The pandemic pivot to digital banking, shopping, and other services was an important health measure, but it created opportunities for organized fraudsters to grow their "business" and expand their offerings to include fraud-as-a-service (FaaS). FaaS takes several forms, all with the goal of making it easier for both experienced and novice criminals to commit fraud. Here's what merchants need to know about this trend and how to prevent FaaS attacks.
How Fraud-as-a-Service Works
There are two main components to FaaS: bots and brand impersonation. Neither tactic is entirely new. Fraudsters have been using bots for card-testing attacks for years, and brand impersonation is a classic scheme for phishing credentials and payment data.
Now, though, fraud "service providers" are going further. Criminals can rent bot networks inexpensively to launch large-scale fraud campaigns against websites and to phish victims. However, two-factor authentication (2FA) can prevent thieves from breaking into accounts even with stolen data. SIM-swapping is one option for getting around 2FA, but it's time-consuming and requires planning. So, criminals now offer OTP (one-time password) bot services. Fraudsters can plug in victims' names and financial institutions or favorite stores, and the bot handles the rest – phishing the victim for their one-time password so fraudsters can take over the related account – all for as little as 15 cents per bot call.
Detecting and Preventing Fraud-as-a-Service Attacks
The best practices that protect businesses from fraud are more important than ever. This is a good time to make sure your organization's anti-fraud program includes these elements:
1. Limit data entry attempts and velocity: One of the telltale signs of a bot attack is the speed at which it moves. Bots can load up carts, check out, and place orders much faster than humans can. They can also repeatedly enter different passwords and one-time codes until they hit a match.
If your website allows customers to make unlimited attempts to enter their data correctly, setting a limit on the number of attempts before they're locked out can protect your store from bots. Likewise, flagging orders for velocity can help to separate busy shoppers who are reordering familiar items from botnets that are programmed to scoop up as many items as they can, as fast as possible.
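The two controls described in this item, a failed-attempt lockout and an order-velocity flag, both reduce to sliding-window counters. The following Python is an added example, not code from the original article or from any vendor it mentions; the thresholds (5 failures in 10 minutes, 3 orders per hour) and the simulated timestamps are constructed assumptions chosen to make the behaviour visible, and in production they would be tuned against real traffic and keyed on the account, card, device or IP as appropriate.

```python
from collections import defaultdict, deque


class AttemptLimiter:
    """Locks a key (account, card or IP) after too many failed password/OTP
    attempts inside a sliding window. Constructed example; thresholds are assumptions."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Record one failed attempt; return True if the key is (now) locked."""
        if self.is_locked(key, now):
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self._failures.pop(key, None)


class OrderVelocityCheck:
    """Flags a key that places more than max_orders inside window_seconds.
    A flag is a signal for review, not an automatic decline."""

    def __init__(self, max_orders=3, window_seconds=3600):
        self.max_orders = max_orders
        self.window = window_seconds
        self._orders = defaultdict(deque)  # key -> timestamps of recent orders

    def record_order(self, key, now):
        """Record one order; return True if this order exceeds the velocity limit."""
        recent = self._orders[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.max_orders


def simulate_otp_guessing(limiter, key="account-123", guesses=10):
    """Constructed scenario: a bot submits one wrong one-time code per second.
    Returns how many guesses it managed before the key was locked."""
    for i in range(guesses):
        now = float(i)
        if limiter.is_locked(key, now):
            return i
        limiter.record_failure(key, now)
    return guesses


def count_flagged_orders(check, key, timestamps):
    """Feed a list of order timestamps (seconds) for one key and count the flags."""
    return sum(1 for t in timestamps if check.record_order(key, t))


if __name__ == "__main__":
    # Bot guessing OTPs is cut off after the fifth attempt.
    print("bot guesses before lockout:", simulate_otp_guessing(AttemptLimiter()))
    # Six orders in one minute from one device: orders 4, 5 and 6 are flagged.
    print("bot orders flagged:", count_flagged_orders(OrderVelocityCheck(), "device-bot", [0, 10, 20, 30, 40, 50]))
    # A busy human reordering four times over a day is never flagged.
    print("human orders flagged:", count_flagged_orders(OrderVelocityCheck(), "device-human", [0, 7200, 14400, 21600]))
```

The lockout counter resets on success so that a customer who mistypes a code twice and then gets it right is not penalised, while the velocity check only returns a flag and leaves the decision to the screening pipeline, consistent with the later advice against automatic declines.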
2. Screen every order: Because there are billions of compromised credentials available to fraudsters now, because FaaS scams are harvesting more credentials, and because FaaS bots can use those credentials to crack accounts at scale, businesses can no longer assume that returning customers are who they appear to be.
That means it's no longer safe to automatically approve orders from known customers. Every order needs to be screened for payment data as well as for device, geolocation, and behavioral biometrics to help validate the customer or flag the order as possible account takeover fraud.
3. Run batch analyses to detect fraud at scale: Bot rental and compromised credentials allow fraudsters to get creative with their attacks on businesses. For example, a gang can target an online store with a spate of orders that appear to come from different customers using different payment methods. Each of these orders may pass muster with the fraud screening solution and get approved.
However, if the merchant also selects random orders for analysis as a group, the fraud solution may find patterns that indicate criminal activity. Maybe that burst of orders from different customers was all shipping to the same address. Or perhaps all of the cards they used to pay had the same bank identification number, indicating that the customers might be synthetic identities. Batch analysis can reveal these issues so that fraudulent orders can be canceled before items ship.
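The batch check described here is a grouping problem: orders that each passed screening individually are clustered by a shared attribute (normalized shipping address, card BIN) and any cluster spanning several "different" customers is held for review. The Python below is an added example, not the article's or any fraud vendor's code; the five orders, the placeholder card numbers and the address-abbreviation table are constructed, and the threshold of three distinct customers per cluster is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample batch: every order here was approved by per-order screening.
# Card values are placeholders; only the first six digits (the BIN) are used.
ORDERS = [
    {"id": "A1", "customer": "jane", "card": "411111xxxxxx1111",
     "ship_to": "12 Elm St, Apt 4, Springfield, 01101"},
    {"id": "A2", "customer": "tom", "card": "411111xxxxxx2222",
     "ship_to": "12 ELM STREET APT 4 SPRINGFIELD 01101"},
    {"id": "A3", "customer": "pat", "card": "555555xxxxxx3333",
     "ship_to": "12 elm st. apt #4, springfield 01101"},
    {"id": "A4", "customer": "lee", "card": "411111xxxxxx4444",
     "ship_to": "9 Oak Ave, Shelbyville, 02020"},
    {"id": "A5", "customer": "mary", "card": "424242xxxxxx5555",
     "ship_to": "77 Pine Rd, Capital City, 03030"},
]

# Minimal abbreviation table (assumption); a real deployment would use a
# proper address-normalization service.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def normalize_address(addr):
    """Lowercase, strip punctuation, collapse whitespace and unify common
    abbreviations so cosmetic variations of one address compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def bin_of(card):
    """Bank identification number: the first six digits of the card number."""
    return card.replace(" ", "")[:6]


def find_clusters(orders, key_fn, min_distinct_customers=3):
    """Group orders by key_fn and keep groups that span enough distinct customers.
    Returns {key: [order ids]} with ids in batch order."""
    groups = defaultdict(list)
    for order in orders:
        groups[key_fn(order)].append(order)
    return {
        key: [o["id"] for o in members]
        for key, members in groups.items()
        if len({o["customer"] for o in members}) >= min_distinct_customers
    }


def batch_review(orders, min_distinct_customers=3):
    """Run the two batch checks the article describes over a sample of orders."""
    return {
        "shared_shipping": find_clusters(
            orders, lambda o: normalize_address(o["ship_to"]), min_distinct_customers),
        "shared_bin": find_clusters(
            orders, lambda o: bin_of(o["card"]), min_distinct_customers),
    }


def orders_to_hold(orders, min_distinct_customers=3):
    """Sorted ids of every order that belongs to at least one suspicious cluster."""
    held = set()
    for clusters in batch_review(orders, min_distinct_customers).values():
        for ids in clusters.values():
            held.update(ids)
    return sorted(held)


if __name__ == "__main__":
    for check, clusters in batch_review(ORDERS).items():
        for key, ids in clusters.items():
            print(f"{check}: {key!r} -> {ids}")
    print("hold for review:", orders_to_hold(ORDERS))
```

On the sample batch the address check groups A1, A2 and A3 despite their different formatting, and the BIN check groups A1, A2 and A4. A shared BIN is a weaker signal than a shared address, since large issuers put millions of legitimate cards behind one BIN, which is why the result is a hold for review rather than a cancellation: the reviewer combines it with the other signals before deciding.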
4. Avoid automatic declines: Stopping fraud can only save a company money if it doesn't also stop good customers from completing their orders and coming back for repeat purchases. Automatic declines may seem like a way to save money and time on order decisioning, but this approach typically generates a high rate of false declines. A recent ClearSale five-country survey of online shoppers found that 40% won't ever go back to a website that declines their order. That represents a lot of lost customer lifetime value.
5. Use manual review: The alternative to automatic declines is manual review by fraud specialists, who can distinguish between fraud and unusual but valid customer behavior. Manual review of flagged orders costs more than auto-declines up front, but the ROI includes more approved orders and less customer churn due to false declines.
6. Continuously train your ML: Manual review results can and should feed the automated fraud solution's machine learning algorithms. This helps the AI get better at detecting sophisticated fraud and customer behavior that's not completely normal but also isn't fraudulent. This can result in fewer flagged orders and reduce the need for manual review over the long term.
7. Monitor brand mentions: FaaS schemes often impersonate brands to trick consumers into sharing their credentials and even authentication codes. Every business should keep an eye out for social media accounts, websites, email campaigns, and even SMS campaigns that impersonate their brand. Depending on the channel, a company can report imposters to the platform, web host, or Federal Communications Commission and alert their customers that there's a scam operating under the company's brand.
FaaS shows how fraud continues to evolve, and how the technologies that make life more convenient for customers also make fraud easier for criminals. By understanding how FaaS works and following best practices to prevent it, your business can help protect your customers, your revenue, and your brand reputation.