Risk Assessment: Buttress Account Security and Foil Fraudsters | Consumer Security
Under ordinary circumstances, the average consumer can order a latte on the way to the coffee shop, book a last-minute trip to the coast, and come home to find groceries delivered — all with the click of a button. What makes these transactions so smooth and effortless? It starts with account creation. Consumers increasingly are willing to create accounts with sites they interact with regularly. In fact, the average U.S. email address
is associated with 130 different accounts.
There are many benefits to consumers for having these accounts: receiving promotions, saving payment information for quick and easy checkouts, even personalized advertising that provides suggestions for future purchases based on previous orders and browsing history. This also helps retailers provide customers with optimal buying experiences.
Unfortunately, fraudsters are all too aware of those strong account relationships, and they use them to exploit businesses and consumers.
Account Fraud Comes in Many Shapes and Sizes
There are several different types of account fraud that consumers are vulnerable to, and depending on the sophistication, the fraud can impact a consumer’s overall digital trust of a platform drastically and negatively impact the reputation of that business.
For instance, through social stats abuse, fraudsters create accounts to write fake positive reviews for a company’s product or service, or to damage a competitor through a bad review. Forty percent of consumers will never buy from a brand again if they based a purchase on a misleading review online, according to Sift’s
report, “Fake Reviews: A Growing Fraud Concern Affecting Brand Loyalty and Growth.”
Another example of account fraud is malware — fraudsters create social profiles or accounts to act as a real person to direct people to malicious sites. Also prevalent is promo abuse — fraudsters create accounts to take advantage of sign-up promotions, referral promotions, etc.
Twenty-five percent of attempted transactions involving online promos in 2019 were fraudulent, found another Sift
report, “Digital Trust & Safety Index: A Rapidly-Changing Fraud Landscape.”
Fraudsters also implement listing scams, using fake accounts to upload scraped images to convince users to wire money or accept a phony cashier’s check as payment.
However, two types of account fraud that have a very large impact are account takeover and synthetic identity fraud.
What Is Account Takeover Fraud?
Account takeover fraud occurs when a fraudster gains access to someone else’s account, changes information such as log in credentials or personal information, and then makes unauthorized transactions in that account.
Forty percent of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value, a 2018 NuData security report found.
These fraudulent online transactions can be as minor as buying groceries on a debit card or as severe as using someone else’s account to take out a mortgage. Account takeover fraud is a serious threat for consumers, who face both financial loss, damaged credit and compromised account identity.
Account takeover fraud can lead to revenue loss too. In fact, online payment fraud losses will exceed US$200 billion between 2020 and 2024, according to Juniper Research.
Account takeover fraud has gone even further in recent years and now can include gaining control of separate accounts, such as mobile or email accounts. Mobile phone account takeovers have increased 78 percent from the previous year, with fraudsters gaining malicious access to more than 680,000 victim accounts, according to Javelin’s identity fraud study.
Further, while human-driven account takeover attacks remained relatively steady across the beginning of 2019, attacks increased by 330 percent in the last four months of the year, NuData’s “2019: Fraud Risk at a Glance” report found.
Of the top 10 fraud attacks consumers experience, account takeover ranks third, at 37 percent, according to CyberSource’s “2019 Global eCommerce Fraud Management Report. Fifty-nine percent of respondents anticipated that account takeover attacks would increase in the next 12 months.
What Is Synthetic Identity Fraud?
Synthetic identities are created to look like real customers but are used for fraudulent transactions. They are made up of blended information that combines real and fake data, such as an address from one person mixed with another’s Social Security number. Then, they establish the synthetic identities by opening bank accounts and cards, and acting like legitimate customers.
For example, instead of immediately performing a big fraudulent action (something security professionals have learned to anticipate), they make purchases in line with normal consumer spending patterns and pay off their cards and bills on time and in full for a period of time.
After these fake customers have established stronger credit scores, the fraudsters will ask for a higher credit limit or a larger loan that they have no intention of repaying. This type of fraud is challenging to identify because it is so gradual that the victim often doesn’t even realize it is happening (let alone report it).
This particular type of fraud tends to be more prevalent in the United States, because it centers around static personal identifiable information (PII) — in the U.S., Social Security numbers. Accessing this information has proven easy for fraudsters due to the number of U.S. data breaches.
