March 15, 2019
9 Key Cybercrime Trends for Financial Institutions in EMEA
Posted March 12, 2019
To get a sense of the e-Crime risks facing online banking in a nutshell, look no further than a recent study from Lloyd’s of London that finds a single, coordinated cyberattack could cause up to $193 billion in losses for banks, governments and businesses worldwide.
Yet while this statistic captures the global challenge in dramatic fashion, it may also obscure reality in regions dealing with what can be wildly divergent sets of pressures, priorities and paradigms when it comes to defending against e-Crime. Case in point: EMEA is home to 2 billion people speaking 2,000 native languages in more than 130 countries. With its mix of mature, emerging and high-growth economies, it needs to ensure that it responds both individually and collectively to the threats of cybercrime.
As part of an increasingly global digital economy, there are certainly some commonalities with the rest of the world. But the more you narrow the view to individual markets, the more the picture sharpens. Here’s a snapshot of global trends and dynamics playing out in this region.
1. Cyberattacks: Down, but With Pockets of Growth
According to our new H2 2018 Cybercrime Report, financial institutions are making significant progress in shoring up their defenses. In fact, the total volume of cyberattacks is down in some regions, including EMEA. But there are still pockets of growth in key countries. In France, account takeover (ATO) attacks are up 199% year-on-year, and in Germany, account creation fraud is up 66%.
2. Mobile’s on the Move, and so are Cyberthieves
On a global basis, 67% of financial services transactions are now mobile—and cybercriminals are adapting accordingly. Mobile ATO attacks, for example, are up 107% compared to the first six months of 2018. Without a doubt, fraudsters are mimicking genuine customer behaviour and targeting the volume shift to mobile in order to gain access to customer balances and credentials.
3. Focus is on the Front Door—but What About the Back?
Historically, the focus both here and abroad has been on optimizing perimeter defenses, but with PSD2 looming large we are going to see that change. It’s only recently that attention has started to grow on mitigating the risk of cyberattacks that successfully make it through. It doesn’t help that financial crime, fraud prevention, and cybersecurity organizations often work in silos—sometimes in different buildings, cities, or regions. Not surprisingly, cyberthieves are targeting the gray areas and weak spots between these silos.
4. Networked Fraud Patterns Emerging
ThreatMetrix data also reveals a rise in networked crime patterns, in which the same digital identities are used in attacks across multiple organizations within the same or different industries. Within financial services, for instance, we’re seeing a growing number of mule accounts linked with networks that span multiple banks. Meanwhile, online gambling and media sites, as well as charity accounts, are increasingly used for credentials-testing in preparation for larger attacks in eCommerce and financial services.
5. The Bot Threat is Building
Although EMEA is experiencing a drop in the number of cyberattacks targeting payments and eCommerce, the threat hasn’t gone away. It’s just evolving. Out of 3 billion bot attacks launched during the latter half of 2018, for instance, two-thirds targeted eCommerce—and this region has not been spared. Bots are being used to test stolen identity credentials. Once validated, these credentials may then be used in a series of cross-organizational, cross-industry attacks, to maximize their value.
6. Transformation Efforts in Danger of Stalling Out
Digital transformation is tough, and there are certain inflection points that can make or break these efforts. Within six to 12 months, many businesses in EMEA and elsewhere find themselves pushing through without yet seeing real value. Oftentimes, the transformation agenda is pursued in parallel to existing business goals. According to Forrester, CX performance flattened in 2018, with 50% of digital transformation efforts stalling out—some of this is due to organizations underestimating the cost and work involved, and some to fears that it would hurt quarterly performance. Key business metrics stay the same, so stakeholders must decide if the new models deliver the value they want, or if new metrics must be adopted. It can take 18 to 24 months before organizations start to realize significant value, and at least 3 years until full fruition. Steadfast commitment is required, or efforts can easily stall out or get derailed.
7. PSD2 Will be More Painful Than You Think
Expect serious turbulence from PSD2’s September 14 deadline for strong customer authentication (SCA). While most of the industry is on track for compliance with the directive, many larger organizations in payments, banking, and retail are already seeking exceptions. And given that requirements span both mobile and desktop banking, rollouts are likely to be phased in as customers adjust. What’s more, organizations hoping to forgo SCA can do so only after demonstrating low levels of fraud, which means meaningful reductions in what is sure to be major upfront friction won’t be seen until well into 2020. In the meantime, fraudsters will still seek to exploit any vulnerabilities they can find.
8. Middle East: Secure, but What About Scalability?
One market that illustrates the profound differences within a single region is the Middle East. Here, there is little appetite for data losses—and no appetite for fraud. Friction is actually more standard when compared to other regions. So although the attack rate in the region is high, it isn’t currently growing, so the threat levels are managed. However, the region has not yet succumbed to the same mass cyberattacks and data breaches that other more mature markets have experienced. As the region’s digital capabilities scale and mature, resistance to such attacks, which will inevitably come, may be tested.
9. Layered Defenses Increasingly Mandatory
With all of this as a backdrop, many EMEA-based organizations continue to walk that increasingly unforgiving tightrope of fighting both fraud and friction, with customers demanding an experience that’s both seamless and secure. As cyberattacks continue to evolve, look for savvier organizations to deploy multiple layers of modern, digital identity-based defenses, spanning fraud detection, identity assessment, and authentication backed by global identity and threat intelligence. Given the risks, organizations that don’t implement these kinds of solutions may lose customers to those that do.
To learn more about trends in online banking fraud and other industries in EMEA and around the world, download a copy of the H2 2018 Cybercrime Report from ThreatMetrix.