With the threat of fraud rising globally, it’s vital that organizations implement effective fraud prevention processes that are adaptable and secure, while still ensuring good customers can onboard and transact quickly and seamlessly.
In 2019, identity fraud in the U.S. was estimated at $16.9 billion. One article points to 41 different types of fraud, and while not all will be applicable to each organization, it does indicate the variety and depth of fraudulent activity that needs consideration.
Likewise, the threat of cybercrime is increasing, with the annual cost to the global economy from cybercrime estimated to rise to $6 trillion by 2021. Viruses, ransomware, phishing and many other digital threats pose a significant risk of fraud. Cybercrime can also cause compliance failures, either from the act itself, from non-reporting, or by weakening control systems to hide illicit activities.
Understanding these threats and how fraudsters use technology to create new opportunities is an ongoing necessity. It’s mission-critical for organizations to have holistic anti-fraud systems that are robust and can quickly adapt and deliver security and protection with minimal customer friction.
Types of online fraud
As Cathy Liu, Head of Fraud Prevention at Bolt states, “Fraud is a moving target, and the best protection is one that grows with your business. Fraud is such a difficult problem because fraudsters are constantly innovating; therefore, fraud prevention solutions must also innovate to remain one step ahead.”
Below are just some of the online fraud schemes that organizations should consider as part of their fraud strategies.
New account fraud
New account fraud usually occurs within 90 days of account opening. Also referred to as application fraud or account origination fraud, the occurrence of fraud so close to account opening indicates the account's creation was not for proper business purposes.
For businesses, new account fraud is especially dangerous as there's no track record to compare to, no existing relationship, and no history of trust. The initial activities might be benign or they may be acts of fraud yet to be uncovered.
The worldwide increase in data breaches has led to wide-spread black-market access to so-called “fullz,” a full set of identity data that can be used for account opening. As hackers point out, “Buying identities was so much better for them than stolen payment card data, because card data could be used once or twice before it was no good to them anymore. But identities could be used over and over again for years.”
Card-not-present (CNP) fraud
As digital transactions are categorized as card-not-present (CNP), there are substantial risks of CNP fraud — and the merchant is liable for any costs incurred.
An effective CNP fraud prevention program is about risk mitigation. By understanding the techniques used by fraudsters, the fraud reduction tools and techniques available, and your organization’s risk strategy, you can develop and operate a program that contains costs while still being consumer-friendly.
Online merchants are required to meet the Payment Card Industry Data Security Standard (PCI). The PCI is an industry group for payment organizations to develop standards for payment data security. The following image details how PayPal addresses the standards:
Additional security measures in credit cards include:
- Address Verification Service (AVS). AVS checks the numbers of the address on the credit card file to the corresponding numbers provided in the transaction. While Visa, Mastercard and American Express widely support AVS in the U.S., Canada and the UK, there is still significant work to expand to more countries.
- Card verification value (CVV). An additional security feature comprising a three- or four-character number.
Identity fraud is when a person uses another person's personal data, without authorization, to deceive or defraud someone else.
With so much of our lives now digital, treasure troves of personally identifiable information (PII) are on numerous databases, only one data breach away from being in the hands of fraudsters or organized crime rings. According to Flashpoint, you can buy an ID for as little as four dollars on the dark web. Or, fraudsters can create synthetic identities based on PII of real ID's to use for activities.
Synthetic identity fraud (SIF) uses fake identities usually based on combining fake information with actual ID data. One example of what comprises a fake identity is one that contains a real social security number along with a fake address and other synthetic data points. The fraudster can then use the fake identity to acquire everything from driver's licenses and passports to credit cards and other accounts.
Protecting your customer’s information and taking precautions to prevent data breaches is a prudent business practice. The costs of prevention are minimal when compared to the financial and reputational costs of a data breach.
