Answering that question starts with knowing who they are and how they practice their trade. As Kount VP Don Bush and Karen Webster chatted about in a live digital discussion, it’s also time to stop underestimating how effective they can be at getting your data and using it against you and your customers.
Fraudsters have come a LONG way.
If you have an image in your head of the solitary hacker sitting in a dark, dingy basement typing away at a computer, then think again.
The cybercriminals of today are organized, collaborative, motivated and tend to look and operate more like any business professional out there working today.
Don Bush, VP of Marketing at Kount, recently joined Karen Webster for a live digital discussion on what fraudsters are up to these days and how they perfect their trade.
Just like any other professional does.
They carve out their career paths and take the necessary steps to be successful — getting the right training and education, learning from mentors, working from the ground up to gain experience, using networking to connect with the right resources and doing their best to get promoted to the top of the (cybercrime) hierarchy.
And not only is the internet their stomping ground, but it’s also a place where fraudsters have been able to cultivate their own communities and networks — enabling them to keep in touch, share tips, advertise opportunities, seek out help and even boast about their accomplishments.
One of the biggest problems facing the payments industry today is that merchants continue to have a tendency to underestimate them.
As Bush pointed out, fraudsters are more aggressive and equipped with advanced data and improved tools.
“Even merchants that think they have a handle on it, what they were doing last year probably isn’t good enough for this year,” he said. “Whether you know that you have a fraud problem or you don’t, sometimes, even the methods we use to deter fraud can limit us.”
There’s a number of reasons why the fraud problem is getting worse, Bush explained. Fraudsters have better tools and data and are more specialized in their execution, which gives them more opportunity to practice their craft.
There’s one more thing.
“These guys run pretty rampant, with very little worry about being caught or prosecuted,” he added, since it really isn’t clear who has jurisdiction.
Fraudsters really don’t have to look far (or pay much) to access the sensitive and valuable data of both merchants and consumers.
Thanks to the success these fraudsters have had, there are now millions of compromised records made available online. Unfortunately, they aren’t that expensive to purchase.
Bush recalled research showing over 700 million records were breached in 2015, 1.2 billion records are available on the black market and more than 603 million payment cards were compromised.
He also said that roughly two-thirds of all credit cards are most likely compromised.
The data is out there — it’s good, it’s fresh and it’s being sold throughout the fraudster community, Bush pointed out.
But the availability doesn’t just end with data breaches.
Fraudsters are also able to rely on many tried-and-true techniques, such as spam emails, because they still work today.
Those “spoof emails” aren’t just coming from that “Nigerian prince” either. Fraudsters use better execution to send malicious emails impersonating legitimate financial institutions and payments providers in order to trick people into handing over their data.
Fraudsters are also turning to social engineering as another tactic to access rich data.
Bush said that cybercriminals use social networking sites as a way to advertise and find victims 24/7, especially those individuals who may not be as security-minded.
All it takes is for someone to unknowingly click on a message from a “friend” mentioning the ability to get something free if they just “click here,” and they could quickly introduce malicious code to their device or open the door to a fraudster accessing their information.
“The social aspect of fraud is growing rapidly as well,” Bush noted.
The growing list of tools for the fraudster trade is staggering, and access to them continues to get easier.
From longstanding technologies, like bots and Trojans, to new anti-detection tools that allow fraudsters to spoof who they are online, all it takes is a few clicks online for someone to buy everything they need to perpetrate fraudulent activities.
These resources can be found for sale all over the web and are packaged and promoted similarly to any other software bundle on the market. Bush said many even have subscription-based offerings and marketing videos.
Just like any other growing industry, the world of cybercrime also has an array of newsletters and online publications to keep fraudsters in the know. These outlets typically provide information about what’s going on in the space, new products and services and the latest techniques and how to use them.
Fraudsters are able to quickly and easily learn about the latest and hottest fraud topics, access “how to” guides, attend seminars and stay on top of any relevant industry updates.
These resources showcase the evolution and sophistication of fraudsters’ professional development networks. Just like in the legitimate business world, Bush said fraudsters have learned that they can make more money when they do a better job of creating resources that are more professional-looking and accessible.
They know the value in stepping their game up.
By becoming aggregates and helping to send their peers to the right sites and affiliate networks they need, fraudster have tapped into a whole new side of the cybercrime business.
