31 August 2023
7 min read
Popular alternative payment methods on the rise are e-wallets, account-to-account (A2A) payments, and Buy Now, Pay Later (BNPL). And fraudsters are constantly looking for ways to make unauthorized transactions using these payment methods.
A fraudster with unauthorized access to an account holder can wreak havoc using any payment method. They just have to be sneaky enough. They trick the system by imitating legitimate user behavior over several weeks or months. They simulate typical online shopping activities, such as browsing various stores, adding and removing small items from their virtual carts, and making purchases consistent with those an account holder would make. They may even engage in customer support interactions with the merchant to make things look more genuine. Once they have established a seemingly legitimate behavior pattern, they then purchase high-value items and may even modify account details to facilitate payments.
Let’s go through these three alternative payment methods to see what threats they come with and how you can best address each issue without disrupting your customer experience.
E-wallets are a preferred payment method worldwide. Bigtech products like Apple Pay, Google Pay, and PayPal have gained widespread acceptance due to their convenience and speed, and now, more brands are expanding their market share locally and globally. However, these advancements also bring forth new security risks. Since e-wallets store sensitive financial information (including card details), they become attractive targets for cybercriminals looking to access accounts to make unauthorized purchases or sell data on darkweb.
Mobile wallets have come a long way since their inception and are now an integral part of the digital economy. There’s no more just a simple payment method at the checkout enabling online purchases from the consumer to the merchant. They've transformed into super apps with a range of functionalities - by storing personal and financial information on one app, consumers can use mobility services like ride-sharing or food delivery, pay their bills, purchase various items, and more. Super apps are now embedded payment platforms, and while this is pretty impressive, this innovation comes with risks.
For example, unlike other simple transactions, embedded payments pose even more risk to the user. If one account is compromised, all those embedded services stored in the digital wallet are also compromised. They can use one's account to make unauthorized payments for all sorts of things - food, clothing, gadgets, you name it.
Fraudsters usually get stolen login credentials for an e-wallet account through social engineering scams, malware, or other means. Once they have access to the account, they can make unauthorized payments using the stored payment methods. Here are some ways they operate to make unauthorized payments:
A2A payments, which refer to bank transfers or bank-to-bank payments, have increased in the B2C space, with merchants now adopting (or considering adopting) this alternative payment method. Pix in Brazil, iDEAL in the Netherlands, and UPI in India are just a few examples of local payment methods highly used by both consumers and merchants, exceeding half of the market share in their countries. While they bring a lot of convenience on the consumer's end and lower costs for the merchant, there are still some gaps to fill in when it comes to fraud prevention.
In the case of A2A payments, if a fraudster manages to hack into a bank account, they essentially gain direct access to the source of funds. This means that once they breach the account's security, they can immediately initiate transactions, potentially moving the funds to another account under their control. The simplicity here lies in the fact that a successful account breach provides them with a direct route to the user's money, often requiring minimal additional steps.
In the scenario of card-based payments, the process involves an additional layer of complexity for fraudsters. Even if they manage to compromise a bank account, they still need to take an extra step to access the associated card details.
For this reason and more, fraudsters have always exploited bank transfers - less stepping stones towards their ultimate goal.
FBI also warned of a fraudulent tactic - hackers are targeting users of digital payment apps to make instant money transfers. They are doing this by sending a spoofed message alert to users asking if they initiated any transactions with a financial institution. If the victim responds, the hacker calls them from what appears to be a legitimate 1-800 number and tricks them into transferring money to the hacker's bank accounts.
Businesses and banks are increasingly concerned about authorized push payment fraud (APP fraud) risk. Common examples of APP fraud include requests for invoice payments and bank transfers. Fraudsters convince the victim to make real-time payments under false pretenses. By creating elaborate schemes, sometimes posing as authority figures or service providers, and using Remote Access Tools (RATs), fraudsters persuade their victims to send them money directly. When a fraudster gains control over a victim's device using a RAT, they possess a direct line to the victim's personal and financial information. This access gives them the upper hand in cooking up APP fraud schemes with uncanny precision.
A fraudster with access to a user's online banking account can also transfer funds from the user's account to their own or a mule account, effectively stealing money directly from the user. In more complex schemes, attackers might use the compromised account for money laundering purposes, funneling illegally obtained funds into the account and then rapidly moving them out again to create the appearance of legitimate activity by the account holder. This not only allows the attacker to hide the source of the funds but also potentially implicates the innocent account holder in criminal activity.
A2A payments don't have a uniform refund process, as each bank has its own procedures and requirements, making it difficult for merchants to navigate. In a dispute, resolving the issue can be more challenging for A2A payments than card payments. A2A payments typically involve direct transfers between bank accounts, making reversing the transaction and retrieving the funds harder. Moreover, refunds for A2A payments often require communication between banks, which can slow down the process. Banks may have different systems and methods for handling refunds, leading to delays and potential errors.
