Threat Intelligence

ThreatMetrix Cybercrime Report: An interview

Susan Morrow
November 4, 2019 by
Susan Morrow


In a recent Infosec Cyber Work podcast, we welcomed Rebekah Moody, market planning director at ThreatMetrix, a LexisNexis Risk Solutions company. Rebekah also co-authored the H2 2018 Cybercrime Report on behalf of ThreatMetrix. In this broadcast, Rebekah gave us an insight into how the report is created and what it tells us about the current state of cybercrime. 

Rebekah works with sales, analysts and customers to help develop the report. She has over 12 years of industry experience which she can draw on to help develop insights.

Rebekah first became interested in computing and cybercrime from a background in product strategy and planning. She told us how she “fell” into the security business from working in fraud and has now worked with LexisNexis and ThreatMetrix for over four years.

Creating the H2 2018 Cybercrime Report

The ThreatMetrix Cybercrime Report has been going since 2015 and Rebekah has been involved for most of that time. The Cybercrime Report is biannual.

Originally, the data collected to create the report was in the millions of transactions, but the numbers have grown to many billions, adding increasing weight to the findings. An interesting fact that has crystallized from this year’s report is that in the 2015 version, 20% of network traffic came from mobile traffic; the latest report is based on 61% of traffic originating from mobile networks.

This is interesting as it also shows changes in customer trends and consumer behavior, both of which influence global cybercrime trends.

The H2 2018 Cybercrime Report is compiled from analysis of transactions across the ThreatMetrix network, which currently stands at around 35 billion transactions a year. These transactions reflect a global customer base across most industries and represents transactions across the entire customer journey. Touchpoints include new accounts registration, login attempts and payment transactions. Other areas covered include events such as change of details and other high-risk points in the customer journey.

Rebekah told us that ThreatMetrix utilizes “digital identity intelligence.” This is data relating to the device, location, behavior and other threat intelligence events.

Any recorded attacks in the cybercrime report are based on customer scoring around high-risk transactions.

The H2 2018 Cybercrime Report Findings

During the interview, we discussed various aspects of the report. Here, we’ll condense some of the key findings.

Cybercrime and the mobile

Within the report is an interesting point, seemingly an anomaly: what is the significance of the finding that 61% of all transactions take place on mobile, but only represent 40% of attack volume? Coupled with this, mobile payments are showing a 24% year-over-year growth. What does this mean?

Rebekah told us that there is an increase in both payment platforms and a wholesale shift to a mobile channel. In Asia Pacific, for example, you see many different methods of mobile payments. It used to be that the mobile channel was primarily used for logging into an account, but this has changed. We now see a move to this channel for financial transactions. And fully mobile user journeys, from registration onwards, are happening: mobile is becoming ubiquitous across the entire user journey.

However, the attack patterns found in the report show that mobile is still safer than a desktop. Mobile does see higher volumes, but still experiences less than half of the cyberattack numbers.

This is because of generally better mobile app security. However, ThreatMetrix can see a shift in mobile channel attacks; this is evident in an increase in attacks such as mobile takeover in financial services.

There are also geographical differences in attack volumes, and attacks are increasingly being seen in growing economies.

Bots, remote access and stolen identity

More surprising than the increases in mobile-based attacks was the migration of historical attack patterns to mobile. For example, remote access on desktop attacks is now being seen on the mobile channel.

Bot volume, too, is increasing in the mobile channel. In Q2 2018, one of the most surprising findings was the high bot traffic volumes along with a slight downturn in the number of human-initiated attacks.

In other words, automated attacks are up and human-initiated attacks are slightly down.

The Cybercrime Report shows that stolen identity data is used to initiate these automated attacks. With growth economies, in particular, using stolen identity data to feed the bot attacks; this is creating sub-economies within these countries.

ThreatMetrix will be watching this growth in automated bot traffic over time to see how it evolves. Important to note is that stolen personal data from recent breaches are behind these attacks.

Cross-network activity

Another important finding from the ThreatMetrix Cybercrime Report is that they can see the same bots targeting multiple organizations outside the originating country. The H2 2018 report was the first time that full cross-organization/cross-industry fraud was identified and confirmed. ThreatMetrix was able to prove, using identity data intelligence, that the same fraudster was operating across different organizations in the same industry and across different industries.

The ThreatMetrix data shows the entire life cycle of the fraud, laying out the critical pathway of the fraudster. This shows the importance of looking at fraud risk on a global level: ThreatMetrix is able to get this level of detail using their global network of shared intelligence.

The identity data intelligence gives ThreatMetrix a view of the global footprint of fraud.

How to deal with digital fraud

Rebekah provided some intelligence on the subject of fraud mitigation. She said that using a layered defense model is the best way to deal with the levels of fraud we are seeing; single-point solutions cannot solve the complicated fraud landscape. ThreatMetrix creates a layered defense approach in their own product: they look holistically at a person's identity intelligence and how they transact, aka the “how, where, why and what” of behavior to spot unusual events and anomalies.

Latin America: "A hotbed of new account creation fraud"

The ThreatMetrix Cybercrime Report identified Latin America as a focus for account creation fraud, with around 20% of the total volume against an industry average of 12.2%.

We asked Rebekah why this is.

A combination of an increase in technological capability alongside the capability to commit fraud are the likely factors. Latin America has a high percentage of unbanked customers; new digital technologies give better access to financial services to this demographic. This, in turn, creates a “melting pot” of new customers who are not as tech-savvy as more mature digital customers. This creates an environment of heightened risk. 

We can also assume that stolen identities are trickling down to these growth economies. It may be the case that Latin America is a test-bed for stolen ID data.

New account creation a focus for fraud and the media industry

It seems evident that by creating a fraudulent new account a fraudster opens up pathways to continued fraud; a trusted online identity gives opportunities for many other fraudulent activities.

The media industry, in particular, seems to be a “free-for-all of fraudulent account creation,” Rebekah told us. This is possibly down to less stringent security measures being used in these organizations, as there is a lower perceived risk than in the likes of banks. 

Media companies are often entry points for a digital journey for new entrants moving to digital, such as younger people. To tighten up security, media could use identity intelligence, both physical and digital, to make sure a user is a genuine person and ensure the registrant is not using a stolen or synthetic identity. Again, this is achieved by layering in various solutions. This includes technologies such as multi-factor authentication and risk-based analysis.

Risk-based analysis and digital identity intelligence

ThreatMetrix uses digital identity intelligence by looking at various data points, including location, device data and behavioral identity data. We work out if this correlates elsewhere in the network. Is there any known threat intelligence? Information we already have about a user can be used to establish the risk level of the transaction.


Fraud prevention is all about using layered defense. Bot attack detection must be done before it can impact a merchant or company. How to mitigate against other cybercrime attacks, holistically speaking, is about looking at all of the transaction data and identity data. This can be used to recognize anomalies and unusual behavior.

ThreatMetrix is now compiling the H1-2019 report. Rebekah told us that they have already noted some interesting fraud stories, again looking at how fraudsters are working across the network. She anticipates the mobile story will evolve further, and the bot volumes seem to be continuing to increase.

Check out the H2 2018 Cybercrime Report from ThreatMetrix.

You can see the full interview with Rebekah on our Infosec Cyber Work podcast



H2 2018 Cybercrime Report, LexisNexis

Mobile Security Training Modules, Infosec

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Fraud trends from the latest ThreatMetrix cybercrime report, Infosec (YouTube)

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.