Is US payments fraud becoming “too big to fight”?
Innovation in the US has brought about significant changes and advancements across various industries, but it has also paved the way for new avenues of fraudulent activities.
The Federal Trade Commission (FTC) reported that in 2020, consumers in the US collectively lost over $3.3 billion to fraud, with a significant portion attributed to payment-related scams. The prevalence of payments fraud in the US market underscores the urgency for effective countermeasures.
But combating fraud has become an ongoing challenge that requires constant vigilance; gone are the days when limited functionality was enough to deter fraudsters. Fraud attacks in one industry now spill over into others, forcing businesses to look for more advanced fraud solutions and to constantly reevaluate their risk strategies.
By analyzing prevalent fraud types, emerging trends and advancements in detection and prevention technologies, we can combat fraud and safeguard the integrity of the US payments ecosystem. To gain insights into the state of US payments fraud, we consulted one of our fraud experts, who sheds light on whether fraud might be becoming "too big to fight."
State of US payments fraud
Michael Taylor, senior manager of solutions engineering
What is the current state of payments fraud in the US market? Is it growing into a “too big to fight” problem?
Michael Taylor: Innovation in the US disrupts industries and changes lives, but it also introduces new ways for bad actors to conduct fraud. The way US consumers engage in commerce is constantly shifting, which makes staying ahead of fraud trends a full-time job. Gone are the days where a single-point solution is sufficient to keep fraudsters at bay; merchants are increasingly looking for comprehensive solutions to the nuanced and numerous types of attacks they experience. The rise of non-commerce payment companies (like Fintech and BNPL operators) also introduces new vectors of attack that didn’t exist ten years ago. This problem, however, only becomes “too big to fight” if we let it get that way.
The knowledge (or sensitive information) gained from one fraudulent activity can be utilized to exploit vulnerabilities in other sectors. So, it’s more important than ever to re-evaluate your risk strategy even if you don’t think you have a problem today.
What are the most common types of payments fraud that occur in the US market, and what are emerging trends you’re seeing? What can merchants do to protect themselves?
MT: First-party or friendly fraud continues to be a hot topic given the macroeconomic climate the world finds itself in today. A person who wouldn’t normally consider perpetrating fraud may be much more tempted to do so when the rest of their financial standing is deteriorating at a rapid pace. That’s why adoption of Visa’s Compelling Evidence 3.0 (CE 3.0) policy is going to be critical for merchant success in 2023. With CE 3.0, merchants can submit data from historical transactions to prove that a cardholder has conducted business with them in the past. So, if the same IP, account, email, shipping address or other data point matches with previously non-disputed purchases from the merchant, it's difficult for someone to claim their card was stolen.
How are payments fraud detection and prevention technologies evolving, and what are some key innovations worth highlighting?
MT: ID verification and validation technology is an incredibly exciting space to watch right now. It’s only recently become feasible to provide seamless verification in a way that’s scalable and effective.
Being able to leverage this kind of upstream intelligence will fundamentally alter the way that fraud managers conceive of their strategy—think of a neobank or money remitter using a built-in identity validation API from their payment service provider to influence the type of risk assessment conducted on a transaction. Of course, use of that data carries its own set of considerations, which is why compliance with things like PVID certification in France will be critically important for vendors who choose to offer this kind of service.
For some time, machine learning seemed to be all people wanted to hear about, thinking that rules-based systems were archaic or ineffective. However, that conversation is shifting back to understanding why using a hybrid ML/rules-based solution is more optimal to address increased sensitivity businesses have to turning away good customers. So, it’s more important than ever to ensure your good customers are able to convert without any friction. Fraud solutions today need to be able to provide dynamic outcomes based not only on the level of risk associated with accepting a transaction, but the level of risk associated with insulting a good customer. Frictionless 3D-Secure is a good example of this kind of lever, allowing a risk engine to put “mid-risk” transactions through a different pre-authorization workflow than high/low risk ones.
How do fraudsters typically operate in the US payments market, and what are some of the key tactics they use to evade detection?
MT: It sounds like you want me to tell you how to conduct fraud! Jokes aside, the social engineering component that goes into some fraud operations is truly jaw-dropping. Not long ago, fraudsters would buy a list of cards on a dark web forum and find an unsuspecting merchant that didn’t have proper card testing measures in place to see which ones were still good. It was very much a game of “move quickly and see how much we can get.” Fraudsters have become much more patient, in some cases conducting years-long infiltration operations into vulnerable populations to get access to the data needed to construct a synthetic identity or (worse) convince a good person to do something bad.
How do payments fraud risks vary across different payment channels, such as mobile payments, ecommerce, etc.?
MT: The harmonization of eCommerce and mCommerce (a term I have not seen used in several years) has brought a more unified approach to fraud management. Underlying payment method continues to be one of the most important factors to consider in building out a comprehensive fraud management solution. For example, cards, ACH, digital wallets and bank transfers all have different attack vectors and available attributes for screening. More so, each governing agency—be it card schemes, bank networks, government agencies, etc.—has its own set of rules about how a dispute can arise and any process for a merchant to fight said disputes.
