5 ways COVID-19 changed the nature of payments fraud

As many businesses and consumers have been forced to deal with the difficult conditions thrust upon them by the COVID-19 pandemic, so too have fraudsters needed to make adjustments just to continue their life of crime.

Given that the nature of fraud activities has been evolving during the crisis, not all of the changes are for the worse. In some cases, fraudsters have left themselves exposed by not mirroring consumers’ activities; and in other areas risk management providers, card networks, banks and others have modified how they operate in order to better detect fraudulent activities.

Beyond the transition of many businesses having staff work remotely, probably the biggest change had to come in the form of a new fraud opportunity — government stimulus packages. In the case of the U.S., it was the $2 trillion CARES Act. This legislation included $350 billion in PPP loans for small businesses, $300 billion in direct individual checks and $250 in supplemental unemployment insurance.

The number of fraud attacks has increased in the first half of 2020 compared to the same period in 2019, according to data from LexisNexis Risk Solutions’ Digital Identity Network's report, The Changing Face of Cybercrime. In the first half of 2020, the Digital Identity Network analyzed 22.5 billion transactions, up by 37% from the same period last year.

Automated bot-initiated attacks on the Digital Identity Network were up by 13% in the first six months of 2020, to 868 million, compared to the first six months of 2019; while human-initiated attacks were down by 7% to 260 million over the same time period.

“We saw a rise in automated bot attacks in the first half of the year, which is an ominous sign for the future,” said Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions. “An automated script offers a fraudster the ability to test a list of stolen credit cards or identities, for example. It’s a first test of what’s valid and what’s not. Then a fraudster moves on to the next stage where they will take those credentials to open a bank account and cause real financial damage.”
Despite the increase in transaction volume for the first six months of 2020, the rate of cyber attacks fell during this period. According to LexisNexis Risk Solutions, the overall attack rate fell during January through June 2020 to 1.4%, down by 33% compared to the same time period in 2019.

The biggest drop in attack rates was experienced in the desktop channel, which had a 1.7% attack rate during the first six months of 2020, down by 50% year-over-year. However, while the attack rates were also down in mobile, the declines were not as precipitous. The mobile app attack rate was 0.6%, down by 14% compared to the same time period in 2019, and the mobile browser attack rate was 2.4%, down by 17% from last year.

“Although transaction volume has increased 37% over the previous year, overall the attack rates declined,” said Moody. “Fraudsters migrated to lower-hanging fruit during the first half of the year, going from attacking companies to targeting government stimulus monies in selected countries such as the U.K.”

The biggest evidence of fraudsters migrating to lower-hanging fruit in the form of government stimulus funds can be seen by the September announcement from the Department of Justice, which has charged 57 individuals to-date in attempts to steal over $175 million from the small-business Paycheck Protection Program. The DOJ also said that the government has suffered $70 million in fraud losses from the PPP funds while recovering another $30 million in fraud. According to CNBC, the DOJ is actively investigating another 500 individuals who may have stolen PPP funds, in many cases including criminal fraud rings.
Typically fraudsters will use the similar digital channels as consumers do when making online purchases, logging into a bank account or applying for a new credit card in order to fool risk management software and risk analysts. However, that’s not always the case, which can make it somewhat easier for the people and companies charged with mitigating fraud to spot it.

Based on data from LexisNexis Risk Solutions’ Digital Identity Network, about 75% of the e-commerce transactions conducted in the EMEA region (Europe, Middle East and Africa) for the first half of 2020 were done using a mobile device such as a smartphone. However, in examining the fraud attacks during that same period of time, it was noted that only 51% had been committed using the mobile channel. This disparity has created a potential avenue for companies to identify digital fraud more quickly if it originated from a desktop or laptop.

By contrast in the other regions of the world, fraudsters more closely mirrored the channel mix of real transactions whether it was heavy in mobile, such as Latin America, or closer to a 60/40 desktop/mobile mix such as in North America.

“As consumers are doing more on their mobile devices, so are fraudsters doing more on mobile devices,” added Moody.
The U.S. Federal Trade Commission has reported that the number of fraud reports filed by consumers and businesses is down in the second quarter of 2020 by over 23% from the same quarter in 2019. The FTC logged 387,561 fraud report cases with a total loss of $416.3 million for the April-through-June 2020 time period. The median dollar loss was $200. About half of all fraud reports for the quarter were sourced from the four largest states by population — California, Texas, Florida and New York.

In comparison, for the April-through-June 2019 time period, there were a total of 497,111 fraud case reports filed. While the number of cases did come down in 2020, the dollar losses fell by only about 5%, to $416.3 million. The median dollar loss was $350.

In other words, while there may have been fewer fraud cases reported by Americans during the second quarter of 2020 compared to a year earlier, fraud losses were almost as high.
According to the FTC, the number of identity theft-related cases rose significantly in the second quarter of 2020 on a year-over year basis. There were 349,641 identity theft fraud cases during the April-through-June quarter of 2020, up by more than double’s last year’s second quarter tally of 165,072 ID theft cases.

Overall, the leading fraud type committed with ID theft was credit card fraud. However, since ID thefts are often committed by criminal gangs that operate in a particular geographic territory, the resulting fraud can be very localized. For example, the Seattle-Tacoma-Bellevue, Washington metropolitan region experienced a rash of ID thefts in the second quarter, amounting to 27,973 reports. Of this number, 22,534 were related to government documents and benefits fraud or about 80% of the cases. In fact, the Seattle area accounted for almost one third (29%) of the nation’s ID theft benefits fraud cases in the quarter.

In contrast, ID theft-related credit card fraud barely made the top five most common theft types for the Seattle metro area. For both the New York City-Jersey City, New Jersey region and the Los Angeles-Anaheim-Long Beach, California region, credit card fraud was the top ID theft-related fraud type reported in the quarter.