Cyber fraud: Lessons learned from 2018

Facebook, British Airways, T-Mobile – high profile data breaches involving millions of people’s personal and financial data consumed the news in 2018. With ever more sophisticated cyber threats targeting individuals and businesses, this advanced fraud is only set to become more sophisticated.

But it’s not all doom and gloom. The more you understand cyber threats, the better prepared you can be to stop them. We’ve rounded up some of the most important learnings, from some of the leading cybersecurity players, to help keep your business safe from cyber-attacks in 2019.


Formjacking is a virtual form of card skimming – it uses malicious code to steal information as it’s entered into online payment forms, on ecommerce and ebanking websites.

On average, Symantec reports that 4,818 unique websites were compromised by formjacking code every month last year.

While household names are splashed across the headlines, Symantec says "it is often small and medium sized retailers selling goods ranging from clothing to gardening equipment to medical supplies, that have had formjacking code injected onto their websites.”

With consumers increasingly buying through the internet, this type of fraud looks set to stay, so investing in anti-formjacking security checks could be the next priority for businesses.

How is merchant fraud evolving?

Credit card and banking malware

Credit card theft has long been a problem for individuals and businesses, but it’s recently reached new heights of sophistication.

McAfee’s 2018 report found that e-commerce malware – malicious code on payment platforms – had overtaken point-of-sale fraud as cyber criminals’ preferred method of attack.

Banking malware also continues to be a constant threat, with more and more spam campaigns managing to bypass email protection systems and compromise banking details.

Anti-fraud measures to try and protect against credit-card and banking malware include:

  • geographic IP location checks for online payments
  • two-factor authentication for online banking actions

Two-factor authentication is part of the PSD2’s Strong Customer Authentication, which officially comes into force on 14th September 2019. Make sure your business is ready for the new legislation, read our guide to Strong Customer Authentication.

cyber fraud lessons learned

Advanced persistent threats

Advanced persistent threats are sustained attacks where a cyber criminal typically invests a lot of effort into compromising a network, in order to have access to data over a prolonged period.

Email threats

Email threats have been on the rise since 2015, and last year was no different – Symantec found that numbers of phishing, spam and malware were still on the up.

According to Symantec, 55% of emails in 2018 were registered as spam, showing just important a good spam filter is. But don’t just rely on your junk inbox to catch these threats. 48% of all malicious email attachments came from Microsoft Office files. These might look innocent, but it’s worth having an internal checking system to verify links before you unwittingly download a virus.

Symantec’s cyber security report also found that the malicious email rate for smaller companies was much higher (one in every 323 emails) than bigger organisations (one in every 556 emails). If you’re a small business, investing in a rigorous email security system gives you a much better chance to avoid falling prey – saving a lot of time and money in the long run.

Spear phishing

Spear phishing is typically an email scam which targets an individual, leading them to input personal details, which are then captured by cyber criminals, or click a link, which might download malware

Spear phishing is a favourite among cyber criminals because of its success rate. Antivirus and internet security software provider, Kaspersky Lab predict spear phishing will continue to be popular in the future. Relying on human interaction to avoid automatic fraud detection systems, spear phishing usually hooks targets with a legitimate looking or sounding communication. Unfortunately, that means data breaches – especially on social media platforms – fuel spear phishing by giving cyber criminals an even more targeted opportunity.

As with email threats, additional authentication is highly recommended. It won’t affect day-to-day operations too much, and could save you from a potentially devastating data breach.

Supply chain attacks

Supply chain attacks target the network between businesses and suppliers to access valuable business data at the end of the chain.

Over the past few years, supply chain attacks have been steadily mounting, and Symantec report an increase of 78% last year. They’re a main draw for cyber criminals because accessing one supply chain could allow access to multiple businesses.

According to Symantec, developers are a main source of attack, allowing cyber criminals to hijack software updates and version controls. It’s a good idea to check the security systems of your third-party web applications, such as review tools or chat, to make sure they can’t be exploited.

