Fraudsters don't take the holidays off, so what are the top fraud attacks you should look for this coming peak season?
A period of economic uncertainty like the current cost-of-living crisis will often spur changes in fraud trends and patterns. Fraudsters will likely adapt their techniques to keep their operations going, while individuals struggling to make ends meet may be tempted to try first-party (or 'friendly') fraud. To maximize good order acceptance during peak season you’ll need to balance a frictionless flow for genuine customers against the checks needed to keep fraudsters at bay.
Here are the top four fraud attacks you should look out for this peak season.
Account takeover fraud
Account takeover remains a top fraud attack. Our 2022 Fraud Report found that 27% of global merchants report experiencing account takeover.1
We believe merchants could see a rise in account takeover attacks during peak season, likely with credentials obtained through increased phishing and smishing campaigns targeting consumers with fraudulent messages promising, for example, lower fixed-rate mortgage deals or energy tariffs.
It’s important to warn your customers to be wary of unexpected messages of this nature that may be designed to capitalize on people's financial worries. Merchants who haven't yet done so should also consider deploying a specialized account takeover protection solution that's designed to block fraud at the account level and prevent bad transactions from taking place.
BIN range targeting
Since enforcement of the PSD2 strong customer authentication (SCA) requirement, our managed risk analysts (MRAs) have seen an emerging fraud trend: BIN range targeting. The BIN, or bank identification number, refers to the first four or six numbers on a payment card that identify the issuer.
Some issuers more readily support low-risk and other SCA exemptions, meaning there's no requirement for an authentication step such as a one-time passcode (OTP). Customers love this frictionless payment flow—and so do fraudsters, as they don't need to intercept OTPs. Fraudsters try to determine which issuers are more lenient in this regard and target those BIN ranges accordingly.
To counter the risk, monitor hot spots and make sure you have the business intelligence to analyze attempted and actual fraud rates on relevant BIN ranges.
Low-value transaction fraud
Our MRAs have also observed that low-value transaction fraud is increasing. In PSD2 SCA terms, low-value transactions are less than €30 and are typically exempt from SCA. Fraudsters are exploiting the frictionless flow this exemption enables by keeping fraudulent purchases to €29 or less.
To reduce the risk of low-value fraud:
- Put checks and balances in place.
- Use fraud management data to identify emerging trends.
- Ensure you can determine the origin of genuine and fraudulent transactions.
Routinely requiring new customers to authenticate their first transaction, even if it's low value, could be one approach. A fraud management solution like Decision Manager can also help by providing actionable intelligence.
Not all fraud is carried out by dedicated fraudsters. Individuals whose budgets are stretched may attempt first-party fraud—claiming, for example, non-receipt of goods that actually arrived or that a purchase on their credit card statement was made fraudulently.
The primary impact on merchants is increased chargebacks. These are likely to persist into the new year as the arrival of credit card bills in January leads to buyer's remorse about peak season purchases. Where the PSD2 SCA requirement is enforced, stepping transactions up for SCA helps to connect cardholders to transactions because they need to provide additional information. This can help reduce the chance of successful fraudulent chargebacks.
Now for the good news: starting April 15, 2023, merchants will be able to better defend against first-party fraud in card-not-present (CNP) environments thanks to a change to Visa’s dispute program. Called Visa Compelling Evidence 3.0 (CE3.0)2, this change implies that, if merchants can provide additional data to show the disputed charge is valid, the dispute will be invalid. Given that first-party fraud is unlikely ever to go away, consider making CE3.0 part of your longer-term fraud management strategy.
Balancing fraud and friction
As we head into peak season in a challenging economic environment, it’s important to balance:
- When to minimize friction to give good customers the best possible experience.
- When to apply a degree of friction to help protect against fraud.
Continue to monitor chargebacks and look out for first-party fraud. Ask your acquirers for information about fraudulent transactions you're not liable for as well as those you are. This can provide a more comprehensive picture of your fraud situation, including insight into sources of risk, and will provide additional data to enhance your fraud management platform.
Ready to step up your fraud protection?
1 "Global Fraud and Payments Survey Report 2022," pp. 14–15, Cybersource, Merchant Risk Council (MRC) and Verifi
2 "What Every Merchant Needs to Know About Friendly Fraud," Visa, 16 June 2022
Disclaimer: Case studies, comparisons, statistics, research and recommendations are provided “AS IS”, are intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. Cybersource neither makes any warranty or representation as to the completeness or accuracy of the information within this document, nor assumes any liability or responsibility that may result from reliance on such information. Readers are encouraged to engage a competent professional where operational, marketing, legal, technical, tax, financial or other advice may be required.