In 2019, 1,473 breaches occurred, an increase of 17 percent from the 1,257 breaches reported in 2018, according to the Identity Theft Resource Center.
How Merchants Can Manage Account Fraud Threats
As account fraud rates continue to skyrocket, merchants must take the necessary measures to manage this threat. As soon as a customer arrives at a merchant’s site, the merchant is responsible not only for delivering optimal customer experiences, but also for preventing fraud loss.
Beyond standard post-authorization fraud assessment, merchants should be minimizing false positives when detecting fraud in their customer accounts. Giving customers the opportunity to provide more information for authentication before disabling their account can prevent added customer friction and frustration.
The best way to manage fraud is to stop it before it happens. One way to do this is through preauthorization risk assessment — which merchants conduct by using machine learning algorithms to identify fraudulent activity before bank authorization occurs.
The trend toward leveraging ML to better predict fraud is on the upswing. It has become a crucial tool, “as it enables payments industry stakeholders to analyze transaction flows in a holistic way, unlocking hidden insights on fraudulent behaviors,” Juniper Research found. It forecast ML spend for fraud detection to reach $10 billion in 2024, a 15 percent increase from 2020.
Fraud detection is a great use case for ML, in particular, because of the varying characteristics involved with fraud. They can span across geographies and have changing patterns depending on the type of fraud scheme used.
Some data attributes that models can use to assess patterns: the endpoint (what type of device a customer is using); behavior (how a user is interacting with the site); identity assessment (if the person is who they say they are); and link analysis (how the credit card, email, phone, etc., on one order is connected to other orders).
Since ML mimics the real world, merchants can use it to build geo- and use-case-specific models to better predict fraud. This also helps them respond to the dynamic and changing world, and to defend against increasingly sophisticated fraudsters who continue to evolve their tactics.
Just as critical as the ML models themselves is the dynamic data that feeds the models. Much of the data available for modeling in the fraud space is direct customer input, so it’s important for merchants to normalize user inputs in a manner that is scalable for a transaction taking place anywhere across the globe. Merchants also need to have a clear definition for fraud labels, such as if a transaction was “confirmed fraud” vs. “suspected fraud” vs. an “agent’s disposition,” etc.
By successfully building ML models for fraud detection, merchants can leverage risk assessment to prevent fraud during both account creation and modification.
Risk Assessment Benefits at Account Creation
Assessing the risk at account creation is a crucial step that more merchants are focusing on to prevent fraud proactively and reduce customer friction. To create as little friction as possible at account creation, most merchants will ask only for the most necessary information — usually name, email address, IP address, device ID, and perhaps behavioral data.
Validating and verifying data from third-party networks allows merchants to decide if an account appears low risk or if they should implement a progressive sign-up flow. Then merchants can choose to request more information (such as phone number or physical address) or implement two-factor authentication to ensure account openers are who they say they are. Risk assessment at account creation helps merchants to minimize friction, while not losing sight of nefarious players.
Risk Assessment Benefits During Account Modification
Risk assessment shouldn’t stop at account creation. It should be part of the account lifecycle too. Merchants should use relevant data across the ecosystem any time a customer modifies an account, to reduce friction while still catching fraud. In a world where fraudsters are increasingly sophisticated in recreating customer identities, data from multiple sources can help find unique markers that identify the actual human behind a digital identity.
Sudden changes in shipping address, email address, or device ID are all signs that an account takeover might be occurring. A fraudster might be trying to get the physical good or prevent the real customer from getting the order confirmation. Merchants can leverage identity verification within their models to monitor changes in behavior to avoid not only a loss of goods, but more importantly, a loss of customer trust.
While preauthorization risk assessment offers many benefits, it is a very new capability brought about by machine learning and the ability to leverage third-party data at a point in the workflow — one that wasn’t possible before due to latency requirements.
Because of its newness, we still see more than 90 percent of our customers doing their fraud-checks post-authorization. To drive better online user experiences and build consumer trust, merchants need to assess risk as early as possible to protect customer accounts — not allowing them to be taken over or created artificially.
As more merchants take proactive measures to prevent fraud across the account ecosystem, they will reap the benefits of more loyal customers, who trust them to deliver smooth and safe experiences.