Hallowe’en is still months away, but Frankenstein is out trick-or-treating even as you read this, and the operative word here is “trick”. Payment fraud criminals continue playing their games with financial institutions’ (FIs) customers and online merchants. Instead of knocking on your door, they are now operating online, where they create Frankenstein IDs (synthetic identity fraud), steal credit card numbers, run automated attacks, or come up with “friendly” fraud (more on that later).
Let’s take a close look at 5 payment fraud trends that FIs and online merchants should be aware of this year and beyond, to prevent losses and protect their customers. We reviewed the latest reports, research, and our own data to put together the following list.
Which Types of Payment Fraud Are on the Rise in 2021?
This type of fraud is expected to surge in 2021, largely due to the pandemic. With so many businesses closing offices and following work-from-home policies, fraudsters are crafting new ways to breach security measures and gain access to confidential information. The number of identity theft cases is high. Nearly 1.4 million cases were reported in the US, and the Federal Trade Commission reported that the number of cases in 2019 was triple that of 2018. Since it takes time to identify the victims, many consumers whose personal information was stolen in 2020 will only discover fraud this year.
In the United States, the fastest growing type of financial crime is synthetic identity fraud. This is where a fraudster uses a combination of real and fake information to create an entirely new identity, sometimes including the use of fake faces for biometric verification – hence the name Frankenstein IDs. It might take cybercriminals from 12 to 18 months to build such an identity and credit history, in order to steal the largest amount of money possible.
Card-not-present (CNP) fraud is a scam where the scammer attempts to make a fraudulent credit card transaction while not possessing the physical card. A study from Juniper Research has found that retailers are set to lose $130 billion to digital CNP fraud between 2018 and 2023.
CNP fraud often happens when credit or debit card numbers are given out to a fraudster by mistake, when cards are lost or stolen, when mail is diverted, or when a malicious actor copies the cards, PINs or card numbers. Credit card skimming and PIN capturing devices are used to capture data from the magnetic stripe on the back of a card. They are most commonly inserted by fraudsters at ATMs, gas pumps or other POS devices.
As Covid-19 restrictions led to stay-at-home orders and a general preference for many to stick close to home instead of heading to the local mall, cardless and contactless payments have become the norm. Increased digitization of payments in 2020 created new opportunities for cybercriminals: card number details could be easily compromised and used by fraudsters to order something online. When a person pays with a physical card in the store, the employees can check photo ID or verify the signature. With online transactions, such verification can be bypassed in certain cases.
In 2021 and beyond, we will see a similar CNP fraud growth trend as criminals find new ways to take advantage of the stolen credit card information. While many jurisdictions have rules that limit the amount for which a cardholder is liable, the financial institution is still on the hook.
Account takeover (ATO) happens when cyber criminals gain access to one or more of a user’s accounts and use the stolen credentials to complete unauthorized transactions. Last year, many online retailers saw a spike in a particular kind of ATO, namely buy-online-pickup-in-store (BOPIS) fraud. The nature of curbside pickup allows fraudsters to bypass the standard methods of basic fraud detection solutions. The BOPIS trend is expected to remain post-pandemic, but its scale largely depends on the success of the anti-fraud measures that online merchants put in place this year.
In 2021, you can expect ATO cases to continue rising as fraudsters become more innovative and opportunistic in stealing data. Hackers will use automated methods such as script creation and credential stuffing to commit attacks and make ATO fraud easier than before.
Malware and Man-in-the-Middle Attacks
The pandemic restrictions gave fraudsters the perfect opportunity to launch corporate network attacks from a remote worker’s home network. FortiGuard Labs predicted in their 2021 report that advanced malware could also discover valuable data and trends using new Edge Access Trojans (EATs) and perform invasive activities such as intercepting requests off the local network to compromise additional systems or inject additional attack commands.
This year, we expect a rising number of man-in-the-middle attacks that exploit the real-time processing of transactions, conversations or transfer of data. Man-in-the-middle is a type of attack that occurs when a malicious actor inserts himself (via malware) as a relay/proxy into a communication session between people or systems. These attacks often involve criminals breaching a bank or payment card processor to manipulate fraud detection controls as well as alter customer accounts.
Ironically, this type of fraud is anything but friendly. It occurs when someone tries to gain money back from a legitimate transaction by filing a chargeback. Let’s say you want a new laptop but don’t want to pay full price for it. What do you do? You hire a professional refunder on the dark web that will lie to the online merchant that you “never received” the package. They will contact that online store after you’ve received your laptop, report fraud, and get you your money back for a small fee. And some people make quite a good living by doing just that.
During the pandemic, as online retailers’ refund policies became more friendly, fraudsters exploited them. Friendly fraud is expected to cost retailers more than $25 billion per year by 2025, and is growing at a rate of 41% year-over-year.
Best Practices for Securing Payments in 2022 and Beyond
Fraudsters are creative. As we progress through 2021, fraud types and cases will continue to change and evolve, so what should FIs and online merchants do to stay ahead of malicious actors? As it’s always cheaper and easier to prevent fraud than deal with the aftermath, here are some fraud prevention best practices.
1. Have unlimited access to your real-time payment data.
Look for advanced solutions that can do the work for you: they can provide insight into all your payment data as the fraud occurs in real-time.
A study from analytics firm FICO found that almost four in five Asia-Pacific banks (78 percent) believed the introduction of real-time payment platforms such as P2P (peer-to-peer) transfers and mobile payments had resulted in increased fraud losses.
2. Establish a payment fraud management framework that works for you and avoid a one-size-fits-all solution.
A good place to start is building out a fraud-fighting strategy that minimizes financial loss, reputational harm, and unnecessary payment transaction declines. To help you check whether you have all components of an effective framework in place, we put together a series of blog posts and a whitepaper that you can find on our website.
3. Eliminate payment process “blind spots”.
Detecting and preventing payment fraud requires an in-depth assessment at every step along the customer payment journey. Leverage digital intelligence to ensure there are no loopholes or blind spots in your fraud detection process.
For example, in some man-in-the-middle fraud scenarios, malware is placed on a transaction switch, which goes into a stand-in mode and starts to approve the fraudulent transactions. As these transactions never reach the back-end to be authorized, the limits on accounts are not enforced and fraud detection systems are blindsided. If you adopt a real-time network-based transaction monitoring tool with multi-link correlation capabilities, you will catch the cybercrime before it happens.
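The stand-in scenario above can be detected by correlating what is seen on each network link. The following is an added example, not code from this article or from any vendor's product: it flags approvals sent to the terminal that have no matching approval from the back-end host. The `Msg` fields, the link labels, the `txn_id` key and the sample capture are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

APPROVED = "00"  # ISO 8583-style response code for "approved"

@dataclass(frozen=True)
class Msg:
    link: str      # assumed tap labels: "front" = terminal<->switch, "back" = switch<->host
    kind: str      # "request" or "response"
    txn_id: str    # hypothetical correlation key visible on both links
    ts: float      # capture time in seconds
    code: str = "" # response code, empty for requests

def uncorrelated_approvals(msgs, max_skew=5.0):
    """Return (txn_id, reason) for every front-link approval that the
    back-end link does not corroborate."""
    back = {m.txn_id: m for m in msgs if m.link == "back" and m.kind == "response"}
    alerts = []
    for m in msgs:
        if not (m.link == "front" and m.kind == "response" and m.code == APPROVED):
            continue
        b = back.get(m.txn_id)
        if b is None:
            # Approved at the switch, never authorized by the host (stand-in behaviour)
            alerts.append((m.txn_id, "no_backend_response"))
        elif b.code != APPROVED:
            # Host declined, but the terminal was told "approved"
            alerts.append((m.txn_id, "backend_declined"))
        elif not 0 <= m.ts - b.ts <= max_skew:
            # Host approval exists but does not line up in time with the front approval
            alerts.append((m.txn_id, "timing_mismatch"))
    return alerts

# Constructed sample capture, not real traffic
SAMPLE = [
    Msg("front", "request", "T1", 0.0), Msg("back", "request", "T1", 0.1),
    Msg("back", "response", "T1", 0.3, "00"), Msg("front", "response", "T1", 0.4, "00"),
    Msg("front", "request", "T2", 1.0), Msg("front", "response", "T2", 1.05, "00"),
    Msg("front", "request", "T3", 2.0), Msg("back", "request", "T3", 2.1),
    Msg("back", "response", "T3", 2.3, "51"), Msg("front", "response", "T3", 2.4, "00"),
    Msg("front", "request", "T4", 3.0), Msg("back", "request", "T4", 3.1),
    Msg("back", "response", "T4", 3.3, "05"), Msg("front", "response", "T4", 3.4, "05"),
]

if __name__ == "__main__":
    for txn, reason in uncorrelated_approvals(SAMPLE):
        print(txn, reason)
```

Monitoring only the front link would show T2 and T3 as ordinary approvals; the discrepancy is visible only when both links are compared.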
4. Improve your vigilance but don’t forget about the customers.
While FIs and merchants work hard on keeping their data and payments secure, they also need to ensure that genuine customers are able to complete a transaction with minimal friction.
According to a study by Aite Group, merchants lose 75 times more potential revenue to false declines of customers than they do to fraud. They estimate the losses at a whopping US$4.4 billion. Merchants who assume that all the declines generated by their automated fraud screening programs are accurate can in fact be hurting their bottom lines and reputation. Fraud prevention solutions with real-time data monitoring and unsupervised machine learning capabilities can help FIs and merchants solve that problem.
For more ideas on how to protect payments in 2021 from rising types of fraud, sign up for INETCO’s payment fraud mini-series.