The pandemic pivot to digital banking, shopping and other services was an important health measure, but it also created opportunities for organized fraudsters to grow their “business” and expand their offerings to include fraud as a service (FaaS). FaaS takes many forms, all with the goal of making fraud easier for experienced and novice criminals alike. Here’s what merchants need to know about this trend and how to prevent FaaS attacks.
How Fraud as a Service Works
FaaS has two main components: bots and brand impersonation. Neither tactic is new. Fraudsters have used bots for card-testing attacks for years, and brand impersonation is a classic pattern for phishing credentials and payment data.
Now, however, fraudulent “service providers” are taking things a step further. Criminals can rent inexpensive botnets to launch large-scale fraud campaigns against websites and to phish victims. Stolen credentials alone are often not enough, though: two-factor authentication (2FA) can stop thieves from breaking into accounts even when they hold the victim’s password. SIM swapping is one way around 2FA, but it is time consuming and requires planning. So criminals now offer OTP (one-time password) bot services. The fraudster plugs in the victim’s name and preferred financial institution or store, and the bot does the rest: it contacts the victim posing as that institution and phishes the one-time password out of them so the scammer can take control of the account, all for as little as 15 cents per bot call. Note that the bot does not break the OTP mechanism; it obtains the genuine code from the victim, which is why any code a user can read aloud (SMS, email or authenticator app) is exposed, while phishing-resistant factors such as FIDO2 security keys or passkeys, which have no code to relay, are not.
Detection and Prevention of Fraud as a Service Attacks
Best practices that protect businesses against fraud are more important than ever. Now is a good time to make sure your organization’s anti-fraud program includes these elements:
1. Limit data entry attempts and speed: One of the telltale signs of a bot attack is how fast it moves. Bots can load carts, pay and place orders far faster than any human. They can also enter one password or one-time code after another until they hit a match.
If your website lets customers make unlimited attempts to enter their data, capping the number of failed attempts before the account (or the source) is locked out protects your store from bots. With a six-digit one-time code and unlimited tries, a bot will eventually guess the code; with a limit of a handful of attempts per code, a successful guess becomes vanishingly unlikely. Keep lockouts short or use progressive delays and step-up challenges, because a hard lockout keyed only on the account lets an attacker lock real customers out on purpose. Likewise, flagging orders for speed helps separate busy shoppers re-ordering familiar items from botnets programmed to pick up as many items as possible, as quickly as possible.
2. Filter each order: Billions of compromised credentials are available to fraudsters, FaaS scams are harvesting more of them, and FaaS bots can use those credentials to take over accounts at scale. Businesses can therefore no longer assume that returning customers are who they appear to be.
This means it is no longer safe to automatically approve orders from known customers. Each order should be screened on its payment data as well as on device, geolocation and behavioral biometrics (typing cadence, navigation patterns and the like) to confirm the customer or flag the order as possible account takeover fraud.
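As an added example (not code from the original article or from ClearSale), here is how items 1 and 2 can be implemented together: a sliding-window limiter on failed one-time-code attempts that refuses even a correct code once the limit is hit, plus an order screen that flags cart-to-payment speed, per-account order velocity, and a known customer appearing on an unseen device from an unseen country. The thresholds, customer profiles and sample orders are all constructed for the demonstration.

```python
"""Added example: failed-attempt limiting for OTP codes plus order velocity and
returning-customer screening over constructed events. Thresholds are hypothetical."""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_OTP_ATTEMPTS = 5          # 6-digit OTP: 5 guesses succeed with probability 5/10^6
OTP_WINDOW_SECONDS = 300      # failures older than this no longer count
MAX_ORDERS_PER_MINUTE = 3     # hypothetical per-account order velocity ceiling
MIN_CART_TO_PAY_SECONDS = 15  # hypothetical: a human rarely pays this fast


class AttemptLimiter:
    """Sliding-window count of failed attempts per key (account id, source IP, ...)."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key, now):
        return len(self._prune(key, now)) < self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def verify_otp(limiter, account, submitted, expected, now):
    """Return 'locked', 'ok' or 'wrong'. The lockout check runs before the code is
    compared, so a bot that finally guesses right after the limit still gets 'locked'."""
    if not limiter.allow(account, now):
        return "locked"
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        limiter.reset(account)
        return "ok"
    limiter.record_failure(account, now)
    return "wrong"


def simulate_otp_bot(guesses, expected="123456", account="alice", start=0.0):
    """Replay a bot's rapid-fire guesses (one every 100 ms) and return each outcome."""
    limiter = AttemptLimiter(MAX_OTP_ATTEMPTS, OTP_WINDOW_SECONDS)
    return [verify_otp(limiter, account, g, expected, start + i * 0.1)
            for i, g in enumerate(guesses)]


@dataclass
class Order:
    order_id: str
    account: str
    cart_created: float   # epoch seconds when the cart was started
    paid_at: float        # epoch seconds when payment was submitted
    device_id: str
    country: str


# Constructed profiles: devices and countries seen on earlier good orders.
KNOWN_CUSTOMERS = {
    "alice": {"devices": {"dev-a1"}, "countries": {"US"}},
    "bob": {"devices": {"dev-b1", "dev-b2"}, "countries": {"US", "CA"}},
}


def screen_orders(orders):
    """Return {order_id: [reasons]} for orders needing review. Known customers are
    screened too: a familiar account on an unseen device from an unseen country
    is the shape of an account takeover, not a trusted repeat purchase."""
    flags = defaultdict(list)
    recent_by_account = defaultdict(deque)
    for o in sorted(orders, key=lambda o: o.paid_at):
        if o.paid_at - o.cart_created < MIN_CART_TO_PAY_SECONDS:
            flags[o.order_id].append("cart-to-payment too fast")
        recent = recent_by_account[o.account]
        while recent and o.paid_at - recent[0] > 60:
            recent.popleft()
        recent.append(o.paid_at)
        if len(recent) > MAX_ORDERS_PER_MINUTE:
            flags[o.order_id].append("order velocity")
        profile = KNOWN_CUSTOMERS.get(o.account)
        if profile and o.device_id not in profile["devices"] \
                and o.country not in profile["countries"]:
            flags[o.order_id].append("known account on new device and new country")
    return dict(flags)


# Constructed sample: one normal reorder, one takeover-shaped order, one bot burst.
SAMPLE_ORDERS = [
    Order("o1", "alice", 1000.0, 1090.0, "dev-a1", "US"),
    Order("o2", "alice", 2000.0, 2003.0, "dev-zz", "BR"),
    Order("o3", "bob", 3000.0, 3004.0, "dev-b1", "US"),
    Order("o4", "bob", 3010.0, 3014.0, "dev-b1", "US"),
    Order("o5", "bob", 3020.0, 3024.0, "dev-b1", "US"),
    Order("o6", "bob", 3030.0, 3034.0, "dev-b1", "US"),
]

if __name__ == "__main__":
    print(simulate_otp_bot(["000000"] * 5 + ["123456"]))
    for oid, reasons in screen_orders(SAMPLE_ORDERS).items():
        print(oid, reasons)
```

Keying the limiter only on the account is the simplest form and is what the sample shows; in production add a second limiter keyed on source IP or device fingerprint and prefer short lockouts or progressive delays, so that an attacker replaying wrong codes cannot lock a real customer out indefinitely.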
3. Run batch scans to detect fraud at scale: Bot rentals and compromised credentials let fraudsters get creative in their attacks on businesses. For example, a gang might hit an online store with a series of orders that appear to come from different customers using different payment methods. Evaluated one at a time, each of these orders can pass the fraud detection solution’s checks and be approved.
However, if the merchant also pulls batches of approved orders and analyzes them as a group, the anti-fraud solution may find patterns that indicate criminal activity. Maybe the flurry of orders from different customers all shipped to the same address. Or maybe all the cards used to pay share the same bank identification number (BIN), suggesting that the customers may be synthetic identities. A shared BIN on its own is weak evidence, since a large issuer’s BIN appears in plenty of legitimate traffic, so treat it as a signal to combine with timing and address rather than as proof. Batch analysis can surface these links so that fraudulent orders are canceled before the items ship.
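The batch analysis described above, as an added example that is not part of the original article: orders that each passed single-order screening are grouped by normalized shipping address and by card BIN, and any group with three or more distinct customers inside an hour is reported. The orders, the thresholds and the address abbreviation table are constructed for the demonstration.

```python
"""Added example: batch analysis of orders that each passed single-order screening.
Orders are grouped by normalized ship-to address and by card BIN; a group of several
distinct customers inside a short time window is reported for cancellation review.
Sample orders are constructed; thresholds are hypothetical."""
import re
from collections import defaultdict

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "apartment": "apt", "suite": "ste"}


def normalize_address(addr):
    """Lower-case, strip punctuation, collapse whitespace and unify common
    abbreviations so '12 Elm St.' and '12 elm street' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def card_bin(pan):
    """Issuer prefix of a card number (first six digits here; newer IINs use eight)."""
    return re.sub(r"\D", "", pan)[:6]


def find_clusters(orders, min_customers=3, window_seconds=3600):
    """Return clusters of orders from >= min_customers distinct customers that share
    a ship-to address or a card BIN and were all placed within window_seconds."""
    keyed = (("ship_to", lambda o: normalize_address(o["ship_to"])),
             ("bin", lambda o: card_bin(o["card"])))
    clusters = []
    for signal, key_fn in keyed:
        groups = defaultdict(list)
        for o in orders:
            groups[key_fn(o)].append(o)
        for key, members in groups.items():
            customers = {o["customer"] for o in members}
            span = max(o["ts"] for o in members) - min(o["ts"] for o in members)
            if len(customers) >= min_customers and span <= window_seconds:
                clusters.append({"signal": signal, "key": key,
                                 "orders": sorted(o["order_id"] for o in members)})
    return clusters


def cancel_candidates(orders, **kw):
    """Order ids that belong to any reported cluster."""
    return {oid for c in find_clusters(orders, **kw) for oid in c["orders"]}


# Constructed batch of approved orders (card numbers are well-known test numbers).
APPROVED_ORDERS = [
    # Four "different" customers, four cards, one address written four ways.
    {"order_id": "o1", "customer": "c1", "card": "4111 1111 1111 1111",
     "ship_to": "12 Elm St., Springfield", "ts": 0},
    {"order_id": "o2", "customer": "c2", "card": "5500 0000 0000 0004",
     "ship_to": "12 Elm Street, Springfield", "ts": 600},
    {"order_id": "o3", "customer": "c3", "card": "3400 0000 0000 009",
     "ship_to": "12 elm st springfield", "ts": 1200},
    {"order_id": "o4", "customer": "c4", "card": "6011 0000 0000 0004",
     "ship_to": "12 ELM ST SPRINGFIELD", "ts": 1500},
    # Three customers, three addresses, cards from one BIN within twenty minutes.
    {"order_id": "o5", "customer": "c5", "card": "6011 1234 0000 0001",
     "ship_to": "7 Oak Ave, Shelbyville", "ts": 5000},
    {"order_id": "o6", "customer": "c6", "card": "6011 1234 0000 0002",
     "ship_to": "9 Pine Rd, Shelbyville", "ts": 5300},
    {"order_id": "o7", "customer": "c7", "card": "6011 1234 0000 0003",
     "ship_to": "3 Birch Ln, Capital City", "ts": 6100},
    # One customer reordering to the same address: not a cluster.
    {"order_id": "o8", "customer": "c8", "card": "4242 4242 4242 4242",
     "ship_to": "1 Main St, Ogdenville", "ts": 7000},
    {"order_id": "o9", "customer": "c8", "card": "4242 4242 4242 4242",
     "ship_to": "1 Main St, Ogdenville", "ts": 9000},
]

if __name__ == "__main__":
    for cluster in find_clusters(APPROVED_ORDERS):
        print(cluster)
    print("hold before shipping:", sorted(cancel_candidates(APPROVED_ORDERS)))
```

A shared address is the stronger of the two signals. Many legitimate customers share a large issuer’s BIN, so in practice set the BIN threshold from that BIN’s normal share of your traffic, and treat a BIN that rarely appears and suddenly shows up several times, or one that coincides with a shared address, as the actionable case.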
4. Avoid automatic rejections: Stopping fraud only saves a business money if it does not also prevent good customers from completing their orders and coming back for repeat purchases. Automatic rejections may look like a way to save time and money on decision-making, but this approach usually produces a high rate of false declines. A recent ClearSale survey of online shoppers across five countries found that 40% will never return to a website that declines their order, which represents a large share of lost customer lifetime value.
5. Use manual review: The alternative to automatic declines is manual review by fraud specialists, who can tell fraud apart from unusual but legitimate customer behavior. Manually reviewing flagged orders costs more up front than automatically declining them, but the return includes more approved orders and less churn from customers turned away by false declines.
6. Train your ML continuously: The outcomes of manual review can and should be fed back into the machine learning models of the automated fraud solution. This helps the models better detect sophisticated fraud as well as customer behavior that is unusual but not fraudulent, which over time reduces the number of flagged orders and the need for manual review.
7. Watch for brand mentions: FaaS operations often impersonate brands to trick consumers into handing over their credentials and even passcodes. Every business needs to keep tabs on social media accounts, websites, email campaigns and even SMS campaigns that impersonate its brand. Depending on the channel, a business can report impostors to the platform, the web host, the domain registrar or the Federal Communications Commission, and alert customers that a scam is operating under the company’s name.
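For the website side of item 7, here is an added example (not from the original article) of a lookalike-domain check that can be run over a feed of newly seen domains, such as certificate transparency log entries or new-registration lists: it flags the brand label under another TLD, ASCII homoglyphs such as “rn” for “m”, accented IDN spoofs, one-character typos, the brand embedded in a longer label, and the brand used as a subdomain of an unrelated domain. The brand “examplebank.com”, the homoglyph table and the candidate domains are all hypothetical.

```python
"""Added example: flag registered domains that look like a brand's own domain
(typos, homoglyphs, IDN spoofs, brand-as-subdomain, brand plus extra words).
The brand 'examplebank.com' is hypothetical."""
import unicodedata

BRAND_LABEL = "examplebank"   # hypothetical brand
BRAND_TLD = "com"

# ASCII look-alike sequences commonly used in impersonation domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def decode_idn(label):
    """Turn a punycode label ('xn--...') back into Unicode; ASCII labels pass through."""
    return label.encode("ascii").decode("idna") if label.startswith("xn--") else label


def fold(label):
    """Normalize a label for comparison: strip accents (NFKD, drop non-ASCII),
    lower-case, swap ASCII homoglyph sequences, drop hyphens. Confusables from other
    scripts (e.g. Cyrillic) need a Unicode TR39 table; here they are simply dropped."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, repl in HOMOGLYPHS.items():
        s = s.replace(seq, repl)
    return s.replace("-", "")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain, brand_label=BRAND_LABEL, brand_tld=BRAND_TLD):
    """Return the reasons a domain resembles the brand's; [] means no match
    (including the brand's own domain and its subdomains). Assumes a one-label TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []
    tld, registrable, subdomains = labels[-1], labels[-2], labels[:-2]
    if registrable == brand_label and tld == brand_tld:
        return []
    reasons = []
    if any(fold(decode_idn(s)) == brand_label for s in subdomains):
        reasons.append("brand name used as a subdomain of another domain")
    folded = fold(decode_idn(registrable))
    if registrable == brand_label:
        reasons.append("brand label registered under another TLD")
    elif folded == brand_label:
        reasons.append("homoglyph or IDN spoof of brand label")
    elif levenshtein(folded, brand_label) == 1:
        reasons.append("one-character typo of brand label")
    elif brand_label in folded:
        reasons.append("brand label embedded with extra words")
    return reasons


def scan(domains):
    """Map each suspicious domain to its reasons; clean domains are omitted."""
    report = {}
    for d in domains:
        reasons = lookalike_reasons(d)
        if reasons:
            report[d] = reasons
    return report


# Constructed candidates, as they might arrive from a new-domain feed.
CANDIDATES = [
    "login.examplebank.com",                    # the brand's own subdomain: clean
    "examplebank.net",
    "examp1ebank.com",
    "exarnplebank.com",
    "examplbank.com",
    "examplebank-login.com",
    "examplebank.com.secure-login.net",
    "exämplebank".encode("idna").decode("ascii") + ".com",   # punycode IDN spoof
    "unrelatedshop.com",
]

if __name__ == "__main__":
    for domain, reasons in scan(CANDIDATES).items():
        print(domain, "->", "; ".join(reasons))
```

A hit is a lead, not a verdict: check whether the domain resolves, serves a login page or has a certificate before escalating to a takedown request with the registrar or host.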
FaaS shows how fraud keeps evolving and how the technologies that make life easier for customers also make fraud easier for criminals. By understanding how FaaS works and following the best practices above, your business can help protect its customers, revenue and brand reputation.