Angie Dobbs of Wave Financial shares insights into merchant fraud and how identity theft, account takeover and cardless fraud can affect merchants in the post-pandemic world
The impact of COVID-19 on the small business economy has been severe. Being an entrepreneur was a risky venture before the pandemic. About 20% of small businesses failed in the first year to a 10-year failure rate of 70%. It’s too early to assess the full extent of the entrepreneurship pandemic, but a recent study confirmed that 55% of businesses on Yelp closed during this time. Coupled with unemployment at an all-time high impacting consumers’ ability to spend, it is more difficult than ever to start and run a successful business.
At Wave, we saw a significant influx of new customers after the pandemic for two main reasons. First, small business owners turned to new livelihoods and therefore had to set up new merchant accounts. Second, many abandoned their payment processors after strict deferral policies were put in place to offset the risk of increased chargeback rates that hurt their cash flow. This made legitimate traders more vulnerable to fraud and compromise as they became more and more desperate for business.
Trade fraud is becoming more complex as it evolves through digital channels. Obtaining various sources of stolen data about businesses and their owners is easier than ever, making it far too easy for scammers to create new merchant accounts for illicit profits. We have seen an elaborate trend combining different types of fraud and the patience of the fraudster. This overlay of stolen data makes it almost undetectable to automated systems and requires a close eye, solid onboarding controls, and strict underwriting practices to stop it.
The Trifecta fraud type
We coined this “take on business identity” at Wave because of the three main types of fraud involved. To do this, fraudsters need to orchestrate a targeted attack on a person and / or a company. This has many moving parts and requires patience to pull it off. Each case is a combination of the following types of fraud:
-
Identity theft
-
Account transfer fraud
-
Fraud without a card
1) Identity Theft
The identity of a small business owner is targeted. It is easier to make the payment account appear legitimate when impersonating an existing company than it is to create a fictitious one from scratch. You then already have a strong social media presence, often with positive reviews and a good online story.
2) Account fraud
In the most sophisticated cases, multiple financial, social, and email accounts owned by the actual business owner or employees are taken over by the fraudster, making the account appear more legitimate. This is usually done through phishing attacks on employees of the target company, which gives the scammer access to:
-
E-Mail: The company’s actual inbox can be taken over. However, if it doesn’t succeed, a new but seemingly tight email address is created that is easily overlooked.
-
Bank Account: Access to the company’s online banking credentials is extremely valuable. Alternatively, the scammer can open a brand new bank account on behalf of the business owner, employee, or business.
3) fraud without a card
Stolen card details are used to make online payments to the fraudulent merchant. Typically, you can see map data stolen from the same geographic area of the company.
The key to recognition
In order to detect this type of fraud, strict controls and a thorough takeover of the merchant and their customers are essential. You have to connect all the dots. With most of the data provided going back to the actual business owner, it is important that your analysts and systems pay attention to what does not match. If something is wrong, consider a secondary review. Nothing is foolproof and you need to balance operational capacity with fraud detection.
It may not be cost effective to make every effort to detect the registration fraud, as often the most influential data is found on the cardholders when the “merchant” begins to receive payments. It’s a judgment to balance operating capacity, fraud loss, and customer experience that needs to be aligned with your company’s priorities and risk appetite.
Ultimately, the goal is to waste the scammers’ time to the point where they’ll give up attacking your platform. This trend takes a lot of patience and time to catch on, which means it can be successfully slowed down by getting too boring and the scammer paying little off.
This editorial was published in Fraud Prevention in E-Commerce Report 2020/2021, the go-to place for securing transactions while providing a smooth customer journey.
About Angie Dobbs
Angie is Director, Fraud & Risk, responsible for protecting Wave’s customers and financial services, including its own payment, salary and debit card products. Angie holds a Masters Degree in Applied Mathematics and Statistics from the University of Guelph and takes a data-driven approach to risk detection.
About Wave Financial
Wave Financial’s award-winning software solutions help small business owners manage their finances. Wave offers bookkeeping, billing, payroll, banking and payment software and bookkeeping services all integrated into one comprehensive platform. Wave has received numerous awards for growth, innovation, and corporate culture, including Deloitte Fast 50, Deloitte North American Fast 500, KPMG Fintech 100, CB Insights Fintech 250, Canadian Innovation Awards (Financial Services), Canada’s Best Places to Work and more.
