Technology
3DS is a security protocol used to authenticate users. The objective of 3DS is to provide an extra layer of protection for payment card transactions in card-not-present scenarios.
Artificial intelligence (AI) is wide-ranging branch of computer science concerned with building smart machines capable of performing tasks that typically require human intelligence. Machine learning is a subset of Artificial Intelligence.
AVS stands for Address Verification Service. AVS is one of the most widely used fraud prevention tools in card-not-present transactions. The way AVS works is it compares the numerical portion of the billing address on file at the bank with the numerical portion of the billing address provided by the customer. Due to inconsistencies in numerical address formatting, AVS results in a large number of false-positives.
Behavioral biometrics is the analysis of how an individual interacts with a given device, whether that be a desktop browser, mobile browser or a mobile app. Behavioral biometrics include interactions such as keystrokes, scrolling patterns, tap pressure and many more.
CVV stands for Card Verification Value. CVV is a combination of features used in credit, debit and automated teller machine (ATM) cards for the purpose of establishing the owner's identity and minimizing the risk of fraud. It often appears as a 3 digit code on the back of credit and debit cards. CVV is also known as the card verification code (CVC) or card security code (CSC).
Device ID refers to a group of unique identifiers that a specific device contains. One of the primary signals is a DI Print (Device Fingerprint). These unique identifiers can be used to link fraud amongst different devices and are valuable within a consortium of data.
IP & Geolocation is the utilization of an IP address, along with other device signals, to determine geographical location.
Physical Biometrics is the use of distinctive, measurable physiological characteristics to verify an individual’s identity. Physical biometrics includes techniques such as retinal scans, fingerprints and voice prints.
Machine learning is a subset of artificial intelligence. Machine learning has the capacity to learn over time without being explicitly programmed. It can ingest a large amount of data and detect patterns and anomalies at scale. Supervised machine learning models are trained on a set of labels, while unsupervised machine learning does not require labeled data.
Rules are algorithms that use specific attributes and parameters. A rules engine allows for the creation and management of these fraud rules in order to make risk decisions and/or generate a risk score. While not self-learning in nature, analysts can test, modify and improve rule performance.
Risk-based authentication is the process of assessing user trust and access based on varying levels of risk-based analysis. Risk-based authentication can leverage analysis in a variety of forms such as behavioral profiling on multiple data inputs. The output of risk-based analysis could be approving, declining or step-ing up authentication to a different form of verification.
Fraud, Abuse & Risk Types
Account Takeovers are the unauthorized access of a user’s account in order to steal identity credentials, execute a fraudulent transaction or engage in varying types of abuse.
Angler phishing is a recent variation of traditional phishing attacks. In this method, scammers identify targets on social media, especially those publicly complaining about a reputable B2B company.
The attacker then poses as a customer service account from that company and tries to deceive the complainant into providing access to personal data or account credentials.
Application fraud is the unauthorized opening of a new account leveraging compromised identity information. This can be for a variety of accounts, including credit cards, retail bank accounts, consumer lending and much more.
Authorized push payment fraud occurs when a fraudster manipulates a genuine customer into making a payment to an account they control. There are a variety of types of authorized push payment fraud, including romance scams, invoice scams and a handful of others.
Affiliate fraud refers to any false or unscrupulous activity conducted to generate commissions from an affiliate marketing program. Affiliate fraud also encompasses any activities that are explicitly forbidden under the terms and conditions of an affiliate marketing program.
Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.
Bust-out fraud is a scheme in which fraudsters spend a long time—sometimes years—building up a credit line. Once they have a high credit limit, they max out the card and run off with their ill-gotten gains, never to be seen again.
Call center fraud is the process of exploiting call centers as a channel in which to launch fraud attacks, spanning varying forms of fraud and abuse. Account takeover is a common fraud type associated with call center fraud.
Card Fraud is one of the most commonly referenced fraud definitions. It occurs when a fraudster uses a card (debit or credit) to make a purchase without the authorization of the cardholder. Card fraud can occur in-person or through digital channels.
