Cybercrime and online fraud: What’s in store for 2019?
It’s not surprising that online fraud is, and will continue to be, a major issue in e-Commerce. In 2018, global cybercrime totalled $1.5 billion. Online shopping continues to attract criminals, but as authorities increase regulations and payment service providers and merchants build up their defences, fraudsters will find new ways to conduct cybercrime.
False and misleading claims, negative option selling, affiliate fraud, and friendly fraud are some of the most common types of online fraud - and it is expected that these types of fraud will continue to dominate in the years to come. New types of fraud will include money laundering, tax fraud, and sanctions evasion fraud (like Mastercard’s MATCH-list). Fraud through cryptocurrency and recurring payments is also worth keeping an eye out for. On a positive note, ransomware fraud is steadily declining.
Fraudsters target financial institutions instead of small businesses
One of the big game changers in online fraud is Strong Customer Authentication - the last part of PSD2. This will come into effect by September 2019, which means that two-factor or multi-factor authentication becomes mandatory for most EU transactions over 30 Euro. This will make consumer fraud increasingly difficult for cybercriminals, as they will no longer be able to use stolen payment cards because they will have no way of providing the extra authentication factor.
This forces the fraudsters to find new victims - and in the future, they will aim their attacks at financial institutions. This typically involves long-term schemes where they build trust with the providers and then suddenly commit their fraudulent action. Although this is much more complicated and time-consuming for the fraudsters, they will also be able to get away with larger sums of money.
One way to cheat financial institutions is to engage in KYC (know your customer) fraud. Here’s an example: a fraudster opens an account with a payment provider and runs his business legitimately for a few months. However, the fraudster will only have bought a limited amount of stock. When the stock runs out, the scheme sets in. The fraudster will keep accepting orders (which he cannot and does not intend to fulfil). The fraudster then pretends to ship the goods and when he receives the money for the orders, he’ll withdraw the money and disappear. The payment provider is then left with the bill for the fraudster’s misconduct.
Cybercriminals are - much like everyone else - taking a great interest in cryptocurrencies. The massive value tied up in the virtual currency is, therefore, a target for new attempts at online fraud. The fraudsters mainly aim their attacks at virtual wallets and cyber-currency exchanges, where they will try to mine the cryptocurrency without the permission of the owner.
Fraudsters love crypto-mining since it’s easy to get started with, it’s hard to trace, and they can potentially keep a steady stream of income for a long period of time - mainly because it often takes victims a long time to realise that they are under attack.
A major issue is that this area is still very dynamic, constantly leaving regulation behind the market trends. Regulators are simply not able to make new legislation at the same pace as the crypto industry is developing. However, measures have already been taken as issuers are banning the purchase of cryptocurrencies using credit cards, but merchants must also do their part and take the necessary safety precautions when accepting cryptocurrencies, for example by asking for extra information, i.e. age and location, to verify the payer.
Another great source of online fraud is membership and subscription schemes. These can take many forms, for example, a trial with recurring billing, unclear information that the customer is agreeing to a subscription, or unreasonably long notice periods.
While Mastercard has done its part in battling this type of fraud by introducing a guide on deceptive marketing, it is the payment provider’s job to make sure that their merchants provide clear and visible terms of their products, services and, especially, subscriptions.
That is, online fraud is still on the rise and consumers, merchants, and financial service providers must be careful.
Money muling is a type of money laundering procedure that often involves innocent and unknowing victims. Fraudsters will hire a “money mule” - who most often does not know what they are part of.
The fraudsters lure people in with job posts or posts on social media, promising people quick and easy money. The “mule” will receive (illegal) money from the fraudster, withdraw it from their account, and then wire all or parts of the money to another account, typically overseas. The “mule” often keeps part of the money himself as his salary.
Money muling is typically used to whitewash illegal money obtained from phishing, payment card fraud, malware fraud, or other types of e-Commerce-related fraud.
What kind of effort do we need to make?
As cybercriminals adopt more technical and complicated ways of stealing, governments, financial institutions, and payment providers must seek new and more advanced methods of fighting fraud. There’s a clear call for more technical specialists with the skills and knowledge to make quick decisions when met with complex fraud patterns.
To stay on edge and be competitive in the market, payment institutions must develop sophisticated BI systems that can help them detect and fend off fraud. At Clearhaus, we developed such a system, Riskr, and it has already saved our merchants 2.3 million euros.
- Claus Methmann Christensen, Clearhaus CEO
However, all providers must also be careful not to harm consumers and merchants in their fraud-mitigation efforts. Online shopping should still be a smooth and easy process - both for consumers and online shops. Additionally, it is crucial that new fraud systems do not decline non-fraudulent transactions, as that will put a spoke in the wheel for e-Commerce.
Overall, we keep facing the same forms of fraud, but we’ll also face newer and more complex forms. The fight against online fraud is most likely one that cannot be won - but we can most definitely try to limit the fraudsters’ success.