So often as we look for weaknesses in online security, the focus is primarily on fraudsters who are attacking websites and customers, and controls are implemented to mitigate these attacks. But, in the past year, a new dimension has been added to the online security gap analysis – first party fraud.
First party fraud, commonly known as friendly fraud, occurs when a customer consciously disputes a transaction to avoid payment or gain a refund. While it has been an issue in online banking for a long time, it is becoming a bigger deal as businesses are losing billions. As banks are refunding more fraud and scam losses, addressing it becomes more important. In the US, banks refund Zelle impersonation scams. In the UK, banks are now mandated to refund most consumer scam losses (e.g. romance, investment and purchase scams). This “reimbursing” catches the eye of fraudsters and sketchy customers.
Why is first party fraud growing?
So, why the renewed interest in first party fraud? There is more promotion in social media, such as the recent ‘check processing glitches’ at several large financial institutions. It was flat out customers committing fraud against their banks. As reported by Frank on Fraud, “The ‘glitch’, as far as I can tell, is simply depositing a fake check in the ATM that will never clear and withdrawing the money before the check bounces.” A bank spokesman said, “Regardless of what you see online, depositing a fraudulent check and withdrawing the funds from your account is fraud, plain and simple.”
Retail stores with online channels are reporting the highest numbers of chargebacks, with fraud being committed by both real fraudsters and, more often, the store customers. Reports have estimated that first party fraud comes at a cost of $50 billion per year.
In today’s culture, cheating your bank or retail store is becoming more acceptable.
How to identify first party online fraud
It is important to realize that it can be difficult to detect first party fraud. After all, the customer is trying to make it look like real third party fraud. They can be claiming an account takeover or being a victim of an authorized transaction scam (e.g. an impersonation scam in the US or an authorized push payment scam in the UK or Australia). Start with asking probing questions about the loss. Most first party fraud situations are committed by unsophisticated individuals, so their ‘story’ may have weaknesses and inconsistencies.
Doing the analysis requires collecting more data points associated with the transaction and applying contextual awareness to this data. Here are some of the possible controls in your first party fraud forensic control stack. These controls may help to distinguish first party fraud from third party fraud. Some of these ideas may be applicable to some financial institutions (FIs) and not others.
• Install an in-depth infosec network tool to ingest web and online traffic into a database. These infosec network solutions capture massive amounts of data and will often require technical staff to set up and use. The very in-depth data collected includes IP address, user agent string, geolocation data and other important metadata. These products also have machine learning capabilities to detect anomalies.
• Capture data to be able to detect TOR and VPN access. There are tools and lists that help you detect TOR and VPNs. You want to know the actual source IP address location. A customer may use a VPN to try and throw off the location of the transaction.
• Bot detection capabilities can help detect sophisticated fraudster transaction activity.
• Capture precise location data for web and mobile transactions. There are mobile SDKs (these require the FI’s app) that can give the precise location of the phone when the transaction is being executed.
• Have strong logon authentication beyond user ID/Password/OTP. Verified real strong authentication can be a data point to help move the needle toward or away from first party fraud.
• Remote access detection.
• Behavioral biometrics to be able to distinguish the real customer from the fraudster. Here, one fraud fighter said it is important to predict what normal behavior is, before customers present fraud/scam complaints.
• Analyze time of day and browser language on the device. This data can be used to validate (or not) what the customer is saying.
• Look for anomalies in the payment request in combination with anomalies in the online session and call center interactions.
• Detect if the customer is on a mobile call while doing an online transaction. Is the call inbound and for how long?
• Review any activity with the bank’s call center.
• Look for frequency of interaction (more interaction can demonstrate intent to defraud or just confusion).
• Review call center authentication and verbal discussions.
• Analyze customer profile (e.g. age of customer and large transactions). Be sensitive to vulnerable/elderly customers.
• In the UK, Cifas has several shared network controls that help. Victim Check provides information on whether a particular consumer has been a victim of a fraud/scam before. Beneficiary Checks helps sending financial institutions verify the legitimacy of beneficiaries in transactions, reporting on previous fraud with this account and providing potential fraud risk flags associated with a beneficiary’s name or details.
Once you are collecting the enhanced data, it becomes important to store the transaction activity with this enhanced data. Part of the solution is to compare a suspected fraud/first party fraud case with previous transactions of good and bad data. The correlation and link analysis of this data will provide alerts to anomalous activity. Also, examining the customer’s history to see if there have been previous fraud claims is important.
If the customer claims their phone was stolen and that is how the transaction was done, require the customer to provide the police report.
Biocatch’s Seth Ruden reminded me, “The best way is to start looking at the data that focuses on true third party fraud.” The stronger the indicators are for third party fraud, the better the case is made that the consumer has a valid claim. Seeing new device, foreign location, new network attributes/path, different time of day, speed of MFA input, device ported/SIM swapped, high ATO risk score, etc. can help confirm a legitimate claim. On the other hand, seeing same device, IP address, same network, same time of day can start to point to the customer doing the transaction.
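The comparison described above, sketched as an added example (not code from the original article or from any vendor): a disputed session is checked against the customer's own session history, and the indicators that fire are listed for the case file. The field names, sample sessions and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Session:
    device_id: str          # device fingerprint
    ip_net: str             # network the session came from
    country: str            # geolocated country
    hour: int               # local hour of day, 0-23
    mfa_seconds: float      # time taken to enter the MFA code
    sim_swapped: bool = False
    ato_score: float = 0.0  # account-takeover risk score, 0..1 (assumed scale)

def triage(disputed, history, prior_claims=0):
    """List which indicators from the text fire for a disputed session."""
    if not history:  # nothing to compare against: do not guess
        return {"third_party": [], "customer": [],
                "prior_claims": prior_claims, "lean": "inconclusive: no baseline"}
    # Circular distance, so 23:00 and 01:00 count as two hours apart.
    near = lambda h: min(abs(disputed.hour - h), 24 - abs(disputed.hour - h)) <= 2
    seen = {
        "device": disputed.device_id in {s.device_id for s in history},
        "network": disputed.ip_net in {s.ip_net for s in history},
        "location": disputed.country in {s.country for s in history},
        "time of day": any(near(s.hour) for s in history),
    }
    third = [f"new {k}" for k, hit in seen.items() if not hit]
    customer = [f"same {k}" for k, hit in seen.items() if hit]
    usual_mfa = median(s.mfa_seconds for s in history)
    # Assumed thresholds: tune them against your own good/bad case data.
    if not 0.5 * usual_mfa <= disputed.mfa_seconds <= 2 * usual_mfa:
        third.append("unusual MFA input speed")
    if disputed.sim_swapped:
        third.append("SIM swapped")
    if disputed.ato_score >= 0.8:
        third.append("high ATO risk score")
    if len(third) >= 3:
        lean = "supports third party fraud claim"
    elif not third:
        lean = "points to the customer: escalate for review"
    else:
        lean = "inconclusive"
    return {"third_party": third, "customer": customer,
            "prior_claims": prior_claims, "lean": lean}

# Constructed sample data: three known-good sessions and two disputed ones.
HISTORY = [Session("dev-A", "203.0.113.0/24", "US", 19, 8.0),
           Session("dev-A", "203.0.113.0/24", "US", 20, 9.0),
           Session("dev-A", "198.51.100.0/24", "US", 21, 7.0)]
TAKEOVER = Session("dev-Z", "192.0.2.0/24", "BR", 3, 1.5, True, 0.9)
FAMILIAR = Session("dev-A", "203.0.113.0/24", "US", 20, 8.5)
```

The output is a set of documented data points for the analyst, not a verdict; the customer's story and claim history still have to be weighed alongside it.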
Data sharing can be helpful to catch the same person committing first party fraud with multiple entities (e.g. a bank and a retail store). Identifying the same device fingerprint across multiple suspicious transactions or fraud claims can be a helpful tool. The Cifas network controls mentioned above are very good examples of data sharing.
The analysis needs to be well documented as both first party fraudsters and real customers with a loss will file complaints with the Consumer Financial Protection Bureau (or equivalent ombudsman in other countries). So be prepared to defend your decisions.
Receiving banks also have a role to play
As receiving banks are increasingly under scrutiny (and in some cases held completely or partially liable for customer reimbursement), they also have a role to play in first party fraud detection.
To start, information sharing between sending and receiving banks is critical in the investigation process. The sending bank may contact the receiving bank and ask questions. Who owns the account? When was the account set up? Does the receiving bank have the account opening transaction data for analysis? Can you tell if the same person opened the account at the receiving bank and sent the fraud transaction from the sending bank?
If the customer claims money was debited from their account (unauthorized debit) and moved to another bank, this then becomes a receiving bank issue. So, as a receiving bank:
• Look at the data associated with the opening of the account (using the IP address, user agent string, geolocation data and other important metadata discussed above). The person opening the account could be intending to commit first party fraud.
• Have analysis/anomaly detection on the debit account activity.
• Analyze credit activity in the account. This is not currently required, but is a best practice, especially for detecting money mules.
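An added example (not from the original article) of the link analysis behind the data sharing and receiving-bank questions above: it groups fraud claims by device fingerprint across entities, and checks whether the device on the disputed sending session also opened the beneficiary account. The record layout and all sample values are constructed.

```python
from collections import defaultdict

# Constructed claim records pooled from two entities (all values are made up).
CLAIMS = [
    {"id": "c1", "entity": "bank-A", "customer": "u-17",
     "device": "fp-9c1", "beneficiary": "acct-501"},
    {"id": "c2", "entity": "store-B", "customer": "u-88",
     "device": "fp-9c1", "beneficiary": None},
    {"id": "c3", "entity": "bank-A", "customer": "u-42",
     "device": "fp-2e7", "beneficiary": "acct-733"},
]

# Constructed account-opening metadata held by the receiving bank.
OPENINGS = {
    "acct-501": {"device": "fp-9c1", "ip_net": "203.0.113.0/24"},
    "acct-733": {"device": "fp-d40", "ip_net": "198.51.100.0/24"},
}

def shared_devices(claims, min_claims=2):
    """Device fingerprints that appear on several fraud claims."""
    by_device = defaultdict(list)
    for claim in claims:
        by_device[claim["device"]].append(claim)
    return {
        device: {
            "claims": sorted(c["id"] for c in group),
            "entities": sorted({c["entity"] for c in group}),
            "customers": sorted({c["customer"] for c in group}),
        }
        for device, group in by_device.items()
        if len(group) >= min_claims
    }

def opened_by_claimant(claims, openings):
    """Claims where the sending device also opened the beneficiary account."""
    hits = []
    for claim in claims:
        opening = openings.get(claim["beneficiary"])  # None if not a transfer
        if opening and opening["device"] == claim["device"]:
            hits.append((claim["id"], claim["beneficiary"]))
    return hits
```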
Summary
For fraud fighters, the number of attack vectors to analyze is rising. In addition to account takeovers and the increase in authorized transaction scams, banks and retailers now have to worry about their own customers participating in fraud (and even money mule accounts). So, the tools we use must be expanded to properly analyze each claim of potential online loss. By asking probing questions, having good details on the transaction, and possibly information sharing with vendors and peers, fraud analysts can properly bucket the claim into third party fraud, an authorized transaction scam, or a real first party fraud.
We will be able to learn some valuable lessons from the UK as the new mandatory scam reimbursement rules went into effect in October 2024. Many UK banks are planning to control for first party fraud as part of their mandated scam reimbursement program.
Identifying first party fraud requires a blend of science, through data analysis, and the art of making proper assessments. Above all, talk with your peer financial institutions to find out what they use to make these determinations.