Card-not-present-fraud is fraud that occurs through any channel in which the customer does not have to present the physical credit card to the merchant. Card-not-present fraud includes fraud placed through a mobile device, online, over the phone and through the mail.
CEO fraud, also called BEC (Business Email Compromise), occurs when a scammer impersonates a company's CEO and targets employees typically in finance or accounting teams. The objective of this identity fraud is to manipulate the recipient into transferring funds to a fraudulent account.
These phishing scams often focus on lower-level employees, so the emails are less personalized and originate from fake email addresses. However, the financial impacts of CEO fraud can be substantial and can cost businesses a whole lot of money.
Check fraud encompasses several tactics in which fraudsters use paper checks or digital checks to defraud a target’s account.
Counterfeiting is defined as the planned attempt to duplicate a real and authentic article such as a symbol, trademark or even money with the purpose to distort and convince the purchaser or the recipient to believe that he or she is really purchasing or receiving the real article itself. In the ecommerce and financial services industry, this often refers to counterfeit cards and checks.
Crypto Scam or cryptocurrency scam is a type of investment fraud where criminals steal money from people hoping to invest in the new world of digital currency.
Most crypto assets and associated services aren’t regulated by the Financial Conduct Authority (FCA) for more than money-laundering purposes, which means they’re not protected by the Financial Services Compensation Scheme.
Deceptive phishing, commonly known as email phishing, stands as one of the most common forms of phishing attacks, constituting 91% of all cyberattacks. In this tactic, cybercriminals assume the identity of a familiar sender to extract sensitive data.
To shield your business from deceptive phishing, it's vital to educate your team(s) and help them use the email itself as a weapon against identity fraud. Encourage them to inspect not only the sender's name but also the email address.
Device Takeover is the unauthorized access to a user’s device in order to manually or automatically control the device and its apps. Devices can become fully compromised when the user installs an innocent looking app that contains malware, or by installing a Remote Access Tool (RAT). Once the device is taken over, attackers can engage in various types of abuse, including credentials theft, acquiring 2FA tokens using screen/keystroke capturing, or executing a fraudulent transaction.
Financial transactions are prime targets of cybercriminals in the realm of B2B interactions. One commonly used tactic to deceive customers/clients involves the use of fake invoices.
In this scheme, hackers send deceptive invoices appearing as trustworthy partners or vendors, aiming to redirect funds into their own accounts.
These deceptive invoices are crafted carefully to look real, with accurate details such as company names, logos, and purchase order numbers.
First party fraud refers to fraud committed against an institution by one of its own customers. First party fraud can extend from transaction fraud to application fraud with the core element being the actual customer engaging in the fraudulent activity.
Fraud Farms or click farms are groups that work on fraud attacks at scale. Normally they have limited resources used for large-scale fraud schemes and they get paid by carrying out the same action several times.
Friendly fraud is a type of first party fraud. Friendly fraud can take many forms, but typically involves an actual consumer obtaining goods or services from a merchant, then claiming they did not make the purchase, did not receive the goods, or only received a fraction of items, in order to keep the goods or services without paying for them.
Hacking occurs when a scammer gains access to your personal information by using technology to break into your computer, mobile device or network
In this type of phishing attack, Scammers target businesses with emails that seem secure because they have “HTTPS” in the URL. Despite this appearance of safety, these links lead to malicious/fake websites.
For example, a finance employee of a company gets an urgent email that appears to be from a trusted partner containing a link to a secure website for an invoice.
The pressure to pay quickly might lead them to click the link and enter sensitive payment info on what seems like a safe site. Doing so will make them fall victim to an HTTPS phishing attack.
Shockingly, more than 50% of phishing websites use both HTTPS and the padlock icon. It shows the need to be extra cautious in B2B communications to avoid these deceptive tactics.
Encompasses human trafficking, child sexual exploitation, elder exploitation, and financial scams. It involves severe violations of individual rights, often characterized by exploitation, coercion, and deceit. These crimes share common elements of manipulation, abuse of power, and violation of trust, often resulting in significant harm to the victims’ physical, emotional, and financial well-being.
