The end-of-the-year flurry of holiday shopping is a classic example of business seasonality. As fraud professionals have long observed, fraud activity also follows seasonal patterns, with seasonal upticks and slow-downs. The challenge has been reacting to seasonality with precision in real-time, instead of just recognizing them in the rear-view mirror. And new data shows that this seasonality doesn’t correlate to the business year as much as one might expect—fraudsters have a seasonal calendar all their own
In a recent PaymentsJournal podcast, NeuroID Head of Operational Strategy Nash Ali and Tracy Kitten, Director of Fraud & Security at Javelin Strategy & Research, discussed the seasonality of fraud. They analyzed the methods criminals use and offered solutions to keep businesses safe.
Winter Fraud
Fraud attempts are rising overall, up 57% from 2022 to 2023. Due to the holiday frenzy, December might seem like the logical peak of fraudulent activity.
“In fact, it’s January,” Ali said. “January has a 78% higher fraud attack rate than the average monthly rate. That includes a 59% increase in application fraud, where criminals falsify data or misrepresent themselves to business owners. There’s also an 85% increase in the hours businesses are under attack in January compared to the rest of the year.”
After a February slowdown, there’s a 44% higher fraud attack rate in March compared with the typical monthly average. A higher portion of March attacks consists of identity fraud, identity theft, or creating synthetic identities with bots and scripts. After another lull in April, fraud picks back up in May.
“We see 50% more application fraud in May compared to monthly averages,” Ali said. “A lot of that fraud is concentrated fraud attacks committed via fraud rings. After a slow summer, fraud rates pick back up in the fall, peaking again in October.”
Identify the Compromise
Criminals are constantly looking for weaknesses, and seasonal fraud trends are no doubt spurred by company vulnerabilities. Business owners should also understand that there can be a delay between when their business is breached and when fraud actually occurs.
“Company information is likely being compromised during these high-usage months, like the holidays,” Kitten said. “Then we don’t start to see the fraud until several weeks to a couple of months later. When does a compromise happen and when does the actual fraud result?”
In the drive for year-end sales, companies often open themselves up to fraud attacks.
“They’ve relaxed controls, they’ve let their guard down in order to attract more volume,” Ali said. “They also staff additional people to meet the additional volume. In January, businesses are scaling down their workforce and there are less eyes on fraud.”
Dark Web Trenches
The spike in March may also be attributed to the end-of-the-year rush. It takes time for data obtained from end-year breaches to circulate to the bad actors who exploit it.
“By March, it’s made its way through the trenches of the dark web and into the hands of fraudsters who will actually do something with it,” Ali said. “That’s why we see more identity theft, identity fraud in March.”
Data breaches are increasing in frequency, to the point that it’s no longer shocking. That trend is likely to continue.
“Breaches don’t raise flags anymore,” Kitten said. “But there are still things companies and security teams should continually look for, including on the dark web. They must keep searching for indicators that a larger breach has occurred and company information has been compromised.”
The high-tech means criminals have at their disposal, especially since the advent of AI, increase the difficulty of preventing attacks. Cybercriminals have sophisticated ways of creating forged documents, like passports and driver’s licenses. Businesses that rely on document-based verification will likely see fraudulent documents that are difficult to detect, even with physical biometrics.
The May fraud spike is also a reaction to a time when businesses are vulnerable.
“The first quarter of the year tends to be a time when many companies release new products, new offerings,” Ali said. “In the financial services world, they release new loans. Fraudsters home in on that, which is why we see a resurgence of fraud in May. New products tend to have lower controls as they’re rushed to market, so in May criminals are looking to exploit that.”
Probing Attacks
Criminals often spend a lot of time conducting probing attacks. Criminals will explore perimeters, controls, and boundaries to measure a company’s effectiveness at identifying and preventing fraud.
“They’re testing companies to see what they can get away with,” Ali said. “Probing attacks are these short bursts of fraud activity, and most institutions don’t even react. If they do detect it, often they’ll ignore it because they’re looking for larger-scale fraud. When the real attack comes, they won’t realize it until it’s too late, because fraudsters found vulnerabilities through probing.”
The holidays are a common time for probing attacks, when thresholds are down and companies provide customer incentives and promotional products. That’s why it’s crucial for businesses to place a special emphasis on fraud prevention at the end of the year and install systems that will be attuned to detecting probing attacks.
New technology has made it increasingly difficult to detect fraud, because bots can be programmed to perform probing attacks. They can create new identities or attempt entry through permutations of personal data.
“It’s important to have tools that can detect whether an attack is an automated script or a human,” Ali said. “Businesses need proactive, real-time, technology-based solutions. You can’t rely on humans doing manual reviews. It’s not scalable, especially at the holidays. If you do install automated tools, however, they must be fine-tuned to lower false-positive rates.”
New Attack Vectors
Often, businesses go too far and use outdated methods that end up placing undue friction on consumers.
“Enterprise fraud mitigation solutions have to equally evolve with fraud, if not be ahead of the game, especially since AI has been used in fraud attacks,” Ali said. “The best way to be prepared is not to rely on the same legacy fraud mitigation solutions to try to solve new fraud attack vectors. Behavioral analytics complements traditional fraud tools, and you can passively detect fraud.”
A combination of behavioral analytics, technology, and skilled oversight is the most potent defense. To that end, NeuroID offers an array of fraud detection and prevention solutions that harness the power of behavioral analytics.
“It has to be a multilayered approach,” Kitten said. “As things continue to evolve, the amount of friction on the customer is also a critical consideration. It’s increasingly important to do whatever can be done on the back end to authenticate and verify the authenticity of a user in a transaction. That’s where behavioral analytics come into play.”
