Master cyber criminals making nearly three times as much as FTSE 100 CEOs

A new report from Arkose Labs into the 2022 Q2 State of Fraud and Account Security has detailed a significant rise in online attacks during the first quarter of 2022, elevating cybercriminal earnings to exponential levels.

Following the swathe of new fraudsters moving into online crime, with the introduction of furlough policies and rise in unemployment during the pandemic, the trend has continued to grow. The latest data indicates that the ROI (return on investment) for launching cyber attacks or committing online fraud is larger than ever before. Some of the highest-earning fraudsters are known to be making around £6 million a year according to even the most conservative estimates. This compares to almost three times the amount that FTSE 100 chief executives were paid in 2020 when they earnt an average of £2.7m.

Arkose Labs recently hired Brett Johnson as their Chief Criminal Officer. Brett, a reformed cybercriminal who served seven years in jail, led the infamous Shadowcrew and has since seen the number of active criminals increase ten-fold since 2019.

He commented: “The temptation for committing online fraud is higher than ever simply because the results yield thousands, if not millions of pounds, for even the newest and most junior cybercriminals in the chain.”

”Online criminals have a shopping list of opportunities available to them – everything from refund fraud to account takeover. They can almost pick and choose which type of fraud they want to commit. In particular, marketplace and messaging platforms have become vastly popularised in the fraud community where cybercriminals can promote their own personal fraud business, recommend attack tools and techniques, and offer free step-by-step guides for the rookie fraudster.”

Businesses are wading into the metaverse without putting security front of mind

The latest report reveals how master fraudsters are taking advantage of businesses with new and untested metaverse strategies in particular. Attacks on metaverse companies increased 40% since Q4 2021. Unlike automated bot attacks, fraudsters are putting greater investment into metaverse attacks, requiring more human capital to execute phishing, spam, and scams effectively.

Bots are becoming more intelligent & efficient

Q1 of 2022 also saw consistently higher bot-driven attacks than the average across all of 2021, driven by large-scale scraping and credential stuffing attempts. Scraping attacks increased by 60% in the first three months of the year, while 4% of all logins were a credential stuffing attempt. Bot attacks have three times more complex attack signatures today than in years prior, creating greater detection complexity for businesses.

Industry-Specific Attacks on the Rise

While every industry saw massive attacks, each industry was targeted in different ways and by varying attack patterns.

  • Fintechs saw 2.5 times more attacks in the first quarter of 2022 compared to the two years prior and 75% of attacks aimed at fintech companies were zeroed in on consumer logins
  • Gaming companies experienced 260% more attacks, including an 85% increase in fake account registrations, compared to Q4 2021
  • Technology companies were most impacted by fake accounts, attempting to monetize promotions and free trials
  • Travel companies experienced an upsurge in scraping attacks aimed at obtaining inventory information. An overall 250% increase was seen from Q4 2021 to Q1 2022

UK and Europe

  • The latest Arkose data found that one in every three cyber attacks is now coming from Europe
  • The UK alone saw 52.1 million attacks to online business in the first quarter of 2022
  • 27% of all online transactions in the UK are now attacks
  • Most attacked industries are gaming, social and digital media, streaming services, technology, travel, retail and financial services
  • The financial services, technology and gaming industries represent 88% of all attacks versus all other industries combined
  • 99% of attacks are automated bots versus 1% of human attacks
  • 87% of fraudulent activity was fake new account fraud