Cloud databases

You probably associate cloud data breaches with leaked celebrity photos, but it can also be a serious problem for businesses. In 2018, Symantec reports that more than 70 million records [were] stolen or leaked as a result of poor configuration of Amazon S3 buckets.

Amazon S3

Amazon S3 is the short name for Amazon Simple Storage Service, a data storage service for businesses.

Around 42% of UK enterprises depend on the cloud, according to Eurostat. So, if you’re one of them, make sure you’re aware of the risks and taking all precautions to protect your data.

How to protect your business from cyber-attacks in 2019

It’s impossible to know exactly what the new cyber criminal trends will be this year, but here are some simple steps to help protect your business from future cyber-attacks:

Credit card and banking malware:

  • Help prevent formjacking with automated vulnerability scanners and intrusion detectors on your website
  • Protect online payments with geographic IP location checks
  • Make sure you’re compliant with Strong Customer Authentication by updating your Payment Service Provider platform. Read our guide to find out how.

Email threats and spear phishing:

  • Don’t just rely on spam filters and traditional blacklists
  • Set up internal policies and encourage staff to report attacks
  • Use multi-factor and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication for extra protection.

Supply chain attacks:

  • Ensure you have full visibility over your supply chain
  • Know how many providers you have and what type of software you’re using
  • Confirm security requirements and responsibilities with suppliers
  • Check for third-party attacks by implementing monitoring systems and intrusion detectors.

Cloud databases:

  • Create offline back-ups of all your data
  • Encrypt any information you store in the cloud
  • Use unique passwords with multi-factor authentication for each cloud account
  • Make sure all cloud accounts are securely configured
  • Block public access to any Amazon S3 buckets – if necessary, create special buckets for any data that needs to be publicly readable.


Patching is the process of applying mini updates to software in-between full updates, to fix bugs, install upgrades and safeguard against security threats.


  • Regularly patch your software to keep improving your cyber security
  • Keep all your IT systems up to date with the latest versions of software and firmware.


  • Configure any staff accounts with the lowest level of access 
  • Keep permissions up to date when people leave by removing them from the system.

Further help

Get insights on how to defend your business in our video – Cybersecurity: A hacker's advice on protection from payment fraud

See more help online from the Cardnet Payment Security insights


  1. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  2. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  3. https://www.itgovernance.co.uk/blog/the-cost-of-a-payment-card-data-breach
  4. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  5. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  6. Kaspersky Security Bulletin: Threat Predictions for 2019
  7. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  8. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  9. Symantec Internet Security Threat Report, Vol 24, Feb 2019
  10. DCMS, Cyber Security Breaches Survey 2019
  11. DCMS, Cyber Security Breaches Survey 2019

Related articles


Cybersecurity and fraud: how to keep your data safe

Read more about how to keep your data safe



Cybersecurity: A hacker’s advice on protection from payment fraud

Read more about protecting yourself from payment fraud



Online card fraud: balancing convenience and security

Read more about online card security

All Payment Security stories

Receive our Thought Leadership and Market Updates

Get our top insights to help your business by signing up to our Thought Leadership and Market Updates. From the latest retail trends to payment regulation, our experts will keep you up to speed. Please enter your email below if you would like to receive our Thought Leadership and Market Updates.

Your information will be held by Lloyds Bank plc trading as Cardnet, part of the Lloyds Banking Group. More information on the Group can be found at lloydsbankinggroup.com.

Please scroll down in order to confirm acceptance of our Terms and Conditions

Who looks after your personal information

Your personal information will be held by Cardnet which trades as Cardnet, part of the Lloyds Banking Group. More information on the Group can be found at www.lloydsbankinggroup.com

How we use your personal information

We will use your personal information:

  • to provide products and services, manage your relationship with us and comply with any laws or regulations we are subject to (for example the laws that prevent financial crime or the regulatory requirements governing the products we offer).
  • for other purposes including improving our services, exercising our rights in relation to agreements and contracts and identifying products and services that may be of interest.

