The global recession has many people – and companies – putting on warm sweaters as they turn down their thermostats.
On the ground level, that means more people pinching pennies and looking for new streams of income. It also means those people might be a little more gullible when presented with a too-good-to-be-true opportunity. They might even be chilly and desperate enough to turn a blind eye to illegal activity if it means a quick buck.
For industry, it means maintaining a delicate balance between stabilising existing sources of revenue while also plugging any leaks in the rickety old windows, to keep the warmth of consistent returns inside.
A few of those companies may even be tempted to take a red pen to the budget of their fraud and risk teams. This would be an unwise decision, though, as between the desperate people and the cooling economy, fraudsters are the only ones really turning up the heat.
A chilly outlook
In 2023, the fraud industry will continue to grow as most economies will face a depression. Criminals that take advantage of vulnerable people and businesses flourish in such an environment.
Fraudulent activity associated with this kind of exploitation, like authorised push payment (APP) fraud, scaled phishing attempts, and ad fraud will cost consumers and companies increasing billions. According to Insider Intelligence, ad fraud alone will amount to a $100bn (£82.4bn) global loss.
Meanwhile, for an example of the snowballing phishing attempts, many will only need to open their text message inbox (but don’t follow any links you find). If you are one of the victims who is worried their Apple Pay account has been accidentally locked, you may already know the result is valuable accounts being compromised and exploited.
Compounding the risk that the fraud itself represents, high-profile cases of negligent anti-money laundering (AML) and know-your-customer (KYC) due diligence have renewed regulators’ interest in tightening safety mandates. The UK’s Financial Conduct Authority (FCA) handed out over £200m in KYC negligence fines in 2022. AML fines tipped the scales at over $1.6bn in the first half of last year alone.
In the midst of a financial winter, how can businesses balance fraud prevention and regulatory mandates, while also growing ROIs?
Inclement fraud forecast
To bundle up against the threat of fraud melting your bottom line, and avoid even costlier negligence fines, here are some of the most pervasive threats that tend to tick up during economic downturns. Risk management teams should be adjusting their strategies to handle the particular challenges they pose.
First-party fraud: An instance of an individual customer taking it upon themselves to misrepresent their identity in order to defraud businesses is called first-party fraud. Hard times often lead to spikes in this behaviour. Most often this manifests as people exploiting offers of grants, loans, and subsidies by impersonating others or providing invalid personal data. For the most part, only money services have to be particularly careful about vetting loan applicants, with lenders in the UK reportedly preventing some £2.2 billion in loan fraud through AML and KYC checks last year.
One of the most common, and most casual, types of first-party fraud is friendly fraud. Major online retailers have to cast the widest net over sales revenue, which includes low-friction policies for returns and refunds, even a no-returns policy. Friendly fraud is generally when customers start a refund process on knowingly false pretences. By citing excuses like the item arriving damaged, being incorrect, or not arriving at all, or perhaps a child making an accidental purchase, customers can recoup their payment and keep their purchase. Some friendly fraudsters may immediately pursue the chargeback process instead, causing even greater losses for the victimised merchant.
Money mules: By taking advantage of desperate situations, criminals recruit money mules, witting or unwitting, to facilitate credit card fraud and money laundering.
In banking, fraudsters approach people asking them to hold illicit funds in their bank accounts before transferring them to another account in the fraudster’s network. For this seemingly benign service, the mule gets a fee, and the money is effectively laundered. Allowing such activity to happen within a financial institution quickly leads to fines, and potentially even sanctions.
For retail ecommerce, money mules are often unsuspecting people looking for a good deal, even if the deal seems impossibly good. Cyber criminals with stolen credit card information will post popular goods on third-party marketplaces, advertising absurdly good deals. Shoppers who take up their offer will be satisfied with the purchase, but probably don’t realise the deal is the result of the fraudster using stolen credit card information to make the purchase. The fraudster gets paid by the unwitting money mule, the mule gets their product, and the legitimate cardholder gets an unknown charge that rapidly turns into a chargeback, leaving the defrauded business with the losses of the product, the sale, the chargeback fees, and the safety reputation.
Account takeovers (ATOs): Account takeovers are the end goal of many types of cybercrime, like credential stuffing, brute force attacks, and phishing, and all of those are on the rise, but phishing in particular tends to target the wilfully gullible in times of hardship.
Successful account breaches, regardless of what account is targeted, always have spiralling consequences for the victims involved. Unauthorised purchases, accounts drained of funds, and eventual chargebacks are par for the course, but domains skirting AML and KYC checks that help prevent these things will also find themselves subjected to harsh fines, with multiple entities being slapped with punishments in excess of $100m in 2022. During the incipient recession, few companies will be able to weather excessive losses to fraud, much less fines of this magnitude.
Ad fraud: Last year the APAC region reported ad fraud losses amounting to $75bn, compared to $6 billion across the rest of the globe. This outlandish number owes largely to click and install farms that push huge volumes of traffic through paid advertising portals. Companies that have automated PPC partner onboarding processes are especially vulnerable. While this kind of fraud is not necessarily specific to economic depressions, it represents huge dents in returns for companies making timely budget cuts in KYB protocols.
How to weatherproof ROI
Regardless of the economic climate, fraud will continue to be a persistent problem for global business. As discussed, the fraud itself can be just the tip of the iceberg when it comes to impact on your business. Alongside the rising digital fraud rates, cyber insurance companies that help mitigate risk loss are increasing their premiums and making the vetting that businesses must pass in order to be underwritten more stringent.
To deal with the aforementioned fraud techniques, which are likely to tick up in the following months, finding a fraud prevention software suite that suits your risk appetite and infrastructure will be a crucial part of plugging leaks in your returns. The software should address the challenges discussed by including features like:
- Generation of a thorough user profile that can be scrutinised when approving loans and applications. This should include the ability to cross-check submitted data points against each other, to scan for signs of a synthetic ID. That profile may draw on sources like openly accessible government databases, as well as alternative data pools like social media registrations. Suspicious inconsistencies in submitted data are at least a warning that the applicant might be a fraudster. Most fraud solutions allow this process to be fully or partially automated, and while they do not present a particularly high hurdle for first-party fraudsters, there will at least be a partially verifiable paper trail.
- Tools to combat financial money muling, like customisable behavioural insights that can notice patterns of suspicious behaviour. When transactional data is labelled correctly, with instances of fraud singled out, the machine learning algorithms that power many fraud solutions can be trained to detect, for example, apparently disparate accounts that all deposit a similar amount of money for a similar amount of time, and then pass it on to a network of other accounts.
- Strong credit card fraud detection that notices suspicious changes in transactional behaviour is a good way to curb retail money muling. Retail money mule fraud often results from stolen credit card credentials. Often, money mule-enabling fraudsters will follow patterns, like opening a new account with the stolen card, then making a single large purchase. Again, good data labelling best practice in tandem with strong machine learning algorithms can help catch money mules before they can make major dents in your revenue streams.
- The ability to combat ATOs by detecting anomalous login and transactional behaviour. Fraud solutions can be tuned to pause user journeys when a login from a new location or IP is detected, or ask for more credentials at that phase. As well, software with strong ATO prevention should pause existing accounts that suddenly make purchases well outside of their expected behaviour, based on historical transactions.
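The money-mule pattern named in the list above (apparently unrelated accounts that each receive a similar amount, hold it for a similar time, then pass it on) can be sketched as a detection rule. This is an added example, not code from the article or from any fraud product: the ledger is constructed, the thresholds are assumptions, and a fixed bucketing rule stands in for the trained model the article describes.

```python
from collections import defaultdict

# Constructed sample ledger rows: (account, kind, amount, hour, counterparty).
LEDGER = [
    ("acct-A", "deposit", 4950.0, 0, "ext-1"),
    ("acct-A", "transfer_out", 4900.0, 26, "hub-1"),
    ("acct-B", "deposit", 5020.0, 3, "ext-2"),
    ("acct-B", "transfer_out", 4980.0, 27, "hub-1"),
    ("acct-C", "deposit", 5000.0, 10, "ext-3"),
    ("acct-C", "transfer_out", 4950.0, 35, "hub-2"),
    ("acct-D", "deposit", 5100.0, 1, "ext-4"),       # ordinary customer
    ("acct-D", "transfer_out", 300.0, 400, "shop-9"),
]
AMOUNT_BUCKET = 500.0  # assumed: deposits within ~500 count as "similar"
HOLD_BUCKET_H = 12     # assumed: hold times within ~12 h count as "similar"
PASS_THROUGH = 0.9     # assumed: at least 90% of the deposit is forwarded
MIN_ACCOUNTS = 3       # assumed: cluster size that warrants analyst review


def pass_throughs(ledger):
    """Yield (account, amount, hold_hours, destination) per forwarded deposit."""
    by_account = defaultdict(list)
    for row in sorted(ledger, key=lambda r: r[3]):  # chronological order
        by_account[row[0]].append(row)
    for account, rows in by_account.items():
        for i, (_, kind, amount, hour, _) in enumerate(rows):
            if kind != "deposit":
                continue
            # First later outbound transfer that moves most of the deposit on.
            for _, kind2, amount2, hour2, dest in rows[i + 1:]:
                if kind2 == "transfer_out" and amount2 >= PASS_THROUGH * amount:
                    yield account, amount, hour2 - hour, dest
                    break


def mule_clusters(ledger):
    """Group pass-throughs by similar amount and hold time; keep large groups."""
    groups = defaultdict(lambda: (set(), set()))
    for account, amount, hold, dest in pass_throughs(ledger):
        # Fixed buckets can split near-identical values that straddle an edge.
        key = (round(amount / AMOUNT_BUCKET), round(hold / HOLD_BUCKET_H))
        accounts, destinations = groups[key]
        accounts.add(account)
        destinations.add(dest)
    return [(sorted(accts), sorted(dests)) for accts, dests in groups.values()
            if len(accts) >= MIN_ACCOUNTS]


if __name__ == "__main__":
    print(mule_clusters(LEDGER))
```

The returned destination list is the useful part for an investigator, since it names the accounts the funds converge on; clusters flagged this way are candidates for review and for labelling as training data, not verdicts.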
All businesses know that increasing automation in workflows frees up valuable human resources that can be better – and more profitably – utilised elsewhere. Unfortunately, just as fraudsters can’t leave all their malicious processes to automated bots, best-practice fraud prevention also has a manual component. Policies that should be implemented outside of a software solution include:
- A hardened process for onboarding new partners, particularly for pay-per-click ad campaigns. The most important step in minimising wasted advertising spend is to know which partners are providing legitimate traffic, and which are fronts for click farms. Though many companies are adopting automated partner onboarding software, manual oversight and vetting of these partners is key. Manual oversight of partners’ conversion rates, the on-site performance of referees, and a general idea of where ads are being placed is necessary to optimise ad spend.
- Prioritisation of education in both the customer base and staff. For all of the scams that are likely to approach your business, awareness is the first line of defence. This education should be regular and dynamic, to help people recognise current instances of phishing, money muling, and account takeovers before they become major issues.
- Consistent, concise, and accurate language around product offerings, particularly for retailers. Closing the holes that friendly fraudsters wiggle through – vague product labels, slow response times from customer service, suboptimal delivery infrastructures – is done by making sure all your legal bases are covered. This includes generating comprehensive audit trails for disputing fraudulent chargeback claims.
- Customer service teams should be well-provisioned to fulfil valid refunds in reasonable amounts of time. These teams should also have the resources to combat instances of potential first-party fraud. This can include things like a call from a representative to confirm details on a digital loan application, or a quick follow-up call for a new user making a large purchase. These customer service agents should be educated on potential red flags to be on the lookout for.
These safety goalposts, however, are always on the move. Google reported that up to 68% of all phishing scams, for example, were zero-day exploits, meaning that they had never been seen before. Not only does this indicate a strong ability for fraudsters to continually modernise and innovate, it also means that fraud prevention is always more effective when proactive, rather than reactive. If your fraud education programs revolve around looking at historical examples, it may overdevelop a sense of security in staff members who should be on the lookout for the next fraud threat.
Just as fraudsters are looking for new ways to exploit vulnerabilities both in corporate infrastructures and in the human condition, risk management and fraud teams must be actively looking for new ways to preclude them. Failure to do so will leave businesses out in the cold, their bottom lines freezing and maybe even shattering.
PJ Rohall is head of fraud strategy and education at SEON Fraud Fighters, and co-founder of About-Fraud, a global community dedicated to the fight against scams.