GeoComply VP of Risk, Simon Marchand CFE, highlights two key trends for the year ahead: professional fraud and opportunistic fraud, while Sightline CEO Omer Sattar looks at how to tackle the fraudsters.
“When recession strikes, fraud increases: People still have to pay the bills. At the same time, professional criminals prey on uncertainty, upheaval and chaos. A rise in fraud is coming in 2023 and we all need to be ready for it,” says Simon Marchand, VP of Product, Risk, GeoComply.
The chart above displays fraud cases reported to the FTC. These numbers are concerning with nearly 600,000 victims in the first quarter of 2021. During 2022, these levels have remained far higher than before the pandemic. The real number of victims could have been nearer 6 million, as the FTC only reports statistics of crimes that the victims actually reported. Most people don’t take the time to notify the authorities when an identity theft crime occurs.
When you see social disruption, you see an uptick in fraud. The Covid pandemic caused the massive spike in late-2020 to early-2021.
Identity fraud became easier because governments did not have the proper controls in place to protect the massive amounts distributed as part of special programs. Fraudsters took advantage of the panic, the anxiety, the chaos, and the new emergency programs put in place by governments, but governmental organizations were not the only targets. The criminals leveraged the massive amount of data made available to them on the dark web to target all sorts of businesses, organizations and millions of innocent people.
The increased sophistication of professional fraudsters
Over the past ten years we have seen fraudsters professionalize, and huge data breaches in 2010 and 2011 shifted the way they operate.
Today’s fraudsters are not youths in hoods working over a laptop in the garage. These are transnational business organisations. And falling victim to them doesn’t just mean monetary losses or immediate disruption of your operations. The proceeds of those crimes can fund much bigger operations, from human trafficking to drugs and arms trafficking and the funding of terrorist activities. There’s more at stake and we can’t consider fraud a simple “cost of doing business”.
Fraud groups are specializing. They are set up to target large organizations such as governments, banks, and credit bureaus to extract valuable identity data. They will pass the data on to a dark web marketplace, which is operated by other criminal organisations. Then another group purchases the data and specializes in exploiting the data. They don’t need to have any connection with one another so you have a much more resilient chain of criminal enterprises.
Identity theft and ultimately account takeovers have grown significantly in the last couple of years due to this heavy professionalization of fraud groups.
For a long time, financial institutions and telecommunication companies were the primary targets of such attacks. It was easier and more lucrative. If you could take control of someone’s bank account and wire those funds to another account you control, all that was left to do was to find the right target and purchase information on a dark web marketplace.
These fraud attacks forced the big corporations to bolster their defenses with methods such as device fingerprinting and 2-factor authentication.
Meanwhile, we – consumers – started trusting online businesses more and more. Online retailers have aimed to create stronger relationships with their customers by asking them to create an account, provide more information, receive promotions, and make purchases in as few clicks as possible. Therefore, they had to store payment information online and hey presto! They were targets for the fraudsters.
This created an amazing opportunity for fraudsters: Take over a well-established customer’s account, make online purchases using a saved payment method, then have the products delivered somewhere else or, even better, intercept the packages on their way to their victim’s real address.
It is no longer a case of if you will become a victim of identity theft but when. Virtually everyone in North America has seen their identity being leaked.
Meanwhile, the rapid growth of the sports betting industry and the attendant advertising has been a magnet for fraud groups, flagging the industry as one that could be a lucrative target.
There are massive networks of fraudsters that are relentlessly attacking gaming operators to exploit bonuses. But bonus abuse is not limited to professionals. When operators are not vigilant, they are left vulnerable to opportunistic members of the public registering multiple accounts and claiming multiple bonuses. We have seen individuals claiming 40 bonuses with the same operator.
Will 2023 be the year of opportunistic fraud?
In difficult circumstances, normally honest consumers will seize any opportunity that comes their way.
Whether it’s abusing a bonus offer using their own identity, accepting a bribe or facilitating crime by becoming mules, economic hardship can transform how otherwise honest people will rationalize their actions. They become new threats to keep an eye on.
One common method of opportunistic or friendly fraud is the chargeback.
A consumer makes a purchase, then claims it wasn’t them or that the product was never received. In gaming, bettors claim they did not place the losing bet.
While these customers might not intend to commit this type of fraudulent transaction multiple times, most likely seeing it as a one-time opportunity they can seize, the problem is widespread.
In addition, credit card networks change dispute rules regularly, and keeping track of acceptable supporting evidence can be challenging. Almost half of merchants don’t fight chargebacks because they believe it is complicated or that they have no hope of winning.
But you should never ignore chargeback fraud: If the problem gets too big, you might be fined, audited, or, even worse, forbidden to accept the big credit card brands.
How to beat the fraudster
With a wave of fraud approaching, Sightline chief executive officer Omer Sattar explains how to counter it.
Device fingerprinting is a great way to prevent account takeovers. If you know what devices someone is using and it changes, and possibly changes to a device seen in previous fraud attacks, you can quickly identify an account takeover.
To tackle identity theft, geolocation is critical. Device fingerprinting is not the best way, because it is likely to be the first time you are seeing a device. But if you know that a fraud has been perpetrated from that location before, then you have an advantage over the fraudsters.
Combining device fingerprinting and geolocation is critical and bolstering KYC is vital. Today, we ask for name, address and social security number. That is the first line of defense. The next line is ID verification and selfie checks. Scanning a driving license or passport and verifying that information against a live selfie is a great deterrent.
Knowledge-based authentication (asking personal questions about first car, girlfriend, address etc) might seem antiquated but is very effective. It is difficult for fraudsters to find this information. There are tools on the dark web but it is not easy.
KYC orchestration is key. There is not one vendor who does everything well. KYC orchestration is about working with multiple vendors to put together the perfect set of tools to cover all bases.
GeoComply’s IDComply is, in effect, KYC orchestration. You’re working with six, seven, eight, or ten different companies in the backend to do each one of those pieces really well.
Fraud is not a static entity. When a customer makes a large or different type of transaction or if they are sitting in a new location, do the checks.
Adding these tools will add some friction for customers but we’re talking about seconds of friction, not minutes of friction.
It is important to take action now, because operators might be forced to add minutes of friction if regulators tighten controls.
New Jersey and Pennsylvania have announced new guidelines around multi-factor authentication (MFA) aimed at stopping account takeovers. This could be done in every jurisdiction.
Three or four years ago people would be quite intolerant of additional security measures citing data privacy concerns, but they have become accustomed to it with banks and other financial transactions. In the eyes of the federal government, a gaming operator is a bank. I don’t think the average consumer thinks of it this way yet. But as people gain a better understanding of the security risks, that mentality is changing.
Being able to detect account takeovers gives you a competitive advantage. It allows you to position yourself as the organization that takes security more seriously, it means your customers will have a higher level of trust in you, and that’s how you can build long-lasting loyalty and relationships.
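The checks described in this section (a changed device, a device or location seen in earlier fraud, an unusually large transaction) can be expressed as one step-up decision function. This is an added example, not Sightline's or GeoComply's code; every name, the sample data, the 3x amount threshold and the choice to block on a known-fraud device are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AccountHistory:          # hypothetical per-account profile
    devices: set = field(default_factory=set)   # fingerprints seen before
    regions: set = field(default_factory=set)   # locations seen before
    max_amount: float = 0.0                     # largest past transaction

@dataclass
class Event:                   # hypothetical login/transaction event
    device: str
    region: str
    amount: float = 0.0

def assess(event, history, fraud_devices, fraud_regions, amount_factor=3.0):
    """Return (decision, signals); decision is 'allow', 'step_up' or 'block'."""
    signals = []
    is_new_account = not history.devices
    if event.device in fraud_devices:
        signals.append("device_seen_in_fraud")
    if event.region in fraud_regions:
        signals.append("location_seen_in_fraud")
    # A first-seen device only means something once the account has a history;
    # at sign-up every device is new, so location carries the weight there.
    if not is_new_account and event.device not in history.devices:
        signals.append("new_device")
    if not is_new_account and event.region not in history.regions:
        signals.append("new_location")
    # Assumed threshold: flag amounts well above the account's past maximum.
    if history.max_amount and event.amount > amount_factor * history.max_amount:
        signals.append("unusual_amount")

    if "device_seen_in_fraud" in signals:
        decision = "block"
    elif signals:
        decision = "step_up"   # e.g. MFA or ID re-verification: seconds of friction
    else:
        decision = "allow"
    return decision, signals

# Constructed sample data, not real indicators.
FRAUD_DEVICES = {"fp-7777"}
FRAUD_REGIONS = {"geo-cell-42"}
ALICE = AccountHistory({"fp-1001"}, {"geo-cell-07"}, 200.0)
```
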