Payment Fraud Schemes and Warning Signs
- March 23, 2022
Card Testing AKA Card Cracking
This is a form of fraud frequently seen in the realm of online commerce where the fraudster is attempting to determine whether stolen card information is active and able to make purchases without triggering a merchant’s fraud detection measures.
Warning signs for merchants and processors include a high percentage of declines, particularly declines linked to invalid accounts. Also, look out for a high number of card attempts. There are many ways to police this including audit logs at the merchant level looking for repeat users, velocity rules at the acquirer level targeting declines and sequencing, automatic disabling of velocity rule triggers and using captcha on merchant websites.
In the scheme known as synthetic identity the fraudster uses a combination of real information and fake information to create an identity and open accounts. Tell tale signs include mismatched business information (SSN, name, DOB misalignment) and quick first time use and processing. A weighted risk scoring model is a helpful way to police synthetic identity, with an emphasis on newer credit files and quick first-time use of new merchant accounts. Also, like with card testing, synthetic identity can be policed with audit logs, velocity rules, automatic disabling and captcha.
Account takeover occurs where a fraudster gains access to a user’s account credentials, i.e., user name and password. Warning signs include very large purchases, often during off-hours like the middle of the night or early morning, and logins from new or unknown IP addresses. Policing methods include multi-factor authentication (“MFA”), notification of account changes to customers and flagging for review after account changes.
Secret Shopper, Romance and Recruitment Fraud
This is a scam with several variations.
In its secret shopper form, an innocent mark gets what appears to be a real check in the mail with a job offer to be a secret shopper. The check shows up in the account and before its fraudulence comes to light the fraudster convinces the mark to wire it funds.
Romance typically emerges from dating sites. The fraudster pretends to be the mark’s love interest and creates a seemingly deep connection over the course of time. Once the mark is hooked the requests for money start to take place.
Recruitment or employment is where the fraudster creates pretend job offers with up-front fees for the “new employee” for materials, training, etc. The fraudster might also ask for social security numbers and other information to use for identity theft.
All variations of this scheme have similar warning signs. The applicant information is accurate and the SSNs etc. all match up. The business is a sole proprietor, and first sales are typically processed in 1-5 days. Sales tend to be low in quantity but for high values. Principals are not responsive to questions or vague, particularly about the goods and services.
Policing these schemes is nearly impossible. It is hard to see coming and there are limited means of prevention. Attention to device and logging and usage is useful, as are post-closure interviews. Commonalities in cards, IP addresses and email addresses tend to be signs. Keep an eye on known bad actors and maintain ongoing negative lists.
Bust Out AKA Sleeper Fraud
This is primarily a first party scheme where the user applies for and uses credit under their own name or a synthetic identity to make transactions. There is typically a period of on-time payments and maintenance of an account in good standing. They may also use this to create more accounts. The end game is using up all the credit and bouncing on payment.
Look for a normal, legit account that suddenly starts processing unusually large sales on the same card or cluster of cards. There is typically a great deal of information collected for these large sales including photocopies of cards and drivers licenses. Monitor for the sudden bursts in amounts and frequency and for after-hours transactions as well as repeats of sales on the same cards or cluster of cards.
This is returning goods that are ineligible for a refund to a retailer in exchange for money or other goods. The goods may have been acquired illegally or they may be discarded damaged goods.
The business is often legitimate with processing volume consistent with the business type. There are refund volume increases, often not above sales volume. A good indicator is refunds that are not matched to particular sales. Refunds also may be going to the same cards or bins. The principal in this scam may or may not be aware that it is occurring.
Policing can be done by requiring returns to match up with purchases and including original transaction information. Restrictions can be placed on access to initiate refunds at the merchant level, and only allow the most trusted employees to do returns. The reason being that this form of fraud is often tied to a particular rogue employee.
About the Author
Bradley Crosley is a seasoned attorney with a successful background of guiding clients through a wide array of transactional and courtroom challenges. In addition to litigating countless subject matters, including electronic payment processing and complex business disputes, Brad has served as general counsel for a nationally operating corporation in complex real estate financing and development projects including public private partnerships and infrastructure development ventures. These experiences allow him to see matters from the perspective of the client and create pragmatic solutions and strategies that are custom suited to the wants and needs of the individual client. Brad serves our clients in planning, compliance and transactions, as well as advocating on their behalf in litigated matters.
Even though embedded finance is becoming more popular lately, the idea itself isn't...Read More