These are unprecedented times — where the COVID-19 pandemic has shuttered stores and brought tens of millions of people (in the U.S. alone) indoors, where “home office” has taken on new meaning and where online commerce is now the way we buy.
The panic is also spurring people into all manner of financial activity — selling stocks, raising cash, sending money to loved ones, buying items they’d never considered before, stockpiling groceries and toilet paper.
To that end, said David Barnhardt, chief experience officer at GIACT, in an interview with Karen Webster, an explosion in online transactions, in card not present activity, has brought with it a host of challenges for companies simply trying to keep up with demand.
The volume of activity, he said, is akin to Black Friday and the holiday shopping season all at once. The frenzy is tied to people getting set up for lockdowns (or grappling with lockdowns that are already underway).
Along the way, he said, GIACT’s customers have reported a 25 percent increase in overall declines and a 15 percent increase in high-risk (likely fraudulent) declines. Those companies being inundated with declines have to figure out which transactions are legitimate — where data is entered incorrectly, mistakes are made that can be rectified — and which aren’t.
“There’s a lot of good traffic,” said Barnhardt, “and this is unbelievable volume. The problem is — just like it is when we have Black Friday — this is where the fraudsters hide.”
As Barnhardt noted, as transaction volumes spike, so does fraud.
In the simultaneous battles against bad actors and false declines, he said, GIACT has advised clients wondering what to do (some have asked if they should relax fraud strategies amid the huge spike in commerce):
“We keep saying, ‘follow the data. Look at the data that are there and make sure that everything is true and correct,’” he told Webster.
He noted that in the current environment, any number of human errors could occur, leading to what he called “first-party fraud.” Consumers may have, in a panic, grabbed an old checkbook, tried to pay with an account that is closed or may have entered the wrong data as a result of “fat fingers.” Or they may have been scrambling to protect themselves against unknown financial circumstances, perhaps by going to a payday lender for the first time.
Said Barnhardt, “there are different types of risk that are being presented to all types of businesses right now, and what really comes into play is tying an identity to a payment.”
Doing so, he said, can help a firm ascertain whether first-party fraud is in play — and the transaction should ultimately go through — or whether fraudsters are attempting account takeovers or establishing new accounts with synthetic IDs.
Understanding consumer behavior and consumer lifecycle, as well as the “digital DNA” (the unique makeup of a consumer’s personally identifiable information) of that individual consumer are critical, said Barnhardt. With those mandates in mind, service providers, financial institutions (FIs) and merchants can monitor activity that can point to signs of malevolent intent.
The Red Flags
By way of example, said Barnhardt, red flags can go up when a consumer calls in with requests to send funds to different accounts or to accounts that do not belong a name or previously established profile with which they’ve been associated — or if they call in to change email and phone numbers while arranging for withdrawals to be transferred to still another account in the following days.
New account openings deserve particular scrutiny, he said, as millions of people are signing up for food delivery and other services, or recurring subscriptions, as they hunker down at home.
As Barnhardt told Webster, the mantra for the retailers and anybody doing online business servicing financial accounts, behind those businesses in those uncertain times, must be: “Verify, verify, verify … If someone is signing up for those services, are they who they say they are? If the payment is being tied to that account, does that payment make sense — does it ‘tie’ to the person?”
A growing number of companies, he said, have been pushing up their efforts to have account validation products in place — where deployments scheduled for the third or fourth quarter of this year, or even into 2021, are taking on new urgency now.
The consequences can be significant because if a company is not running identity verification or understanding who they are doing business with when the proverbial smoke clears, individuals will point to accounts they did not open (the fraudsters opened them). The downstream effects are that these retailers will have to open investigations, work with the credit bureaus and disputes over fraudulent transactions can take years to settle.
New Attack Vectors
The fraudsters’ attack vectors are also gaining traction across other avenues, preying on individuals’ generosity as they seek to donate to charities and may be swindled instead. Barnhardt cautioned that it is imperative for consumers to do their due diligence and to verify the identity and legitimacy of an organization to which they want to give funds.
And in a nod to another hot zone of fraud, said Barnhardt: “Business email compromise is going through the roof.” He pointed to studies that show BEC is a multibillion-dollar business, measured annually, and said the movement toward work from home setups for any number of companies across any number of verticals can actually render firms vulnerable.
As he told Webster, the controllers at a firm who might normally sit next to each other at the office may be, for now, far-flung geographically. They might not be in as regular touch with one another as they might be otherwise — giving fraudsters a weak link to exploit as they seek to change payment instructions and siphon money from corporate coffers.
“The procedures might be relaxed a little bit,” said Barnhardt, “and believe me, the fraudsters know this.”
Now, more than ever, said Barnhardt, firms have to walk through the consumer lifecycle: validating identity at enrollment, payment, and as change events occur.
By closely monitoring the consumer lifecycle, he told Webster, firms can get better at catching fraud, while reducing false declines.
“This means the people that need these things are going to get them,” he told Webster, “and the fraudsters who are trying to exploit the system are not going to be successful.”