A job scam occurs when a scammer poses as an employer or recruiter, and offers attractive employment opportunities, which require the job seeker to pay some money in advance. This is usually under the guise of work visas, travel expenses or credit checks that are required for the job. The scammer promises you a job, but what they want is your money and your personal information.
Identity theft is a type of fraud that involves using someone else's identity to steal money or gain other benefits.
Insurance fraud is any act committed to defraud an insurance process and/or institution. Insurance fraud occurs when a claimant attempts to obtain some benefit or advantage they are not entitled to, or when an insurer knowingly denies some benefit that is due.
Internal fraud occurs when an employee/internal representative dishonestly makes false representation, wrongfully fails to disclose information, abuses a position of trust for personal gain, or causes loss to others. Internal fraud can range from compromising customer or payroll data to inflating expenses to straightforward theft.
Investment fraud involves the illegal sale or purported sale of financial instruments. The typical investment fraud schemes are characterized by offers of low- or no-risk investments, guaranteed returns, overly-consistent returns, complex strategies, or unregistered securities. Examples of investment fraud include advance fee fraud, Ponzi schemes, pyramid schemes, and market manipulation fraud.
They are bogus invoices generated by cyber crooks all to separate you from your personal information or money. First type of fake invoice scam is the click bait. The email seemingly has an invoice attached. But when you click on it, malware is downloaded onto your system and this can lead to ID theft.
Merchandise mules are a type of fraud where a person receives merchandise (typically from an online retailer) obtained by fraudulent activity and ships that merchandise on to a specific address or in most cases a freight forward location. The mules are often recruited by work from home ads as a secret shopper or other work from home schemes. Others are recruited to scope out certain addresses such as an Airbnb to grab any packages sent to the address and then ship them or drop them off at a collection spot.
Money mules are a type of money laundering where a person transfers illicit funds through a medium (such as a bank account) to obfuscate where the money came from. There are different types of money mules including witting, unwitting, and complicit.
Money laundering is the illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. Money laundering can be done through various mediums, leveraging a variety of payment vehicles, people and institutions.
Loyalty abuse occurs when someone abuses the loyalty program terms of service (TOS) to obtain significant discounts or sell for a profit. This evolves into Loyalty Fraud when a fraudsters takes over an account to steal loyalty points and sell them/use them for profit.
Online shopping scams happen when scammers pretend to be online sellers with a fake website. They can also use a genuine retailer name on their accounts. They offer, in general, brands and luxurious products with cheaper prices and the buyer after paying never gets the purchase delivered.
Payment fraud occurs when someone steals another person's payment information and uses it to make unauthorized transactions or purchases. The actual cardholder or owner of the payment information then notices their account being used for transactions or purchases they did not authorize, and raises a dispute.
The fraud definitions for payment fraud are confusing unless you specify "non-plastic". Payment Fraud (non-plastic) refers to payments made outside of card networks, via payments rails that send funds from one bank account to another. When making this type of payment, fraud occurs when a payments is sent to an account that the fraudster controls. Payment fraud can be unauthorized, which is commonly executed as an account takeover. Payment fraud can also be authorized, which is commonly executed through authorized push payment fraud (scams).
Pharming is an advanced form of phishing attack in which scammers redirect their targets to a fake site. This is typically achieved using cache poisoning by targeting the DNS (Domain Name System), which is responsible for converting website names to IP addresses.
The scammers change the IP address linked to a website name, redirecting the victim to a malicious website. Any information shared on that site is then vulnerable to unauthorized access and potential theft and misuse.
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Promo abuse is the abuse of promotional offers by circumventing the terms of service (TOS) in order to obtain significant discounts.
Remote access scams try to convince you that you have a computer or internet problem and that you need to buy new software to fix the problem.
Ransomware is malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, these malware place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files.
Refund fraud occurs when bad actors take advantage of a merchant’s return policy in order to profit or get goods for free. Refunding fraud is a twist on friendly fraud that is particularly challenging for merchants because there are no associated chargebacks, yes the losses are significant.
