It Takes A Hub: Fighting eCommerce Fraudsters Across New Vectors

As commerce shifts online in a pivot that is likely to remain permanent, the fraudsters are also shifting their targets — and methods.

And as Rob Tharle, head of fraud strategy at NICE Actimize, told PYMNTS in a recent interview, financial institutions (FIs) and merchants need to adopt a multi-layered approach to combatting those bad actors.

“There are a number of areas where the fraud threat has increased this year and where we have seen an increasing trend — and the current situation with COVID-19 has added to it,” he told PYMNTS.

What’s different this time? Tharle said real-time payments have been increasingly adopted across the globe, as reflected in volumes reported in Europe, Australia and the U.S.

Real-time payments, he said, “increase the attack surface” for fraudsters and are attractive for two reasons: speed and the fact that the payments are irrevocable.

This means, according to Tharle, that fraudulently obtained monies can be moved through several accounts in the span of minutes, which makes the money trail virtually untraceable.

The rise of FinTechs, which Tharle said is also a global phenomenon, brings third parties into the mix. The combination of faster payments and more parties tied to a transaction heightens the fraud risk, introducing “gaps” where fraudsters can hide.

“With the rise of FinTechs in Europe and the rest of the world, and with EMV, there’s a shift away from counterfeit fraud and mag stripes, toward CNP [card-not-present] and eCommerce fraud,” Tharle said. “What’s going to change, quite significantly in the U.S., is that as new technologies come in, merchants will put in new controls to limit their liability.”

That’s especially important as criminals seek to use eCommerce to commit what might be termed “authorized fraud,” as bad actors get hold of card details or log-in credentials, pose as legitimate account holders and send payments. Authorized fraud also encompasses business email compromise (BEC) scams, said Tharle.

In some cases, the fraudsters are carrying out their schemes across a variety of channels, showing up at victims’ addresses, dressed in carriers’ uniforms, after (fraudulent) deliveries arrive, stating there’s been a mistake — and making off with the stolen goods.

As a result, he told PYMNTS, authorized fraud is harder to ferret out and combat.

“Just putting device profiling or two-factor authentication in place doesn’t help,” if it seems on the surface as if the actual customer is doing the transacting, he said.

For merchants and banks there’s the double-edged sword of swelling volumes of consumers embracing eCommerce — many of whom have not necessarily transacted online before and may not get much initial scrutiny in terms of risk scoring.

Introducing new levels of friction into the mix, flagging transactions and slowing the checkout process, Tharle cautioned, means consumers will be frustrated as they’ve come to expect speedier transactions and deliveries of what they’ve actually ordered.

But, according to Tharle, “there are a number of new technologies coming down the pipe that will mitigate some of this.”

FIs, he said, need to take a multi-layered approach to combatting fraud. As he cautioned, relying on one part of the transaction flow, or on only a few types of fraud attack, means “you’re always asking for trouble … it’s all about introducing the right amount of friction at the right time.”

The aforementioned layered approach means that FIs must integrate various silos within the firm and create a sort of fraud “hub” that can identify high-risk transactions, said Tharle.

Embracing The ‘Fraud Hub’

He pointed to platforms such as NICE Actimize’s IFM-X, which can integrate structured and unstructured data into those fraud hubs to get a holistic view of risk, leveraging machine learning (ML) and biometrics, among other advanced technologies.

In this way, FIs gain granular insight on transaction details and device details — and can pinpoint SIM swaps and other fraud techniques that otherwise can fly under the radar.

“By having good, ‘slick’ authentication, you get around some of the abandonment issues and put strong security in place,” he said.

FIs, he added, can step up authentication factors (three factors and beyond) and challenges as new risks are identified or transactions pass a threshold of, for example, $10,000.

The multi-layered, integrated approach also is valuable as fraudsters attack an FI’s corporate clients, said Tharle. Those customers have been seeing an uptick in BEC fraud, identity theft and synthetic ID schemes, and in some cases the bad actors have been trying to siphon off funds from the Paycheck Protection Program (PPP).

He noted too that with distributed workforces, it can be harder to track employees who are tasked with making payments on behalf of their employers.

In the ever-evolving battle against fraudsters, waged across new fronts, “being able to have the right toolkit to help detect and look for anomalies and then do something about that” is critical, he told PYMNTS.