Government agencies (and their customers) aren’t immune to cyberattacks. In fact, they’re often a more tempting target, with an extensive network of compromised personal data available for sale or provided by consumers unaware of a scam. The pandemic only exacerbated an already serious problem with cybersecurity in the public sector. Now, government agencies are faced with scams and fraudulent claims in addition to typical cyberattacks, and the problem needs real attention.
Account Takeover and Other Threats
One of the most significant threats facing government agencies at all levels during the pandemic is account takeover (ATO). ATO was accompanied, to a lesser degree, by fraudulent account creation, fraudulently filing for benefits, or filing under a false identity. The numbers are still being tallied, but costs to U.S. taxpayers from COVID-related fraud total in the billions.
ATO occurs when a bad actor gains control over a person’s benefits account. First, they obtain login details, then slowly change seemingly insignificant PII on the account. Successful ATOs can unlock a host of benefits for the attacker, who is then free to make fraudulent claims and assume the online identity of the victim.
Gaining access to an account isn’t too difficult. Examples of COVID-19 scams abounded over the past year, with scammers calling to “verify benefits,” sending phishing text messages, or asking people to take part in “COVID-19 surveys.” These scams would target personal information that, in some cases, would get the scammers just the info they’d need to execute an ATO.
According to a recent study by TransUnion, government agencies at all levels recognize that ATO is a significant threat to their customers, and that threat has been growing over the past two years. Unfortunately, a corresponding rise in security to combat this threat has not occurred. Mobile devices are one of the most significant vectors for ATO fraud, but government agencies have been slow to respond, which leaves the door to fraudsters wide open.
Beyond ATO, agencies face threats from scammers filing false claims using a real identity or creating a fake identity to make claims. Although neither of these threats is as pressing as ATO, they’ve cost taxpayers millions. Although noble, the rush to issue benefits to Americans in need created an irresistible opportunity for unscrupulous fraudsters. Some of these were even committed by organized crime rings. There’s no question that government agencies need to take steps to improve their security protocols, reduce fraud, and ultimately get the funds to the people who need them the most.
Government Agencies Face Implementation Barriers
Unfortunately, public-sector agencies face different implementation barriers for risk-mitigation strategies than private-sector organizations. Changes often move slowly through bureaucracies, and government agencies are often hampered by more restricted budgets. Furthermore, as in many industries, senior management may have been slow to recognize the risk presented by increasingly sophisticated online attacks. However, there is hope: potential solutions can be simple, effective guards against these problems.
Government employees working to fight against this fraud recognize that it’s a problem, and they also recognize solutions are out there. In many cases, some simple security measures would help immensely. Technology has offered several convenient and effective ways to mitigate these threats and help government agencies better protect their constituents and taxpayer resources. Private-sector businesses can also apply these same methods to better combat ATOs.
One of the simplest ways to help mitigate ATO is to enable two-factor authentication for sign-ins. The simple step of texting or emailing a one-time password could help government agencies add a second layer of identity proofing to online transactions and give constituents additional peace of mind about the security of their accounts.
Behavioral analytics is also a promising technological solution to a complex problem. Using huge data sets, several identity-verification services can create an online picture of a person’s behavioral patterns (including the device profile they typically use). In the event of an ATO, those services can flag behaviors that are out of character for the individual or the device. In the event of questionable behavior, those services can then trigger an online transaction platform to seek additional information from the constituent to authenticate them. This can happen in real time, with minimal to no friction for the constituent.
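The following sketch is an added example, not code from the study or from any identity-verification service. It scores account events against a per-user baseline (known devices, usual sign-in hours) and accumulates PII edits over a look-back window, so the slow-change takeover pattern described earlier escalates from allow to a step-up challenge to denial. The field names, weights, thresholds and sample events are all constructed assumptions, and a passed step-up challenge is not modelled.

```python
from dataclasses import dataclass, field
PII_FIELDS = {"email", "phone", "address", "bank_account"}
WINDOW_DAYS = 30               # assumed look-back window for "slow" PII edits
STEP_UP_AT, DENY_AT = 50, 80   # assumed thresholds, tune on real data

@dataclass
class Profile:
    known_devices: set           # devices seen in the user's normal history
    usual_hours: range           # hours of day the user normally signs in
    pii_changes: list = field(default_factory=list)  # (day, field) history

def score(profile, ev):
    """Return (risk score, reasons) for one event and record PII edits."""
    total, reasons = 0, []
    if ev["device"] not in profile.known_devices:
        total += 40
        reasons.append("unfamiliar device")
    if ev["hour"] not in profile.usual_hours:
        total += 10
        reasons.append("unusual hour")
    if ev["action"] == "change_pii" and ev["field"] in PII_FIELDS:
        profile.pii_changes.append((ev["day"], ev["field"]))
        # Distinct PII fields edited inside the window, so small edits
        # spread over weeks still add up.
        recent = {f for d, f in profile.pii_changes if ev["day"] - d <= WINDOW_DAYS}
        total += 15 * len(recent)
        reasons.append(f"{len(recent)} PII field(s) changed in {WINDOW_DAYS} days")
    return total, reasons

def decide(profile, ev):
    """Map the score to allow / step_up (extra authentication) / deny_and_review."""
    total, _ = score(profile, ev)
    if total >= DENY_AT:
        return "deny_and_review"
    return "step_up" if total >= STEP_UP_AT else "allow"

# Constructed event stream: normal use, then the slow takeover pattern.
EVENTS = [
    {"day": 1,  "device": "phone-A", "hour": 10, "action": "login"},
    {"day": 2,  "device": "phone-A", "hour": 11, "action": "change_pii", "field": "address"},
    {"day": 40, "device": "phone-X", "hour": 3,  "action": "login"},
    {"day": 41, "device": "phone-X", "hour": 14, "action": "change_pii", "field": "phone"},
    {"day": 48, "device": "phone-X", "hour": 14, "action": "change_pii", "field": "email"},
    {"day": 55, "device": "phone-X", "hour": 2,  "action": "change_pii", "field": "bank_account"},
]

def replay(events):
    profile = Profile(known_devices={"phone-A"}, usual_hours=range(7, 23))
    return [decide(profile, ev) for ev in events]
```

Calling `replay(EVENTS)` returns one decision per event; the legitimate address change on the known device passes without friction, while the edits from the unfamiliar device are challenged and the third one is denied.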
These are just a couple of the tools available to government agencies as well as the private sector. Threats like ATO are a real problem, and all reports indicate they will increase in prevalence, so government agencies need to develop and implement risk-mitigation strategies to protect their constituents. As more and more constituents use mobile devices to access online benefits, it is incumbent upon government agencies to offer higher levels of security.