Reseller abuse includes purchasing large quantities of products in an effort to resell the items for a profit. While reselling is a common practice, abuse can damage a client’s brand, deplete product availability for other customers, and violate terms of service (TOS).
A romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to get the victim to send money to the scammer under false pretenses or to commit fraud against the victim.
Social engineering is the psychological manipulation of another person by preying on emotions and vulnerabilities in order to extract information or convince he/she to take a desired action. Social engineering can be the initial layer of other fraud types such as account takeovers and authorized push payment fraud (scams).
A spear-phishing attack is a very targeted form of deceptive phishing, and organizations, on average, receive 5 such attacks daily. To understand this type of attack, consider a scenario where a cybercriminal targets a high-ranking executive within a company.
The attacker uses public information to understand the executive's role, recent business activities, and even upcoming projects. Using this knowledge, they craft a highly personalized email, appearing to be from a trusted B2B business partner.
Is the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.
Telephone Oriented Attack Delivery is an initial access tactic where fraudsters mimic a bank (or other known institute) and convince the victim to install a Remote Access Tool (RAT) or app that contains malware. At a later stage, the now fully compromised user device can be used by the attacker to commit Device Takeover (DTO) fraud or Identity fraud.
Third party fraud is when a fraudster leverages stolen information (PII, payment, etc.) to commit fraud (application, payment, card, etc) without the authorization of the owner of that information.
Transaction fraud is the unauthorized execution of any monetary transaction. Transaction fraud can include different payment types including cards (debit and credit), non-plastic forms of payment (ACH, Zelle, Wire, Faster Payments, etc.) and other payment methods.
Vishing, short for “voice phishing”, involves cybercriminals attempting phishing over the phone. In this scam, the hacker calls the target's phone, typically clients, to trick them into sharing personal or financial information.
To appear trustworthy, scammers even alter their phone numbers to seem like they're calling from a reputable company, which makes it challenging to report them.
These scams rely on social engineering tactics to create a false sense of urgency or fear and manipulate targets into revealing sensitive information.
Miscellaneous
Authentication is a process that determines or recognizes an user's identity. It's a technology focused on bringing accurate information about people's identity in order to confirm that the right person is trying to access a system, website, software, etc.
A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.
Cyber fraud is the crime committed via a computer with the intent to corrupt another individual's personal and financial information stored online. Fraudsters can use the information which they gather to then financially fund themselves, or worryingly they might use this money to fund terrorism.
Chargebacks are a forced payment reversal process where consumers can contact their bank and dispute a transaction for a refund. Banks typically review the transaction and issue provisional credit in the consumer’s favor.
Computer security, cybersecurity, or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
A fraudster is someone who commits fraud and/or abuse, often to achieve monetary gain. Fraudster is often a blanket term used to refer to many different types of fraud, money laundering and nefarious activity committed by criminals.
An organizational structure that bridges cybersecurity, threat intelligence, and fraud prevention. This blended environment allows cyber and fraud professionals to work together and create effective detection, prevention, and response to fraud activity, and shift the focus from reactive to proactive mitigation.
The know your customer or know your client guidelines in financial services require that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship. The procedures fit within the broader scope of a bank's anti-money laundering policy.
These are websites or URLs that fraudster creates to induce users to visit and input personal information. Usually the websites are very similar to the original URLs.
PSD2 is an EU Directive, administered by the European Commission to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). Two of the large focuses of PSD2 center around open banking and SCA (Stronger Customer Authentication).
Scammers can come in many forms, but their main purpose is to gain the trust of someone in order to convince them to take a desired action. This can include clicking on links, divulging sensitive information or sending a payment to an account they control.
SCA is a requirement of PSD2 on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.
The Ultimate Beneficial Owner, shortly known as UBO, defines the company's beneficiary's legal entity. According to the regulator, banks, investment, insurance, and other financial companies must disclose the UBO for various reasons. One of the reasons for this is to prevent serious crimes such as money laundering and terrorist financing. The lack of disclosure of UBOs paves the way for people to launder money through companies. Therefore, countries should pay attention to UBO in the fight against money laundering and terrorist financing.