What Every Payment Service Provider Should Know About the Fraud Economy
By Cory Hinton /
19 Apr 2022
The Fraud Economy is vast and growing daily as fraudsters find new ways to exploit the broad surface area of the payment ecosystem. In the payments industry, the massive amount of point payment tools available pushes payment service providers (PSPs) to differentiate themselves with real-time adaptability—they must consistently predict and meet the needs of all sizes and kinds of merchants.
As illustrated in Sift’s Fraud Intelligence Center, PSPs saw a 169% increase in payment fraud rates in 2021. Note that fraud in this space is calculated based on the combined abuse rates reported by merchants served by Sift’s PSP customers. Our Data Scientists uncovered a key theme: fraudsters follow the money, always, and develop new tactics to take advantage of cutting-edge businesses almost as quickly as they emerge. On top of that, there are ever-changing expectations from and for online shoppers, from adopting alternative payment methods to regulatory innovation. This pressures PSPs of all sizes to maintain operational preparedness for the attack vectors that fraudsters will employ to exploit business growth and evolution.
Fraud and pain within PSPs
For PSPs, attack vectors are varied, and fraudsters always seek new channels to attack. The main fraud use cases are seen in four areas of payment services:
- Account creation
- Money in
- Money out
At the account creation stage, payment abuse should be as much a core concern as fake accounts, as fraudulent merchant accounts are often created for the sole purpose of committing financial fraud. The deep and dark web are homes to caches of accounts opened only to be sold in criminal marketplaces. To fully secure their merchant users, PSPs must also determine if consumer accounts are legitimate from the start, or if they’re the result of stolen or synthetic identities.
At login, the name of the game for fraudsters is account takeover (ATO). Phishing attacks via email or text allow fraudsters to harvest account credentials, and the goal of these ATO attacks is usually withdrawing money from accounts—further complicating the scope of fraud PSPs are dealing with.
Money coming into a PSP is the primary focus for fraudsters on the hunt; it’s vital to add layered protection to secure consumers’ payments and data before, during, and after transactions take place as fraudsters are out to take money. Spam and scams can be used to coax consumers into making purchases based on fake postings and listings, making content fraud another channel through which bad actors can commit payment fraud that negatively impacts PSPs.
Money out refers to withdrawals from merchant accounts. Exiting fraud, aka closed-loop fraud, is a type of collusion where stolen credit cards are used to fund merchant accounts and the funds are later transferred out of the accounts, and potentially to several other accounts, multiple times over. Tracing this type of fraud is difficult because PSPs don’t have visibility into the transfers that may happen after the money leaves a merchant account. To catch such fraud, the PSP would have to manually investigate the fraud rate (due to chargebacks) and transactions of fraudulent merchant accounts. Likewise, merchant accounts with stored earnings or credits are targets for fraudsters using synthetic cards, hacked login credentials, and other means to remove that stored value.
Below, our PSP Fraud Risk Pyramid illustrates the opportunity PSPs have to stop fraud at different stages of customer interaction. At the base—account creation—PSPs are focused on verifying the legitimacy of new accounts, and while the chance of potential fraud is high, the ability to prevent abuse before it’s done financial damage is also at its highest.
PSPs have a greater chance of stopping fraudulent activity the earlier they catch it in the customer journey. With every subsequent action taken by a fraudulent account, the chance PSPs have to prevent money from leaving their ecosystem decreases. At the top of the pyramid, securing or recouping funds becomes difficult and often impossible if stored credits and cards are used, or money is transferred to external accounts not associated with the PSP.
The first step to mitigating fraud for many businesses is commissioning a team for manual review. But manual review is nearly impossible for PSPs, due to their unique position serving multiple independent merchants. In many cases, service level agreements (SLAs) require real-time payment processing, which means transactions cannot be “paused” for the sake of review regardless of their risk level.
Due to the limited data merchants send them, PSPs also lack insights that other types of providers rely on to stop fraud, like item type and user account age. Lighter merchant integrations require a total reliance on disputes to identify fraudulent transactions, and potentially miss false-positive feedback.
PSPs must also choose between reviewing all potential fraud in one account with limited filtering options, or reviewing unique fraud patterns across numerous merchant accounts. This could challenge a PSP’s operational capacity at scale, degrading accuracy as the business processes higher volumes of transactions.
The changing regulatory landscape is pressuring PSPs to retool their transaction monitoring and identity stack. Adoption of 3DS is expanding globally, and PSD2 for the EU and UK is gaining interest internationally as Turkey, Mexico, and Australia consider similar regulations.
Sift solves PSPs’ fraud woes
PSPs need a comprehensive approach for battling the evolving Fraud Economy. Real-time machine learning surfaces and stops fraud in milliseconds, giving PSPs time to act while fulfilling SLAs. From account creation to login to transaction, Sift protects PSPs with active monitoring and automated Workflows that streamline decisioning. Sift’s Global Data Network brings unmatched accuracy and speed using collective learnings from multiple geographies and industries, and Sift Connect links PSPs with Know Your Customer (KYC) and identity verification (IDV) providers to ensure account creations are legitimate.
Sift currently provides PSPs with:
- Fintech-specific API support for various payment types, mapping money movement, and highlighting merchant trends
- Real-time machine learning that surfaces details on PSP platform activities, even if merchant data is limited
- PSD2 regulatory compatibility (EU and UK), with expert guidance available for PSPs routing to 3DS
Throughout 2022, Sift customers will gain access to new toolsets specifically designed to ease the burden of fraud prevention for PSPs:
- Insights reporting to empower deeper dives into patterns and trends within merchant segments, using search, sorting, filtering, and grouping
- A flexible Console experience that supports merchant account management based on the PSP’s business needs (i.e., single- or multi-tenancy)
To ensure PSPs stay ahead of the changing landscape of the Fraud Economy, Sift has purpose-built our Digital Trust & Safety suite to meet the needs of every PSP. Join us in the fight against fraud with cutting-edge technology and services to bolster your competitive advantage for your merchants and within the entire payment ecosystem.
Contact us today to find out how Sift can help you offer a competitive advantage to your merchants.
Cory Hinton is a Product Marketing Manager at Sift specializing in payment risk, trust and safety operations, and surfacing new fraud management insights. Prior to joining Sift, he held marketing and technical roles at Honeywell, where he focused on problem solving and building business opportunities with sensing and IoT technology. Cory is passionate about helping businesses find better solutions for complex challenges.