Fraud & Identity Management

Customer Experience during the holiday shopping season During the holidays, consumers transact at a much greater rate than any other time of the year. Many risk-management departments respond by loosening the reins on their decision engines to improve the customer experience — and to ensure that this spike does not trigger a response that would impede a holiday shopper’s desire to grab one more stocking stuffer or a gift for a last-minute guest. As a result, it also is the busy season for fraudsters, and they use this act of goodwill toward your customers to improve their criminal enterprise. Ultimately, you are tasked with providing a great customer experience to your real customers while eliminating any synthetic ones. Recent data breaches resulted in large quantities of personally identifiable information that thieves can use to create synthetic identities being published on the Dark Web. As this data is related to real consumers, it can be difficult for your identity-authentication solution to determine that these identities have been compromised or fabricated, enabling fraudsters to open accounts with your organization. Experian’s Identity Element Network™ can help you determine when synthetic identities are at work within your business. It evaluates nearly 300 data-element combinations to determine if certain elements appear in cyberspace frequently or are being used in combination with data not consistent with your customer’s identity. This proven resource helps you manage fraud across the Customer Life Cycle and hinder the damage that identity thieves cause. Identity Element Network examines a vast attribute repository that grows by more than 2 million transactions each day, revealing up-to-date fraud threats associated with inconsistent or high-risk use of personal identity elements. Our goal is to provide the comfort of knowing that you are transacting with your real customers. Don’t get left in the cold this holiday season — fraudsters are looking for opportunities to take advantage of you and your customers. Contact your Experian account executive to learn how Identity Element Network can help make sure you are not letting fraudsters exploit the customer experience intended for your real customers. Learn more about the delicate balance between customer and criminal by viewing our fraud e-book.

Electronic signatures and their emerging presence in our Internet-connected world I had the opportunity to represent Experian at the eSignRecords 2015 conference in New York City last week. The concept of electronic signature, while not new, certainly has an emerging presence in the Internet-connected world — as evidenced by the various attendee companies that were represented, everything from home mortgages to automobiles. Much of the discussion focused on the legal aspects of accepting an electronic signature in lieu of an in-person physical signature. The implications of accepting this virtual stamp of approval were discussed, as well as the various cases that already have been tried in court. Of course, the outcome of those cases shapes the future of how to properly integrate this new form of authorization into existing business processes. Attendees discussed the basic concept of simply accepting a signature on an electronic pad as opposed to one written on a piece of paper. That act alone has many legal challenges even though it provides the luxury of in-person authentication through a face-to-face meeting. The complexities and risk increase exponentially when these services are extended over the Internet. The ability to sign documents virtually opens up a whole new world of business opportunities, and the concept certainly caters to the consumer’s need for convenience. However, the anonymity of the Internet presents the everyday challenge of balancing consumer expectations of greater ease of use with necessary fraud prevention measures. Ultimately, it always comes back to understanding who is actually signing that document. All of this highlights the need for robust authentication and security measures. As more and more legal documents and contracts are passed around virtually, the opportunity to properly screen and verify who has access to the documents gets more critical. Many organizations still rely on the tried-and-true method of knowledge-based authentication (KBA), while many others have called for its end. KBA continues to soldier on as an effective way to ensure that people on the other end of the wire are who they say they are by asking questions that — presumably — only they know the answers to. In most cases, KBA is viewed as a “check the box” step in the process to satisfy the lawyers. In certain cases, that’s all you need to do to ensure compliance with legal policy or regulatory requirements. It starts to get tricky is when there’s more on the line than just “check the box” actions. When the liability of first- or third-party fraud, becomes greater than simple compliance, it’s time to implement tighter security, while at the same time limiting the amount of friction caused by the process. Many in attendance discussed the need for layers of authentication based on the type of documents that are being processed and handled. This speaks directly to the point that one size does not fit all. As the industry matures and acceptance of e-signatures increases, so too does the need for more robust, flexible options in authentication. Another topic — that was quite frankly foreign to everyone we talked to — was the need for security around the concept of account takeover. When discussing this type of fraud, most attendees did not even consider this to be a hole in their strategy. Consider this fictional scenario. I’m responsible for mergers and acquisitions for my publicly traded company. I often share confidential information via electronic means, leveraging one of the many electronic signature solutions on the market. I become a victim of a phishing attack and unknowingly provide my login credentials to the fraudster. The fraudster now has access to every electronic document that I have shared with various organizations — most of which have been targets for mergers and acquisitions. Fraudsters are creative. They exploit new technologies — not because they’re trendsetters, but because oftentimes these new technologies fail to consider how fraudsters can benefit from the system. If you are considering adopting e-signature as a formal process, please consider implementing: Flexible levels of authentication based on the risk and liability of the documents that are being presented and what they are protecting FraudNet for Account Takeover, which enhances security around access to these critical documents to protect against data breaches Not only the needs and experiences of your own business, but customer needs as well to enable to the best possible customer interactions If you haven’t considered implementing e-signature technology into your business process, you should — but be sure to have your fraud team present when considering the implementation.