To support us with the above we analyse information we know about you and how you use our products and services, including some automated decision making. You can find out more about how we do this, and in what circumstances you can ask us to stop, in our full privacy notice.

Who we share your personal information with

Your personal information will be shared within Lloyds Banking Group and other companies that provide services to you or us, so that we and any other companies in our Group can look after your relationship with us. By sharing this information it enables us to better understand our customers’ needs, run accounts and policies, and provide products and services efficiently. This processing may include activities which take place outside of the European Economic Area. If this is the case we will ensure appropriate safeguards are in place to protect your personal information.

You can find out more about how we share your personal information with credit reference agencies below and can access more information about how else we share your information in our full privacy notice.

Where we collect your personal information from

We will collect personal information about you from a number of sources including: information given to us on application forms, when you talk to us in branch, over the phone or through the device you use and when new services are requested. from analysis of how you operate our products and services, including the frequency, nature, location, origin and recipients of any payments. from or through other organisations (for example card associations, credit reference agencies, insurance companies, retailers, comparison websites, social media and fraud prevention agencies). 

In certain circumstances we may also use information about health or criminal convictions but we will only do this where allowed by law or if you give us your consent.

You can find out more about where we collect personal information about you from in our full privacy notice.

Do you have to give us your personal information

We may be required by law, or as a consequence of any contractual relationship we have, to collect certain personal information. Failure to provide this information may prevent or delay us fulfilling these obligations or performing services.

What rights you have over your personal information

The law gives you a number of rights in relation to your personal information including:

  • the right to access the personal information we have about you. This includes information from application forms, statements, correspondence and call recordings.
  • the right to get us to correct personal information that is wrong or incomplete.
  • in certain circumstances, the right to ask us to stop using or delete your personal information.

From 25 May 2018 you will have the right to receive any personal information we have collected from you in an easily re-usable format when it’s processed on certain grounds, such as consent or for contractual reasons. You can also ask us to pass this information on to another organisation.

You can find out more about these rights and how you can exercise them in our full privacy notice.

Other individuals you have financial links with

We may also collect personal information about other individuals who you have a financial link with. This may include people who you have joint accounts or policies with such as your partner/spouse, dependents, beneficiaries or people you have commercial links to, for example other directors or officers of your company. We will collect this information to assess any applications, provide the services requested and to carry out credit reference and fraud prevention checks. You can find out more about how we process personal information about individuals with whom you have a financial link in our full privacy notice.

How we use credit reference agencies

In order to process your application we may supply your personal information to credit reference agencies (CRAs) including how you use our products and services and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We may also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time, information on funds going into the account, the balance on the account and, if you borrow, details of your repayments or whether you repay in full and on time.

CRAs will share your information with other organisations, for example other organisations you ask to provide you with products and services. Your data will also be linked to the data of any joint applicants or other financial associates as explained above.

You can find out more about the identities of the CRAs, and the ways in which they use and share personal information, in our full privacy notice.

How we use fraud prevention agencies

The personal information we have collected from you and anyone you have a financial link with may be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in our full privacy notice.

Our full privacy notice

It is important that you understand how the personal information you give us will be used. Therefore, we strongly advise that you read our full privacy notice, which you can find at https://lloydsbankcardnet.com/privacy/ or you can ask us for a copy.

How you can contact us

If you have any questions or require more information about how we use your personal information please contact us using https://lloydsbankcardnet.com/. You can also call us on 01268 567100. If you feel we have not answered your question Lloyds Banking Group has a Group Data Privacy Officer, who you can contact on 01268 567100 and tell us you want to speak to our Data Privacy Officer.

Version Control

This notice was last updated in April 2018.

Thank you

Thank you for subscribing to our news alert.