Fraudsters have taken to crowdfunding sites and other consumer-driven marketplaces in a new scheme designed to mask their use of stolen card data.
The scheme exploits the crowdfunding site's reputation so that a card transaction is not flagged as suspicious. In this shell game, fraudsters create a small business with a listing on a crowdfunding site, then send funds to that business from stolen cards.
"It's a fake transaction with a fake merchant and fake buyer," said John Canfield, vice president of risk for Palo Alto, Calif.-based WePay Inc. "If they are successful, they can have the money deposited straight into their bank account."
WePay provides the payment platform for various marketplaces, crowdfunding sites and small businesses. The company manages risk for these clients. WePay has seen such growth in crowdfunding sites and small-business marketplaces that it began using the Google Cloud Platform last year to handle spikes in payment volume.
Micro-merchant marketplaces include Kickstarter, Uber, Airbnb, Task Rabbit and GoFundMe, Canfield said. "This is a new form of economy, not a brick-and-mortar business that has been there for years," he added.
Instead, these types of companies sometimes evolve from an individual doing part-time work. For example, a programmer could use Kickstarter to seek funds to develop an iPhone game. Fans of that project would contribute funds, sometimes with the expectation of getting a free copy of the game when it is developed.
But even legitimate crowdfunding projects sometimes fail to deliver, making it harder to determine whether a listing came from a true fraudster or just an inexperienced business owner promising too much.
"Shell selling" is a difficult form of fraud to detect, Canfield said, but WePay has had success in examining a company's "social network footprint" to see if the request for funds is also being promoted on Twitter, Facebook and LinkedIn.
"Legitimate people and fundraisers use their social networks, which they have built over many years, to spread the word," Canfield said. "If you discover a company just built its Facebook page the day before it opened a crowdfunding site and there is no other social network backing it up, that raises a red flag."
Through that type of research and other risk-management tools (such as device identification and third-party vendor connections), WePay has been able to stop up to 80% of the fraudulent activity on its client sites, Canfield said.
As this new threat grows, the onus is on companies providing these types of marketplaces to do a better job of vetting their users, said Avivah Litan, a vice president and distinguished analyst at Gartner Inc.
"Amazon, eBay and Google do it, but there is no simple solution to this," Litan said.
The marketplace or its payment processor should continuously monitor transactions and payees, Litan said. "You can do that through the payment process and look for patterns of abuse, and use of stolen credit cards."
New businesses can protect themselves by using established acquirers and financial institutions when opening an account, said Ronen Morecki, chief technology officer of payments tech provider Zooz.
Morecki previously led research and development operations for VeriSign Israel's fraud detection service.
Many entrepreneurs in the mobile economy use a personal bank account for business purposes, and this practice creates "a big hole in the system" that makes it harder to track fraud, Morecki said.
"There are ways to verify an identity through a registered business document," Morecki added. "Another option is to hold the money [from crowdfunding] for a month or longer, and that would give you time to verify."
Legitimate micro-merchants often don't have the financial means to seek third-party vendors for help. But if a company has proven to bring in high volume and does not protect its sites, fraudsters will "go to town," Canfield said.