, while two-factor authentication is too susceptible to device compromise. And with the use of deep fake technology on the rise, even conventional identity verification technology isn’t completely infallible.

Veriff is leading the fight against friendly fraud occur and identity theft, credit card fraud, using stolen credit card information or stolen social security information, and other others of online fraud. We tackle fraud from multiple angles to ensure that fraudsters are caught both in the moment and in recurring attacks and organized fraud rings. As well as examining device, network, face and document information for individual sessions, we use crosslinking to compare this information across thousands of sessions and pick out bad actors through patterns of behavior even when their actions are superficially legitimate. That means we can stop online scamming in its tracks.