We all know that first party fraud is a problem. No one can seem to agree on the definitions of first party fraud and who is on the hook to find it, absorb the losses and mitigate the risk going forward. More often than not, first-party fraud cases and associated losses are simply combined with the relatively big “bucket” of credit losses. More importantly, the means of quickly detecting potential first-party fraud, properly segmenting it (as either true credit risk or malicious behavior) and mitigating losses associated with it usually lies within more general credit policies instead of with unique, targeted strategies designed to combat this type of fraud. In order to create a frame of reference, it’s helpful to have some quick — and yes, arguable — definitions: Synthetic identity: the fabrication of an identity with the intention of perpetrating fraudulent applications for, and access to, credit or other financial services Bust-out: the substantive building of positive credit history, followed by the intentional, high-velocity opening of several new accounts with subsequent line utilization and “never payment” Default payment: intentionally allowing credit lines to default to avoid payments Straight-roller: an account opened with immediate utilization followed by default without any attempt to make a payment Never pay: a form of straight-roller that becomes delinquent within the first few months of opening the account So what’s a risk manager to do? In my opinion, the best methods to consider in the fight against first-party fraud include analytical solutions that take multiple data points into consideration and focus on a risk-based approach. For my money, the four most important are: Models and scores developed with the proper set of identity and credit risk attributes derived from current and historic identity and account usage patterns (in other words, ANALYTICS) — Used at both the account opening and account management phases of the Customer Life Cycle, such analytics can be customized for each addressable market and specific first-party fraud threat The monitoring of individual identity elements at a portfolio level and beyond — This type of monitoring and LINK ANALYSIS allows organizations to detect the creation of synthetic identities Reasonable (e.g., one-to-one) identity and device associations over time versus a cluster of devices or coordinated attacks stemming from a single device — Knowing a customer’s device profile and behavioral usage with DEVICE INTELLIGENCE provides assurance that applications and account access are conducted legitimately Leveraging industry experts who have worked with other institutions to design and implement effective first-party fraud detection and loss-mitigation strategies — This kind of OPERATIONAL CONSULTING can save time and money in the long run and afford an opportunity to avoid mistakes By active use of these methods, you are applying a risk-based approach that will allow you to realize substantial savings in the forms of loss reduction and operational efficiencies associated with non-acquisition of high-risk first-party fraud applications, more effective credit line management of potentially high-risk accounts, better segmentation of treatment strategies and associated spend against high-risk identities, and removal of first-party fraud accounts from traditional collections processes that will prove futile. Download our recent White Paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence.

Profile of an online fraudster I recently read a study about the profile of a cybercriminal. While I appreciate the study itself, one thing it lacks perspective on is an understanding of how identity data is being used to perpetrate fraud in the online channel. One may jump to conclusions about what is a good indicator for catching fraudsters. These very broad-brush observations may result in an overwhelming number of false positives without digging in deeper. Purchase value A single approach for understanding the correlation between purchase value and fraud does not work to best protect all businesses. Back in 2005, we saw that orders under $5 were great indicators of subsequent large-ticket fraud. For merchants that sell large-ticket items, such as electronics, those same rules may not be effective. To simply believe that the low dollar amount is the extent of the crime and not just a precursor to the real, bigger crime indicates a lack of understanding of how fraudsters work to manipulate a system. For some merchants, where fraudsters know they can go to do card testing against their business, low-dollar-amount rules may apply. However, for other businesses a different set of rules must be put into place. Time of day We have been tracking fraud time of day as a rule since 2004, but the critical point is a clear definition of which time of day. For the merchant, 3 a.m. is very different than 3 a.m. for a fraudster who is in Asia or Eastern Europe, where 3 a.m. merchant time is actually the middle of the online fraudster’s day. FraudNet is designed to identify the time from the user’s device and runs its rules from the user’s time. We find that every individual business will have a very specific threat profile. Businesses need to build their individual fraud strategy around their overall attack rate taking into account the strength of the defense and the ability to be flexible to accommodate the nuances for individual consumers. A general approach to fraud mitigation inevitably results in a system that begins to chase broad averages, which leads to excessive false positives and mediocre detection. That’s what drives us to do the job better. The proof of every fraud solution should lie in its ability to catch the most fraud without negatively impacting good customers.  

