How payments fraud is becoming more complex—and expensive

Recent reports that counterfeit card fraud is markedly down in the U.S. since the introduction of EMV chip cards in 2015 is fantastic news, except for retailers that also sell goods sells online. In that case fraud has merely moved from an in-store payment attempt to a card not present (CNP) one. For e-commerce only stores the rise in payments fraud attempts has been a deluge.

According to data from Visa as of June 2019 there were over 3.7 million merchant locations that accepted EMV cards, up almost 10 fold from September 2015, representing about 80% of U.S. storefronts. This shift to EMV has allowed merchants who have completed the chip upgrade to see an 87% drop in counterfeit card-related fraud dollar losses between September 2015 to March 2019.

While some thieves have moved to online channels due to the advent of EMV, others have not because they have just gotten smarter. Thieves are now applying for and receiving real credit cards with active EMV chips from banks. They are able to obtain real cards by creating synthetic identities that combine real social security numbers with fake ages and addresses. In doing so, thieves can obtain legitimate payment cards and continue to defraud banks, merchants, and the consumers whose identities they steal thereby making fraud prevention a more complex and costly problem to solve.

The media often reports on just the dollar losses a bank issuer or merchant suffers at the hands of a fraudster such as the value of the merchandise stolen when in reality the total associated costs are much greater. According to a LexisNexis Risk Solutions’ recent 2019 True Cost of Fraud study retailers spend an incremental amount of money related to fraud which it calls the “LexisNexis Fraud Multiplier.” These are expenses related to each dollar of fraud incurred which includes chargebacks, fees, merchandise redistribution, labor/investigation, legal prosecution and IT/software security.

In 2019 each dollar of fraud suffered by a retailer cost an incremental $3.13 in fraud related expenses. This is up 6.5% from 2018 and up over 30% since 2016 demonstrating that the cost to fight fraud and recover from it is becoming increasingly expensive.

“This is our tenth year of the study and we are seeing unprecedented volumes of fraud attacks. While the magnitude of these fraud attacks is surprising, what may be more surprising or concerning is the limited adoption of those solutions shown in our study to lower an organization’s cost of fraud and successful fraud attempts such as digital identity intelligence, behavioral biometrics, identity authentication and automated transaction scoring,” commented Kimberly Sutherland, vice president of fraud and identity management strategy at LexisNexis Risk Solutions.
Fraud committed using authentic payment cards, checks, bank transfers, etc., are a major source of attacks for many types of retailers, especially ones that focus on e-commerce. Based on data from the LexisNexis Risk Solutions’ 2019 True Cost of Fraud study 86% of fraud losses suffered by mid-to-large e-commerce retailers with digital goods was as a result of payments made through friendly (1st party) and synthetic ID accounts.

“Reports of synthetic identity fraud are growing in the U.S. and even neighboring countries like Canada, as businesses often associate this type of fraud with the magnitude of incomplete consumer data available from data breaches. Rather than relying on identity theft and account takeovers, fraudsters continue to find success in the difficulty of detecting the creation of synthetic identities that may use a combination of real and fictitious data,” added Sutherland.

In the case of “friendlies” these are real people with legitimate accounts, a type of attack that is is almost impossible to stop since transactions are conducted with the assumption that the consumer will pay. Synthetic IDs are created by fraudsters to obtain legitimate bank cards and checks for the purpose of committing a crime. Since their payment accounts are authentic and not stolen, retailers need to use more complex software and verification methods to ferret out these criminals.
Despite the significant efforts being made by the financial services industry, risk and fraud mitigation vendors and the global law enforcement community merchants are reporting that their fraud losses have risen in the past year. According to an Experian blog which highlighted its 2019 Global Identity and Fraud report which surveyed 1,000 businesses in 21 countries over half of businesses reported that their fraud losses had grown in the past 12 months compared to a year earlier. Additionally, one-quarter (27%) of businesses stated that losses had stayed the same over the same time period.

“The dark market is full of criminals selling real data that others are buying for the purposes of committing fraud and it’s only getting worse as we have more breaches and synthetic identities are being created,” stated Tim Yunusov, head of banking systems security at Positive Technologies, a digital security firm offering solution to combat cyber threats.
The most prevalent type of identity-related fraud facing merchants can vary based on their size and whether or not they maintain physical stores. Fraudulent account creation, often using a synthetic identity, is a more significant type of identity-related fraud at mid-to-large e-commerce merchants. Further, as physical store merchants add e-commerce capabilities or in some cases transition to mainly e-commerce sales, the composition of identity-related fraud can change which will lead to greater confusion as to how cyber threats should be handled.

“Merchants should ensure that they are leveraging a combination of digital and physical data associated with their customer transactions to better assess fraud risks and ultimately improve the customer experience. It is possible to do both,” added Sutherland.
In a recent Experian blog that shares the results of the company’s Child Identity Theft Aftermath Survey found that the average age of a minor identity theft victim was 12 years old and that over one-quarter (26%) were 9 years old or less.

“There are two significant at-risk populations that fraudsters target: children and the elderly. In the case of children, they have real social security numbers but have not yet established any credit. A fraudster will use their real name and social security number, coupled with a fake address, to apply for a bank account and attached debit card. This puts them [the synthetic ID] on the radar allowing a criminal to build a transactional history and eventually apply for credit with the ID,” noted Yunusov.

Since the Social Security Administration has gone to a randomized social security number (SSN) assignment scheme, it is no longer easy for banks to infer an applicant’s age based on the numbers of the SSN. Conversely this makes it easier for a fraudster to steal a child’s identity and claim to be an adult, thereby starting the process of creating a synthetic identity.