QR code fraud, vaccine-theme phishing and loyalty-points takeovers are ready for harvest, so get your guards up now!

Just before the year 2020 was wrapped up, the SolarWinds Orion security breach made global headlines and stoked concerns about the risks associated with supply chain and third-party security.

The massive hit to very established IT conglomerates serves as a stark reminder that any government agency or enterprise can be a target of sophisticated malware attacks, and it is more important now than ever to better understand how cybercriminals are adapting their methods to exploit vulnerabilities found in the gaps between an organization’s security infrastructures, their users and devices.

George Lee, Vice President, APJ, RSA

According to George Lee, Vice President (Asia Pacific and Japan), RSA, the predominant attack vectors listed in his firm’s quarterly fraud report were:

  • Fraudsters taking advantage of consumer reliance on mobile devices by creating malicious applications purporting to be from trusted brands. Globally, rogue mobile applications were the most predominant attack vector at 43% from July to September.
  • Account takeovers or logins from a combination of new account and new device also accounted for 27% of total fraud volume that RSA observed in Q3 2020, suggesting that fraudsters are continuing to use stolen credentials from data breaches to set up mule accounts to facilitate cash-out or new account fraud. RSA also recovered close to nine million unique compromised cards and card previews from online credit-card stores and fraud communication channels.
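The "new account plus new device" combination above is a login-time risk signal that a fraud team can score without any vendor tooling. The following is an added example, not RSA's scoring model or any code from the article: it replays a constructed list of login events, treats a device unseen on the account and an account younger than a week as signals, and adds a heavier weight when one device has already been used to log into several new accounts (the mule-account pattern the report describes). The weights, the seven-day window and the event format are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed prior history: devices each established account has used before.
KNOWN_DEVICES = {"acct-1001": {"dev-A"}, "acct-1002": {"dev-D"}}

# Constructed login events, oldest first: (account_id, device_id, account_age_days).
LOGIN_EVENTS = [
    ("acct-1001", "dev-A", 400),  # established account, usual device
    ("acct-1001", "dev-B", 400),  # established account, unseen device
    ("acct-2001", "dev-C", 1),    # brand-new account on an unseen device
    ("acct-2002", "dev-C", 0),    # second new account on the same device
    ("acct-2003", "dev-C", 2),    # third new account on that device: mule-farm pattern
    ("acct-1002", "dev-D", 900),
    ("acct-1002", "dev-D", 900),
]


def score_logins(events, known_devices, new_account_days=7, mule_threshold=3):
    """Return one risk record per login event, in event order.

    Signals and weights (illustrative assumptions, not RSA's model):
      new-device   +1  device never seen on this account before
      new-account  +1  account younger than new_account_days, counted only with new-device
      mule-device  +3  device already tied to mule_threshold or more new accounts
    """
    # Copy the history so the caller's dict is not mutated while we learn devices.
    seen = defaultdict(set, {acct: set(devs) for acct, devs in known_devices.items()})
    new_accounts_on_device = defaultdict(set)
    records = []
    for account, device, age_days in events:
        score, reasons = 0, []
        new_device = device not in seen[account]
        new_account = age_days <= new_account_days
        if new_device:
            score += 1
            reasons.append("new-device")
            if new_account:
                score += 1
                reasons.append("new-account")
        if new_account:
            new_accounts_on_device[device].add(account)
            if len(new_accounts_on_device[device]) >= mule_threshold:
                score += 3
                reasons.append("mule-device")
        seen[account].add(device)
        records.append({"account": account, "device": device,
                        "score": score, "reasons": reasons})
    return records


def high_risk_accounts(records, threshold=3):
    """Accounts with at least one login scoring at or above the step-up threshold."""
    return sorted({r["account"] for r in records if r["score"] >= threshold})


if __name__ == "__main__":
    results = score_logins(LOGIN_EVENTS, KNOWN_DEVICES)
    for r in results:
        print(r)
    print("step-up candidates:", high_risk_accounts(results))
```

A new account's first login is almost always from a device the account has never used, so "new-device" and "new-account" on their own only justify step-up authentication or a velocity check; the device-linked-to-many-new-accounts signal is what separates a genuine sign-up from a mule farm, which is why it carries the larger weight here.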

What to expect in 2021

Based on the firm’s observations over the last year, cybercriminals did not waste a good global crisis. Attack surfaces have expanded, and fraudsters will only exploit new targets and priorities this year. 

  1. QR code fraud will increase. QR codes have become ubiquitous in just about every establishment these days. Likewise, fraudsters are using QR codes to carry out phishing attacks. One common tactic is to register a lookalike of an organization’s domain name with a different extension, so that the code brings users to a website that appears to be legitimate and tricks them into downloading malicious programs or making a purchase.
  2. Pandemic-themed phishing now targets the vaccines. With more vaccines becoming publicly available this year, fraudsters will leverage this opportunity to engage in misinformation campaigns. We can expect to see a significant number of vaccine-related phishing attacks through email, phone call (vishing) or text messages (smishing) under false pretenses attempting to steal unsuspecting users’ personal information.
  3. Fraudsters will crave ‘loyalty points’. While frequent flyers and other travelers likely have not been keeping a close eye on their loyalty points and account balances over the last several months, cybercriminals know all too well that the pandemic has brought the tourism and hospitality industry to a standstill. That amounts to a great deal of these points sitting around unguarded. Loyalty accounts are easy targets as they are typically guarded by little more than a username and password combination that is often forgotten by consumers until they are ready to use them. Fraudsters could steal loyalty points without the end-user even knowing it—by using methods such as account takeover.
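The QR tactic in item 1 turns on the destination domain, which a user cannot read from the printed square. One defensive control is to decode the payload before opening it and compare the host against the domains an organization actually owns. The following is an added example, not code from the article or from RSA: it takes an already-decoded QR payload, accepts exact matches and subdomains of a constructed allowlist, and flags hosts that carry the brand name under a swapped extension, as a buried subdomain, or glued to extra words. The allowlist and sample URLs are constructed, and the brand-name heuristic (first label of each trusted domain) is an assumption; a production check would use the public suffix list.

```python
from urllib.parse import urlparse

# Constructed allowlist: the registrable domains the organisation actually owns.
TRUSTED_DOMAINS = {"examplebank.com", "examplebank.com.sg"}


def brand_labels(trusted):
    """Brand part of each trusted domain ('examplebank' for 'examplebank.com.sg').

    First-label heuristic, an assumption that fits this allowlist; a production
    check would derive the registrable part from the public suffix list.
    """
    return {d.split(".")[0] for d in trusted}


def classify_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL decoded from a QR code as 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url  # printed QR payloads often omit the scheme
    host = (urlparse(url).hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return "unknown"
    # Exact trusted domain or a subdomain of one: the real site.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    # Brand name present in the host but not under a trusted domain, e.g.
    #   examplebank.net                    swapped extension
    #   examplebank.com.verify-login.xyz   trusted name buried as a subdomain
    #   examplebank-secure.com             brand glued to extra words
    labels = host.split(".")
    if any(brand in label for brand in brand_labels(trusted) for label in labels):
        return "lookalike"
    return "unknown"


def triage(urls, trusted=TRUSTED_DOMAINS):
    """Group a batch of decoded QR payloads by verdict."""
    out = {"trusted": [], "lookalike": [], "unknown": []}
    for u in urls:
        out[classify_qr_url(u, trusted)].append(u)
    return out


if __name__ == "__main__":
    # Constructed payloads as a QR scanner might decode them.
    samples = [
        "https://examplebank.com/pay?id=1",
        "https://online.examplebank.com.sg/login",
        "https://examplebank.net/pay",
        "examplebank.com.verify-login.xyz/",
        "http://examplebank-secure.com/pay",
        "https://www.example.org/",
    ]
    for verdict, urls in triage(samples).items():
        print(verdict, urls)
```

The check deliberately treats "unknown" and "lookalike" differently: an unknown host is merely outside the allowlist, while a lookalike reuses the brand and is the case worth blocking or reporting, since that is the appearance-of-legitimacy the tactic relies on.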

Cybercriminals will adjust their tactics and look for targets whose security gaps are the easiest to attack. But the good news is, cybersecurity teams are also adaptable, and we have seen their resilience as they combat new security threats and challenges targeting their organizations.

With proper security measures and tools in place, organizations and their users stand a better chance of stopping or catching attacks that can compromise their digital systems, said Lee.