PYMNTS Intelligence: The Problems of First- and Third-Party Fraud in the Digital Ecosystem

Digital fraud is a constant threat to banks, businesses, government entities and individuals, and its volume and costs continue to expand, despite the best efforts of oversight agencies and security and risk management teams. The rate of suspected digital fraud attempts swelled 17% worldwide year over year in Q2 2021, and certain industries were targeted far more than others. For example, the gaming industry experienced a fraud increase of 393%, and fraud affecting travel and leisure companies grew by 156%.

Fraud can largely be divided into two general types: third-party fraud, in which bad actors mask their identities to stage cyberattacks, and first-party fraud, in which disingenuous actors use their own identities in malicious ways. Both are pernicious threats to consumers and organizations of all types. This month, PYMNTS explores the various methods that third-and first-party fraudsters leverage in their schemes.

Third-Party Fraud

One of the most dangerous methods of third-party fraud is new account fraud, in which bad actors deploy fake identities to open new accounts at banks or businesses for use as staging grounds for fraudulent activity. Identity theft is the most well-known source of these false identities, but some fraudsters develop synthetic identities instead.

New account fraud is a relatively new phenomenon, as banks considered it a low priority in the early 2000s, but it has grown into a full-blown scourge, with 85% of financial institutions (FIs) reporting fraud in the account opening process. Banks were expected to lose $3.5 billion to new account fraud in 2021.

Some bad actors instead seize control of existing accounts, a method known as account takeover (ATO) fraud. A 2021 report found that 22% of U.S. households have been victimized by an ATO at some point, costing victims an average of $12,000 per incident. The source of these attacks can vary greatly. Sixty percent of ATO victims report using the same passwords across multiple accounts, a practice that puts them at high risk of identity theft if their passwords are compromised.

Bad actors have a variety of means of accessing potential victims’ personal information, with some obtaining it themselves through phishing emails or malware, while others purchase logins in bulk from dark web marketplaces.

Third-party fraud can be devastating and represents the most common perception of fraud, but it is by no means the only type. First-party fraudsters, for example, are even bold enough to use their own identities.

First-Party Fraud

Most first-party fraud, also called friendly fraud, revolves around exploiting or abusing existing company policies, such as returns, chargebacks or promotions. The most common form of friendly fraud occurs when customers request undue chargebacks from their banks, falsely claiming that their transactions were fraudulent or that their orders never arrived. The banks overturn the sales, refund the customers and then go back to the merchants to recoup the payment. Chargebacks accounted for 29% of eTailers’ fraud losses last year.

Other first-party fraudsters interact with victims directly rather than using a go-between such as a bank or credit card provider. Promotion abuse, for example, consists of fraudsters reusing discount codes, making multiple new accounts or signing up for multiple free trial periods to take advantage of limited-time or one-per-customer promotions.

Other bad actors leverage return fraud, exploiting generous return policies to claim items were defective when they were not. These fraudsters demand refunds while keeping the items they purchase, essentially scoring them for free. Some fraudsters do this solely for the sake of obtaining items for themselves, while others make a career of selling the stolen goods for below-retail prices.

In short, bad actors utilize a staggering variety of fraud methods, and businesses of all types are struggling to defend against them. It is unlikely that a one-size-fits-all solution exists, so businesses must take a multilayered approach to data security.