“It’s rampant out there because they know that prosecution is just not going to happen,” Bush added.
“Whenever there is disruption or change, that provides opportunity,” Bush said.
And there’s no question that fraudsters are going to take advantage of every opportunity they can get.
Today, fraudsters are after more than just financial data and payment card information. They’ve discovered that the more they know about a person’s identity, the more havoc they can wreak.
Take tax returns, Bush said. The amount of personal information entered on a consumer’s tax form is a fraudster’s dream — employment details, salary, Social Security number, deductions, bank account and investment account numbers, etc. With that information, a fraudster can create new identities to perpetuate fraud.
Bush describes the synthetic IDs fraudsters make as a “Frankenstein” of digital information, allowing them to pick parts and pieces of legitimate data to create the digital identity of a person who doesn’t even exist in real life.
And with the deployment of EMV in the U.S., fraudsters have not only been pushed online but they are also moving more aggressively into other ways of moving money.
Gift card fraud is one of those ways that enables laundered funds to be turned into cash quickly.
Fraudsters know they have a limited timeframe in which to work with a stolen payment card, Bush said, so they typically move quickly to validate the card works and then turn to things that are just like cash, such as gift cards.
“They’ll go buy up gift cards because they hold value and they are legitimate,” he explained. Once the gift card is purchased, whether the credit card used is flagged as fraudulent afterwards or it’s charged back, it doesn’t matter anymore because cash has already changed hands.
Another big area of opportunity lies in mobile.
According to Bush, studies predict, within the next year or two, there could be as many as 10 billion mobile devices out in the market.
Unfortunately, Kount’s data shows that 40 percent of merchants cannot detect what type of a device their consumer is even transacting from.
This is troubling for two reasons: It can lead to reduced sales, and it doesn’t allow merchants to know attributes of their customer that could introduce fraud.
“If you don’t know the type of device, you give up the opportunity to know the characteristics and behavioral patterns that go with that device, and it leaves fraudsters with another opening,” Bush emphasized.
For instance, three out of four tablet owners are shown to make weekly purchases using their devices, yet tablets remain the device that merchants decline the most. Bush said that, because merchants are unaware of the devices behind the purchase, they lose sight of the higher-order values and greater frequency of use that shoppers tend to have when they are on tablets.
Fraudsters are also taking advantage of the rise of omnichannel services.
By observing patterns of delivery and intercepting packages, fraudsters have been able to use omnichannel techniques to steal from merchants and consumers alike through offerings such as click-and-collect.
As the time merchants have to look at a transaction and mitigate fraud becomes more compressed, fraudsters can easily stand in a store, make an unauthorized purchase on a mobile device and, before the fraud can even be detected, they are walking out with the fulfilled order, Bush said.
“They’re ingenious. To be honest, they’re pretty smart,” he added.
Bush explained that, despite the gloomy scenario, there’s still an opportunity to keep fraudsters at bay. But it starts with a layered approach — putting more layers in between the good guys and the cybercriminals.
To do this, it’s not only important to know what technology is out there but how to use it.
And recognize that they actually have a problem and a clear idea of what “normal” buying patterns actually look like for their site.
Bush put it simply, “If merchants don’t know what’s happening, they have a much harder time thwarting the fraudster’s attempts.”
There are many fraud tools and technologies out there to help merchants both detect and mitigate increasing cybercrime threats. But it’s also important for merchants to know they can, and should, seek out the help of experts when they need it, Bush noted.
No matter which route they choose for fraud protection, merchants should try to keep up with the proliferation of new technologies and connected devices, while also ensuring the technology they are employing is up-to-date and top-of-the-line.
But it’s also about striking the right balance between fraud protection and keeping customers happy, which Bush said takes strategy.
“In the end, what we want to remember is that speed and flexibility are key. The Amazon one-click world is here to stay, and it’s not going anywhere. Customer expectations are high, so we can’t delay them when we start to put in these other mitigation tools,” he explained.
The right strategy to fight fraud should take into account three pillars, which Bush identified as fraud protection, strategy management and operational management. It needs to be comprehensive and reach across a range of customer interactions, including online, mobile and in-store.
“Better fraud mitigation not only helps you out of the woods with fraud, but it also helps you accept more valid orders, and that’s really the one-two punch that we want to see.”
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More