Fraud: Why Everything Old Is New Again

Fraudsters aren’t usually static. They’re often dynamic when on the hunt for new weaknesses to exploit, new targets to go after and new ways to get into systems where they aren’t supposed to be. And while COVID-19 has accelerated fraud, it’s been more about increasing the quantity than the quality of the scams, an expert panel told CEO Karen Webster recently during PYMNTS’ latest On the Agenda roundtable.

Panelists said most of the frauds we’re seeing today have been incubating in the background for years, but the incredible speed of consumers’ switch to digital commerce has allowed cybercriminals to drop their feet on the accelerator.

“Merchants have since gotten smarter, but they had to make some very fast decisions — and when you make fast decisions, that’s when fraudsters may see a flaw or a security flaw that they can take advantage of,” said panelist Stoddard Lambertson, director of global fraud and breach investigations at Visa. He joined Anne Curtis, TD Bank’s head of U.S. fraud operations; Jamie Warder, KeyCorp’s executive vice president and head of digital banking; and Saurabh Bajaj, chief product officer at Feedzai; in discussing the issue with Webster.

Panelists agreed that the great digital rush has placed more consumers into the eCommerce ecosystem than ever before. They’re also doing more types of things than ever, which has required a lot of fast retooling by businesses — and opened up a lot of opportunities for fraudsters.

After all, consumers are not only buying everything from groceries to clothes online, but also using their devices to work or go to school online, seek entertainment and file for government benefits. All of that has fraudsters showing up in all sorts of new places, launching all kinds of attacks from high-tech bot armies to low-tech social engineering. That’s creating a whole new playing field for those tasked with preventing such scams.

“I think we have to find ways to build authentic trust and communicate it in new and interesting ways,” KeyBank’s Jamie Warder said. “This isn’t a brand-new problem, but I think this is something that we’re having to figure out as an industry that COVID-19 has drastically sped that up and across the board raised the bar.”

Clearing that bar will take more than just a one-off security solution. It will require a new paradigm of security, with a focus on shoring up the weakest links that fraudsters have spent the past several months exploiting, panelists agreed.

Trust, But Verify 

Feedzai’s Bajaj said that if one looks at fraud’s rapid rise in the wider context of the societal changes currently afoot, fraudsters have gotten a great gift of perhaps 10 times more ways to monetize their bad behavior. They’re also getting a chance to leverage all the ill-gotten personal information they boosted during data breaches.

“So the normal is, ‘This not normal, and the data breaches are increasing,’ right?” he said. “There are more ways to monetize these stolen cards [and] credentials, and customers are more vulnerable than ever because you have social engineering and scams that are now built on fears that are now more personal because of COVID-19.”

Worse, the target pools are expanding, panelists said. So-called “man-in-the-middle” attacks are on the rise, while U.S. government payouts like unemployment benefits or federal funds disbursed from the CARES Act are increasing. First-person fraud is escalating, while attacks on merchants are ramping up in terms of crooks’ audacity.

“The world has changed, with credentials hacks to more recently fraud schemes where they’re expanding on the track of getting consumers’ credential accounts [to] where they’re trying to get merchants’ credentials accounts,” Visa’s Lambertson said. “And this is not to get account data. it’s actually to send clearing and settlement batches — [a] totally different fraud scheme. All of these changes and expansions just show you that you have to be eternally vigilant of what is going on out there.”

TD Bank’s Curtis agreed. She said merchants must redevelop their entire paradigm around security to be more holistic, premised around understanding the entire consumer journey and building security for it end to end.

The transaction point is just the final step in a fraud-fighting process. Fraud can show up at all points on the consumer journey, as fraudsters have learned to vary their attacks.

But merchants must secure data on the back end, away from the consumer’s direct line of sight. Curtis said that while the point of security is to protect users, fending off fraudsters by adding in piles of front-end friction is a solution that’s bound to fail.

“A balance is something we have to continue to have, and I do think education is so critical right now — especially as folks are moving more toward the digital platform,” she said. “I think we have to do a better job of proactively reaching our customers from an online perspective, knowing that … scam and phishing activity is definitely on the rise.”

But panelists agreed that as much as technology can help, humans will continue to be perhaps the primary link in any security chain.

The Silver Lining

COVID-19 will end someday, but the security woes it has uncovered (and the requisite need to revamp the security ecosystem) won’t.

“The messages we’re saying in this is that COVID will come [and] COVID will go, [but] there’s going to be another regional or global crisis,” Visa’s Lambertson said. And fraudsters every time will try to go at it, whether it be on mobile, online or face to face. They will always try to go after whatever that pandemic is, whatever that crisis is. Whatever the world event, they will try to see if they can leverage and exploit that event to their advantage.”

He admitted that sounds like a rather dark pronouncement, but for the fact that fraudsters aren’t the only ones getting more practice in today’s target-rich environment. So are the people who are fighting them. Lambertson said.

They’ve learned to look at more data points, watch the entire consumer journey, ditch the rules-based systems of the past to embrace dynamic, artificial intelligence (AI)-backed systems designed to spot emerging fraud patterns in real time. The task now is to build what’s known to better stop fraudsters without damaging the digital experience for billions of legitimate customers worldwide.

KeyCorp’s Warder said fraud’s recent uptick is disturbing, but the situation actually looks more hopeful now than in the past because of everything the industry has learned during the pandemic.

“COVID has only accelerated the challenge we face across the board – but counterintuitively, it also creates more defense mechanisms,” Warder said. “There [are] literally hundreds of thousands of more data points out there that can help you triangulate to a better answer as to whether this interaction is legitimate or not.  So, I do think [that] as digital creates new risks, it also creates new defenses.”