The growing adoption of BNPL services has generated new consumer conversion opportunities for merchants. Now online shoppers can manage their budgets and buy their most desired items by paying in installments. And the great benefit here is that no interest fees are involved and no waiting time. Credit approval that used to take days or weeks is now possible within seconds if the user proves to have legit intentions. So, speed and affordability make BPNL one of the most popular payment methods that can boost sales, but if there is any situation where understanding your users is more crucial than ever, then this is the one. The most common risks here are identity theft or synthetic identity fraud, and fraudsters can get away with it without a thorough verification.
Merchants must assess the creditworthiness of applicants quickly and accurately without slowing down the checkout process. Yet checking the consumer background in real time requires advanced tools and data that not all online businesses have access to. BNPL provides, and merchants need to make sure the background check is not altered by other fraudulent activities that can manipulate the real information about a user.
Because this payment method allows users to make purchases without paying for them in advance, it can be tempting for fraudsters to exploit the system by using stolen personal information to create fake accounts or manipulate existing ones. For example, a fraudster might use the details of a legitimate user with a good history to purchase items on that user's behalf without their knowledge. Since most of the time, installments are paid via direct debit payments, undetected fraud can lead to a range of negative outcomes. The one that comes first is chargebacks, as the legit user won't recognize the purchase made.
The ease with which cybercriminals can obtain account details is alarming. Social engineering and malware attacks have made it simpler for fraudsters to acquire sensitive information. By using a victim's basic details, fraudsters can sign up for a BNPL payment method and carry out extensive fraudulent activities, such as ordering goods to be delivered to an address of their choice.
You can accept alternative payment methods and have the most intuitive and personalized checkout, but if you allow payment fraud to slip through, the chances for conversion are gone. Fraud is the biggest deal breaker, so here is what you need to offer for a secure journey that can also ensure conversion and retention.
The more you know about your users, the more you'll learn about their real intentions, and the better you can refine your fraud detection mechanisms to distinguish between legitimate transactions and potential risks.
With our Know Your Users approach, you can determine with high probability that users have bad intentions if they are making concerted efforts to hide their true identities, spoof hardware, and software details, mask their geo-location, and if the payment history in an account differs wildly from previous purchases. Our profiling solution scans thousands of data attributes in real time, running quietly in the background, completely unnoticed by consumers during their browsing and checkout session. It all comes down to what data to collect and what patterns are identified.
Dozens of indicators point to fraudulent activities, known as risk signals, yet detecting them involves a lot of research and data analysis. By collecting and processing large volumes of data from multiple sources, including transaction data, user behavior patterns, historical data, and external threat intelligence sources, we can uncover patterns, identify anomalies, and develop algorithms to flag suspicious activities on your website or app. You get actionable insights into who should proceed with the transaction, thus rejecting only fraudsters. Moreover, we go beyond data made available by the user by digging deep into your customers' sessions to discover fraudsters.
How do we make sure that we meet the highest precision standards for you? By looking into the toolkit that fraudsters tend to prefer. Our risk detection strategy comprises more than 100 fraud risks, some more prevalent than others. For example, we know that RATs, bots, VPNs, and residential proxies are hot picks in the cybercrime world, so we've dedicated our attention to pinpointing and detecting the usage of these tools with the utmost accuracy.
We take on Remote Access Tools (RATs) head-on, spotting their real-time usage and identifying instances where they're installed but lying dormant. Regarding bots, we've got you covered across the whole playing field. And about VPNs, we rely on something other than fixed lists. Instead, we watch how internet connections behave, spotting recent additions to proxy networks in real-time.
We understand the need for pragmatic solutions and a comprehensive understanding of their risk landscape, so we bring this to the table.
We know what tools and methods fraudsters employ to make unauthorized payments. It's all about understanding their mindset and strategies, giving you an upper hand in spotting and stopping potential fraud scenarios. In this context, we crawl the darknet to learn how fraudsters exploit various e-wallets brands and BPNL methods. Darknet intelligence allows you to put yourself into the fraudsters' shoes and act before fraud reaches your business, but also to use that intelligence to reverse engineer their tactics.
Machine Learning is highly effective for fraud prevention, but it's also hard to set it up correctly. We are crunching all the gathered data to find automated ways of spotting non-obvious patterns and correlations. Our models go through the data gathered by our profiling solution and through our API to increase the accuracy of recommendations. This includes using advanced techniques and algorithms to enable our systems to learn from and adapt to new data over time and enhance the ability to detect and prevent fraud.
Ready to increase your conversion rate by protecting your consumers with no harm to UX? Get in touch to learn how we can help.