What the EMV Shift means for you I recently facilitated a Webinar looking at myths and truths in the market regarding the EMV liability shift and what it means for both merchants and issuers. I found it to be a very beneficial discussion and wanted to take some time to share some highlights from our panel with all of you. Of course, if you prefer to hear it firsthand, you can download the archive recording here. Myth #1: Oct. 1 will change everything Similar to the hype we heard prior to Y2K, Oct. 1, 2015, came and went without too much fanfare. The date was only the first step in our long and gradual path to EMV adoption. This complex, fragmented U.S. migration includes: More than 1 billion payment cards More than 12 million POS terminals Four credit card networks Eighteen debit networks More than 12,000 financial institutions Unlike the shift in the United Kingdom, the U.S. migration does not have government backing and support. This causes additional fragmentation and complexity that we, as the payments industry, are forced to navigate ourselves. Aite Group predicts that by the end of 2015, 70 percent of U.S. credit cards will have EMV capabilities and 40 percent of debit cards will be upgraded. So while Oct. 1 may not have changed everything, it was the start of a long and gradual migration. Myth #2: Subscription revenues will plummet due to reissuances According to Aite, EMV reissuance is less impactful to merchant revenues than database breaches, since many EMV cards are being reissued with the same pan. The impact of EMV on reoccurring transactions is exaggerated in the market, especially when you look at the Update Issuer provided by the transaction networks. There still will be an impact on merchants, coming right at the start of the holiday shopping season. The need for consumer education will fall primarily on merchants, given longer lines at checkout and unfamiliar processes for consumers. Merchants should be prepared for charge-back amounts on their statements, which they aren’t used to seeing. Lastly, with a disparate credit and debit user experience, training is needed not just for consumers, but also for frontline cashiers. We do expect to see some merchants decide to wait until after the first of the year to avoid impacting the customer experience during the critical holiday shopping season, preferring to absorb the fraud in the interest of maximizing consumer throughout. Myth #3: Card fraud will decline dramatically We can look to countries that already have migrated to see that card fraud will not, as a whole, decline dramatically. While EMV is very effective at bringing down counterfeit card fraud, organized crime rings will not sit idly by while their $3 billion business disappears. With the Canadian shift, we saw a decrease in counterfeit card loss but a substantial increase in Card Not Present (CNP) fraud. In Canada and Australia, we also saw a dramatic, threefold increase in fraudulent applications. When criminals can no longer get counterfeit cards, they use synthetic and stolen identities to gain access to new, legitimate cards. In the United States, we should plan for increased account-takeover attacks, i.e., criminals using compromised credentials for fraudulent CNP purchases. For merchants that don’t require CVV2, compromised data from recent breaches can be used easily in an online environment. According to Aite, issuers already are reporting an increase in CNP fraud. Fraudsters did not wait until the Oct. 1 shift to adjust their practices. Myth #4: All liability moves to the issuer EMV won’t help online merchants at all. Fraud will shift to the CNP channel, and merchants will be completely responsible for the fraud that occurs there. We put together a matrix to illustrate where actual liability shifts and where it does not. Payments liability matrix Note: Because of the cost and complexity of replacing POS machines, gas stations are not liable until October 2017. For more information, or if you’d like to hear the full discussion, click here to view the archive recording, which includes a great panel question-and-answer session.

While walking through a toy store in search of the perfect gift for a nephew, I noticed the board game Risk, which touts itself as “The Game of Global Domination.” For those who are unaware, the game usually is won by players who focus on four key themes: Strategy — Before you begin the game, you need a strategy to attack new territories while defending your own Attack — While you have the option to sit back and defend your territory, it’s better to attack a weakened opponent Fortify — When you are finished attacking, it’s often best to fortify your position Alliances — While not an official part of the game, creating partnerships is necessary in order to win These themes also are relevant to the world of real-life fraud risk prevention. The difference is that the stakes are real and much higher. Let’s look at how these themes play out in real-life fraud risk prevention:  Strategy — Like in the game, you need a strategy for fraud risk detection and prevention. That strategy must be flexible and adaptable since fraudsters (your enemies) also continuously adapt to changing environments, usually at a much quicker, less bureaucratic pace. For example, your competitors (other countries) may improve their defenses, so fraudsters will mount a more focused attack on you. Fraudsters also may build alliances to attack you from different vectors or channels, resulting in a more sophisticated, comprehensive strike.  Attack — As the game begins, all players have access to all competitors (countries). This means that fraudsters might have the upper hand in a certain area of the business. You can sit back and try to defend the territory you already “own,” where fraudsters have no traction, but it’s best to be aggressive and attack fraudsters by expanding your coverage across all channels. For example, you might have plenty of controls in place to manage your Web orders (occupied territory), but your call center operations (opponents’ territory) aren’t protected, i.e., the fraudsters “own” this space. You need to attack that channel to drive fraudsters out.  Fortify — In the game, you can fortify your position after a successful move — that is, move more troops to your newly conquered territories. In real life, you always have the option to fortify your position, and you should constantly look for ways to improve your controls. You can’t afford to maintain on your current position, because fraudsters constantly are looking for weaknesses.  Alliances — In business, we often are hesitant to share information with our competitors. Fraudsters use this to their advantage. Just as fraudsters act in a coordinated fashion, so must we. Use all available resources and partners to shore up your defenses Leverage the power of consortium data Learn new methods from traditional competitors Always team up with internal and external partners to defend your territory If you apply these themes, you will be positioned for global domination in the fight against fraud risk. You can read more about fraud-prevention strategies in our recent ebook, Protecting the Customer Experience. As a side note, I’m always ready for a game of Risk, so contact me if you’re interested. But be forewarned — I’m competitive.

