Third-Party Breaches and the Rise of Imposter Scams in 2022
The Two-crime Crime is Now a Three-crime Crime
Analysis of 2022 data breaches has uncovered sobering news for consumers and businesses. The overall number of publicly reported data breaches remained high at 1,802 in 2022, with an increase in a specific type of breach known to cause scams — the third-party breach.
While there may have been slightly fewer data breaches in 2022 than in 2021, the number of third-party data breaches, also called supply chain breaches, increased by 45%. There was also a 10% increase in severity within those third-party breaches, compared to a mere 2% increase in severity within primary breaches.
Vendors attract unwanted criminal attention
The very nature of a breach changes once it involves a third party.
Third-party breaches generally refer to attacks perpetrated against information processing vendors with a wide range of clients, such as administrative, payroll and accounting firms. These vendors are attractive to criminals for two main reasons:
1. They usually have less sophisticated cyber protection than larger or highly regulated entities, and
2. they have access to customer data from multiple organizations instead of just one.
For cybercriminals, this means less risk and a higher ROI, opening up new roads to financial fraud in new or existing deposit or credit accounts at credit unions in the member’s name.
Criminals have figured out that the quickest path to identity credentials is through the networks of much softer targets. The softest targets for breaches are healthcare and educational institutions. Half of all breaches are occurring at the third-party firms these organizations rely on for billing and other client services.
For credit unions, which collectively spend millions on security measures, the skyrocketing numbers of third-party breaches should be of particular concern.
Emergence of the three-crime crime
In the classic “two-crime crime” of identity theft, criminals:
1. breach the data, and then
2. misuse that data to commit identity fraud.
The level of criminal gain depended on the level of personally identifiable information (PII) breached in the attack. For example, access to a victim’s birthdate and employer information does not necessarily result in access to financial accounts. Accessing the victim’s online banking username and password is another story.
With the explosion of supply chain breaches in 2022, the “two-crime crime” evolved into a “three-crime crime”:
1. Breach the data
2. Apply that data to a social engineering scheme to obtain even higher value data
3. Misuse the data to commit identity fraud
The breach of a third-party vendor yields contact information and data that is of lower direct risk to consumers’ existing financial accounts. However, cybercriminals use that low-level data to fuel social engineering attacks, such as phishing (email), smishing (mobile device) or vishing (phone calls and voicemails), to gain more sensitive and damaging personal data. These attacks are often deployed as imposter scams, designed to harvest the high-level personal identity information (e.g. card numbers, SSN, etc.) required to commit fraud in the consumers’ existing financial accounts. For example, the three-crime crime allows a skilled scammer who has breached a healthcare vendor to quickly turn stolen name/birthdate/medical information into the keys to a victim’s credit union savings account.
Implications for credit unions and their members
The uptick in third-party breaches is expected to continue. As a result, credit unions need to understand the implications for their organizations and members.
Third-party breaches are a rising threat to consumers. According to the FTC, imposter scams, in which criminals pretend to be someone they’re not — government officials, bankers, romantic suitors — to steal money or gather personal information, were the number one consumer scam in 2022. Artificial intelligence (AI), deepfake audio and video techniques and other emerging technologies are helping criminals create more sophisticated imposter scams to trick consumers into divulging sensitive PII.
Poor security practices by third-party vendors impact CU security. Historically, fraudsters have shied away from attacks on credit unions because of the sophisticated cyber protections in place. That may have given some cooperatives an outsized sense of safety against digital crime. Today, the rise of third-party breaches poses a significant risk to credit unions, due to potential exposure of data in third-party breaches at healthcare or educational institutions, or even among third parties that the credit union itself relies upon.
Account-level risk intelligence is paramount. Each credit union member has a different level of risk for identity theft based on their individual history of breaches and the mitigation steps they have already taken. Educating members on common scams is a helpful service that credit unions can provide. To give authentically beneficial services to members, credit unions should consider offering hyper-personalized tools for account-level assessment and advice.
Criminals are using the tactic of third-party breaches to tremendous effect. More data for less effort delivers a greater ROI on their criminal activities. As trusted advisors, credit unions can play an important role in countering this trend by empowering members with the education and tools necessary to protect themselves.
Jim Van Dyke is a senior principal and leader of innovation at TransUnion. He can be reached at Jim.VanDyke@transunion.com.