We spoke with Fraugster CEO, Christian Mangold, to learn more about the findings revealed in their recently released Payment Intelligence Report 2022.
What mistakes are companies consistently making that led to 80B dollars being lost in a single year?
The biggest mistake companies are making today is assuming fraud to be static when it is ever evolving. There is a need for a mindset shift in the industry where we don’t just focus on catching fraud but move to managing risk. Risk management is a practice that requires a wide skill set and a holistic approach to identify and assess different risk types, and constantly prioritize the ones that are the most urgent and important to solve.
What are the biggest attack vectors out there right now that companies aren’t taking seriously enough?
Beyond purchasing cheaply available customer Personally Identifiable Information (PII) and payment information off the Dark Net, fraudsters today are implementing sophisticated attack methods such as Man-in-the-Middle attacks, where they place themselves between a user and an application via home routers/public Wi-Fi networks, or Social Engineering attacks, where they trick users into giving away their personal information while posing as an authority figure.
Fraugster’s payment intelligence report reveals that Synthetic Identity fraud rose by 109% in 2021, standing as a €19.38bn problem for ecommerce today. After gaining access to PII and stolen card information, fraudsters employ millions of bots to construct fake identities and test credentials (up by 45% in 2021). They are then known to mimic the behavior of a good customer to stay unnoticed before making a series of high value purchases, thus making them one of the most lethal.
In such a scenario it is important for merchants to know that the devil, and the clue to a fraud, is often in the details. Increasingly this means using graph and linking analysis to list suspicious transactions engaged in by the fraudster using the same shipping address, IP or email address. Machine learning assessing hundreds of data points further aids in spotting mismatches in shipping address, device location and IP location.
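The linking analysis described above, as an added example that is not Fraugster's code: transactions are joined into clusters when they share a shipping address, IP or email, clusters where several distinct cards converge are flagged, and each transaction is checked for the shipping/device/IP location mismatches the answer names. The transaction records and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample orders (not real data). t3..t5 model a ring: three
# different cards and emails, one shipping address, two sharing an IP.
TRANSACTIONS = [
    {"id": "t1", "card": "c1", "email": "a@x.test", "ip": "10.0.0.1",
     "ship": "1 Main St", "ship_cc": "DE", "ip_cc": "DE", "dev_cc": "DE"},
    {"id": "t2", "card": "c2", "email": "b@x.test", "ip": "10.0.0.2",
     "ship": "2 Oak Ave", "ship_cc": "FR", "ip_cc": "FR", "dev_cc": "FR"},
    {"id": "t3", "card": "c3", "email": "c@x.test", "ip": "10.0.0.9",
     "ship": "9 Drop St", "ship_cc": "NL", "ip_cc": "RO", "dev_cc": "NL"},
    {"id": "t4", "card": "c4", "email": "d@x.test", "ip": "10.0.0.9",
     "ship": "9 Drop St", "ship_cc": "NL", "ip_cc": "RO", "dev_cc": "US"},
    {"id": "t5", "card": "c5", "email": "e@x.test", "ip": "10.0.0.7",
     "ship": "9 Drop St", "ship_cc": "NL", "ip_cc": "NL", "dev_cc": "NL"},
]

LINK_KEYS = ("ship", "ip", "email")   # the linking attributes named in the text

def link_clusters(txs, keys=LINK_KEYS):
    """Union-find: two transactions are linked if they share any key value."""
    parent = {t["id"]: t["id"] for t in txs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_owner = {}   # (key, value) -> first transaction id carrying it
    for t in txs:
        for k in keys:
            owner = first_owner.setdefault((k, t[k]), t["id"])
            parent[find(owner)] = find(t["id"])   # no-op when owner is t itself
    clusters = defaultdict(list)
    for t in txs:
        clusters[find(t["id"])].append(t["id"])
    return sorted(clusters.values(), key=lambda c: c[0])

def flag_rings(txs, min_cards=3):
    """Clusters where at least min_cards distinct cards share linking data."""
    by_id = {t["id"]: t for t in txs}
    return [sorted(c) for c in link_clusters(txs)
            if len({by_id[i]["card"] for i in c}) >= min_cards]

def location_mismatches(tx):
    """Per-transaction signals: IP country and device country vs shipping country."""
    out = []
    if tx["ip_cc"] != tx["ship_cc"]:
        out.append("ip_vs_shipping")
    if tx["dev_cc"] != tx["ship_cc"]:
        out.append("device_vs_shipping")
    return out
```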
What are the biggest gaps in overall chargeback prevention you are seeing today?
With chargebacks costing merchants 2x the actual amount of the goods, it is important for merchants to adopt a holistic approach when forming their chargeback prevention strategy, one that also focuses on the causes of chargebacks and where they emerge from. Our 2021 data estimates, as pointed out in the report, revealed that the most common reason codes for chargebacks across verticals pertained to cardholders not authorizing the transaction in a Card Not Present (CNP) environment. Fraudsters have increasingly resorted to building fake profiles with stolen card details, which leads to increased chargebacks once the actual card owners notice the transactions completed at their expense.
In this light, a lack of investment in trained personnel, good technology and tooling is a major gap in merchants’ overall chargeback prevention strategies. It is key to shift focus to stopping a fraudster right at the point of checkout to curb chargebacks. Moving away from static fraud rules and leveraging systems built with advanced machine learning, overlaying hundreds of attributes to spot behavioral and data-based anomalies, is the best way forward to reduce chargebacks.
Merchants should also bring more focus to the root causes of a chargeback and employ best practices such as providing a quick and easy resolution to consumers in case of issues. Additionally, they should focus on providing accurate transaction descriptors that cardholders see on their statements, to avoid cases of confusion or panic.
What are the biggest BNPL vulnerabilities right now, and how are fraudsters exploiting them?
BNPL solutions have been prone to Account Takeover Attacks (ATO) and Synthetic Identity attacks by fraudsters, which could lead to a significant fall in consumers’ trust in the service. The focus of BNPLs on providing a seamless buyer journey, along with the availability of guest checkouts, has left them prone to sophisticated attacks by fraudsters. Last year 34.6% of the ATO attacks were directed towards the financial sector, including BNPL providers. This brings us to the importance for BNPL providers to not only assess buyers’ risk of default but also verify their identities to prevent losses.
Using sophisticated AI-driven risk assessment solutions that leverage data enrichment and linking analysis can allow BNPL providers to assess the risk of both first-time and repeat customers, without introducing unnecessary friction in the buyer journey.
What are the most successful travel companies doing to mitigate risk during this crazy period of endless cancellations, re-bookings, and refunds amidst soaring demand?
Being prepared to adjust their service
In such turbulent times successful companies are focusing on investing in expert resources to manage unexpected situations in a timely manner before they become a big problem, adapting their service and enabling fast learning based on merchant feedback, partners and data.
Staying on top of fraud risks across regions and channels
Complex, global businesses are never standing still. Companies today are more careful while expanding to new regions and focus on addressing new fraud patterns that may arise due to different payment methods, payment types (for example, multi-bookings and 0 value transactions), and channels (for example, B2B travel agencies and B2C call centers). Understanding these nuances and developing a dynamic and flexible data structure is key.
Taking a cost-saving approach to fraud prevention
Aiming for continuous growth in their core business, travel companies are partnering with Payment / Fraud Management experts that work together to prevent fraud on their behalf, allowing them to dedicate their resources to what they do best.
How should companies look to efficiently approach customer experiences in the increasingly complex regulatory environments they operate in?
It’s not about how to approach the customer experience, but how to approach regulation: regulation is here to stay, and customer experiences will be shaped around it. Read the actual laws, understand the spirit of the laws, focus on substance, and adapt your user experience accordingly. In this environment, the law is not only for legal and compliance teams anymore. It is key to encourage your product managers, system architects and data scientists to understand the boundaries of the playground they are in – use regulation constraints as a catalyst for creativity.
What upcoming regulatory changes do merchants need to start preparing for right now?
2021 saw record fines being levied against companies that failed to comply with anti-money laundering regulations. We predict that both total compliance costs (headcount, processing, and vendor costs) and fines levied will increase in 2022. Why? Because the 6th Anti-Money Laundering Directive (6AMLD) broadens the scope of money laundering offenses to include those aiding and abetting, inciting, and attempting an offense. This will make it easier for law enforcement to pursue those often described as enablers facilitating money laundering or serving as accomplices in money laundering schemes.
The biggest winners in such a scenario would only be those who can leverage technology like transaction monitoring and sanctions and Politically Exposed Persons (PEP) lists to avoid entering illegal business relationships.
In the long run merchants could look out for PSD3 as the European Union has begun work on the same. Additional regulations on currently unregulated payments such as those via BNPL, crypto assets, operating payment systems and digital wallet services could be expected.
How should companies mitigate the effect of PSD2 on the customer experience?
Post introduction of PSD2, SCA has been seen as added friction that would lead to increased customer drop-offs. Effective strategies to mitigate this include Transaction Risk Analysis (TRA), which allows low risk transactions such as recurring transactions, B2B payments or low value transactions to be easily exempted from SCA.
Assuming the general ATV in e-commerce is ±60 EUR, it’s relatively easy to get exemptions for an increased number of transactions. Keeping a lower fraud level by leveraging advanced software can further aid in increasing this exemption limit to 100 EUR. Having 3DS checks or 2FA for high value sales can then be justified as an increased safety measure to keep customers safe rather than a burden or hindrance.
Additionally, it is important to note that though 2FA/3DS leads to increased customer drop-offs, these are compensated for by decreased issuer declines, as issuers place increased trust in transactions that have undergone 3DS.
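To make the exemption logic in the answer above concrete, this added example (not Fraugster's code) walks a constructed basket of payments around the ~60 EUR ATV through the PSD2 SCA exemptions the answer lists: recurring, corporate (B2B), low value and TRA. The TRA value limits and the 30 EUR low-value limit are those set in the PSD2 RTS on SCA (Commission Delegated Regulation (EU) 2018/389); the 100 EUR limit the answer mentions is the entry tier, and lower fraud rates unlock the higher ones. The basket and the fraud rates are constructed.

```python
from dataclasses import dataclass

# TRA tiers from the PSD2 RTS (Art. 18): (maximum reference fraud rate, EUR limit).
# The provider's fraud rate selects the highest limit it qualifies for.
TRA_TIERS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]
LOW_VALUE_LIMIT = 30.0   # Art. 16 low-value exemption (count/cumulative caps omitted)

@dataclass
class Payment:
    amount_eur: float
    recurring: bool = False   # subsequent payment of a recurring series
    b2b: bool = False         # corporate payment through a dedicated process

def tra_limit(fraud_rate):
    """Highest TRA exemption value the fraud rate qualifies for, 0.0 if none."""
    for max_rate, limit in TRA_TIERS:
        if fraud_rate <= max_rate:
            return limit
    return 0.0

def sca_decision(p, fraud_rate):
    """Which exemption the acquirer can request, or 'sca_required' (3DS/2FA)."""
    if p.recurring:
        return "exempt_recurring"
    if p.b2b:
        return "exempt_corporate"
    if p.amount_eur <= LOW_VALUE_LIMIT:
        return "exempt_low_value"
    if p.amount_eur <= tra_limit(fraud_rate):
        return "exempt_tra"
    return "sca_required"

def challenge_share(payments, fraud_rate):
    """Fraction of the basket that would still face an SCA challenge."""
    challenged = sum(sca_decision(p, fraud_rate) == "sca_required" for p in payments)
    return round(challenged / len(payments), 2)

# Constructed basket spread around a ~60 EUR average ticket (not real data).
BASKET = [Payment(a) for a in (12, 25, 45, 60, 75, 95, 120, 240, 260, 480)]

if __name__ == "__main__":
    for rate in (0.0020, 0.0010, 0.0005):   # 0.20%, 0.10%, 0.05% fraud rate
        print(f"fraud rate {rate:.2%}: limit {tra_limit(rate):.0f} EUR, "
              f"challenged share {challenge_share(BASKET, rate)}")
```

The issuer still makes the final call on an exemption request, so a low acquirer fraud rate widens what can be asked for rather than guaranteeing a frictionless flow.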
What is the biggest fraud trend you are seeing as we head into the holiday season?
Considering the rise in ‘revenge travel’ alongside increased flight cancellations and delays (as witnessed in the UK and other popular travel sectors), affected customers are likely to resort to filing ‘angry chargebacks’, in the case of denial or a delay in refunds from the merchant. A similar situation was observed last year when flights were cancelled due to lockdowns. Our data showed angry chargebacks increasing from a pre-pandemic baseline of 15% to over 50% during the peak of regional lock-downs and flight cancellations.
Alongside this, merchants should be aware of newer and emerging types of fraud. One such type is Rebooking Fraud, where fraudsters use stolen financial information to buy expensive tickets and then resell them as cheaper “last minute” offers to an unwitting customer via a fraudulent OTA at a competitive price. In the end it is the merchant who is left to bear the increased chargebacks when the owner of the stolen card notices a transaction they didn’t authorize.
Fraudsters may also take advantage of promotional schemes run by popular ecommerce websites, such as Amazon Prime Day, and engage in bot-enabled reseller fraud that makes use of bots to buy cheap products in large quantities. These products are then sold to customers at a premium via another storefront.
What fraud risks do you believe will make an impact on 2023?
Studying trends and multiple data points across verticals and topics of compliance, fraud risk management and revenue uplift, Fraugster’s payment intelligence report aligned the following fraud risks to keep an eye out for:
Fraudsters exploiting openness of web3 using stolen financials
The rise of web3 and the metaverse would not only trigger increased purchases of high value digital assets like NFTs but also low value, high frequency in-game purchases like that of swords, skins, and usernames. These environments can thus be preferred locations for fraudsters testing stolen financial instruments before going on to make higher value purchases. This in turn presents a massive chargeback risk for merchants, and especially gaming companies. In parallel we can also expect an increase in the number and value of scams coming from fraudsters masquerading as creators. This was recently seen in the case of Squid Coin, a fraudulent currency that netted scammers an estimated USD 3.5 million.
Fraudsters and good customers will become harder to tell apart
More online shoppers are now using VPNs to mask their IP address and protect their personal data online – a behaviour that is often seen from fraudsters and that typically increases the risk score of a transaction. Spotting the difference between the two will become harder, especially as fraudsters are becoming more sophisticated at mimicking the behaviour of good users.
Rise of fake identities
In 2021, we saw a massive rise in the use of fake and synthetic identities, constructed from stolen information widely available on the dark web for as little as 5 EUR. This has made it easier for fraudsters to pass KYC checks for new services like BNPL, gift cards, and online gaming platforms. We expect this trend to continue; however, we forecast a fightback as machine learning algorithms get better at identifying signals that point to an increased probability of fraud, for example a frequent change in IP address, device ID mismatches, and frequent asset hopping.