Technology
3DS is a security protocol used to authenticate users. The objective of 3DS is to provide an extra layer of protection for payment card transactions in card-not-present scenarios.
Artificial intelligence (AI) is wide-ranging branch of computer science concerned with building smart machines capable of performing tasks that typically require human intelligence. Machine learning is a subset of Artificial Intelligence.
AVS stands for Address Verification Service. AVS is one of the most widely used fraud prevention tools in card-not-present transactions. The way AVS works is it compares the numerical portion of the billing address on file at the bank with the numerical portion of the billing address provided by the customer. Due to inconsistencies in numerical address formatting, AVS results in a large number of false-positives.
Behavioral biometrics is the analysis of how an individual interacts with a given device, whether that be a desktop browser, mobile browser or a mobile app. Behavioral biometrics include interactions such as keystrokes, scrolling patterns, tap pressure and many more.
CVV stands for Card Verification Value. CVV is a combination of features used in credit, debit and automated teller machine (ATM) cards for the purpose of establishing the owner's identity and minimizing the risk of fraud. It often appears as a 3 digit code on the back of credit and debit cards. CVV is also known as the card verification code (CVC) or card security code (CSC).
Device ID refers to a group of unique identifiers that a specific device contains. One of the primary signals is a DI Print (Device Fingerprint). These unique identifiers can be used to link fraud amongst different devices and are valuable within a consortium of data.
IP & Geolocation is the utilization of an IP address, along with other device signals, to determine geographical location.
Physical Biometrics is the use of distinctive, measurable physiological characteristics to verify an individual’s identity. Physical biometrics includes techniques such as retinal scans, fingerprints and voice prints.
Machine learning is a subset of artificial intelligence. Machine learning has the capacity to learn over time without being explicitly programmed. It can ingest a large amount of data and detect patterns and anomalies at scale. Supervised machine learning models are trained on a set of labels, while unsupervised machine learning does not require labeled data.
Rules are algorithms that use specific attributes and parameters. A rules engine allows for the creation and management of these fraud rules in order to make risk decisions and/or generate a risk score. While not self-learning in nature, analysts can test, modify and improve rule performance.
Risk-based authentication is the process of assessing user trust and access based on varying levels of risk-based analysis. Risk-based authentication can leverage analysis in a variety of forms such as behavioral profiling on multiple data inputs. The output of risk-based analysis could be approving, declining or step-ing up authentication to a different form of verification.
Fraud, Abuse & Risk Types
Account Takeovers are the unauthorized access of a user’s account in order to steal identity credentials, execute a fraudulent transaction or engage in varying types of abuse.
Application fraud is the unauthorized opening of a new account leveraging compromised identity information. This can be for a variety of accounts, including credit cards, retail bank accounts, consumer lending and much more.
Authorized push payment fraud occurs when a fraudster manipulates a genuine customer into making a payment to an account they control. There are a variety of types of authorized push payment fraud, including romance scams, invoice scams and a handful of others.
Affiliate fraud refers to any false or unscrupulous activity conducted to generate commissions from an affiliate marketing program. Affiliate fraud also encompasses any activities that are explicitly forbidden under the terms and conditions of an affiliate marketing program.
Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.
Call center fraud is the process of exploiting call centers as a channel in which to launch fraud attacks, spanning varying forms of fraud and abuse. Account takeover is a common fraud type associated with call center fraud.
Card Fraud is one of the most commonly referenced fraud definitions. It occurs when a fraudster uses a card (debit or credit) to make a purchase without the authorization of the cardholder. Card fraud can occur in-person or through digital channels.
Card-not-present-fraud is fraud that occurs through any channel in which the customer does not have to present the physical credit card to the merchant. Card-not-present fraud includes fraud placed through a mobile device, online, over the phone and through the mail.
Check fraud encompasses several tactics in which fraudsters use paper checks or digital checks to defraud a target’s account.
