Illustration of man holding balloons that carry him over a field of coronavirus; meant to illustrate how payment service providers can get ahead of fraud during COVID-19

How PSPs Can Get Ahead of Fraud in the Post COVID-19 World

Fraudsters have been busy. During this crisis phase of the Coronavirus pandemic, they’ve launched an avalanche of attacks. Perhaps more importantly, they’re poised to commit even greater fraud once governments start easing lockdowns and consumers start shopping again.

Fraudsters are plotting future attacks, PSPs should fight them now

The number of consumer transactions has decreased, but scams are on the rise. It’s the perfect environment for criminals to be in attack mode. They’re using bots to initiate multiple login attempts from the same device or the same location. Their goals? Discover which login credentials they’ve garnered through phishing scams or other fraud schemes provide them with access to their victim’s accounts. Once they know a login credential is valid, they’ll either sell the credential on the dark web or use the credentials themselves.

Payment service providers (PSPs) can also find opportunities in this period of reduced transactions. Because the number of transactions has decreased, false positives should also have reduced.

Use the time this provides to beef up your fraud-fighting techniques and prepare for the wave of fraud that’s likely coming as governments remove strict lockdown measures.

Transaction monitoring in an upside-down world

Transaction monitoring, typically a superior method because of data, volume, and consistency, may need a boost from fraud prevention techniques rooted in the current crisis. Day-to-day consumer transaction behavior is significantly different than what it was pre-pandemic.

You could make major changes to models or your infrastructure to accommodate consumer behavior changes. Still, I’d advise against such drastic measures because the data that you’re using is in an artificial period.

Instead of making significant changes, double down or start to identify early fraud pattern indicators so you can block fraud in the coming recovery.

How to protect your customers from fraud

Protect vulnerable digital users

Municipal lockdowns and social distancing have forced many traditional customers to become digital customers. And customers who usually just look at their accounts online, whom I refer to as digital views, are now forced to transact online.

Most of this new digital customer base doesn’t trust online banking, yet they’re particularly vulnerable to fraud schemes. They’re going to need extra support making this transition. The strategies for determining who this population is can include:

  • segmenting users who have either increased their digital usage from zero to medium or from low to medium;
  • combining that information with traditional, vulnerable indicators that you’ve seen in previous scams; and
  • looking for other indicators on their files, specific MMC codes, or other notes, that might indicate a particular vulnerability that fraudsters can easily exploit in the context of a pandemic.

Once you’ve zeroed in on this population, determine how to treat them given your policies and strategies as they’re the most vulnerable.

Educate your customers

Educating customers to avoid fraud scams is the million-dollar solution, but far easier said than done. One crucial step is directing customers to legitimate sources of information on coronavirus fraud scams such as the Federal Trade Commission, the World Health Organization, and INTERPOL.

You may also want to help customers distinguish between trusted communications and advice from fraudsters. Providing an illustration that compares a legitimate email vs. a phishing scam can be helpful.

Be sure to utilize pop-ups in apps and on your website to spread this message as well.

Leverage e-Crime partnerships

Capitalize on existing relationships with e-crime providers, dark web experts, and both internal and external cybersecurity professionals to uncover credential testing and check customer scam reporting.

Don’t neglect consortium data

Because we’re in such unchartered territory, industry sharing of data may have slowed. While that makes sense from the perspective of not wanting to be wrong about what you’re calling fraud, sharing data across PSPs (be they banks or acquirers) is invaluable now.

Check whether you’re sharing the same amount of data as before the Coronavirus, and try increasing how often you share. I’d recommend sharing data twice a week for now.

How to identify early fraud pattern indicators

Fraudsters and credential testing

When fraudsters steal login information, they test the credentials to ensure they work. Scammers often conduct credential testing on a volume basis via bots. Fraudsters attempt a large number of logins from the same device or the same location in an attempt to discover which credentials give them access to the victim’s account. We’ve seen bot-enabled credential tests attempt one million logins in one minute. They’re collecting, testing, and cleaning data.

