How fraud is shifting and how to respond
The COVID-19 pandemic represents one of the biggest disruptions in the history of the electronic payments industry.
Over the past year, fraudsters have added to the confusion, distraction and vulnerability stemming from the pandemic. They can hide among consumer behavioral shifts, take advantage of the fact that banks and merchants alike are shifting gears, and prey on unsuspecting consumers.
For a risk manager it is a perfect storm. This environment puts extreme pressure on all phases of the credit life cycle, all at the same time. To aggravate matters, there is still uncertainty as to what the recovery will look like.
The payments industry is therefore experiencing a deep shift in the nature of electronic payments risk. In the short term, the changes in the risk environment are likely to have a profound impact on overall business performance. In this paper, we focus on customer management, which encompasses fraud detection and fraud management.
There are three key points with regard to fraud detection and fraud management.
1. First, the pandemic is fertile ground for fraudsters.
Types of activity reported include brute force or enumeration attacks, ATM-cash-out attempts, phishing scams, and spurious cryptocurrency purchases, donations, and click-and-collect exercises. All the while, cyber security incidents continue to be a serious cause for concern. Issuers, merchants and acquirers must stay alert to the full gamut.
Additionally, fraud rates do tend to be higher in the ecommerce channel, so shifts in the mix of card-present (CP) to card-not-present (CNP) payments bring an increase to the overall fraud-to-sales ratio.
2. Second, many of the systems used by fraud managers are rendered less useful by the pandemic.
For example, on the fraud detection front, many tools look for out-of-pattern spending. Yet, during the pandemic, most spending is out-of-pattern. So, the proportion of false-positives inevitably spikes.
3. Third, there is a need to be more vigilant for first-party fraud.
As we passed the one-year anniversary of the pandemic, several customers still face real financial hardship, and some may be tempted to challenge legitimate transactions. Similarly, with consumers staying at home and engaging in online shopping sprees, there could also be an increase in buyer’s remorse, and a subsequent ‘tide effect’ of claims and disputes.
Meanwhile, the rise of CNP transactions is also increasing occurrences of ‘friendly fraud’. As cardholders review their statements, they may encounter transactions that look fraudulent – such as growth in categories not historically purchased online, merchant names that are not descriptive enough to connect the item purchased with the transaction amount, and multiple charges relating to a single purchase (for example, if retailers split charges based on the purchase amount and the shipping charges).
The challenge for risk managers is to be extra vigilant, and adapt to the new realities, while also maintaining the quality of the customer experience. At a time when payment behaviors are changing and new habits forming, an over-zealous approach to fraud management could easily nudge a consumer towards using a different card.
While we have yet to determine what the long-term impacts of the pandemic may be, we can rely on some universal truths.
When it comes to payment methods, consumers have always cared – and will always care – about the optimum combination of trust, convenience, speed, simplicity and universal acceptance.
Meanwhile, fraud management always has – and always will – revolve around three inter-related parameters:
These three parameters will continue to determine the role and activity of the fraud management function. The shape of the triangle may be shifting, but the fundamentals remain the same. The task of the risk manager is to maintain the balance and equilibrium.
While the specifics of the response will be determined by the issuer’s circumstances, the size and character of its portfolio, the fraud environment in which it operates, and the severity of the pandemic in its home markets, we have compiled nine imperatives that, we believe, are relevant to any issuer operating anywhere.
Nine imperatives for fraud teams in the COVID-19 pandemic
1. Be prepared for account testing exercises – like enumeration or brute-force attacks
Fraudsters are using the global surge in ecommerce volumes as cover for their account testing exercises. Through enumeration or brute force attacks, they are systematically sending authorization requests to an issuer’s BIN to deduce legitimate payment credentials.
So, look out for any unusually high growth in transaction counts. Pay attention to declines for invalid account numbers, and look out for flurries of regular authorization requests (e.g. one every few seconds from the same source).
If you suspect an attack is underway, act fast to get the situation investigated. Also, look out for authorization requests using sequential account numbers and provide extra protection to any similar numbers.
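One way to turn the three signals above (invalid-account declines, regularly spaced requests from one source, sequential account numbers) into a check over authorization logs. This is an added example, not code from the original paper or from Visa; the log layout, the source identifier, the "invalid_account" response label and all thresholds are assumptions, and every record is constructed.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample log: (epoch_seconds, source_id, account_number, response).
# Every value is made up; "invalid_account" means a decline for a nonexistent number.
SAMPLE_EVENTS = [
    (1000, "merchant-A", 4000000000001001, "invalid_account"),
    (1003, "merchant-A", 4000000000001002, "invalid_account"),
    (1006, "merchant-A", 4000000000001003, "approved"),
    (1009, "merchant-A", 4000000000001004, "invalid_account"),
    (1012, "merchant-A", 4000000000001005, "invalid_account"),
    (1015, "merchant-A", 4000000000001006, "invalid_account"),
    (1000, "merchant-B", 4000000000731554, "approved"),
    (1410, "merchant-B", 4000000000098812, "approved"),
    (2950, "merchant-B", 4000000000410077, "invalid_account"),
    (4100, "merchant-B", 4000000000555120, "approved"),
    (5200, "merchant-B", 4000000000220391, "approved"),
]


# Thresholds are illustrative assumptions and need tuning per portfolio.
def score_sources(events, min_requests=5, max_jitter_s=1.0,
                  min_invalid_ratio=0.5, min_sequential_ratio=0.5):
    """Return {source_id: [signal names]} for sources showing account-testing signals."""
    by_source = defaultdict(list)
    for ts, source, account, response in events:
        by_source[source].append((ts, account, response))
    findings = {}
    for source, rows in by_source.items():
        if len(rows) < max(min_requests, 2):
            continue  # too few requests to judge spacing or ordering
        rows.sort()
        pairs = list(zip(rows, rows[1:]))
        signals = []
        # Signal 1: large share of declines for invalid account numbers.
        invalid = sum(1 for _, _, resp in rows if resp == "invalid_account")
        if invalid / len(rows) >= min_invalid_ratio:
            signals.append("invalid_account_declines")
        # Signal 2: machine-regular spacing, i.e. little spread in inter-arrival gaps.
        if pstdev([b[0] - a[0] for a, b in pairs]) <= max_jitter_s:
            signals.append("regular_interval_requests")
        # Signal 3: account numbers stepping by one between consecutive requests.
        steps = sum(1 for a, b in pairs if abs(b[1] - a[1]) == 1)
        if steps / len(pairs) >= min_sequential_ratio:
            signals.append("sequential_account_numbers")
        if signals:
            findings[source] = signals
    return findings
```

On the constructed sample, only merchant-A is flagged, and with all three signals. An approved response inside a flagged flurry marks an account number that may have been confirmed and deserves the extra protection.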
2. Keep a close eye on your ATM networks – and be ready to act immediately
- If you fall victim to an ATM cash-out attack, the losses can be swift and significant.
- Review your daily withdrawal rules and limits. Keep a close eye on transaction counts and average ticket values.
- Look out for irregular spikes and put plans in place for an immediate response.
3. Partner with the wider ecosystem – and help your peers to help you
A united, sector-wide approach is one of the best defenses we have. Be sure to actively engage with any industry forums and law enforcement, and reach out to your peers to evaluate trends and possible solutions.
Also, be vigilant with your fraud reporting. The sooner you file your reports, the sooner Visa systems can learn from them. Through tools like Visa Advanced Authorization (VAA) and Visa Risk Manager (VRM), emerging risks can be suppressed before they become full-blown trends.
4. Be aware that any gaps in your armor can be quickly found and exposed
Fraudsters will be probing for vulnerabilities in the way you run your operations and protect your portfolios.
If, for example, you do not have overnight or weekend coverage in your fraud operations teams, now is the time to consider extending their hours. Similarly, with teams working from home, ensure that core functions are evaluated for risks as workers continue to telecommute.
Also, pay close attention to the risks faced by your vendors. If, for example, you outsource some of your fraud operations to a third party, how have they adapted to the pandemic?
During this time, your ability to manage fraud should be optimized – not compromised.
5. Inform, educate and encourage your cardholders
Use all channels to communicate proactively with your cardholders – and take the opportunity to both educate and reassure them.
Let them know that, because you are being extra vigilant, they may receive more fraud related communications and/or verification requests than normal.
In addition, warn them about any fraud types that are prevalent or emerging in your market. Also, remind them of any alert or SMS services you provide.
6. Lean on your analytical resources
The key to identifying new or unknown fraud patterns most likely lies in your existing transaction data. So continue to challenge your analytics teams to find new insights.
You should also speed up your existing reporting cycles.
In addition, pre-COVID-19, your CNP fraud rates were most likely skewed due to the high volume of travel transactions. To get like-for-like comparisons, if you have not done so already, you should strip out the travel transactions, which are minuscule in the current environment.
7. Deal sensibly, systematically and swiftly with the increase in fraud alerts
It is inevitable that you are receiving a high volume of risk alerts. You should accept that (due to the mass shift to ecommerce and a surge in out-of-pattern spending) your risk scores will lose some of their effectiveness.
So, reassess your performance rules to reflect the forced change in everyday payment behaviors and prioritize your investigations activity.
Also, move quickly to update your risk models. For example, supervised fraud models will need to be tweaked quickly and more frequently due to changing behaviors.
With most spending being out-of-pattern due to COVID-19, and false positives spiking as a result, you should report new fraud as soon as possible, include new findings, and calibrate accordingly.
In addition, if you are still using rules-based techniques, you should modernize using the latest data assets, tools and technologies.
8. Revisit your crisis management and cyber event plans in light of COVID-19
Your crisis management plans, contingency plans, and cyber security assessments were most likely formulated under very different circumstances. It makes sense to evaluate them through a COVID-19 lens and determine what and how you would change.
For example, how quickly and efficiently could you deal with a sizeable compromise or a significant cyber event? How exposed could you be? Would your teams and system capabilities be up to a rapid response?
9. Don’t forget the human touch
If the worst should happen, and an account becomes compromised, be open and proactive in your customer communications. Usually, they will expect:
- To be informed if fraud takes place
- To be believed
- For everything to be resolved within days
- To be kept informed every step of the way
- To be guided through the recovery process
- To receive advice on how to prevent fraud from taking place in the future
It is also an opportunity for you to turn a potentially difficult situation into a reason for cardholders to stay loyal.
While the COVID-19 pandemic has affected businesses everywhere, opportunities can arise from challenging situations. Visa Consulting & Analytics can advise on how your business can best respond to the COVID-19 pandemic.
For help addressing any of the ideas or imperatives above, please reach out to your Visa Account Executive to schedule time with our Visa Consulting & Analytics team or send an email to VCA@Visa.com. You can also visit us at Visa.com/VCA.