Legacy controls don’t apply to new scammers
Fraudulent activities across various industries have evolved over the last few decades, haunting the legacy controls painstakingly developed by organizations. Typically, it was the institutions like banks and ATMs that required fool-proof cybersecurity. Now, every industry, and the companies therein, are at stakes.
As we move deeper into digitization, more so in the current pandemic times, the need for more sophisticated controls has emerged. With the advent of emails, mobile phones, online stores, and now BOTs & social media support, there has been a paradigm shift in how companies are delivering an omnichannel experience to the consumers. As more and more virtual channels of communication are added by an organization, the fraudsters are learning new ways to abuse those channels.
Better customer engagement
This renewed need for superior data security has a direct correlation with the evolving push towards better customer engagement. Battered by fraudulent activities, most of the companies in the retail and ecommerce industry started focusing more on customer-centricity. But the old rulebook to identify and prevent suspicious activities is still in play, which leaves the incumbent players susceptible. Similarly, the legacy techniques and procedures used by telecom and utility space to detect fraud are no longer effective, as fraudsters already know the risk controls. Some of these examples are stated in the table below:
|Industry||Fraud example||Fraud description||Legacy controls (examples) fraudsters are aware of||How fraudsters dodge detection|
|Telecom||Stolen Credit Card||SIMBox device has lots of SIM slots used by fraudsters to help convert international calls into local calls, causing huge losses in terminating revenues for the destination operator||1) Ratio-based rules (e.g. incoming vs outgoing)
2) Non-usage Monitoring (SMS, Data, International Voice)
3) Cell-site Traffic from SIMBox
|1) Make incoming, SMS, data, and international calls via SIMBox SIMs to avoid detection.
2) Keep SIMBox in a moving vehicle to mimic human movement and avoid location (cell-site) specific monitoring
|Retail||POS Fraud||No Sale fraud where store staff can misuse a no-sale receipt and void functions of the POS systems to mask the actual sales, pocketing the money||1) Tracking frequency of no-sale and void transactions
2) CCTV monitoring to monitor cash withdrawal
|1) Leaving cash drawer open slightly, to cash out money
2) POS Screen and drawer is blocked from camera view
|Ecommerce||Stolen Credit Card||Making a purchase using stolen credit cards||1) Monitoring billing and delivery addresses on expensive electronic items
2) Monitor device ID and location from where a purchase is made
|1) Using proxy IP addresses and location (of the actual user) to buy inexpensive items initially.
2) When the next expensive item purchase is made, the device ID controls do not raise alarms as it was already profiled as whitelist from previous purchases.
3) Track delivery of the items online and pick the product from the suggested location. They then sell the stolen credit card information on the dark web.
It is even more challenging to handle the tech-savvy generation that not only understands the workings of technology, but also new age processes of businesses such as Know Your Customer (KYC) protocol, refunds, subscriptions, returns, and so on. Fraudsters often use their social engineering skills to explore products, services, and processes of companies, bypassing the need for investigative homework.
What kind of anti-fraud controls businesses have installed, how are they being implemented, can be gauged simply by looking at product catalogues, client testimonials, press releases, service information, all of which are available at a click of Google search. Needless to say, such information helps fraudsters think ahead and beyond the anti-fraud controls installed, learn on the go, and find new ways to hack. Reviewing of alerts by fraud detection teams is also cumbersome with legacy systems, to say the least, as they are reviewed manually.
A human review is required, but only for suspicious transactions performed by the outliers. To evolve in the ways we detect fraud and deal with it, businesses must put cybersecurity at the centerstage around which an organization’s technology strategy, transformation programs, and budgeting are built. Currently, fraud detection teams stand low on the list of functions integrated with machine learning, statistical algorithmic, or analytics based anti-fraud implementation programs. Customer experience and sales & marketing projects take priority in budget allocation.
Recently, scammers posing as members of a bank’s fraud detection team were caught fooling businesspeople and charity organizations in the UK. They convinced their targets that their accounts have been compromised and must immediately transfer their funds to an alternate account the scamsters created in the victim’s name. Eventually, fraudsters ended up transferring huge chunks of money from the victims’ accounts into their own. Such fraud incidents can be averted easily by combining analytics with behavioral profiling, which can generate alerts on a fraudster’s digital footprint, uncovering new and hidden patterns that legacy systems might have missed.
Clearly, engaging fraud teams at a broader level is crucial to improve the accuracy of detection. Till today, fraud departments work in silos, or with the help of third-party forums/vendors. This disconnect leaves the potential of analytics in understanding consumer behavior untapped, such that teams often stumble in differentiating between legitimate and illegitimate practices by consumers. Technology integration can help fraud teams to identify all structured (and non-structured data feeds (e.g. social media, surveys, customer care chats, etc.) required for anti-fraud modeling. Advanced technology layer of ML or Statistical modeling, combined with Analytics can empower fraud detection systems to process such huge chunks of data, making it possible to also detect the extent of social engineering skills used by scamsters, and how particularly it can manipulate consumer feelings.
Fraud teams, when integrated with other essentials functions, can also effectively foresee vulnerabilities in, say, customer services or marketing processes, by drawing insights from daily transactions, usage records, and historical patterns. Learning from the actions thus taken, the algorithmic models can help companies drastically reduce false positives, helping organizations define robust processes and create future-ready controls.
This article was first published by The Evolving Enterprise and VanillaPlus.