Cyber Fraud Trends Spur New Mitigation Tactics
Account takeover, or ATO, is a form of identity theft where a third party gains access to an online account using stolen usernames and passwords. New account fraud occurs when a fraudster uses a stolen identity or a synthetic identity in order to open a new account, ask for a loan/credit or use the new account to transfer illegitimate funds. As fraudsters become increasingly sophisticated in their fraud attacks, the surge of both account takeovers and new account fraud has reached alarming levels. Outseer, a digital payments and account monitoring fraud prevention vendor, recently published its latest “Fraud & Payments Report,” which uncovered insights about digital fraud transaction trends for the first half of 2022.
For more than five years, Outseer has acquired considerable data for its quarterly published “Fraud & Payments Report,” leading to valuable insights for the industry. These insights include critical fraud trends, the rise of APP (authorized push payment) fraud, and effective tactics to combat fraud.
Critical Fraud Trends Found
On the e-commerce side, as much as 70% of card-not-present fraud comes from a trusted account using a new device, which suggests an account takeover. What this means is that either the card or the customer’s credentials were stolen. With these stolen credentials, fraudsters can carry out fraudulent transactions.
According to Dima Alkin, Head of Solution Consulting in the Americas at Outseer, adoption of EMV® 3DS as an effective means to mitigate card-not-present (CNP) fraud has increased. “3DS is a business enabler,” Alkin said. “In card-not-present transactions, it’s about trying to keep authorization rates as high as possible and lowering the friction.” Alkin also explained that card issuers, merchants, and consumers alike are benefiting from the use of EMV® 3DS. According to the report, the number of merchants using EMV® 3DS globally has grown by 277%.
According to the report, 2.3 million merchants around the world were using EMV® 3DS by the end of June 2022. Despite the absence of regulation, the study showed that 3DS adoption in the U.S. has grown by 415%. The numbers across the world indicate that more organizations are seeing how effective and efficient EMV® 3DS is to mitigate CNP fraud.
The great asset to EMV® 3DS is that it increases authorization rates of CNP transactions, thereby minimizing friction and maximizing business. This will contribute to happier customers, less fraud, and greater business growth.
Another channel where fraudsters are increasing their attacks is via mobile devices. As more consumers conduct their daily shopping and personal business activities on their mobile devices, this is opening yet another avenue for fraudsters to focus their attacks.
On another note, something many in the industry might not know is that fraudsters are not operating out of a garage. They consider themselves running a business where their focus is on generating the greatest return on investment, which is why they choose the path of least resistance — brand abuse, or the impersonation of an existing brand.
“What they [fraudsters] have discovered is that it is much easier to impersonate an existing brand,” added Alkin. “It can be anything that attracts consumer attention, where the consumer is then asked to provide their credentials, at which point the credentials are stolen. It is much easier to impersonate a major brand website as opposed to creating malware which involves coding and a certain skill set.”
Clearly, fraudsters are more likely to follow the path of least resistance, and the results speak for themselves. Overall, Outseer FraudAction™ detected roughly 87,000 attacks during the first half of 2022. Brand abuse was the dominant attack type in that period, with as much as 65% of the attacks detected by the Outseer FraudAction™ service attributed to the brand abuse category.
Since Q3 of 2021, brand abuse has increasingly been the attack of choice for fraudsters. It has been the vehicle by which fraudsters have stolen customer data and, eventually, money. Conversely, the number of attacks via rogue apps has dropped during the same quarters, as that method requires more time and effort to keep up with.
“On the Javelin side, we’ve seen a jump in phishing attacks, just from a business and employee perspective, especially with so many people working from home,” said Suzanne Sando, Senior Analyst for Fraud and Security at Javelin. “It’s frustrating to see how wide of a net these fraudsters can cast to successfully exploit consumers. It’s a problem that organizations need to take seriously.”
There is no better way for consumers to interact with their preferred businesses than via mobile, as evidenced in this article. As Sando rightfully pointed out, more consumers are using their mobile devices to send friends money using peer-to-peer (P2P) platforms and for their mobile banking, and consumers want to be able to do so wherever they are. This trend is only going to increase. The downside to this trend is that fraudsters will be taking advantage of this opportunity.
The Rise of APP Fraud
Online banking payment fraud is another trend the report identified. Based on the report, roughly 75% of online banking payment fraud happens on a trusted account and trusted device. This points to APP fraud, where a customer essentially authorizes an illegitimate transaction after being manipulated or socially engineered by fraudsters. However, current fraud monitoring tools treat the transaction as legitimate because its attributes match a genuine user transaction. Based on these findings, organizations should home in on this trend as it continues to grow and threatens the security of their customers.
Alkin noted that Outseer has seen increased concern from its clients regarding APP fraud.
“When it comes to fraudulent transactions, we see that over 75% of the fraud volume happened with [a] known and trusted account and device, which means nothing was stolen,” said Alkin. “It means the customer was talked into performing that fraudulent transaction. And that’s what makes it so challenging in terms of prevention, mitigation, and investigation. The customer genuinely believes that he has performed a genuine transaction.”
Fraudsters have become so savvy in their fraudulent attacks that they seem to have abandoned the practice of stealing customer credentials in order to make fraudulent transactions. Instead, they have found a way to persuade customers to transfer money to them under the guise of a legitimate cause. This can be in the form of bogus account alerts, utility bills that must be paid, real estate wire fraud, and P2P fraud, just to name a few. What makes mitigation of this fraud difficult is that consumers are duped into making payments that seem legitimate, yet the money is transferred to mule accounts and fraudsters.
Once again, new regulations and technology are not the end-all to stop fraud. The consumer must be educated as an effective preventative measure against fraud.
“When it comes to scam and fraud loss liability, you have to stop it from the get-go,” Sando said. “At Javelin we’re looking at that education for comprehensive fraud scam and cybersecurity for consumers, empowering the customer with this kind of information and these education materials whether it’s coming from their financial institution or a merchant. It’s not just benefiting the customer, it’s benefiting the business as well.”
Best of all, a business that takes the time to educate its customers will increase its customers’ sense of trust in the business by conveying that the business has their safety in mind.
The reality is that fraudsters and their elaborate scams are not going away soon, so the best strategy is for businesses to arm their customers with as much information as possible to protect themselves. This way, everyone wins.
Alkin pointed out the importance of organizations taking ownership to mitigate fraud and not relying on external regulating bodies to step in. “We don’t have to wait for a regulation to tell us what to do. We can ask ourselves, ‘If I was the regulator, what would I ask myself to do and start putting those controls in place without waiting for anyone, making it our problem?’”
What Can Be Done About Fraud?
When it comes to eradicating fraud, there is no magic wand regardless of what many in the industry might claim. What will work with APP fraud is more of a holistic approach. Anomalies and deviations in behavior and device use must be identified during the customer journey.
For example, it would be more effective during the authentication process to ask the customer questions that are more specific than “Is this you?” Instead, confirm whether the customer agrees to send the specified amount to an account they have never sent funds to before. Research has shown that this usually results in a higher response rate.
It’s about being selective where you will challenge the customer, without causing challenge fatigue.
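The selective, transaction-specific challenge described above can be sketched as follows. This is an added example, not code from Outseer or the report; the class names, the `typical_max` threshold, the daily challenge budget and the account numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Customer:
    known_payees: set            # accounts this customer has paid before
    typical_max: float           # largest amount in their normal history (assumed)
    challenges_today: int = 0    # prompts already shown today

@dataclass
class Payment:
    payee_account: str
    amount: float
    currency: str = "USD"

def decide(customer, payment, daily_challenge_budget=2):
    """Return (action, prompt); action is 'allow', 'challenge' or 'review'."""
    new_payee = payment.payee_account not in customer.known_payees
    unusual_amount = payment.amount > customer.typical_max
    # In APP fraud the device and account are trusted, so only the payment
    # itself (who is paid, how much) carries signal here.
    if not new_payee and not unusual_amount:
        return "allow", None
    high_risk = new_payee and unusual_amount
    # Challenge fatigue: once the budget is spent, only the high-risk
    # combination still interrupts the customer; the rest go to analysts.
    if customer.challenges_today >= daily_challenge_budget and not high_risk:
        return "review", None
    customer.challenges_today += 1
    parts = [f"Do you agree to send {payment.amount:,.2f} {payment.currency} "
             f"to the account ending {payment.payee_account[-4:]}?"]
    if new_payee:
        parts.append("You have never sent funds to this account before.")
    if unusual_amount:
        parts.append("This is more than you usually send.")
    return "challenge", " ".join(parts)

# Constructed sample data, not real accounts or transactions
alice = Customer(known_payees={"GB00TEST00001111"}, typical_max=500.0)
SAMPLES = [
    Payment("GB00TEST00001111", 120.0),    # known payee, normal amount
    Payment("GB00TEST00007731", 4800.0),   # new payee, unusual amount
    Payment("GB00TEST00001111", 900.0),    # known payee, unusual amount
    Payment("GB00TEST00004242", 50.0),     # new payee, small, budget spent
    Payment("GB00TEST00009999", 7000.0),   # new payee, unusual, budget spent
]

def run_samples():
    return [decide(alice, p) for p in SAMPLES]

if __name__ == "__main__":
    for action, prompt in run_samples():
        print(action, "-", prompt)
```

The fourth payment is routed to review rather than prompted because the daily budget is already used, while the fifth still triggers a challenge because both risk signals are present.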
Behavioral analytics is also effective in some cases of APP fraud, as it can detect anomalies in customers’ behavior. However, in other APP fraud cases it might not be as effective because there is no change in behavior: customers are simply following what they believe is a legitimate transaction.
Businesses must keep abreast of current fraud trends in order to develop an effective course of action to mitigate fraud. They should consider participating in consortiums that operate in different industries and geographies to get a better feel for what is happening in the fraud world. By educating themselves on fraudulent trends, businesses can be better informed and equipped, and have the tools necessary to protect themselves and their customers.
The fact that fraudsters tend to attack larger institutions does not mean that fraudsters will leave smaller players alone. No FI, be it a large bank or a regional credit union, will be safe. That’s why these aggregated data are important, so all organizations, big and small, will be armed with the necessary information to protect themselves and their customers.
Alkin also mentioned investing in tools to protect a business’s brand. Businesses should be ready to take down fake websites before they do massive damage to their customers.
Sando reiterated how the customer can be on the front lines of stopping fraud before it starts. “Just stop and think,” said Sando. “You don’t have to immediately react. If you are an FI telling your customers, ‘If you are unsure about something that someone is asking you to do, if they’re posing as an employee of this financial institution, stop, hang up, call us back. Just make the smart decision to just stop and analyze what’s happening.’”