Fraud Insights - ComplyAdvantage
https://complyadvantage.com/insights/topic/fraud/

What is Account Takeover Fraud?
https://complyadvantage.com/insights/what-is-account-takeover-fraud/
Tue, 21 Mar 2023 14:02:26 +0000

In the US alone, it is estimated that losses related to account takeover fraud (ATO) amounted to $11bn in 2021, representing a 90 percent increase from 2020. 

In our 2023 global compliance survey, 39 percent of respondents said the type of fraud they were most concerned about was credit/debit card fraud, closely followed by identity theft (36 percent) – both of which are closely related to ATO.

As fraud and scams continue to evolve, it is critical for compliance teams to enhance their knowledge of specific fraud types so mitigation efforts are targeted and effective. 

What is Account Takeover Fraud (ATO)?

Account takeover fraud (ATO) occurs when a criminal takes control of a victim’s online account to steal funds or sensitive information. This can happen when a customer’s login details – such as username and password – are used without permission to access their bank account, credit card, mobile phone account, or eCommerce account. The cybercriminals then make fraudulent transactions from the customer’s account, using sophisticated techniques to remain undetected and avoid raising suspicions from the victim or their bank.

Commonly, customers’ credentials are stolen or bought on the dark web in order to commit ATO. This cybercrime has become even easier following several high-profile data breaches affecting large corporations. Once the credentials have been stolen, the criminals either financially defraud the victim or sell their details to a third party. For example, a cybercriminal may pay over $1,000 for the credentials to illegally access a PayPal account.

How Does Account Takeover Fraud Differ From Identity Theft? 

While account takeover fraud and identity theft are similar, the concepts are not interchangeable. With ATO, a victim’s credentials (username and/or password) are stolen for financial gain. With identity fraud, cybercriminals typically have access to some of the customer’s details, but not their login credentials. 

The two fraud types, however, do have a strong connection. Aite Novarica found that 64 percent of US consumers who experienced identity theft in 2021 also experienced account takeover fraud. 

What Methods are used in Account Takeover Fraud?

Common ATO methods include:

  • Credential stuffing: With credential stuffing, fraudsters use automated tools, or bots, to test lists or databases of stolen credentials to find a match. When people use the same username and password across more than one service provider, this makes it easier for criminals to illegally access customer accounts. This type of cybercrime is also known as list cleaning, breach replay, or password spraying.
  • Brute force attacks: In a brute force attack, cybercriminals use bots to try to hack into accounts by trying multiple different passwords on a single site. This is similar to credential stuffing, but more guesswork is involved. When the bots use random words to try to guess a customer’s password, this is known as a dictionary attack.
  • SIM swaps: SIM swapping is a form of social engineering where a criminal transfers the victim’s phone number to their own SIM card. This means they can access the victim’s mobile banking app and intercept security measures such as one-time passwords (OTPs). They can also access any data on the SIM that helps them discover other passwords or personal identifying information (PII).
  • Phishing and social engineering: An estimated 22 percent of people in the US have been victims of account takeover fraud, with phishing and social engineering among the most common methods. Fraudsters use information easily discovered online to trick victims into revealing PII. They then use this information to commit account takeover identity theft. Criminals can also send emails to your contacts to try to defraud them too. 
  • Man-in-the-middle attacks: Man-in-the-middle attacks are commonly carried out on people accessing public hotspots when they are out and about. Bad actors can disguise their network as a public hotspot and steal payment data from unsuspecting victims. For this reason, many financial institutions encourage customers not to carry out financial transactions over public Wi-Fi hotspots.
  • Malware: Criminals adept in account takeover fraud are becoming even more sophisticated, and some are now using malware to intercept OTPs (One-Time Passwords).

How to Detect Account Takeover Fraud?

With global e-commerce sales set to reach $8.1 trillion by 2026, it has never been more important to get ahead of criminal trends, technology, and behaviors. 

Compliance and fraud professionals in financial institutions should be aware of red flags related to this practice and trained in how to spot and report illegal activity. Fraud and anti-money laundering (AML) teams should work together to share information in order to provide a high level of ATO protection. A fraud and AML (FRAML) approach can aid early detection, improve efficiencies and help professionals stay ahead of new typologies.

Examples of account takeover red flags include:

  • Multiple login attempts
  • Multiple password change requests
  • Changes to the back-up device or email address where OTPs are sent
  • Notifications being turned off
  • Changes to contact details, including postal address and zip code
  • Setting up of a new payee or authorized user
  • Requesting credit cards or cheque books to a new address

While no single red flag will reveal if an account has been compromised, firms should consider each transaction’s relevant facts and circumstances in line with a risk-based approach to compliance. 
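The red flags listed above can be combined into a simple per-account score, so that one event alone stays quiet while several inside a short window raise an alert. This is an added example, not ComplyAdvantage code; the event names, weights, 24-hour window, alert threshold, and sample events are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
ALERT_THRESHOLD = 6           # assumed; tune to the firm's risk appetite

# Raw event type -> (red flag, weight). One occurrence is enough.
SINGLE_EVENT_FLAGS = {
    "otp_destination_changed": ("otp_destination_changed", 3),
    "notifications_disabled": ("notifications_disabled", 2),
    "contact_details_changed": ("contact_details_changed", 2),
    "payee_added": ("new_payee_or_authorized_user", 3),
    "authorized_user_added": ("new_payee_or_authorized_user", 3),
    "card_sent_to_new_address": ("card_or_cheque_book_to_new_address", 3),
}
# Raw event type -> (red flag, weight, minimum count inside the window).
BURST_FLAGS = {
    "login_failed": ("multiple_login_attempts", 2, 5),
    "password_change_requested": ("multiple_password_change_requests", 2, 2),
}

def parse(line):
    """Parse 'ISO-timestamp account event_type' into a tuple."""
    ts, account, event = line.split()
    return datetime.fromisoformat(ts), account, event

def score_window(events):
    """Return {red_flag: weight} for one account's events in one window."""
    counts = Counter(event for _, event in events)
    flags = {}
    for event, n in counts.items():
        if event in SINGLE_EVENT_FLAGS:
            name, weight = SINGLE_EVENT_FLAGS[event]
            flags[name] = weight
        elif event in BURST_FLAGS and n >= BURST_FLAGS[event][2]:
            name, weight, _ = BURST_FLAGS[event]
            flags[name] = weight
    return flags

def evaluate(lines):
    """Score every account by its highest-scoring window of events."""
    by_account = defaultdict(list)
    for line in lines:
        ts, account, event = parse(line)
        by_account[account].append((ts, event))
    results = {}
    for account, events in by_account.items():
        events.sort()
        best = {}
        for i, (start, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            flags = score_window(window)
            if sum(flags.values()) > sum(best.values()):
                best = flags
        score = sum(best.values())
        results[account] = {"score": score, "flags": sorted(best),
                            "alert": score >= ALERT_THRESHOLD}
    return results

# Constructed sample events (not real data).
SAMPLE_EVENTS = (
    # A-1001: failed-login burst, then OTP reroute, alerts muted, new payee.
    [f"2023-03-01T02:1{i}:00 A-1001 login_failed" for i in range(5)]
    + ["2023-03-01T02:20:00 A-1001 otp_destination_changed",
       "2023-03-01T02:25:00 A-1001 notifications_disabled",
       "2023-03-01T02:40:00 A-1001 payee_added",
       # A-2002: a few mistyped passwords and one reset, below both bursts.
       "2023-03-02T09:00:00 A-2002 login_failed",
       "2023-03-02T09:01:00 A-2002 login_failed",
       "2023-03-02T09:02:00 A-2002 login_failed",
       "2023-03-02T09:05:00 A-2002 password_change_requested",
       # A-3003: a single red flag on its own.
       "2023-03-03T14:00:00 A-3003 payee_added",
       # A-4004: two red flags four days apart, never in the same window.
       "2023-03-04T10:00:00 A-4004 otp_destination_changed",
       "2023-03-08T10:00:00 A-4004 payee_added"]
)

if __name__ == "__main__":
    for account, finding in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(account, finding)
```

Only A-1001 crosses the threshold in the sample data; A-4004 shows the same two high-weight events staying below it because they fall in different windows.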

How Can Companies Protect Themselves Against Account Takeover Fraud?

There are a number of methods financial organizations use for account takeover protection. For example, many firms typically:

  • Encourage customers to practice good password hygiene: change passwords regularly; use a password manager encryption service; avoid using the same password across multiple sites
  • Alert customers if their username or password has been compromised in a data breach
  • Offer customers the option to be contacted before their credit limit is increased
  • Require customers to request a credit limit increase in a branch or over the phone rather than online
  • Recommend customers turn on multi-factor authentication (MFA)
  • Send an email and/or text when a change has been made
  • Include fraud alerts at relevant points in the customer journey
  • Use methods, such as CAPTCHA, to spot and block bots

ATO methods are constantly being devised and adapted by cybercriminals. Firms can use fraud detection technology to look for patterns and identify risks in real-time. Customer screening and transaction monitoring solutions that utilize artificial intelligence can compare a customer’s typical behavior with current behavior to identify and block suspicious activity. In the future, biometrics may also be key to account takeover fraud protection.

What is Chargeback Fraud?
https://complyadvantage.com/insights/what-is-chargeback-fraud/
Tue, 21 Mar 2023 11:48:31 +0000

Chargeback fraud occurs when a customer submits a transaction dispute with their payment provider for illegitimate – even dishonest – reasons. The consequences of fraudulent chargebacks can include unnecessary costs to firms, as well as enabling certain forms of illicit financial activity. This activity can then feed into money laundering and further financial crime, creating further risk and cost implications.

With this in mind, how do illegitimate chargebacks differ from legitimate ones, and what can firms do about it?

Legitimate and Fraudulent Chargebacks: Key Differences

Before classifying any illegitimate chargeback as fraudulent, firms should be aware that intent is often required to legally prove an event as fraud. But regardless of intent, illegitimate chargebacks involve the same kinds of behaviors and consequences, leading the industry to commonly refer to illegitimate and fraudulent chargebacks interchangeably. 

Beyond this, proving intent can be elusive. For practical purposes, then, this article will only consider two chargeback categories: legitimate and fraudulent. Nonetheless, firms should consult their legal and compliance departments to ensure their official classifications are appropriate.

Legitimate Chargebacks

The chargeback process is intended to protect customers from unauthorized or unfulfilled transactions. Generally, chargebacks can be submitted legitimately in several key situations. Under the Fair Credit Billing Act (FCBA), customers are supported in disputes with creditors under conditions that include:

  • Billing errors
  • Unauthorized charges
  • Charges for goods that weren’t delivered

According to the FCBA, a customer has 60 days to dispute an unauthorized or incorrect charge in writing. For bank and debit accounts, the Electronic Funds Transfer Act (EFTA) provides similar protections for unauthorized EFTs. To qualify under the Act, a transaction must:

  • Not have been made by the customer
  • Be made by someone without authority to do so
  • Be of no benefit to the customer

Under the EFTA, a transaction does not count as unauthorized if the customer knowingly gave the third party access to their card or account. However, customers remain protected if they were deceived as to the identity of the perpetrator or had already contacted their financial institution to revoke permission before the transaction occurred.

Friendly Fraud

Fraudulent chargebacks, sometimes known as friendly fraud, occur because a customer falsely claims a legitimate dispute reason. This might include claiming:

  • A legitimate charge was unauthorized
  • Received goods never arrived
  • A billing error occurred when it did not 

Generally, firms must undergo a process that requires demonstrating legitimate grounds for a chargeback in order to win the case. If merchants have grounds to believe a chargeback was initiated for misleading or illegitimate reasons, they may challenge the process. So it’s important for firms to ensure they understand legitimate and illegitimate grounds for chargebacks to avoid unnecessary resource drain.

What are the Business Consequences of Chargeback Fraud?

Chargebacks can lead to significant business costs, from revenue losses to chargeback fees – up to $50 per chargeback, and sometimes more. Beyond this, some firms may feel compelled to blacklist merchants that receive too many chargebacks – or in some other way decline to do business with them, further impacting profits.

Outside direct costs to firms, fraudulent chargebacks can fuel further criminal activity, including money laundering and related financial crimes. This, in turn, contributes to the rising compliance risks firms around the world are facing.

According to one report, 90 percent of surveyed firms reported being impacted by chargeback abuse, and only a minority felt they effectively managed it. But effective fraud risk management is essential to firms wishing to stay at the forefront of the fight against financial crime. 

How Can Firms Detect and Prevent Chargeback Fraud?

The measures that help firms prevent chargeback fraud are part of a broader, robust risk management system. They include proper customer documentation and onboarding – especially customer screening, including KYC measures – enabling firms to know who they are doing business with in the first place. Connected with this, robust customer and transaction documentation will help firms compare dispute claims with the records on hand.

Still, some fraud will always slip through the cracks, and for that purpose, a solid transaction monitoring system is indispensable. Many perpetrators of fraudulent chargebacks are repeat offenders, so the use of machine learning and artificial intelligence can pinpoint patterns invisible to the naked eye. For example, thanks to identity clustering, an artificial intelligence overlay can detect subtle red flags which might slip under a human radar – but add up to pinpoint a fraudster’s concealed identity.

Fraud risks will always be a part of the landscape for financial services providers, but with proper tools and knowledge, firms can stop illicit activity in its tracks.

What is ACH Fraud and How to Prevent It
https://complyadvantage.com/insights/what-is-ach-fraud/
Mon, 20 Mar 2023 10:45:17 +0000

The Automated Clearing House (ACH) network is a way of transferring money from one bank account to another. Supporting both credit and debit transfers, payments and withdrawals are sent to the clearing house where they await authorization before arriving at their final banking destination. In the US, this network is overseen by the National Automated Clearing House Association (NACHA). 

What is ACH Fraud?

ACH fraud occurs when funds are stolen through the ACH network. A criminal needs two things to carry out ACH fraud: 

  • A bank account number
  • A bank routing number 

With this information, they can transfer money from the victim’s account, either as a lump sum or as recurring payments. They can also make unauthorized payments for goods or services. The time delay with ACH payments is a key vulnerability that financial criminals exploit. 

How Common is ACH fraud? 

Although not the most widespread fraud method, ACH scams are increasing. In 2021, the Association For Finance Professionals found that the percentage of survey respondents reporting fraudulent activity via ACH debits increased from 34 percent in 2020 to 37 percent in 2021. 

Examples of ACH Fraud

ACH fraud tends to affect medium-sized banks, businesses, and schools. In September 2022, the Federal Bureau of Investigation (FBI) Cyber Division issued a notification relating to cybercriminals increasingly targeting healthcare payment processors to redirect victim payments. In one case, a large healthcare company lost $840,000 in an ACH scam, where a hacker impersonated an employee and changed the ACH instructions.

In addition to “insider employee fraud”, typical examples of ACH scams include:

  • Data breaches: Criminals often gain access to customer credentials via a data breach. In this scenario, fraudsters log into bank accounts with bought or stolen information from the dark web before withdrawing funds through the ACH network. 
  • Email phishing ACH scams: A customer clicks a link in a phishing email, which sends them to a malicious website that infects their computer with malware. Fraudsters can then track the customer’s keystrokes and discover their banking credentials. This is also known as spear phishing.
  • Check kiting: In this type of ACH fraud, criminals move money back and forth between accounts at different banks. When the transfer is approved by the clearing house, it looks like the money is in the account, but it has already been moved.
  • Loss or theft of debit card: If the loss or theft of a debit card is not immediately reported, criminals can use this window of time to carry out an unauthorized ACH withdrawal.

Many of these methods reveal other information that can lead to identity fraud and/or account takeover fraud. In fact, the Financial Crimes Enforcement Network (FinCEN) has frequently highlighted the connection between ACH fraud and identity fraud, with money being illegally transferred via ACH transfer to accounts that were set up with stolen or fake identities. 

What is the Impact of ACH Fraud on Businesses?

The impact of ACH fraud can be costly for organizations in terms of remediation time and money, both of which can negatively affect relationships with customers and prospects. Indeed, a 2020 merchant survey found that “avoiding organizations or services I don’t trust” was the top way consumers say they protect the privacy and security of their personal data online.

Furthermore, in our 2023 global compliance survey, more than one in three senior compliance professionals cited “reputational risk” as the factor most likely to drive change within their organization. This was a 6 percentage point rise from the previous year and was the only factor to see a year-on-year increase. And with global executives attributing 63 percent of their firm’s market value to its reputation, it’s easy to see why concern levels are so high. 

ACH fraud also increases the likelihood of chargeback fraud, which occurs when a consumer requests a refund (or chargeback) from the card issuer despite having received goods from a merchant. 

How to Detect ACH Scams

ACH fraud detection is essential for firms of all sizes across all sectors. Current trends in the ACH fraud detection space include: 

  • Secure APIs: Application programming interfaces (APIs) allow firms to detect fraud faster and more efficiently, as they enable two systems to communicate and integrate with one another. For example, with ComplyAdvantage’s RESTful API, firms can improve their operational efficiency and reduce false positives with access to real-time data.
  • Biometrics: Various biometric types, known as physical, linguistic, and behavioral modalities, can help firms detect ACH fraud as they help identify the actual human being that is interacting with a device or service.
  • Enhanced behavioral analytics: Behavioral analytics that utilize machine learning capabilities can help firms build an accurate picture of “expected” versus “unexpected” account behavior, so action can be taken to mitigate risk in near real-time.

When employing any of the above fraud detection solutions, firms must ensure they are calibrated in such a way that reflects their organization’s risk appetite. When adopting a risk-based approach, firms should consider the level of threat ACH fraud poses to their business and deploy solutions accordingly. Transaction monitoring tools should also be fine-tuned to detect specific ACH red flags, including:

  • ACH transactions taking place across different geographic areas
  • Customers using a different device or account to their preferred choice
  • Employees who are found breaking security protocols
  • Customers showing signs of being phished
  • Customers with a high rate of ACH chargebacks

How Can Companies Prevent ACH Fraud?

ACH fraud prevention measures used by businesses may include:

  • ACH freeze barrier: This allows companies to block unauthorized transfers from a customer’s account.
  • ACH fraud filter: This allows companies to filter between authorized and unauthorized debits and credits.
  • Authorized user list: Customers can create a list of allowed regular transactions.
  • Multi-factor authentication (MFA): Requiring customers to use MFA when logging in and making transfers.
  • One-time payment (OTP) authorization: One payment is authorized at a time – this is also known as “positive pay”.

Company employees need to be fully trained in how to prevent ACH fraud. Compliance and fraud professionals must stay on top of new typologies and trends, as well as regulatory updates and in-house know your customer (KYC) policies.

Firms should also have strong security measures in place, for example using data encryption when storing and sending customer credentials – including credentials given over the telephone where calls are recorded. This information should never be stored locally.

What is Return Fraud and How to Prevent It
https://complyadvantage.com/insights/what-is-return-fraud/
Mon, 20 Mar 2023 09:29:54 +0000

E-commerce has become indispensable to retail frameworks around the world, providing customers and businesses with a flexible shopping experience that can save both time and money. However, high return rates are becoming an increasing challenge, creating additional costs and complexities for merchants. Fraudulent returns, unsurprisingly, incur even greater costs. 

While many cases of return fraud are carried out by lone actors, according to the National Retail Federation (NRF), organized retail crime (ORC) is a burgeoning threat within the retail industry. With such collaborative forces at work, compliance staff need to be aware of the red flag indicators of return fraud and how it can best be prevented.

What is Return Fraud?

Return fraud is a type of payment fraud that abuses a merchant’s return policy. It involves returning an item to a retailer that does not qualify for a return or refund, such as:

  • Stolen merchandise
  • Items that have already been used
  • Items purchased from a different retailer
  • Counterfeit items

Also known as return abuse, return fraud is regarded as one of the most common retail fraud typologies and can take place both online and in-store. 

What is the Difference Between Return and Refund Fraud?

While return fraud centers around taking advantage of customer-friendly return policies, refund fraud involves making false claims about an item to receive a refund without returning the item in question. 

The revenue losses for the two different fraud types also vary. With return fraud, merchants lose the revenue from the initial sale, but sellers dealing with refund fraud also lose the revenue from any potential resale. 

What is the Impact of Return Fraud?

While honest mistakes do happen, according to the NRF, “retailers incur $166 million in merchandise returns for every $1 billion in sales” – and lose $10.40 to return fraud for every $100 of returned merchandise accepted. This equates to an estimated $24 billion in losses per year.

Incidents of return fraud are particularly high during holiday seasons: 25 percent of annual product returns occur between Thanksgiving and New Year’s Day. According to credit reporting agency TransUnion, e-commerce fraud attempt rates between Thanksgiving and Cyber Monday in 2022 were 82 percent higher globally than the rest of the year.

Not only is return fraud a costly problem for businesses, it can also put customers at risk and damage an organization’s reputation. If a business tightens its policy to crack down on fraudulent activity, legitimate customers may become wary of making purchases if they believe their return may not be accepted. This can result in fewer sales and a loss of trust in the brand. 

What are the Types of Return Fraud?

One of the reasons return fraud can be difficult to detect is that fraudsters employ numerous tactics to carry out their schemes. Some of the most common return fraud types include:

  • Empty box scams: When fraudster customers falsely claim they have received an empty box instead of the intended merchandise and claim a refund. This fraud type can also refer to dishonest sellers who deliberately ship out empty boxes only to claim that it is the buyer’s word against theirs.
  • Wardrobing: When consumers buy items, use them once, and return them later. This common type of return fraud has caused contention in the past, with many consumers believing it to be a harmless action. 
  • Price switching: This type of scam refers to consumers that buy an item at one price before switching the price tag with a more expensive item and returning it for a refund. This fraud type is most prevalent in physical stores.
  • Opportunistic: This type of return fraud occurs when consumers choose – either deliberately or unwittingly – the wrong reason for a return on a form. This isn’t necessarily a pre-meditated fraud type as many consumers are unaware that choosing the incorrect “reason” will affect the merchant.
  • Bricking: This type of return fraud is typical with electronic devices. It occurs when a buyer returns an item after dismantling the product and removing its valuable parts. The fraudster will then usually re-sell the parts for a profit, and keep the refund fee issued to them by the merchant.
  • Seller sabotage: When sellers buy all the items from a competitor and send them back as late as possible to deplete the competitor’s inventory. Sometimes counterfeit items are returned in the original packaging to damage the competitor’s reputation with legitimate buyers. 
  • Stolen merchandise return: This return fraud type occurs when a fraudster uses a stolen credit card to buy an item online before returning the stolen goods in-store for a refund. If the refund is completed on a different card or given in cash, this is an example of placement.

How to Detect Return Fraud?

Since the risk of exposure to fraud grows as companies scale, it is important to implement innovative solutions that can detect fraud in real-time. Measures to proactively detect return fraud include:

  • Using machine learning and behavioral analytics to identify anomalistic behavior that indicates various types of fraud.
  • Analyzing data from past return fraud cases allows retailers to identify behavioral patterns or red flags specific to their business. This type of information can help sellers spot potential scams and take the appropriate risk-based action to prevent losses.
  • Educating and training staff to be able to recognize the red flags surrounding return fraud and explaining what a “normal” vs “abnormal” number of returns looks like.

How to Prevent Return Fraud?

While steps can be taken to prevent return fraud through educating employees, verifying customer identities, and updating policies, companies that take an AI-driven approach are much more likely to stay one step ahead of fraudsters. 

To effectively mitigate the risk of return fraud, firms should:

  • Ensure their anti-fraud tools can detect common fraud scenarios and project future risks to help teams anticipate threats. This can be done efficiently and cost-effectively by implementing an AI overlay to existing tools as it does not require a total system overhaul.
  • Implement a solution that offers a high level of configurability and provides the ability to build custom rule sets to prevent fraud types that pose a particular threat. 
  • Employ a tool that fine-tunes alerts across various payment chains and allows firms to respond to changing fraud risks in near real-time.
