For those who are looking to catalogue the number of identified fraud methods, it can quickly grow to staggering heights. Investopedia created a list of eight categories, each with its own subset of iterations and flavours.
The most common practices (such as dark web carding) are relatively simple to get going. A crypto wallet, a computer with an Internet connection, and guidance provided by a damaged moral compass will get an entry-level fraudster up and running and causing damage totalling more than USD 5.8 billion, a 70% increase between 2020 and 2021, according to the FTC.
Conversely, methods that require long-winded manipulation of data (i.e. identity theft and the establishment of new credit cards) take time and deep knowledge of how the systems work and the requirements that each stage requires. AARP (in collaboration with Javelin) reported that victims of identity theft lost USD 52 billion.
Data breaches have also become a regular occurrence, affecting virtually every platform that stores information. The information leaked by these breaches supports criminal operations while also flooding the black market and leading to account takeovers (ATOs), identity theft, payment fraud, etc.
Looking at the entirety of fraud, we can identify a through line that applies to most of the methods: interaction with various touch points across a Customer Experience (CX) Journey.
What are the touchpoints in a CX Journey?
The touchpoints of an operation would include any interaction wherein the user has an opportunity to create a request that would affect a part of the platform. Common examples include account creation, transactions, fulfilment adjustments, transfers, account changes, chargebacks, and refunds/ returns.
-
Session start: The moment a user enters an online platform, be it a website, an app, a kiosk, or a video game. At this point, the data points that can be applied towards a later determination are heavily centred around session data such as device fingerprinting and behavioural analytics.
Methods that can be identified at this point include bot attacks and high-velocity attacks.
Available Datasets: Device Fingerprinting, Behavioural Analytics.
-
Account creation or the first point across the CX Journey that a user identifies themselves. Depending on the provider’s industry, the set of the requested information might include name, phone number, SSN/EIN, email address, and billing/shipping address. Fraud teams can leverage the device information and behavioural information from the first touchpoint along with submitted PII to start making determinations.
Methods that can be identified at this point include identity theft, stolen payment information, account takeover attempts, duplicate profile attempts, and more.
Available Datasets: device fingerprinting, behavioural analytics, Personal Identifiable Information (PII), payment information, biometrics (voice/ face/ fingerprint). -
Checkout/deposits: Payment information is used to transact with the platform. It is expected to see payment information and the need to evaluate whether the transaction should be honoured, escalated, or declined. The checkout form is an opportunity to collect and verify credit card details, bank account details (for ACH payments/ deposits), gift card details, and more.
Methods that can be identified at this point include carding/ card testing, wire fraud, ATO attempts, discount/ promotion abuse, and gift card fraud.
-
Customer service/sales/help desk. Customer-facing agents communicate directly with users via service tickets, emails, phone calls, in-person meetings, social media messages, and more. Each agent has a set of abilities and, therefore, can be targeted by savvy fraudsters. Depending on the authority and access of the agent, most of the methods listed above might come into play.
Methods that can be identified at this point include: carding/card testing, account takeovers, discount/promotion abuse, gift card fraud, automated website security bypasses, account creation, identity theft, scams leading to data breaches (phishing), and others.
- Chargebacks: They monitor the performance of true fraud and operational failures. The fraudulent method is unique because the fraud is deployed by the account holder. This system is exploited by account holders who wrongfully file chargebacks against a company. There are several reasons that might lead to this behaviour, but the over-arching story revolves around good customers doing bad things, negatively affecting merchants by abusing the chargeback system.
Common terms describing this method are friendly fraud, first-party fraud, or chargeback abuse.
The five touchpoints outlined above provide a high-level perspective on the most common types of fraud found across various industries and serve to illustrate the need for what has been called a ‘holistic fraud prevention strategy’.
When working with merchants, these following items provide a strong foundation for a fraud prevention strategy that covers all touchpoints across a CX Journey.
The identification of all touchpoints wherein a user might influence the operation of a company
There are countless methods that can be applied against a company, but most of them require either submitted information or back-end device monitoring that can support accurate determinations downstream. By thoroughly identifying the touchpoints that a user has access to, an operator can quickly and accurately identify fraud methods.
The use of an expansive data set
Most common include biometrics (voice, facial, fingerprint), device fingerprinting, behavioural analytics, PII, and more. At each stage, different data becomes available either by monitoring the user throughout the session or by reviewing and verifying the information that the user submits. Depending on the industry of the company, regulations and compliance might limit the choices regarding which data sets can be deployed in your system.
Automation and escalation
For high-volume companies, working with vendors that provide expansive data sources can afford your team the ability to achieve higher accuracy, while removing unnecessary friction for your good customers.
This editorial is part of The Paypers' Fraud Prevention in Ecommerce Report 2022-2023, the ultimate source of knowledge that delves into the world of fraud prevention, revealing the most effective security methods for companies to stay one step away from bad actors and secure their businesses.
About Alexander Hall
Alexander Hall is the owner of Dispute Defense Consulting and the host of the Fraud Prevention Roundtable Series. He has 15 years of fraud-related experience, 10 of which were spent operating as a fraudster. During that time, his methods were deployed against businesses across all industries and caused 10's of millions in damages. In 2017, following the birth of his daughter, Alexander joined the ranks of fraud prevention. In 2020, Alexander founded Dispute Defense Consulting. DDC works with merchants, banks, vendors and publications in varying capacities to secure transactions across the global marketplace.
About Dispute Defense Consulting
Dispute Defense Consulting provides fraud prevention training and strategy development consulting to companies transacting in the card not present space. With a growing portfolio including recognizable brands from across the marketplace, Dispute Defense has successfully mitigated losses stemming from account takeovers, identity theft, transaction fraud, chargeback abuse and more.