As the card schemes move toward universal adoption of domain-bound payment credentials (i.e., network tokens), I expect we’ll see a short-term drop in “traditional” fraud attacks—like stolen card information—but unfortunately, a fast uptick in upstream fraud (i.e., account takeover).
Are fintechs and financial institutions collaborating to combat fraud? What may be some of the challenges they face in doing so?
MT: Nobody likes fraud (well, except fraudsters), but every player in the ecosystem has different exposure and tolerance to it. This makes cross-channel collaboration very difficult among unrelated parties, especially when incentives for each party may not be aligned—even in service of a noble goal like stopping fraud, the way that we choose to do it drives commercial decisions that have far-reaching impact. Organizations that have visibility into more of the ecosystem (from payment gateway to fraud engine to processing stack) are better positioned to make effective changes simply because they see the whole picture. The analogy I like to use here is checking the score of a football game after it’s over versus watching it. The person in the former scenario will know what the outcome was, but the person in the latter scenario will understand why the outcome happened.
What role do ML and AI play in detecting and preventing payments fraud, and how effective are these technologies today?
MT: Machine learning and AI have been at the core of fraud management for decades—their effectiveness depends on deployment and adaptation, but largely we’re at a point where the technology is commoditized. The main driver of value now is the relevance of the data powering the algorithms. I think what we’ll see next is a push into using AI to streamline workflows for fraud teams. Farming out the intermediate steps needed to manage a fraud strategy or work cases to an AI system that never sleeps and doesn’t mind working weekends means that teams can focus elsewhere. Strategy back-testing, automated champion/challenger evaluation, system-generated rules suggestions, and reports customized to stakeholders via AI are all things that fraud teams can use to make themselves more efficient.
How do payments fraud regulations in the US compare to those in other regions, and what impact do these regulations have on fraud prevention strategies?
MT: The biggest regulatory difference in the US as compared to other geographies is the lack of requirement for customer authentication. Merchants regulated by the SCA requirement from Europe’s PSD2 framework have largely used 3D-Secure to become compliant—this authentication scheme is still underutilized in the US. That means “business as usual” transactions in countries where 3D-S is encouraged (or required) contain additional data about the request compared to those in the US. Bear in mind, additional data will always help better refine a fraud strategy.
Do payments fraud risks vary across different industries and sectors in the US? If so, how?
MT: Massively. The breadth of the US economy means that there are almost no universal truths in commerce, which is doubly true when it comes to fraud. Luxury goods retailers tend to be incredibly sensitive to both customer insult (aka “false positive” results) and hard costs associated with fraud (luxury goods cost a lot to make). Compare that to digital goods retailers, who have minimal or negligible costs involved to provide a service to a single user—both businesses care about wildly different KPIs because of factors inherent to their operating models. That’s why it is important to ensure that your fraud management engine is robust AND flexible. As businesses continue to grow and pivot, the KPIs that matter today may not be relevant in the future.
How can businesses balance the need for strong fraud prevention measures with the need to provide a seamless and user-friendly payments experience for customers?
MT: Dynamic friction is a concept that’s discussed often in balancing customer experience and fraud risk. There’s not a “one size fits all” answer here—which is why it’s critical to spend time walking through customer journeys and possible attack vectors when making decisions about where to apply it. Risk profiles are key to ensuring that the level of friction applied to a specific customer is commensurate with how they’re interacting with the business. In years previous, fraud tools really only had “accept” and “reject” as possible outcomes. But now we’re seeing the need to have many different decision types in order to achieve the right (and effective) balance.
What advice do you have for businesses looking to improve their payment fraud prevention strategies in the US? What are best practices for staying ahead of evolving fraud tactics?
MT: Staying on top of the latest fraud trends involves substantial time sifting through numerous publications and literature released by various boards or councils; but is that truly where your focus should lie?
Running a business is really, REALLY hard! As a business operator, you need to focus on what matters most with the limited time you’ve got in a day. Making sure you partner with an organization that can take over the heavy lifting and come to the table with solutions customized to your unique needs is absolutely critical to stay ahead of fraudsters. If fraud is a never-ending cat-and-mouse game, you want to make sure your fraud team has a lion in the corner.
Time to rethink your fraud strategy
In today's rapidly evolving landscape of payments fraud in the US market, it is imperative for businesses to take proactive measures to combat this pervasive threat. The rise of innovative technologies and changing consumer behavior has opened new avenues for fraudsters to exploit vulnerabilities.
To navigate this complex landscape, it is crucial to partner with a trusted expert that has deep expertise in fraud prevention and cutting-edge technologies to provide tailored solutions that empower businesses to stay one step ahead of fraudsters.
At Checkout.com, we recognize that every industry and sector faces unique fraud risks. Our comprehensive fraud management engine is built to accommodate diverse business needs and adapt to evolving fraud tactics. With our proactive approach and continuous monitoring, businesses can safeguard their operations while delivering exceptional payment experiences to their customers.