You can help stop them by uncovering the telltale signs of credential testing, which can include:

  • spikes in daily login rates from the same device that last from half an hour to several hours combined with higher failure rates;
  • bots that hide devices, label them as unknown, or simply don’t provide any information regarding the device;
  • cross border logins (which should stand out as most people are stationary) particularly if combined with a test transaction (a charge of less than £1) that is not a typical e-commerce event — a proverbial red flag;
  • logins using the same password in different accounts;
  • one device logging into multiple accounts;
  • sequential IP addresses, such as 127.40.48, 127.40.49, 127.40.50;
  • increases in the number of failed logins over the previous week;
  • older, well-known accounts that have a sudden increase in activity;
  • increases in updated account information such as user name, password, address, etc.; and
  • perfectly uniform mouse movements – bots always click on the exact same spot on a website button, say the center of the button, whereas humans vary where on the button they click.

IP addresses hold new value

Traditionally, looking at IP addresses to indicate fraud would be a fool’s task; many corporations require employees to share IP addresses. Having thousands or even tens of thousands of people using the same IP address makes that method implausible.

However, in the upside-down world of Coronavirus, large parts of the global population never stray far from home. The beauty of this, and the perversity of where we are right now, means looking for common IPs is more valuable than ever. Dusting off the cobwebs from this old technique can help distinguish good behavior from fraudulent behavior.

Focus on session times

Most scams take longer than legitimate activities, so look at online session times. If sessions typically take four or five minutes are now fifteen minutes long or longer, that’s probably indicative of account takeover (ATO) or other fraud.

That’s true in reverse as well. Sessions that are less than thirty seconds long can also indicate fraud.

Collaborate with your cybersecurity teams

We all know that working in silos creates blind spots. That’s particularly true when fraud teams cut themselves off from the organization’s cybersecurity team. Instead, work together to understand:

  • number of logins to an account;
  • marked changes to website traffic; and
  • the number of phone calls to customer service regarding password resets initiated by the customer.

These are all fraud tells.

Look for concurrent logins

If someone is logged in via a computer and also on a mobile device, that might indicate that a fraudster is trying to get a victim to take one action through the web and do something else through their mobile device.

Build trust

Consumers understand the need for added protection right now. That won’t always be the case, so use this grace period wisely. Here are a few ways to build trust:

  • Password reset. Many companies do this on a three or six-month basis. Now is the perfect time to implement that requirement. Resetting passwords is a quick and easy way to thwart ATO attacks.
  • Trusted devices. Create a safe login via a device. Some companies, such as Google, already do this. It would be prudent for all companies to require some form of two-factor authentication (2FA). With 2FA, a customer wouldn’t be able to log in from an unknown device without first providing the code that you would send to a registered and trusted device. While people are stationary, adding location data to this process dramatically improves the security around logging in from new devices.

Gray lists: putting it all together

Let’s say you take all the advice I’ve outlined in this article. And sure enough, you find customers who’ve had long banking sessions or cross border transactions below a dollar. But you’re not sure it’s fraud, are you? And, let’s face it, the volume is too high to call every customer. And frankly, with everyone’s cell phone currently flashing the ubiquitous “scam likely” when the phone rings, you stand a good chance of getting lost in the noise.

Let’s face it; it’s one thing to know what to look for; it’s a whole other thing to implement processes based on those learnings.

Enter the gray list. A gray list is a method of integrating these insights into the system. The gray list allows you to say “wait and see” in a way that doesn’t lose the knowledge you’ve gained. It identifies and segments populations who will be at heightened risk later should further events occur.

When we shift from crisis to recovery, the number of transactions will increase. Fraud will increase as well, and this is when you can set different thresholds and values. It can be as simple as saying instead of waiting for a fraud score to hit 900, if the score is 700, but is also on the gray list, trigger an alert. What you’re doing is increasing your monitoring threshold for those at risk.

Key Learnings

Fraudsters are in attack mode. They’re preparing to commit an onslaught of fraud once consumer spending picks up, indicating that we’ve moved past crisis mode and into recovery mode. PSPs should use this time to get ahead of the fraud that’s on the horizon by placing a particular emphasis on protecting the most vulnerable populations. Utilizing techniques well suited to the current environment will help uncover fraud behavior patterns. Finally, implementing gray lists ensures acting at the right time to help prevent fraud.

Subscribe to stay infomed