Why Cybercrooks Love Alternative Payments


By now it’s clear that fraudsters migrate to the spaces where vulnerabilities are available for them to exploit. Now that credit cards are more secure than they’ve ever been, cybercriminals have set their sights on increasingly popular alternative payment methods (APM). Dan Frechtling, CMO and chief product officer of G2 Web Services, shared why APMs have become the hot cybercrime ticket and how financial services companies can best protect themselves against the growing threat.

Fraudsters are always looking for unsuspecting payment types that can be used to perpetrate their crimes.

Today, that means alternative payment methods, or APMs.

G2 Web Services sorts these alternative payments into eight different types: peer-to-peer (P2P) payments, money service businesses (MSBs), eWallets, mobile payments, prepaid cards, vouchers, bank debits and credits or linked bank accounts, and cryptocurrencies.

Dan Frechtling, CMO and chief product officer of G2 Web Services, used this analogy: hackers are cybercriminals who seek unauthorized access to data, while payment hustlers seek unauthorized access to payment methods.

It’s no surprise that as credit cards have increased in security, the payment hustlers have been hard at work finding other payment methods to use as avenues for fraud.

“Because fraudsters are finding it harder to launder proceeds through credit card networks, they are looking for less monitored payment types — they are exploiting loopholes and looking for weaknesses,” Frechtling said.

APMs are extremely vulnerable because of their tendency to unwittingly enable crime and fraud.

The APM Growth Trajectory

One of the most common themes among all APMs is that they are growing very quickly, driven by a surge in both consumer and merchant acceptance.

It’s because of this growth that banks, merchants and acquirers should pay attention to the ever-evolving market of alternative payments.

Frechtling shared that this year, according to data from Juniper Research, mobile wallet transactions are expected to grow to $1.35 trillion, a 32 percent increase over what was reported in 2016. According to Mastercard, digital wallets comprise 75 percent of social conversations about new payment methods, which amounted to 2 million mentions.

“When people talk about new ways to pay, digital wallets dominate the conversation,” he noted, underscoring the increasing popularity and usage of APMs, such as digital wallets and P2P payments.

P2P payments, Javelin Strategy & Research reported, will be used by nearly 100 million adults in the U.S. this year, which is about a 25 percent increase over last year and equates to about 38 percent of the U.S. adult population.

There’s no doubt that these types of APMs are not going anywhere anytime soon.

“They will not just grow payments, but they will steal [shares] from the traditional credit card transactions,” Frechtling pointed out.

Overshooting the Bare Minimum

With the increased usage of alternative payments has quickly come increased attention from both cybercriminals and the authorities charged with keeping them at bay.

To help combat fraud and payment laundering in this space, financial institutions and APMs must do their due diligence and apply know your customer (KYC) and/or know your customer’s customer (KYCC) checks in the area of anti-money laundering (AML) and fraud prevention.

“They have to know, as a bank or as an acquirer, where the money is being spent,” Frechtling emphasized. “You have to take a payment chain view, not just the very next link.”

He suggested that it’s not just about focusing on the payment method itself, but also looking down the chain to ensure those methods are not engaging in things that could be criminal or in violation of AML.

Not only is it necessary to know who owns a business using an APM and who they are doing business with, but companies must also be able to monitor changes within business models or changes within the owner or beneficial owner structure. Bad actors are constantly coming in and out of the market over time, which makes monitoring an important part of fraud prevention.

“It’s more than just AML that you need to worry about as a payment method — it’s really reputation as well,” Frechtling noted.

Consequences of Aiming Low

Authorities don’t just look at banks and hold them responsible when cybercrime takes place — they look at payment processors, alternative payments and a number of industry participants, Frechtling explained.

This is why APMs must do their best to stay ahead of bad actors before law enforcement or regulators have to get involved, because the repercussions can be quite costly.

Though the larger, more established APMs tend to have a better handle on fraud prevention because they’ve been at it longer, Frechtling noted that the smaller players in the space can often underestimate the necessity of protecting their payment channels from the impact of cybercrime.

Newer entrants are typically focused on simply trying to grow their business and get their operations hardened, so effectively protecting against fraud can sometimes become an afterthought.

Frechtling said many payment facilitators are focused on removing friction and making the consumer experience easier, which are great intentions but can lead them to leave the back door open for fraud and cybercriminals.

“That’s the conundrum — you still might be a small guy, but you have to think big and similarly to how the more established APMs are protecting themselves,” Frechtling explained. “It’s actually quite hard and can make it harder to be a startup or innovator in this space as a result.”

Many APMs also run the risk of using manual processes that work fine as they are just starting out, but as they begin to grow their businesses, those processes can turn into choke points.

If left unaddressed, they also open the door for bad actors to come in.

Addressing the Threats

Through its investigative process, G2 Web Services has identified three common fraud themes that have taken hold in the past few months within the APM space: payment hustling, sequential digital wallets and local law arbitrage.

Frechtling said that after a G2 client found out its credit card acquiring client was engaging in counterfeit pharmaceuticals, the account was closed; but in many cases, 25 percent of merchants terminated for misconduct will later restart the very same prohibited services. In this particular case, the site was relaunched using a popular P2P payment method, proclaimed that it no longer accepted credit cards and incentivized customers to use the APM for transactions.

That’s the payment hustle — when a fraudster is shut down on one payment method but starts back up using another.

Since digital wallets can be funded with a credit card or bank-linked account, card networks require operators that work this way, an arrangement known as a staged digital wallet, to register with the network to ensure the systems aren’t being abused.

As a result, some operators may put another wallet in front, which is known as a sequential digital wallet. This enables the first wallet to be funded with a credit card, and then that money is used to fund another wallet that hides who the cardholder is and how the money is being used from the card networks. Now the consumer can go gamble, buy counterfeit goods or do other things because the wallet they are using is essentially hidden from the card networks, Frechtling explained.

The final theme noted by G2 is when consumers simply utilize the mobile wallet of another country to make purchases of things that are illegal in their own countries, which Frechtling referred to as local law arbitrage.

In any case, companies must come to their own conclusion on how much it’s worth for them to avoid the reputation damage, law enforcement intrusion or regulator scrutiny that can come as a result of being held liable for fraud taking place via their payment channel.

“The other side of it is that these are fraudulent merchants, and they are engaging in fraudulent acts, so they will cost you money and leave you holding the bag,” Frechtling added.

While many established players aren’t willing to take a chance on this happening, smaller or newer entrants may not see the value in protecting themselves adequately.

Due to the increased seriousness surrounding AML, a company’s ability to protect itself from harm can mean the difference between making it and breaking it for its operations.

“It’s not really a choice — you are going to be targeted, and it’s just a matter of how good your defenses are,” Frechtling said.
