New Techniques in Fighting Identity Fraud
Banks and fintechs grappling with increasing identity fraud levels need to take care not to alienate their customers in the process of fighting it. From the call center to high-level task forces, all stakeholders should explore techniques that foster customer buy-in, rather than solely concentrating on the banks’ needs.
During a recent PaymentsJournal webinar, Ubiquity’s Chief Operating Officer Corey Besaw and Javelin Strategy and Research’s Director of Fraud and Security Tracy Kitten discussed the challenges customer support and dispute investigators face when it comes to account takeover (ATO) fraud, how Ubiquity is working with partners to help identify fraud rings, and how financial services providers are adapting to thwart fraudsters.
The Latest Schemes
A Sift Science report published in September found that fintechs saw ATO fraud attacks up 800%. One thing that tells you is that fraudsters are getting a lot more sophisticated and organized in their approach, leveraging social media to increase the effects of their attacks by procuring identities or even dormant accounts in some cases.
Fraud rings are lurking throughout various organizations and Ubiquity has seen them increasingly being set up at call centers.
“One way that this plays out is often a fraudster pretending to actually work for the bank,” Besaw said. “Someone will call up and say, ‘Oh my gosh, I’ve spilled coffee on my keyboard and my boss is so angry with me and I’ve got this account that I need to unblock.’”
“It’s interesting because they’ll definitely have inside knowledge,” he said. “They’ll know the names of systems that they’re using or (specific) tools, and they’ll even be able to help the agent navigate those tools.”
Besaw also identified a trick called double dipping, where fraudsters get access to accounts, often with stolen identities, and transfer legitimate funds to those compromised accounts. In this scheme, the criminal will make purchases, such as electronics, that they can sell on a secondary market for relatively close to the price paid for them. Then they’ll dispute every transaction in the hopes that they might get a provisional credit on at least some of the accounts or some of the transactions. Even if the institution can prove that these weren’t valid fraud claims, it can be almost impossible to collect the funds.
“One of the tools that we’re excited about listens to calls in real time and transcribes them,” Besaw said. “We’ve got some machine learning models that we’ve built as well as more simple triggers, so that if we see that someone is calling in and saying, ‘Hey, I work for this bank and I’m part of the quality assurance department, and I need you to do this or that,’ we can immediately send a message to the agent’s workstation to say that this is a fraud call. That’s a really good way to prevent social engineering attacks from working.”
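The "simple triggers" idea in the quote above, as an added example (it is not Ubiquity's tool or code): a rule that fires only when a caller both claims to be a bank insider and asks for an account action within a few of their own utterances. The phrase patterns, speaker labels, window size and transcript lines are all assumptions constructed for illustration.

```python
import re
from collections import deque

# Hypothetical trigger patterns, modelled on the pretexts quoted in the article.
SIGNALS = {
    "insider_claim": re.compile(
        r"\bi work (for|at) (this|the|your) bank\b"
        r"|\b(quality assurance|qa) (department|team)\b|\bmy boss\b", re.I),
    "action_request": re.compile(
        r"\b(unblock|unlock|re-?enable)\b|\bi need you to\b", re.I),
}

def scan_call(turns, window=3):
    """Return [(turn_index, signals)] where both signal types appear within
    the last `window` caller utterances. Agent turns are ignored."""
    recent = deque(maxlen=window)   # signal sets of recent caller turns
    alerts = []
    for i, (speaker, text) in enumerate(turns):
        if speaker != "caller":
            continue
        hits = {name for name, rx in SIGNALS.items() if rx.search(text)}
        recent.append(hits)
        seen = set().union(*recent)
        if hits and seen == set(SIGNALS):
            alerts.append((i, sorted(seen)))
            recent.clear()          # one alert per matching burst
    return alerts

# Constructed transcript: insider pretext followed by an unblock request.
PRETEXT_CALL = [
    ("agent", "Thank you for calling, how can I help?"),
    ("caller", "Hi, I work for this bank, I'm part of the quality assurance department."),
    ("agent", "Okay, what do you need?"),
    ("caller", "I spilled coffee on my keyboard and my boss is so angry with me."),
    ("caller", "I've got this account that I need to unblock, and I need you to do it."),
]

# Constructed transcript: an ordinary cardholder asking for an unblock.
CUSTOMER_CALL = [
    ("agent", "Thank you for calling, I work for the bank's card services team."),
    ("caller", "My card was declined at the store and I think it is blocked."),
    ("caller", "Can you unblock it? I can answer the verification questions."),
]

if __name__ == "__main__":
    for name, call in (("pretext", PRETEXT_CALL), ("customer", CUSTOMER_CALL)):
        print(name, scan_call(call))
```

Requiring both signals keeps an ordinary unblock request from alerting, and the window keeps an old remark from pairing with a much later request.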
“The social media piece is such a crucial one to talk about it, not just within the realm of account takeover fraud, but fraud generally,” Kitten said. “We look a lot at scams here at Javelin and social media is one of the prime channels for that because it’s a direct way to communicate with consumers.”
There are also seasonal fraud tricks that banks should be aware of. Around the holiday season, fraudsters know that operations are more likely to get busy and even overwhelmed, increasing the likelihood of a provisional credit being granted. And during tax refund time there’s a lot of money moving into accounts and typically there’s an increase of legitimate disputes.
What the Call Center Should Be Doing
One critical thing that banks should be doing is empowering and educating their customer service staff—particularly as they have direct contact with customers and can make or break the experience. This is especially key because when fraud is involved, emotions run high.
“When you’re hiring customer service agents, you’re looking for people to create a good customer experience in the fraud call center space,” Besaw said. “But the first thing that you want that person to do is approach everything with a healthy amount of suspicion. We segregate high-risk calls, which would include dispute intake calls and calls on accounts that have suspected fraud transactions or unusual activity to an entirely different team.”
It is a frustrating experience for a legitimate cardholder to have their account blocked, and they might well be angry about it. But fraudsters are often the angriest customers of all because it can be a good strategy to get the other person on the defensive. Call center agents know they should be asking some extra verification questions, but they might not do it if they think that the customer is already extremely angry and just going to get angrier.
“The old adage ‘The customer is always right,’ is something that the fraudsters are really playing up to here,” Kitten said. “The urgency, the anger, not giving people time to stop and think, all this is a basic social engineering tool.”
Balancing Against Customer Experience
Fraud teams usually do not think about the customer experience, but customers spend a lot of time thinking about their ideal experience. If they have a bad customer experience at a particular financial institution, there are ten others that they can easily move to.
“If you’re putting a temporary block on an account, you can’t have a process that requires someone to wait days or a week for that block to be removed,” Besaw said. “Otherwise, you’re just going to lose customers, which is going to be as expensive as fraud losses, if not more.”
It’s important to make sure that your agents are well trained, that you trust them, and that you empower them to make the right decisions. Much of Ubiquity’s training revolves around teaching people how to look for signs of deception and identifying whether they think that there’s a reason to be suspicious or not. Nevertheless, a strong customer experience will necessarily allow a certain small amount of fraud to happen. At the end of the day, Besaw points out, you could stop all fraud by preventing anyone from making any transaction ever.
“You want to settle on the side of unblocking a handful of accounts that you later wish you wouldn’t have rather than going hard in the other direction, where you’ve got lots of legitimate customers whose accounts you don’t unblock for an extended period of time,” Besaw said.
Fraudsters tend to adapt quickly, so it’s important to make fraud detection an ongoing process. Everyone in the customer service environment—whether they’re part of the fraud team, the general customer service team or the disputes team—needs to be aware of the key things that are happening in the fraud space. Even those who aren’t primarily in a fraud role should be getting a short 30-minute training every month to understand what they should be looking out for.
Conclusion
A task force composed of a senior fraud investigator, someone who owns the customer experience, someone who brings the analytics that have been done, and potentially some other specialists depending on the circumstances, is something that every organization should consider, according to Besaw. This group should meet regularly with a mandate to manage account takeover fraud risks while balancing that against the customer experience.
He also recommends compiling and analyzing all the ATO cases for this task force. They should understand how it happened and what your fraud cases might have in common. That’s a critical step toward defeating the problem.