Why email remains key to card account fraud
Many futurists and pundits predicted email would be obsolete by 2020, replaced by a new, superior communication channel.
But email refuses to die. Five billion email accounts now exist globally, and while texting and a host of personal and corporate electronic messaging systems have joined the fray, email continues to play a key role in payments fraud precisely because of its ubiquity, according to Emailage, an Arizona startup.
Financial institutions, e-commerce websites, billers and wireless operators require an email address as a core identity anchor, and fraudsters frequently steal — or manufacture — email addresses to spoof customer identities and open fake accounts, said Amador Testa, chief product officer at Emailage.
“Most consumers have an email they keep for at least a few years, and it’s not usually easy to change emails because of key activity connected to each one,” Testa said.
Until recently, it’s been relatively easy to test whether an email associated with a new account was freshly created or inactive, either of which could signal fraud, according to Testa. But in recent years fraudsters have gotten sneakier in how they use email to commit online account fraud. They also pair email addresses with other personal information to create a convincing fake or impersonated identity.
Launched in Chandler, Ariz., in 2012, Emailage began by developing a massive database of global email and IP addresses to instantly analyze the legitimacy of emails for banks, merchants and other organizations around the world. The company has raised about $16 million in outside funding, and now has offices in Brazil, Mexico, Argentina, Australia and the U.K.
Demand for Emailage's services has grown steadily, with partners including American Express’s Accertify, Visa’s Cybersource and the biggest credit bureaus are on board, Testa said.
Featurespace, the U.K.-based payment fraud detection company based in London, this month announced a partnership with Emailage to protect global e-commerce and financial services organizations from the growing threat of online application fraud by integrating Emailage’s email-analysis engine into Featurespace’s platform.
One reason Emailage is seeing more demand is the surge in large consumer data breaches in recent years that’s enabled criminals to step up the pace of online account fraud by using sophisticated tricks to generate accounts, including developing emails that mimic legitimate ones, according to Testa.
“Fraudsters buy millions of stolen legitimate emails off the Dark Web they use to commit fraud, and they also create new email identities they allow to season and ‘age’ with use so they appear to be legitimate, not like the obvious, hastily created fake emails we were seeing a few years ago in online application fraud,” Testa said.
To unmask the new breed of imposter emails, Emailage last year began applying machine-learning techniques to improve its email fraud detection.
“We developed tools that can tell whether an email is authentic or was created by a bot and made to look like a real email with history,” Testa said.
Emailage conducts an email risk assessment leveraging data inputs from a global network generating different digital identities from individual email addresses and assigns it a risk score, according to Testa. Featurespace, for example, takes the digital identities Emailage generates and feeds them into its ARIC platform to flag emails that may be suspicious or associated with fraud, he said.
Emailage’s service may be critical, but its use is fairly narrow, according to Madeline Aufseeser, an independent payments industry consultant.
“Emailage could work like other methods of curbing payments fraud, by adding one more check for authenticity during account-opening, but in and of itself it can’t eliminate fraud,” Aufseeser said.
Fraudsters continue pouring their own ingenuity into email misuse.
Late last year Emailage used its email-analysis tools to root out a scam for an undisclosed customer where fraudsters used a cache of fake emails created months ahead of time and aged to look like creditworthy consumers to open 1,400 checking accounts in a large online application attack.
“Fraudsters opened the accounts and did small transactions over a period of time to lower suspicion and about nine months later they started opening credit card accounts linked to these bogus accounts,” Testa said.
Emailage detected that the emails associated with the accounts were all created at about the same time from the same source, blocking the scam, he said.
While Europe’s PSD2 requires merchants to obtain two different factors to authenticate a customer’s identity for each electronic transaction beginning next month — and biometric authentication measures are rapidly developing to block fraudsters — email will likely continue to be a key factor in a wide range of account activities, Testa said.
In addition to online account fraud around banking and e-commerce, Emailage also provides email risk scores to companies in the travel and hospitality, gaming and event-ticketing industries.
“Email is decentralized and free, its open standard works across all legacy and new devices and, with approximately 3 billion active users and 5 billion total accounts, and it’s accessible to everyone, which makes it hard to phase out — and fraudsters realize that,” he said.