Counterfeiting is defined as the planned attempt to duplicate a real and authentic article such as a symbol, trademark or even money with the purpose to distort and convince the purchaser or the recipient to believe that he or she is really purchasing or receiving the real article itself. In the ecommerce and financial services industry, this often refers to counterfeit cards and checks.
Crypto Scam or cryptocurrency scam is a type of investment fraud where criminals steal money from people hoping to invest in the new world of digital currency.
Most crypto assets and associated services aren’t regulated by the Financial Conduct Authority (FCA) for more than money-laundering purposes, which means they’re not protected by the Financial Services Compensation Scheme.
Device Takeover is the unauthorized access to a user’s device in order to manually or automatically control the device and its apps. Devices can become fully compromised when the user installs an innocent looking app that contains malware, or by installing a Remote Access Tool (RAT). Once the device is taken over, attackers can engage in various types of abuse, including credentials theft, acquiring 2FA tokens using screen/keystroke capturing, or executing a fraudulent transaction.
First party fraud refers to fraud committed against an institution by one of its own customers. First party fraud can extend from transaction fraud to application fraud with the core element being the actual customer engaging in the fraudulent activity.
Fraud Farms or click farms are groups that work on fraud attacks at scale. Normally they have limited resources used for large-scale fraud schemes and they get paid by carrying out the same action several times.
Friendly fraud is a type of first party fraud. Friendly fraud can take many forms, but typically involves an actual consumer obtaining goods or services from a merchant, then claiming they did not make the purchase, did not receive the goods, or only received a fraction of items, in order to keep the goods or services without paying for them.
Hybrid fraud is a generic term for sophisticated fraud that is based on the combination of two or more fraud variants.
A job scam occurs when a scammer poses as an employer or recruiter, and offers attractive employment opportunities, which require the job seeker to pay some money in advance. This is usually under the guise of work visas, travel expenses or credit checks that are required for the job. The scammer promises you a job, but what they want is your money and your personal information.
Insurance fraud is any act committed to defraud an insurance process and/or institution. Insurance fraud occurs when a claimant attempts to obtain some benefit or advantage they are not entitled to, or when an insurer knowingly denies some benefit that is due.
Internal fraud occurs when an employee/internal representative dishonestly makes false representation, wrongfully fails to disclose information, abuses a position of trust for personal gain, or causes loss to others. Internal fraud can range from compromising customer or payroll data to inflating expenses to straightforward theft.
Investment fraud involves the illegal sale or purported sale of financial instruments. The typical investment fraud schemes are characterized by offers of low- or no-risk investments, guaranteed returns, overly-consistent returns, complex strategies, or unregistered securities. Examples of investment fraud include advance fee fraud, Ponzi schemes, pyramid schemes, and market manipulation fraud.
They are bogus invoices generated by cyber crooks all to separate you from your personal information or money. First type of fake invoice scam is the click bait. The email seemingly has an invoice attached. But when you click on it, malware is downloaded onto your system and this can lead to ID theft.
Money mules are a type of money laundering where a person transfers illicit funds through a medium (such as a bank account) to obfuscate where the money came from. There are different types of money mules including witting, unwitting, and complicit.
Money laundering is the illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. Money laundering can be done through various mediums, leveraging a variety of payment vehicles, people and institutions.
Loyalty abuse occurs when someone abuses the loyalty program terms of service (TOS) to obtain significant discounts or sell for a profit. This evolves into Loyalty Fraud when a fraudsters takes over an account to steal loyalty points and sell them/use them for profit.
Online shopping scams happen when scammers pretend to be online sellers with a fake website. They can also use a genuine retailer name on their accounts. They offer, in general, brands and luxurious products with cheaper prices and the buyer after paying never gets the purchase delivered.
Payment fraud occurs when someone steals another person's payment information and uses it to make unauthorized transactions or purchases. The actual cardholder or owner of the payment information then notices their account being used for transactions or purchases they did not authorize, and raises a dispute.
