Fintech Stops Fraudulent Loan Activity and Improves Growth

March 13, 2023 | by Muzaffer Pasha


A fast-growing financial services company detected and prevented a targeted phishing campaign that exploited its loan approval process and was hampering both its growth and its reputation. The company had moved into a niche market, giving merchants a way to offer customers rapid lease-to-own financing loans to purchase their goods. Once the loan was completely paid and the payment plan ended, the consumer owned the item. The company website and smartphone app both relied heavily on APIs that gave users multiple ways to apply for loans, which made API security a must-have.

The company acted as a middleman, helping to process loan applications on behalf of the merchant that evaluated whether the loan applicant was creditworthy and financially able to pay back their loan. However, cybercriminals also realized that this type of lease-to-own business was a perfect opportunity for a phishing campaign that exploited the fintech’s loan approval process.

Targeted Attacks Using SMS Phishing

Cybercriminals were using SMS phishing (smishing) against merchants, sending them texts containing links to a fake webpage similar in every way to the fintech’s webpage, except for the URL. The fake webpage promised the merchant an award upon login. The merchants would then log in to the fake webpage, giving their cleartext username and password to the cybercriminals. This allowed the attacker to log in to the merchant’s account and apply for fake loans on behalf of their customers. Once the attackers authenticated to the real webpage, they were able to submit fake loan applications to their targeted merchant company that, if approved, would enable them to purchase expensive high-end items such as Apple products that were shipped to them at no cost.

Enormous Strain on the Fraud Detection Team

This targeted cyberattack placed an enormous strain on the fraud detection team responsible for evaluating each loan. It increased the amount of work for each fraud analyst, who worked tirelessly to determine whether a loan application was legitimate or fraudulent. Worse, the fraud analysts were becoming a bottleneck, holding up loan applications, which was now affecting the business of the fintech company. The result was an increase in fraudulent activity, lost revenue, and a poor brand image.

Fraud Team Needed Help and Fast!

For the security team, this was not sustainable. They were looking for a security solution that could not only prevent fraudulent loan activity but also streamline and speed up the loan application process.

They were looking for a new API protection vendor that could do the following:

  • Reduce fraud analyst burden: Reduce the number of hours spent by fraud analysts on each loan application.
  • Increase Accuracy: Increase the accuracy and quality of analysis for each transaction, ensuring that mistakes were not made that delayed or blocked legitimate loan applications.
  • Loan Quality: Ensure that only legitimate loans were submitted and processed, ensuring there were no delays due to manual fraud analysis.
  • Reduce fraud cost: Reduce the cost of fraudulent loan processing that hit the company’s expenses.

Cequence Comes to the Rescue

The Cequence Unified API Protection (UAP) solution was introduced to the fintech company to help the fraud team fight this malicious activity. Working together, Cequence and the fintech company deployed API Spartan, a UAP module that completely blocked fraud traffic in a matter of days. They were able to achieve the following results:

  • Fraud Analyst Productivity: A reduction in the number of hours spent by each analyst on processing each application.
  • Decrease Loan Processing Time: The amount of time spent on processing each loan application decreased, enabling customers to receive a response on loan approval much sooner.
  • Fraud Cost Reduced: As a result of blocking fraudulent bot activity, the fintech company saw an immediate reduction in the fraud costs that were impacting their bottom line.

Streamlined Approval Process

API Spartan was deployed in front of the fintech API application, where it reduced fraudulent logins and streamlined the approval of loan applications. In one attack, API Spartan was able to block a cyberattack campaign that targeted a retailer that sold iPhones. Once the retailer was compromised, the attacker was able to apply for fraudulent loans that would lead to expensive high-end items such as iPhones being shipped to them at no cost. Through API Spartan, they were able to block 3,150 fake applications, which saved over $3,150,000 in potential account losses.

Author: Muzaffer Pasha, Senior Product Marketing Manager
