With every innovation in the payment world, fraudsters are following close behind, looking for new vulnerabilities to exploit. Unsurprisingly, the new wave of fraudsters is targeting businesses and consumers largely through online and mobile avenues. The numbers alone are staggering: Online payment fraud losses topped $22 billion worldwide in 2018 and are expected to balloon to $48 billion by 2023.¹
Because the battle against fraud has many fronts, businesses must take a wide range of actions to fight the problem effectively. Here are three fraud trends to watch for and actions businesses can take to help protect themselves and their customers.
Today’s cybercriminals aren’t just looking for credit card information. They’re targeting usernames, passwords, email addresses, social security numbers, bank account information and other sensitive data that can allow them to take over a consumer’s account. This could be a checking or savings account, a loyalty program account, an online profile with a business or login credentials for a mobile app.
These takeovers can be the basis for one-time fund transfers or ongoing exploitation. Takeovers occur by adding a registered user to the account or changing the contact email or mailing address. Social media has made this type of fraud more viable. Using bots to scrape social media accounts, fraudsters harvest unthinkable amounts of personal information that they use to create fake profiles or conduct phishing schemes.
Businesses should consider two primary lines of defense against this type of fraud. First, implement multi-factor authentication such as biometric authentication, PIN codes and security questions. Then, monitor customer behavior and set security limits that, if breached, prompt fraud notifications to the consumer using the device.
“The most robust fraud prevention measures employ predictive modeling through real-time machine learning and artificial intelligence applied to both a specific business payment activity and to other businesses in the same industry segment,” says Brian Borneman, product manager at Bank of America Merchant Services.
The successful implementation of machine learning and AI depends on continuous data capture and analysis, Borneman adds. “There is simply no substitute for massive amounts of data to feed and refine the models in use,” he says. “The best machine learning platforms can detect new threats and patterns of fraudulent behavior only if they are fed the volumes of transactions and variety of data points that enable accurate prediction. Our purpose is not only to mitigate fraud but also to confidently approve a business’s real customers.”
As “buy online, pick up in-store” (BOPIS) becomes an increasingly popular purchase option for consumers, criminals are finding new ways to capitalize on areas of weakness.
Using stolen information, fraudsters place an order for quick pick-up to shorten the amount of time businesses have to process the purchase and verify the authenticity of the purchaser’s account. This type of fraud is doubly difficult to detect given the absence of a shipping address at the ordering stage, since matching cardholder billing and shipping addresses has historically been an important part of determining transaction legitimacy.
The bad actor arrives at the store and presents the order confirmation either from the business’s website or on their mobile app. The merchandise picked up will typically then be sold at a discounted price with the fraudster pocketing the proceeds from that sale. The business will subsequently receive a chargeback and be out their cost of goods as well as other fees associated with the transaction and chargeback.
Geolocation data, order histories, purchase velocity and phone data can help businesses detect a fraudulent transaction before the in-store pickup occurs. Waiting until pick-up to check IDs and verify credit card information is generally not advisable, since this can add friction to what should be a quick customer experience.
While gift card fraud has a long history, today’s fraudsters are taking advantage of new ways to exploit gift card systems.
Some fraudsters steal gift card numbers in stores before they’re activated, wait until a customer buys the card and then transfers the funds. Others target customers through phishing emails or phone calls to gain access to gift card numbers and make fraudulent cash transfers. They can also direct similar emails toward employees to attack a business’s entire gift card program.
As criminals gain intelligence about how cards are activated and balances are checked, they can manipulate that system, often from inside the organization. For larger retailers with staff attrition, fraudsters may find it easier to penetrate the organization, learn policies and procedures and start initiating suspicious gift card-related activities. This can affect customers, brand reputation and ultimately business.
To combat gift card fraud, companies should consider deterrents such as tamper-resistant gift card packs, CAPTCHA technology to help determine that the user is human, and velocity monitoring. They should also require customers to enter the extended account number (EAN) and security card value (SCV). Bank of America Merchant Services recommends requiring an eight-digit encrypted EAN or unencrypted SCV for all transactions.
As new payment methods arise and fraud continues to evolve, companies must take a multi-pronged approach to fighting the problem. “No one solution or product can one hundred percent secure a business’s environment,” says Larry Brennan, merchant data security and cybersecurity director of Bank of America Merchant Services.
Instead, businesses should develop a comprehensive and flexible strategy that addresses fraud on multiple fronts. Doing so can help companies protect revenue from fraud losses and avoid the reputational damage that can happen when large-scale fraud occurs.
“Businesses should develop a comprehensive and flexible strategy
that addresses fraud on multiple fronts.”