November 19, 2018
Transaction Laundering: A Growing Fraud Risk for Merchants
Posted April 26, 2018
Author Patrick Reames is just one of the latest victims of transaction laundering — and he’s the one stuck with the bill.
In February, Reames had received a 1099 tax form from Amazon reflecting his $24,000 cut of book sales on the company’s self-publishing site, CreateSpace. But Reames doesn’t self-publish and doesn’t even have a CreateSpace account.
It turns out someone was using Reames’ name and social security number to hawk a $555 book full of random, computer-generated blather on several Amazon sites in various countries.
It’s also unclear whether Amazon will even send him a corrected 1099. If it does, the online retail giant could be giving people a brand new way to avoid paying taxes – sell something, then fraudulently claim to be the victim of a money laundering scheme.
In all, the predicament offers a microcosmic view of the complexities surrounding a growing form of fraud that’s distressingly easy to pull off and enormously difficult to detect and stop.
Merchants of Menace
Amazon is hardly alone.
In recent months, high-profile political figures in the U.S. have been indicted for transaction laundering via a popular home rental platform. Uber has fallen victim to sham drivers laundering credit card funds for rides that were never given, and illicit merchants have been allegedly laundering money through PayPal and others to fund terrorist activity.
These thieves aren’t doing this in some dark web back alley, mind you. They’re right out in the open, on the legitimate sites that dominate the everyday “surface web.”
And why wouldn’t they? With stolen credentials, these fraudsters can take over existing merchant accounts or create fraudulent new accounts on popular marketplace and sharing economy sites, as well as numerous payment platforms, in mere minutes. Heck, they can even recruit existing merchants to process transactions in exchange for a quick kickback, and often do.
Whatever the tactic, transactions are run through the legitimate merchant’s accounts, and funds from fraudulent sales go directly to the thieves’ bank account before anybody’s the wiser. By the time chargebacks roll in, the crooks have vanished into thin air.
Hardly a blip on anyone’s radar just a few years ago, losses from transaction fraud like this are now estimated to top $200 billion a year in the U.S., and could reach $500 billion worldwide in 2018. To put that into perspective, total revenue generated by eCommerce in the U.S. was $453 billion last year.
Staunching Losses, Stemming Risks
Beyond revenue losses, there are other reasons payment processors, acquirers and other merchant service providers (MSPs) are seeking to slam the brakes on transaction laundering.
One is consumer and merchant trust, which can seriously erode business when legitimate merchants and their customers are impacted. Another is the Bank Secrecy Act and evolving anti-money laundering (AML) laws, which include provisions that make financial services companies party to financial crimes if they fail to prevent them.
Today, there are at least three big challenges MSPs must overcome to extinguish this threat, and all may involve the same digital identity-based technologies some are using to stop illegal purchases from fraudsters posing as customers.
- Merchant Onboarding: Cybercriminals can easily create full and convincing merchant accounts using stolen pieces of identity information that pass most security checks in place today. But more rigorous vetting can also mean legitimate merchants encounter increased friction. To counter this, MSPs will likely seek access to globally crowdsourced digital identity intelligence that can be used to instantly recognize whether a prospective merchant is using compromised credentials. Some will even look to integrate offline identity details to further screen prospects in real time.
- Ongoing Transaction Screening: With troves of misappropriated payment details readily available online, it’s clear that transactions need to be validated in a more sophisticated way. Dynamic, digital identity information captured at the point of sale has been shown to help organizations recognize legitimate identities and pinpoint fraud without adding friction to the digital experience. The key is passive, ongoing monitoring that doesn’t create friction.
- Compliance Risk Mitigation: MSPs face mounting pressure to comply with rapidly evolving regional regulations, from open banking to illegal funds transfers to known criminal entities and embargoed nations. Look for a growing number of organizations to adopt solutions that can meet these ever-changing needs, including risk-based authentication and strong customer authentication (SCA) that utilize digital identity intelligence.
Adding Insult to Injury
All of this is just the beginning, of course. As soon as MSPs put solutions in place, cyber thieves will no doubt hatch inventive new techniques to circumvent them.
Indeed, just to put a fine point on the kind of attacks Amazon faces when authors like Reames discover they’ve fallen victim to fraud, online searches for Amazon support contacts sometimes turn up yet more deception.
As Krebs points out, fake support numbers are known to connect unwitting users to fraudsters who harvest even more personal information to commit further crimes.
It’s enough to make you wonder if we’ve blown past the age-old warning “buyer beware.” With transaction laundering running rampant, platform-based merchants and the financial services that support them are now the ones that have to beware.
To learn more about how a digital identity-based approach to preventing new merchant fraud schemes, such as transaction laundering, be sure to check out this exclusive Case Study.