The world around us in the past year has undergone a paradigm shift due to the COVID-19 pandemic. Digital transformation has become an active growth driver for businesses across sizes. In fact, business owners soon came to the conclusion that going online is now an inevitable route for the development and maintenance of their company’s position in the market.
The flip side of this rapid shift towards digitization was the unearthing of various loopholes that became breeding grounds for fraudsters to tamper and take advantage of vulnerable businesses and consumers. Today, there are a number of developing countries that are witnessing a surge in new types of frauds every day, especially the ones targeting digital financial channels to gather personal data.
Let’s have a look at some common types of fraud prevalent today and what businesses can do to navigate through them with minimal to no loss.
Threat 1: Increased use of randomizers
One of the fastest-growing types of online fraud is the use of special software also known as Randomizers. Such toxic software obstructs a device’s digital profile technology and presents the same device, which the fraudster uses to apply for a loan as a new one each time.
Thus, a fraudster can take a loan from the same device an unlimited number of times, changing only the borrower’s data, while the financial institution’s security system will accept each scammer’s application as a new borrower’s application. This so-called multi-accounting is common in fintech, gambling, dating, and tourism.
How to deal with it?
A set of technologies and algorithms for detecting various kinds of device anomalies will help to cope with randomizers – this will allow one to identify new high-risk devices and filter them out at the early stages of the credit pipeline.
Moreover, a stack of technologies of device authentication which usually are stable to various manipulations with internet connection parameters will make it possible to identify devices used by professional fraudsters and organized hackers groups.
Threat 2: Leakage of Personal Data
One of the most sensitive types of attacks is the leakage of a customers’ personal data. The use of personal data seems to be convenient and often does not require high-qualified personnel, while the lack of reliability of IT systems and organizational procedures for storing and processing personal data can lead to a leak of information and cause reputation damage and financial losses to both data subjects and the operator. Once a fraudster gets personal clients’ data, he can apply for a loan under a false name or register an account in a social network. A fraudster can use not only direct customer identifiers, such as full name, date of birth, registration address, and place of residence or card number but also email, place of employment, or education data. Based on our experience, on average, the risk of financial losses caused by massive personal data breach attacks can be twice as dangerous as a regular attack.
How to deal with it?
One of the best ways to deal with the consequences of such incidents is the wider use of alternative user data in the decision-making system. Such data, on the one hand, has sufficient information value, and on the other hand, in case of a data breach no serious damage will be caused to anyone: such data is simply useless for fraudsters.
An attempt to tamper with a digital device fingerprint or some other markers of risky behavior already indicates a high risk of an applicant and online lenders don’t have to verify applicant’s data on other services to score it.
Threat 3: Brute force attacks
A herd of buffalo can only move as fast as the slowest buffalo. Fraudsters are constantly looking for the financial institutions’ security system or applications’ screening systems vulnerabilities as well as so-called “zero-days”. Let’s think of the DDoS attacks, familiar to anyone related to online lending. A cybercriminal overloads the incoming channel with an enormous number of applications in a short period of time until the system breaks down or the security tools kick in, cutting off the source of the threat on one or several IP addresses.
When we talk about fraudulent brute force attacks, it becomes more complicated. Such an attack is launched from a big number of devices that have an individual IP address and some supporting data preventing them from being cut off by conventional security tools in one operation.
Unable to cope with the flow of information, an automatic system that filters out high-risk applications “freezes” or completely breaks down and the flow directed by the scammers’ computers either gets a “green light” and the company issues a lot of loans that no one is going to return, or the system sends the received requests to the operators, which will cause a general slowdown in the company’s work and will also lead to additional costs.
How to deal with it?
Successful online lending is based on three components: data, technology, and team. The data includes various sources that are used to assess the risk. For example, it will be very useful to get statistics on the number of requests from the same device and/or IP address, as well as to learn how to detect the evidence of data manipulation in different applications from one device.
Technologies include methods for collecting and processing data, building various models, filters, and rules, as well as building risk metrics for online traffic based on data collected. The team, which includes risk managers, anti-fraud specialists, and other experts, who use various tools for analyzing risks, can quickly make changes to the decision-making system if some risk metrics go into the “red zone”. A risk metrics monitoring system allows to reduces the risk of various anomalies in application flow significantly.
Threat 4: Holiday fraud
The holiday fraud usually takes place just before the major holidays, online business owners face it every year. New Year, Durga Puja, Holi – whenever shopping activity is growing, online companies have to keep a subtle balance to provide the clients with the opportunity to use financial products online via web and mobile apps and at the same time take efficient risk prevention measures. In high season, the number of applications grows at least 1.5 times, according to our experience.
The main risk that fintech companies usually face during this period is a sharp increase in the flow of fraudulent applications. The fraudster repeatedly submits applications for a loan to different financial institutions, changing part of the data from an application to application, trying to “slip” through the lender’s decision-making systems.
How to deal with it?
With the increase of holiday fraud, financial institutions face quite a challenging task: provide their customers to use financial products in apps and on websites online, taking effective antifraud and risk management measures at the same time. The fact is that such seasonal “scheduled scammers” are usually not very sophisticated and have rather low technical qualifications: many companies manage to stop them even at the stage of the standard initial online verification of the application.
So, dealing with the “fly in the ointment” is quite easy. The most useful methods are the following:
- apply a more conservative approach connected with new applications evaluation policies and rules
- pay great attention to the applications with high-risk markers – attempts of device or internet connection manipulation as well as user’s shady behavior
Additionally, here are a few additional tips that can make online businesses resilient
- Define what exactly fraud means for your online business – it can be either toxic customers with multiple accounts, unpaid loans, unauthorized chargebacks, fake user data, hacking of personal accounts, etc.
- Determine the level of fraud your business can tolerate. Please note: getting rid of all kinds of fraud can be either very expensive or very difficult
- Designate a responsible digital risk management professional. Engage external experts if necessary
- Choose technology solutions most appropriate to your business
- Create a team of experts in various areas of digital risk management, which will constantly monitor risk metrics 24/7
- Practice makes perfect. The technological level of fraudsters is evolving every day and your anti-fraud specialists must be ahead of them. Do not forget to provide your staff with seminars devoted to online threats, working with mail and messengers, and personal/sensitive data
- Use only proven technologies that provide ROI to your business
- Use two-factor/three-factor authentication, dynamic authentication
- Restrict access to the personal and sensitive data of your customers. Use data encryption
- Determine your actions in advance in case of partial online infrastructure failure and define a work plan in case of a mass fraud attack (decrease in the level of applications approval, additional methods of user verification, etc.)
The above article is authored by Mikhail Marchenko, Co-Founder of JuicyScore.