The fraud definitions for payment fraud are confusing unless you specify "non-plastic". Payment Fraud (non-plastic) refers to payments made outside of card networks, via payments rails that send funds from one bank account to another. When making this type of payment, fraud occurs when a payments is sent to an account that the fraudster controls. Payment fraud can be unauthorized, which is commonly executed as an account takeover. Payment fraud can also be authorized, which is commonly executed through authorized push payment fraud (scams).
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Promo abuse is the abuse of promotional offers by circumventing the terms of service (TOS) in order to obtain significant discounts.
Ransomware is malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, these malware place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files.
Refund fraud occurs when bad actors take advantage of a merchant’s return policy in order to profit or get goods for free. Refunding fraud is a twist on friendly fraud that is particularly challenging for merchants because there are no associated chargebacks, yes the losses are significant.
Reseller abuse includes purchasing large quantities of products in an effort to resell the items for a profit. While reselling is a common practice, abuse can damage a client’s brand, deplete product availability for other customers, and violate terms of service (TOS).
A romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to get the victim to send money to the scammer under false pretenses or to commit fraud against the victim.
Social engineering is the psychological manipulation of another person by preying on emotions and vulnerabilities in order to extract information or convince he/she to take a desired action. Social engineering can be the initial layer of other fraud types such as account takeovers and authorized push payment fraud (scams).
Is the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.
Telephone Oriented Attack Delivery is an initial access tactic where fraudsters mimic a bank (or other known institute) and convince the victim to install a Remote Access Tool (RAT) or app that contains malware. At a later stage, the now fully compromised user device can be used by the attacker to commit Device Takeover (DTO) fraud or Identity fraud.
Third party fraud is when a fraudster leverages stolen information (PII, payment, etc.) to commit fraud (application, payment, card, etc) without the authorization of the owner of that information.
Transaction fraud is the unauthorized execution of any monetary transaction. Transaction fraud can include different payment types including cards (debit and credit), non-plastic forms of payment (ACH, Zelle, Wire, Faster Payments, etc.) and other payment methods.
Miscellaneous
Authentication is a process that determines or recognizes an user's identity. It's a technology focused on bringing accurate information about people's identity in order to confirm that the right person is trying to access a system, website, software, etc.
A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.
Cyber fraud is the crime committed via a computer with the intent to corrupt another individual's personal and financial information stored online. Fraudsters can use the information which they gather to then financially fund themselves, or worryingly they might use this money to fund terrorism.
Chargebacks are a forced payment reversal process where consumers can contact their bank and dispute a transaction for a refund. Banks typically review the transaction and issue provisional credit in the consumer’s favor.
Computer security, cybersecurity, or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
A fraudster is someone who commits fraud and/or abuse, often to achieve monetary gain. Fraudster is often a blanket term used to refer to many different types of fraud, money laundering and nefarious activity committed by criminals.
An organizational structure that bridges cybersecurity, threat intelligence, and fraud prevention. This blended environment allows cyber and fraud professionals to work together and create effective detection, prevention, and response to fraud activity, and shift the focus from reactive to proactive mitigation.
The know your customer or know your client guidelines in financial services require that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship. The procedures fit within the broader scope of a bank's anti-money laundering policy.
These are websites or URLs that fraudster creates to induce users to visit and input personal information. Usually the websites are very similar to the original URLs.
PSD2 is an EU Directive, administered by the European Commission to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). Two of the large focuses of PSD2 center around open banking and SCA (Stronger Customer Authentication).
Scammers can come in many forms, but their main purpose is to gain the trust of someone in order to convince them to take a desired action. This can include clicking on links, divulging sensitive information or sending a payment to an account they control.
SCA is a requirement of PSD2 on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.
The Ultimate Beneficial Owner, shortly known as UBO, defines the company's beneficiary's legal entity. According to the regulator, banks, investment, insurance, and other financial companies must disclose the UBO for various reasons. One of the reasons for this is to prevent serious crimes such as money laundering and terrorist financing. The lack of disclosure of UBOs paves the way for people to launder money through companies. Therefore, countries should pay attention to UBO in the fight against money laundering and terrorist financing.