The sales season is upon us and, as ever, it provides a paradise of sorts for criminals, largely because “security vs convenience” is a common trade-off and, during peak seasons, security tends to take the back seat at a time when it is easier than usual for criminals to hide transactions amidst the spike of legitimate payments. For retailers, both online and offline, the risks grow at this time of year, and in this short guide we outline some of the key areas in which fraud might occur.

BUY NOW PAY LATER (BNPL) FRAUD
 
I. Payment Defaults

The last few years have seen a marked increase in companies adding BNPL functionality to their checkout pages, and we wanted to test the hypothesis that BNPL service providers are less vigilant when it comes to Know Your Customer (KYC) and Customer Due Diligence (CDD) best practices. In order to do this we opened a BNPL account in someone else’s name and were shocked to realise how easy it is to “borrow” money with simply a name and address. Not only this, but credit limits were raised automatically to £250 following the first successful transaction and follow-up transactions were permitted.
 
II. Refunds and Money Movements

Another vulnerability in the BNPL model appears to involve uncertainty around compliance and refunds, especially in offline contexts. In order to protect customer cash flow, funds from BNPL providers should not mix with customer funds, and in practice this means that where purchases are completed with BNPL, firms should refund to the same account. This sounds pretty obvious and in the case of online payments is relatively straightforward. In our own case studies we show, for example, that Amazon does not permit the return of funds to alternative accounts; however, a vulnerability can arise in the return of funds to an ‘account balance’. Things get trickier for in-store payments that involve human interaction. It is not uncommon for sellers and managers in retail to encounter situations where a customer claims to be unable to receive a refund via the original payment method, and because there are legitimate reasons why this might be the case, refund policies are often relaxed or ignored altogether.


CASHBACK, SETTLEMENT & PROMOTION ABUSE

III. Cashback abuse

Cashback and perks are an increasingly common way in which fintechs create customer loyalty and ecosystem engagement. And the fintech still earns money, just less. The average cashback is around 1% for specific categories, which is precisely how much issuers earn on each transaction received from the merchant—the so-called interchange fee. Ultimately merchants pay for cashback, so if refunds occur merchants lose 2% since interchange fees are not refundable. In their battle for customer retention some fintechs miscalculate on cashback by failing to review merchant terms adequately, and some criminals are exploiting firms by examining terms and conditions to identify loopholes which can be abused.

IV. Settlement Vulnerabilities

We’ve shown that refunds are often painful for merchants. Permitting the transfer of funds between different accounts inevitably creates a gap that criminals can exploit for money movements and other forms of fraudulent transactions.

Much of the problem arises because of the tension between security, automation, and the drive for convenience and customer satisfaction. In a world where the perception tends to be that money moves instantly, people expect refunds to be immediate. However, the perception is wrong: consumers rarely consider the “settlement and clearing” period, so where a merchant or issuer takes a relaxed view and provides the opportunity for refunds before goods are returned, or before balances are settled, a gap is created for criminals to exploit.
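The same-account, settled-before-refund and goods-returned controls described in the refunds and settlement sections above, together with a cashback clawback for buy-then-refund cycles, written as a small rule checker. This is an added example, not code from the guide or from any provider it mentions; the settlement window, field names and the sample BNPL payment are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

SETTLEMENT_DAYS = 3    # assumed clearing window; real values depend on scheme and acquirer
CASHBACK_RATE = 0.01   # the ~1% average the guide cites

@dataclass
class Payment:
    pay_id: str
    funding_account: str   # card token or BNPL provider account used at checkout
    amount: float
    paid_on: date
    goods_returned: bool
    cashback_paid: float = 0.0

@dataclass
class RefundRequest:
    pay_id: str
    destination: str       # where the checkout or shop assistant wants to send the money
    amount: float
    requested_on: date

def refund_violations(pay: Payment, req: RefundRequest) -> list[str]:
    """Return the control rules a refund request breaks; an empty list means it may proceed."""
    issues = []
    if req.pay_id != pay.pay_id:
        issues.append("refund not linked to an original payment")
    if req.destination != pay.funding_account:
        issues.append("destination differs from original funding account")
    if (req.requested_on - pay.paid_on).days < SETTLEMENT_DAYS:
        issues.append("original payment has not settled")
    if not pay.goods_returned:
        issues.append("goods not confirmed returned")
    if req.amount > pay.amount:
        issues.append("refund exceeds original amount")
    return issues

def cashback_clawback(pay: Payment, refund_amount: float) -> float:
    """Cashback to reverse so a buy-then-refund cycle does not leave the reward behind."""
    return round(min(pay.cashback_paid, refund_amount * CASHBACK_RATE), 2)

# Constructed sample: BNPL purchase, refund requested in-store the next day to a different card
SAMPLE_PAYMENT = Payment("P1", "bnpl:provider-acct-123", 240.0, date(2023, 11, 24), False, 2.4)
SAMPLE_REQUEST = RefundRequest("P1", "card:tok-999", 240.0, date(2023, 11, 25))
```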

V. Promotional abuse

Schemes which provide rewards to existing customers for bringing in new business are also vulnerable to abuse. Without appropriate Customer Due Diligence, schemes which provide financial rewards are particularly vulnerable to synthetic traffic attacks with bots, not only bleeding the scheme but also, importantly, misrepresenting genuine business performance.


MALICIOUS MERCHANTS

VI. Fraudulent transactions

It might be a challenge to fight criminals pretending to be innocent customers, but things get still more complicated when they imitate merchants. We have had a number of merchant accounts since 2018 and over the last four years have conducted hundreds of tests against hundreds of cards. By setting up our own merchant page and Point of Sale, we have demonstrated that we can test card validity, check balances, and guess card requisites, important information for criminals who wish to deploy fraudulent eCommerce tactics. Why is it so simple? Because the process of setting up a business account without confirmed proof of identity is still relatively trivial.

 
VII. Credit Line Abuse

Besides offering fraudulent or non-existent services, malicious merchants may also use a variety of techniques to subvert credit agreements or avoid charges or fees. For example, by making payments in the middle of the month and refunds at the end, it is possible to avoid fees on many credit cards, provided the cardholder does not spend more than half of the credit allowance. So an amount is spent, and since most banks require a 45-60 day due period, a fraudster may make a matching payment using its own merchant and then, once the payment is cleared, initiate a refund, thereby avoiding fees or interest on the initial spend. Without sophisticated anomaly detection techniques or specific antifraud rules and policies, fraudsters can repeat these techniques for as long as they want.
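Two of the merchant-side anomaly rules the guide calls for, run over a constructed acquirer log: one flags a merchant whose traffic looks like card validity probing (many distinct cards, tiny amounts, high decline share, as in the fraudulent transactions section), the other flags a card that repeatedly pays a merchant and receives an equal refund within the due period (the credit line abuse section). This is an added example, not code from the guide; the thresholds, record layout, merchant ids and dates are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample acquirer records: (day, merchant_id, card_token, kind, amount, approved)
LOG = [
    (date(2023, 11, 15), "M_OWN", "card_9", "payment", 500.0, True),
    (date(2023, 11, 30), "M_OWN", "card_9", "refund", 500.0, True),
    (date(2023, 12, 14), "M_OWN", "card_9", "payment", 500.0, True),
    (date(2023, 12, 29), "M_OWN", "card_9", "refund", 500.0, True),
    (date(2023, 11, 20), "M_SHOP", "card_1", "payment", 42.5, True),
    (date(2023, 11, 21), "M_SHOP", "card_2", "payment", 18.0, True),
    (date(2023, 11, 22), "M_SHOP", "card_2", "refund", 18.0, True),   # one ordinary return
] + [
    # one merchant pushing 1.00 attempts through a dozen different cards; most are declined
    (date(2023, 11, 25), "M_PROBE", f"card_{n}", "payment", 1.0, n % 4 == 0)
    for n in range(100, 112)
]

def card_testing_merchants(log, min_cards=10, max_amount=2.0, min_decline_rate=0.5):
    """Return merchants whose payment traffic looks like card validity probing."""
    stats = defaultdict(lambda: {"cards": set(), "small": 0, "declined": 0, "total": 0})
    for _day, mid, card, kind, amount, approved in log:
        if kind != "payment":
            continue
        s = stats[mid]
        s["cards"].add(card)
        s["total"] += 1
        s["small"] += amount <= max_amount
        s["declined"] += not approved
    return sorted(mid for mid, s in stats.items()
                  if len(s["cards"]) >= min_cards
                  and s["small"] / s["total"] >= 0.8
                  and s["declined"] / s["total"] >= min_decline_rate)

def pay_refund_cycles(log, window_days=60, min_cycles=2):
    """Return (card, merchant) pairs with repeated equal-amount payment -> refund cycles."""
    events = defaultdict(list)
    for day, mid, card, kind, amount, approved in log:
        if approved:
            events[(card, mid)].append((day, kind, amount))
    flagged = []
    for key, evs in events.items():
        cycles, open_pay = 0, None
        for day, kind, amount in sorted(evs):
            if kind == "payment":
                open_pay = (day, amount)
            elif open_pay and amount == open_pay[1] and (day - open_pay[0]).days <= window_days:
                cycles, open_pay = cycles + 1, None
        if cycles >= min_cycles:
            flagged.append(key)
    return sorted(flagged)
```

A single return at M_SHOP stays below `min_cycles`, so only the repeated M_OWN pattern and the probing merchant are reported.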

The Institute of Money Laundering Prevention Officers trading as The Institute. © Copyright Institute of Money Laundering Prevention Officers. All rights reserved.