Merchant threats and fraud trends

If it ain’t broke, don’t fix it. This seems to be the mantra of even the most determined criminal. After all, while a particular fraud or scam may be well-known in one country or industry, it may be relatively unknown elsewhere. And if an old modus operandi still works, why try harder?

Acquirers and payment service providers (PSPs) must battle both innovative and persistent crimes. Hence sharing threat intelligence and industry-wide collaboration are central to combating cybercrime.

Drawing on the recently published Europol Internet Organised Crime Threat Assessment 2018 (IOCTA) report, we round up five e-commerce threats and offer merchant underwriting and monitoring recommendations to counter them.

1. Cryptocurrency heists

The price of Bitcoin may have tumbled from a high of $19,000 in December 2017 to around $6,000 today. However, interest — both legitimate and criminal — in virtual currencies shows no sign of waning. More than 450 virtual coins were issued in 2017, raising $6.5 billion for early-stage companies worldwide. So far in 2018, there have been 900 ICOs, which have raised $21 billion, according to tracking website Coinschedule.

Criminals are targeting online cybercurrency exchanges and virtual wallets. Europol predicts that cryptojacking may well overtake ransomware as a future threat. Cryptojacking is any process that uses the processing power or bandwidth of a device to mine cryptocurrencies without the user’s permission.

Issuers worldwide are banning the purchase of cryptocurrencies on credit cards to limit their liabilities. Meanwhile on the acquiring side, Mastercard introduced merchant registration requirements effective October 2018. Acquirers must obtain copies of a licence and legal opinion to trade in every jurisdiction where the merchant offers services. Merchant must also implement effective controls e.g. age and location verification. This applies for new and existing cryptocurrency merchants.

Cryptocurrency is a dynamic area, trending high in the hype cycle. Regulators and regulation are always behind the market. So, if there was ever an area where caveat emptor applies (buyer, or in this case acquirer, beware), it would be cryptocurrencies.

2. Online child sexual abuse

The commercial sexual exploitation of children is an abhorrent crime. However, various characteristics of the internet have accelerated the creation, dissemination and monetisation of child abuse material.

There is growing use of anonymisation and encryption tools to evade detection. These include virtual private networks (VPNs), TOR and Darknet forums. Various social media applications also come with end-to-end encryption as a standard, enabling criminals without technical knowledge to easily communicate anonymously.

Internet coverage, broadband speeds and access to consumer devices are improving worldwide. As such, Europol reports that live streaming of online child sexual abuse is increasing. The benefits for the criminals are obvious: the material doesn’t need to be downloaded or locally stored and therefore leaves limited forensic traces.

As part of their underwriting processes, e-commerce acquirers and PSPs are recommended to identify all associated merchant domains, including affiliate and reseller networks. They should conduct websites content crawling, including member-only areas, to identify illegal, prohibited or brand-damaging content. Websites should be monitored for changing content. Naturally, cyber locker and adult entertainment merchants should undergo enhanced due diligence and monitoring. This helps mitigate the risks of acquiring payments for child abuse material, expressly prohibited by the card schemes.

3. Payment card fraud

Although many card data security compromises are cyber-enabled, criminals still target point-of-sale terminals through manipulation and acquisition, and physically attack ATMs.

Skimming remains a common issue in most EU countries, says Europol.

Criminals skim cards in tourist hotspots which are cashed out in non-EMV geographies. Fraud in the transportation sector continues with stolen or compromised cards being used to avoid paying motorway tolls and book airline flights.

Acquirers and PSPs are recommended to warn their merchants about the risks of terminal swap-out fraud. Brick-and-mortar merchants should be briefed to admit only scheduled maintenance staff, secure terminals and inspect them regularly. Acquirers must promptly upload card scheme ‘hot card’ files and set up transaction monitoring. Look out for simultaneous, multiple transactions, consecutive or excessive attempts using the same account number, high transaction decline rates and cascading transaction patterns.

4. Hidden high-risk

Certain types of merchant may not be identified or recognised as high-risk yet. Typically risks arise not from what merchants sell, but how they sell it. Nutraceuticals are a case in point.

The use of false and misleading claims, trials with recurring billing, negative option selling, friendly fraud and affiliate fraud overtrade in this sector. Mastercard has recently introduced new guidance around deceptive marketing. If a merchant’s sales and marketing practices violate applicable laws, transactions for legal goods and services may become illegal.

As to the goods/services themselves, transactions must be legal both in the buyer’s and seller’s country. Therefore, the cross-border nature of e-commerce increases acceptance risks for acquirers. Particular nutraceuticals may contain undeclared or unlicensed ingredients.

Binary options sites may operate without a licence and/or not undertake appropriate KYC/AML checks on customers. The card schemes have recently ruled that unlicensed and unregulated trading platforms for binary options, rolling spot forex, financial spread betting and contract for difference are considered gambling merchants and must be coded as such. This impacts acquirer risk assessment, management and pricing. And shows how hidden high-risk can become officially high-risk with the card schemes.

Enhanced due diligence during the underwriting stage is reasonable precaution for these types of merchants. Acquirers and PSPs are recommended to request and verify written legal opinions as to the legality of goods/services offered by the merchant in particular jurisdictions. Review the merchant’s website, conduct mystery shopping and review feedback on customer forums on an ongoing basis.

5. Cross-cutting fraud threats and trends

Deceptive marketing, transaction and money laundering cut across all acquirer portfolios. These threats do not depend on merchant category code (MCC). The unpleasant truth is that any merchant account can be used to cash out the proceeds of crime. This happens with and without merchant collusion, in the physical world and online.

Take aggregation, for example. Web Shield research has found that 17% of merchants don’t disclose all their websites to their acquirers. They simply create new websites or sell new products without informing their acquirer. This is non-compliant aggregation. Or they aggregate transactions from a different merchant or website under their own merchant account, without the knowledge or permission of their acquirer. This is illegal aggregation.

Underwriters are advised to really get under the skin of a merchant’s business. Who owns it and what is their background and experience? What are they selling, to whom, how and where? Include clauses in the merchant agreement requiring merchants to advise you of any changes in their business. And that they ensure that contracts they sign with third party agents also include such clauses. Beyond that, monitor, monitor and monitor.

In summary

Criminals often use tried and true methodologies. But they also know that they must innovate. New fraud schemes are emerging all the time as well as subtle variations to existing frauds.

Acquirers and PSPs must battle crimes both old and new, cyber-dependent and cyber-enabled. The merchant threats and fraud trends in 2018/19 are a mixture of the above. Keeping up-to-date with the threatscape is at least half the battle. When it comes to managing risk, ignorance is definitely not bliss.