Implementing anti-fraud technologies at account creation
While steps for detecting and decreasing fraud should occur during all stages of an account lifecycle, preventing bad actors before they enter your system helps eliminate the risk before it does any damage. As Trulioo COO Zac Cohen said, “As a first step to safeguarding against bad actors, companies must ensure they’re paying close attention to the onboarding process; by taking a holistic approach — using a variety of identity verification and authentication methods to deliver the right level of risk protection — businesses can prevent these bad actors from accessing their customers.”
Before an account is opened, identity verification processes can flag potential fraudsters and prevent any damage being done. Anomalies in identity information, such as out-of-date information or mismatches in data, can quickly reveal issues for further examination. By cross-referencing multiple data points and data sources for identity checks, you create even higher barriers to fraudsters.
According to Carmen Honacker, Sr. Manager Global Fraud Strategy at Sony, “Identity verification is necessary if you want to find out if a person is who they say they are. Customer friction needs to be kept to a minimum, so making sure you don’t accidentally hold good people up in your fraud checks is only possible if you can properly authenticate the people who interact with your ecosystem.”
Authentication establishes whether the person presenting the identity data or document is the holder of that identity. Biometric authentication evaluates one or more distinguishing biological traits to uniquely identify a person. Combining ID document verification (proof of possession of a legitimate identity document) with a selfie (liveness check) provides two additional layers that help deliver authentication for online channels.
The ubiquity and usefulness of mobile phones enable mobile network operators (MNOs) to collect significant amounts of identity data, including name, mobile number and address, along with device information like geolocation, usage and billing data. When cross-referenced with other identity data points, MobileID data helps verify the individual, plus it offers real-world data patterns that can pinpoint inconsistencies. Patterns such as out-of-location, traffic spikes, or unusual behavior can also be set to trigger a fraud flag for further investigation.
Fraud prevention tips
While fraud prevention and compliance measures are necessary, requiring every customer to go through the highest levels of scrutiny often isn’t necessary and can lead to customer abandonment. The customer, use case and many other factors will affect the risk profile, and the rulesets and workflows should also vary. Workflows may be customized to offer the most appropriate onboarding experience based on the risk associated with the digital identity.
Workflows that allow lower-risk accounts to onboard seamlessly, while requiring higher-risk accounts to go through more robust measures, help to provide a balanced, risk-based approach.
As Rutherford Wilson, Trulioo VP of Emerging Tech, said, “Apply a risk profile. Understanding your customer’s risk during onboarding allows you to remove friction for less risky customers and apply friction for risky customers.”
Data as fraud-fighting fuel
All transactions leave a data trail, including the fraudulent ones. Every eCommerce transaction involves data – a name, shipping address, credit card number or other personal information. Data fuels the transaction by helping to define, authenticate and verify identities, ensuring that the right person receives the right goods and services. But data can be used more effectively to verify identities and detect eCommerce fraud before any losses occur.
Moreover, the use of specific data points can create barriers that prevent criminals from gaining access to eCommerce accounts while simultaneously authorizing legitimate customers to effortlessly access their accounts. In mere seconds, data can be referenced, verified and used to prevent a fraudulent transaction – saving digital services time, money, and resources – while allowing legitimate customers to easily and efficiently onboard.
Fraud prevention as a core business competency
Organizations now need to be constantly vigilant to best protect their business, customers and employees from fraud. With digital transformation accelerating, the need for effective fraud prevention measures is increasing as well.
Fraud represents a broad operational risk and unfortunately, the fraudsters are well-funded, organized and tech-savvy. As Ralph Echemendia, “The Ethical Hacker,” points out:
The law is always years behind the criminals. The technologies are always behind the criminals[...] Then you come into regulatory, compliance, and governments, and all their involvement. By the time it gets there, the truth is, we’re addressing issues that are maybe five to ten years old, as far as regulations and compliance is concerned.
Fraud is a global issue with serious financial consequences. It can affect individuals and organizations, and sows’ mistrust in in our digital lives. With the increasing level and sophistication of fraudulent attacks, all organizations, employees and consumers need to take ownership of preventing fraud from happening to them. The problem is too big and too serious to rely on hopes it won’t happen to you.
Taking active fraud prevention measures is a necessity in this new era of doing business.