Transaction laundering is an increasingly popular scam, in which cyber-criminals hijack the legitimate payment process to sell all manner of illicit goods and services online.
In recent months it has become a favorite of drug dealers, sex service procurers, and other similar criminals. Although many people still haven't heard of it, studies that we at EverCompliant have conducted indicate that banks may be processing payments for as many as 6% to 10% additional unauthorized ecommerce sites without their consent or awareness. And in this community of unknown merchants, criminals may be selling illicit and illegal goods and services.
The point of this fraud is to make use of the online acquisition system to take payments for those illegal goods and services. Call it a digital version of money-laundering, with cyber-criminals seeking to get the best of both worlds, engaging in illicit commerce while using legal means to get paid. But like other forms of money-laundering, transaction laundering is illegal – without exception.
Detecting these fraudsters is becoming a major challenge for banks, PSPs (payment service providers), acquirers, and other financial service organizations. There have been dozens of cases where legitimate-looking web sites were caught selling illegal products – like the Florida-based site that was caught selling steroids and other illegal substances. The site owner had two sites, one selling legitimate non-prescription drugs, and the other selling substances like HCG (human chorionic gonadotropin), a performance-enhancing drug that is illegal in most places.
For every one site that is busted, there are dozens of others that continue along with their ongoing dual-purpose business model. But whether the institution was aware of what was happening or not, the risks to legitimate organizations involved in these scams are the same; as far as the government is concerned, they are responsible, and if the scam is discovered, they will be held financially liable – and, possibly, criminally responsible.
Exacerbating the problem is the plethora of payment methods that have appeared in recent years. If in the past, acquirers, banks, and other institutions focused on web sites as the nexus of transaction laundering, the mobile era has opened up a whole new playground for scammers to operate in. Mobile wallets, Near Field Communication chips, and payment apps are just some of the new ways payments are being collected – and they provide new opportunities for fraudsters to do their dirty work, either routing payments for illicit goods and services through their own legitimate front accounts, or getting someone else to do their dirty work for them.
Add to that the ease with which anyone can open up an on-line storefront (thanks in part to drag and drop web authoring tools like Wix, WebyDo, SiteSumo, EasyWebContent, and many others), the explosion of micro-merchants that are doing business on-line, and the far greater reach they have now thanks to mobile technology, and you have a perfect storm, where business opportunities for transaction laundering scammers have never been better.
Battling this problem is one of the most difficult challenges facing institutions today. Not only are they being ripped off – they don't even know that they are victims. The transactions look legitimate, but institutions need to be able to look beyond and behind those transactions to determine whether or not they are the real thing, or just a front for illegal activity.
Determining if merchants are following payment guidelines and observing Payment Card Industry Data Security Standards (PCI DSS) is only possible when you get to know your merchants. Obviously, in the internet era that relationship is not going to be a personal one, but big data analysis – using data collected on activity and analyzed for anomalies, looking for patterns of sales (comparing traffic numbers, site hits, sales numbers, and other figures to industry averages) – along with old-fashioned detective work (checking out the provenance of sites, including ownership, location, reputation, and more) are all part of the solution. And if big data is needed to analyze web site transactions, it's needed to understand mobile payments, which have far more permutations and opportunities for fraud, given the additional options for payments.
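The traffic-versus-sales comparison described above can be sketched as follows. This is an added example, not EverCompliant's method or code: the merchant records are constructed, the field layout and function names are assumptions, and 3.5 is a commonly used cutoff for the modified z-score.

```python
from statistics import median

# Constructed sample data (not real merchants):
# (merchant_id, category, monthly_site_visits, monthly_card_sales_usd)
MERCHANTS = [
    ("m1", "supplements", 40000, 52000),
    ("m2", "supplements", 25000, 30000),
    ("m3", "supplements", 60000, 84000),
    ("m4", "supplements", 18000, 27000),
    ("m5", "supplements", 900, 95000),   # little traffic, large card volume
    ("m6", "supplements", 33000, 36300),
    ("a1", "apparel", 50000, 100000),
    ("a2", "apparel", 20000, 44000),
    ("a3", "apparel", 80000, 152000),
    ("a4", "apparel", 10000, 21000),
]

def robust_z(value, peers):
    """Modified z-score: median/MAD based, so one extreme peer cannot hide itself."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    return 0.0 if mad == 0 else 0.6745 * (value - med) / mad

def flag_merchants(rows, threshold=3.5, min_peers=4):
    """Return merchants whose sales per visit sits far above their category peers."""
    by_category = {}
    for merchant_id, category, visits, sales in rows:
        # max(visits, 1) avoids division by zero for sites with no recorded traffic.
        by_category.setdefault(category, []).append((merchant_id, sales / max(visits, 1)))
    flagged = []
    for category, items in by_category.items():
        ratios = [ratio for _, ratio in items]
        if len(ratios) < min_peers:
            continue  # too few peers to form a meaningful category baseline
        for merchant_id, ratio in items:
            score = robust_z(ratio, ratios)
            if score > threshold:  # one-sided: only sales the traffic cannot explain
                flagged.append((merchant_id, category, round(ratio, 2), round(score, 1)))
    return flagged

if __name__ == "__main__":
    for hit in flag_merchants(MERCHANTS):
        print(hit)
```

A flag here is a prompt for the manual checks listed above (ownership, location, reputation), not a verdict on the merchant.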
Eventually, the industry – if not regulators – is going to adopt specific standards to deal with this issue. The important thing for the industry now is to learn what is happening, and how great the risks are. It's a new challenge, perhaps the greatest the payments industry has ever faced – and educating ourselves on those dangers has become a priority for all of us.
Ron Teicher is founder and CEO of EverCompliant.