Entrepreneurship and merchant fraud in a post-pandemic world

The effects of COVID-19 on the small business economy has been severe. Being an entrepreneur was a risky endeavour before the pandemic, with approximately 20% of small businesses failing in their first year all the way up to a 70% 10-year failure rate. It’s too soon to tell the full extent of the pandemic on entrepreneurship, but a recent study confirmed that 55% of businesses on Yelp have shut down during this time. That combined with unemployment at an all-time high which impacts consumers’ ability to spend, it’s more difficult now than ever to start and run a successful business.

At Wave, we experienced a significant influx of new customers once the pandemic hit, for two main reasons. First, small business owners pivoted to new means of making a living, and therefore had to create new merchant accounts. Second, many left their payment processors after strict reserve policies were implemented to offset the risk of increased chargeback rates which hurt their cash flow. This made legitimate merchants more vulnerable to scams and compromises as they grew more desperate for business.

Merchant fraud is becoming increasingly complex as it evolves through digital channels. It’s easier than ever to obtain various sources of stolen data on businesses and their owners, making it far too easy for fraudsters to create new merchant accounts for illicit gains. We’ve observed a sophisticated trend that combines various fraud types and patience by the fraudster. This layering of stolen data makes it almost undetectable by automated systems and takes a keen eye, sound onboarding controls, and strong underwriting practices to stop.

The fraud type trifecta

We’ve coined this ‘Business Identity Takeover’ at Wave, because there are three main fraud types at play. To pull this off, fraudsters must orchestrate a targeted attack on an individual and/or business. This has a lot of moving parts and takes patience to pull off. Each case is a combination of the following fraud types:

1. Identity theft

2. Account takeover fraud

3. Card-not-present fraud

1) Identity theft

The identity of a small business owner is targeted. It’s easier to make the payments account appear legitimate if you assume the identity of an existing business as opposed to creating a fictitious one from scratch. You then already have a strong social media presence, often with positive reviews, and good online history.

2) Account takeover fraud

In the most sophisticated cases, multiple financial, social, and email accounts that belong to the true business owner or employees are taken over by the fraudster, making the account appear more legitimate. This is typically done through phishing attacks to employees of the targeted business, which then allows the fraudster to gain access to:

• Email: the real inbox of the business may be taken over, but if that’s not successful, they will create a new but seemingly close email address that is easily overlooked. 

• Bank account: being able to gain access to the business’ online banking credentials is highly valuable. Alternatively, the fraudster may open a brand-new bank account in the name of the business owner, employee, or business.

3) Card-not-present fraud

Stolen card data is used to make online payments to the fraudulent merchant. Typically, we see card data that is stolen from the same geographic region of the business as well.

The key to detection

Strong controls and thorough underwriting of the merchant and their clients is imperative to detecting this type of fraud. You must connect all the dots. Since most of the data provided will revert to the true business owner, it’s important that your analysts and systems pay attention to what doesn’t match. If something seems off, consider secondary verification. Nothing is foolproof, and you need to balance operational capacity with fraud detection.

It may not be cost-effective to put all your effort into detecting the fraud at signup, as often the most influential data is found on the cardholders when the ‘merchant’ begins to receive payments. It is a judgment call to balance operational capacity, fraud losses, and customer experience that must align with the priorities and risk appetite of your business.

At the end of the day, the goal is to waste the fraudsters’ time enough that they give up on attacking your platform. This trend takes lots of patience and time to pull off, which means it can successfully be curbed by making it too tedious with little payout for the fraudster.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Angie Dobbs

Angie is the Director, Fraud & Risk, responsible for protecting Wave’s customers and financial services including its proprietary payments, payroll, and debit card products. Angie holds a Master’s Degree in Applied Mathematics & Statistics at the University of Guelph and takes a data-driven approach to risk detection.

About Wave Financial

Wave Financial’s award-winning software solutions help small business owners manage their finances. Wave provides accounting, invoicing, payroll, banking, and payments software, as well as bookkeeping services, built into a comprehensive platform. Wave has won numerous awards for growth, innovation, and company culture, including Deloitte Fast 50, Deloitte North American Fast 500, KPMG Fintech 100, CB Insights Fintech 250, Canadian Innovation Awards (Financial Services), Canada’s Best Workplaces, and more.