At the intersection of government assistance, vulnerable populations and digital payments … the fraudsters lie in wait.
Amid the trillions of dollars in pandemic-related aid being disbursed by federal, state and local governments, Visa said in its August 2020 Security Alert that pandemic unemployment assistance fraud — done through mobile conduits — as a “prolific” vector of attack.
In an interview with Karen Webster, Mike Lemberger, senior vice president and regional risk officer for North America at Visa, said a “layered” approach helps criminals cover their tracks. And a layered approach, too, helps Visa, through its Payment Fraud Disruption (PFD) unit, help uncover those tracks and identify suspicious patterns that can help identify, and stop fraudsters.
Layers Upon Layers
In terms of mechanics, bad actors leverage mobile applications to contact people who have received or are receiving unemployment or stimulus benefits. They use phishing campaigns, and the promise of speedy payment of government benefits, to prod victims into giving up sensitive personally identifiable information (PII).
As is seen all too often, the fraudsters then use the PII to make fraudulent transactions, in some cases by using prepaid payment accounts and mobile apps. In other cases, the stolen PII is used to fraudulently apply for government assistance.
In addition, Visa’s PFD has identified an increase in fraudsters’ recruitment of money mules through what the network giant has identified as fraudulent work from home efforts that take advantage of the stubbornly high unemployment rate.
As Lemberger noted, “the fraudsters have not been hibernating. They are working all the time. And as soon as they see a window of opportunity, they just go for it.” And, he added, with the challenging headwinds faced by the economy — and payments themselves becoming ever digital in nature and faster too — there has been more involvement by the payment networks (including Visa) to ferret out and guard against fraud.
Visa, as he told Webster, has become more involved in disbursements and has been building out its Visa Direct platform, and in the meantime has sought to take at least some of the fraud battle burden away from the “acceptance” side of the equation.
As to where it all begins: The fraudsters have been able to latch on to PII — that’s been floating around for years — ahead of launching full-blown into their schemes.
As Lemberger said “one of the things we need to do better, collectively, as a society” is to lock down the data that has so often made its way onto the Dark Web.
It’s no secret, he pointed out, that breaches have been gaining steam, gaining by double-digit percentages year over year.
The increasing use of high tech, he said, means that “fraudsters have found that they can use part of the networks that they haven’t been able to use before.”
Money can be loaded on digital cards and spent relatively anonymously, making it easier to transfer money. Digital wallets can give criminals access to credentials fairly quickly.
As Lemberger illustrated: “It used to be that a wire transfer went through an ACH-based bank-to-bank commercial sponsoring bank network. But right now there are apps that let you send money throughout the world through transfers. There are neobanks that allow you to move money within their apps even between currencies.”
The leapfrogging creates a “layering effect” of transactions and currencies and cards that allow fraudsters to cover their digital tracks pretty effectively. The tech providers, at first glance, are heartened by what seems to be growing volumes and customer counts.
But Visa, he said, with its own links to an increasing number of financial institutions, can offer granular insight (by way of its fraud teams) to those financial institutions, and governments, too.
“What we’ve done is create a center for fraud monitoring called the Visa Risk Operation Center,” he told Webster, “and those folks are watching what’s going on all the time. If you think about artificial intelligence — and how we model data — those teams are looking for patterns in fraud.”
If the fraudsters themselves are looking to hide behind layers of deception, Visa’s fraud teams have embraced a layered approach too — which moves from observation and alerts to full on investigations as needed.
He said the PFD sends alerts out to FIs and other stakeholders about “levels of suspicion” in real time. Visa has set up investigation teams, too, that look into what’s going on behind the scenes globally when transaction amounts (and some red flags) creep up to noticeable levels.
“It’s a patterns game,” he said, pointing to that kids’ arcade staple “Whack-a-Mole” as an example, “but don’t underestimate the value of the mobile phone networks and mobile phone data being mapped out against many kinds of email and other databases.”
Across prepaid cards and virtual cards, and traditional debit and credit cards, fraudsters are cobbling identities together and onboarding at the online portals that banks of all types (neobanks too, branchless as they are) have set up to attract customers.
Drilling down into the current pandemic of pandemic-related fraud, he said Visa is making much of its data available to a variety of stakeholders, especially on the government side of the disbursement equation — tracking whether money is flowing to direct deposit, prepaid or debit accounts, for example. Looking at spending patterns is important too, he said, noting that a hypothetical $100 disbursed to a claimant who then turns around and buys $100 in gift cards, and a pack of gum to throw folks off the scent, may raise some flags.
Looking ahead, as stimulus payments slow down — and loan forbearance becomes an issue — it will be increasingly important for Visa to help calibrate its algorithms to help financial institutions and merchants weather what might be new economic storms, or new vulnerabilities.
“If you look at traditional fraud, usually there’s a victim. And the victim is reported — for instance, the bank got ripped off. Or the bank reports it lost its money, or the merchant does. The unemployment fraud falls in the middle of this because here it’s the government getting ripped off,” he added.
Visa has been bringing its identity and know your customer (KYC) tools to various governments to layer their own security efforts on the front end.
But the effort is by no means one size fixes all.
“You have to go to each state and do this,” maintained Lemberger, who added that “we see transactions in every state … so we can help with the data, but we don’t have one solution that can solve all 50 states.”