At the end of the year, we caught up with Web Shield CEO Alex Noton to look back on the main fraud trends to emerge during 2021 and the implications for fraud prevention and risk management in 2022.
Fraud is relentless as fraudsters are always looking for new ways to target potential victims. No matter where you look or which figures you cite, fraud grew in 2021, despite the best efforts of anti-fraud professionals.
In the first half of 2021, criminals stole more than £750 million (€875 million) through fraud against UK consumers and businesses alone. That’s a year-on-year increase of around 30 percent, according to UK Finance figures.
Meanwhile, the number of digital fraud attempts in the US was up 25 percent in the first four months of 2021, compared to the last four months of 2020. That’s according to credit reference agency TransUnion, which found that digital fraud attacks against financial services companies increased more than 100 percent stateside during the same period, and by 150 percent globally.
Account takeover fraud is a particular concern. Globally, it’s increased more than three times in the two years to Q2 2021.
Unauthorised vs. authorised fraud
“Historically, the largest fraud losses were due to unauthorised fraud committed using payment cards. However, that’s changing. Fraud is moving from unauthorised to authorised payments and from cards to bank accounts. This is when account holders themselves authorise bank transfers to accounts controlled by criminals,” explains Noton.
Losses from this type of fraud, sometimes known as authorised push payment or APP for short, increased just over 70 percent in the UK during the first half of 2021, surpassing the amount of money stolen through card fraud for the first time. The pay-out method may be a bank transfer rather than cash, cheque, or a credit card charge. But the underlying mechanism remains one of the oldest con tricks in the book: advance fee fraud.
Customers are asked to pay a fee upfront, before they receive any proceeds, money, stock or refunds, or before the deal can go through. The advance payment may be described as a fee, tax, commission or incidental expense that will be repaid later. However, the fraudster collects the money and disappears.
“This is a great example of a cyber-enabled crime, an old, physical world scam transferred online to great effect. Fraudsters have capitalised on the pandemic, using fake texts about vaccines, lockdown fines and missed parcels to scam UK consumers out of more than £355 million (€415 million) in the first half of 2021,” says Noton.
Fraudsters also impersonate authority figures, such as bank staff, the police, tax office or health officials, to trick people into revealing personal details and passwords. This information is then used to defraud, steal identities or take over accounts, or is simply sold on the dark web.
Fraudsters switch focus
Banks and financial institutions have become good at stopping unauthorised fraud. By way of illustration, nearly £500 million worth of card fraud in the UK was stopped by banks and card companies in the first six months of 2021. That’s nearly £6.50 in every £10 of attempted card fraud prevented without a loss occurring.
“But just as banks have raised the bar, so criminals have switched their focus. They’ve gone from exploiting bank and payment systems and processes to exploiting people,” explains Noton. “The attack vectors are various: scam phone calls, text messages and e-mails, as well as fake websites and social media posts.”
This type of social engineering powers pandemic romance scams, particularly when victims are locked down and lonely. It powers pandemic investment scams, exploiting the financial uncertainty of furlough and Covid. And it powers purchase scams, where people pay in advance for goods or services that never arrive. In fact, UK Finance found that 70 percent of APP scams originated on an online platform.
Account takeover, bust-outs and synthetic ID fraud
“Banks and financial institutions have gotten better at knowing their customers but also what is typical behaviour for them. This is what makes account takeover, bust-out, synthetic identity and money mule fraud so pernicious because they all rely on imitating a genuine customer to a greater or lesser degree,” says Noton.
Account takeover fraud made up nearly 40 percent of all blocked fraud, according to online fraud prevention vendor Sift, so it’s a growing problem. Often nothing happens to corrupted accounts immediately after they’ve been hacked. Fraudsters bide their time to perform card testing, verify associated addresses and other personal data, discover cards on file, connected accounts or apps. It pays to be patient.
“Acquirers know this with bust-out merchants. After a period of normal trading, the merchant deposits a large volume of illegitimate transactions, withdraws the cash and disappears, leaving their acquirer to cover the chargebacks,” says Noton.
Synthetic ID fraud is a sophisticated, newer type of fraud that blends real and fictitious information to create a synthetic identity. Criminals may take a real government ID number and address and mix it with a fake name and date of birth. The aim is to create plausible identities which criminals exploit to apply for loans, card acquiring contracts and so on.
Trust but verify
“The ‘stranger danger’ of third-party fraud attacks is something that every business must contend with. However, some merchants are just mad, bad or dangerous to know, and first-party fraud is an unfortunate reality, too.”
“The downstream impact for acquirers and payment service providers can be significant, resulting in revenue loss, customer churn and disputes. This is why Web Shield solutions are built around the ‘trust but verify’ principle.”
InvestiGate reveals previously unknown relationships, entities clustered around directors, UBOs or even addresses. Versatile Customer Underwriting (VCU) offers effective, efficient and reliable KYC/KYB by automating the laborious tasks associated with customer due diligence. And if your focus is anti-money laundering, PayTracer provides intelligent transaction screening by enriching limited SWIFT data.
Fraud is dynamic and migrates to target the weakest link, which is frequently a consumer or merchant. The rising fraud trends – account takeover, bust-out, synthetic ID and money mule fraud – all involve pretending to be a real customer, which poses new challenges for providers in how to configure anti-fraud rules and models.
The mitigation for risk management professionals is improving education and awareness of new threats, harnessing the best of technology, process and people, and collaborating far and wide to counter fraud and fraudsters.