“Low and Slow” Is How the Credit Card Fraudsters Roll

Posted April 5, 2018

Cybercriminals have learned that when it comes to credit card fraud, staying below the radar is the sweet spot. Gone are the big charges that immediately draw the attention and ire of the cardholder. In their place is the “disciplined” low-and-slow approach of leveraging small recurring charges that too many consumers tend to ignore.

Here is how the scheme works. Cybercriminals take stolen payment information harvested from data breaches to purchase small monthly subscriptions, often as low as $10 per month, to music or entertainment streaming services, among others.  And there’s the key…the amounts are low enough that they can easily be missed when cardholders do a cursory review of the monthly credit card statement.  Even more daunting, if the charge is set up as an automatic bill pay, the payment can become institutionalized in the mind of the cardholder and basically subjected to little or no scrutiny.  End result: a recurring fraud stream that appears to be normal given the abundance of recurring consumer services, the monthly payment frequency and the small amount. And, if these charges show up on the statement for a shared credit card, it is easy to assume the charge was made by the other authorized user.

Ironically, even if the cardholder already has a subscription to one of these services, it doesn’t preclude these fraudulent charges from avoiding detection. Since most people have more than one credit card, it is easy to forget which one was used to pay for, let’s say, your music streaming subscription. Some customers even assume these small charges are just some sort of an extra fee or service charge. So, slow and low is how the disciplined and patient fraudsters stay below your radar. It’s incredibly effective, and it can grow into a big recurring problem.
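As an added illustration (not part of the original post and not ThreatMetrix code), here is one way a cardholder or issuer could surface the pattern described above: small charges that repeat monthly on a card, including a second subscription to a service already paid on another card. The thresholds, merchant names and sample statement lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

SMALL_CHARGE_MAX = 15.00           # assumed cutoff; the post cites charges "as low as $10 per month"
MIN_REPEATS = 3                    # assumed: three charges before a pattern counts as recurring
MONTHLY_GAP_DAYS = range(26, 36)   # assumed tolerance for a "monthly" billing cadence

def recurring_small_charges(txns):
    """Return {(card, merchant): [dates]} for small charges repeating about monthly."""
    groups = defaultdict(list)
    for card, day, merchant, amount in txns:
        if amount <= SMALL_CHARGE_MAX:
            groups[(card, merchant)].append(day)
    recurring = {}
    for key, days in groups.items():
        days.sort()
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        if len(days) >= MIN_REPEATS and all(g in MONTHLY_GAP_DAYS for g in gaps):
            recurring[key] = days
    return recurring

def review_queue(txns, known_subscriptions):
    """List recurring small charges the cardholder has not confirmed.

    known_subscriptions is a set of (card, merchant) pairs the cardholder recognises.
    A merchant already paid on a different card is labelled separately, because an
    existing subscription makes the second charge easy to overlook.
    """
    known_merchants = {merchant for _, merchant in known_subscriptions}
    findings = []
    for (card, merchant), days in sorted(recurring_small_charges(txns).items()):
        if (card, merchant) in known_subscriptions:
            continue
        reason = ("duplicate of subscription on another card"
                  if merchant in known_merchants else "unrecognised recurring charge")
        findings.append((card, merchant, len(days), reason))
    return findings

def _monthly(card, merchant, amount, day):
    return [(card, date(2018, m, day), merchant, amount) for m in (1, 2, 3)]

# Constructed sample statement lines: (card, date, merchant, amount)
SAMPLE = (_monthly("card-A", "StreamTunes", 9.99, 3)
          + _monthly("card-B", "StreamTunes", 9.99, 12)
          + _monthly("card-B", "VidBox", 7.99, 20)
          + [("card-A", date(2018, 1, 5), "Grocer", 12.40),
             ("card-A", date(2018, 1, 9), "Grocer", 11.10),
             ("card-A", date(2018, 2, 1), "Airline", 250.00)])
KNOWN = {("card-A", "StreamTunes")}   # the one subscription the cardholder recognises

if __name__ == "__main__":
    for row in review_queue(SAMPLE, KNOWN):
        print(row)
```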

The Fraud Snowball

Unless the cardholder discovers the fraud and reports it, this kind of scam could persist for years.  Let’s face it: when was the last time that you sat down and reviewed the monthly charges on your favorite entertainment streaming service to make sure the charges were legit?

Here’s another gotcha…not only is this the fraud that keeps on giving, it is yet another way for cybercriminals to test the validity of the stolen credit card information in their possession before using it for bigger and better paydays. But, that’s not the only appeal. After successfully opening these accounts, some cybercriminals are turning around and selling these subscriptions on secondary markets, online auctions, or P2P exchanges.

As the fraud rolls on undetected, the snowball gets bigger and bigger. This is all part of the more than $22 billion in losses globally due to credit card fraud, and part of a bigger problem that goes beyond customers diligently checking their credit card statements.

The growing tide of fraud continues to perplex merchants and payment processors despite their best efforts to stop it – including taking the precautionary steps of verifying the mailing address associated with the buyer and credit card and flagging large transactions for further review.

These businesses have another tool at their disposal – the Card Verification Value (CVV) number – that three- or four-digit number printed on the back of a credit card. However, according to an American Express Digital Payments Survey, only 53 percent of merchants are currently requiring customers to present the CVV…a fact well known in fraudster circles!

For added security, some businesses are still opting to send their customers through the dreaded step-up authentication process. But, here’s the problem:  One, many of the fraudsters know the challenge questions better than the customers who provided them.  Two, and most importantly, it’s become common knowledge how today’s digital customers feel about anything that adds friction to their online experience.  So, the net impact is that cardholders are bilked, low and slow, and the merchants, afraid of any form of friction, wind up eating over $22 billion in fraud losses.

The Digital Identity Silver Bullet

There is a better way to solve this problem that eliminates the need for friction while also mitigating the massive fraud losses associated with unbridled trust and lax cardholder behavior.  The ultimate solution to this problem comes down to this: anonymous, relevant, real-time data. In the frenetic pace of today’s digital economy, data is the lifeblood of commerce and the only way to help companies avoid the ever-growing snowball effect of fraud and cybercrime.

In the digital world, only four things really matter to distinguish between real users and the cybercriminals. Merchants need a global network that can simultaneously provide information on the method of interaction with a site or application, anonymously stitch together every aspect of a cardholder’s digital journey into one digital identity, understand that cardholder’s behavior across the network in real time, and provide information on the associated threats. At ThreatMetrix, we recognized the power of this data and network and its critical role in the digital economy almost a decade ago. That realization is what propelled us down a path of building the largest repository of global digital identities – a repository that includes more than 1.4 billion identities.

But all of those data elements don’t do much good unless they can be put to use when companies need them most – when critical trust decisions must be made. So, we developed a mechanism and the supporting technology to bring this to fruition and deliver highly accurate data around an online user’s method of interaction, identity, and behavior at the point of the transaction in real time.

And, since we process more than 110 million transactions each day, these identities get stronger and more relevant with each transaction.

The Never-Ending Battle

The threats to companies operating in the digital economy continue to grow. The fourth quarter of 2017 alone saw an unprecedented 251 million cyberattacks, a 113-percent increase over the previous year.

And, with the number of fraudulent online purchases continuing to snowball, who can blame online merchants and payment providers if they feel like they are on the losing side of a seemingly endless cybercrime battle?

I believe that when we’re all armed with dynamic data shared from thousands of businesses across the globe, organizations will feel better equipped to battle credit card fraud – low, slow or otherwise, and finally reduce the fraud snowball effect.

To learn more about how payment processors can protect themselves from all types of fraud, read this exclusive Solution Brief.

Frank Teruel

SVP/GM, ThreatMetrix