What will the EMV shift really mean for consumers and businesses here in the U.S.? Businesses and consumers across the U.S. are still adjusting to their new EMV credit cards. The new credit cards are outfitted with computer chips in addition to the magnetic strips to help prevent point-of-sale (POS) fraud. The new system, called EMV (which stands for Europay, MasterCard and Visa), requires signatures for all transactions. EMV is a global standard for credit cards. In the wake of the rising flood of large-scale data breaches at major retailers – and higher rates of counterfeit credit card fraud – chip-and-signature, as it is also called, is designed to better authenticate credit card transactions. Chip-and-signature itself is not new. It has been protecting consumers and businesses in Europe for several years and now the U.S. is finally catching up. But what will the EMV system really mean for consumers and businesses here in the U.S.? There is the potential for businesses that sell both offline and online, to see an increase in fraud that takes place online called Card Not Present (CNP) fraud. Will credit card fraud ever really be wiped out? Can we all stop worrying that large-scale point-of-sale breaches will happen again? Will the EMV shift affect holiday shopping and should retailers be concerned? Join us as we explore these questions and more on an upcoming Webinar, Chipping Away at EMV Myths. Our panel of experts includes: David Britton, Vice President, Industry Solutions, Experian Julie Conroy, Research Director, Aite Group Mike Klumpp, Director of Fraud Prevention, Citibank Moderated by: Keir Breitenfeld, Vice President, Product Management, Experian

Small Business Fraud When you hear the word “fraud” it’s unlikely that small business fraud comes to mind. However, in terms of potential losses, business identity theft could be considered as big if not a larger threat than consumer identity theft. Just like consumers, businesses face a broad- range of first- and third-party fraud behaviors, varying significantly in frequency, severity and complexity. Small businesses are especially vulnerable, because they typically do not have the layers of security and oversight, an alert accounting or I.T. department, or the sophisticated security technology that larger businesses may have. Over $8 billion is lost or stolen from small businesses each year and 60% of businesses who suffer business identity fraud close their doors within one year. A first-party, or victim-less, fraud profile is characterized by having some form of material misrepresentation (for example, manipulation or falsification of business filings and records) by the business owner without that owner’s intent or immediate capacity to pay the loan item. Historically, during periods of economic downturn or misfortune, this type of fraud is more common. This intuitively makes sense — individuals under extreme financial pressure are more likely to resort to desperate measures, such as misstating financial information on an application to obtain credit. Third-party commercial fraud occurs when a third party steals the identification details of a known business or business owner in order to open credit in the business victim’s name. With creditors becoming more stringent with credit-granting policies on new accounts, we’re seeing seasoned fraudsters shift their focus on taking over existing business or business owner identities. The rising trend of commercial fraud is illustrated by several key reasons including: One of the most common reasons for this is that commercial fraud doesn’t receive the same amount of attention as consumer fraud. Thus, it’s become easier for fraudsters to slip under the radar by perpetrating their crimes through the commercial channel. Keep in mind that businesses are often not seen as victims in the same way that consumers are. For example, victimized businesses aren’t afforded the protections that consumers receive under identity theft laws, such as access to credit information. Another factor is that most businesses are eager to open a new account for a business, after all businesses spend more than consumers. In some cases, opening a new business account can be even easier than opening a new consumer account. Business also have higher credit limits and the invoicing and payment terms allows identity thieves the opportunity to receive products and services without early detection. Finally, it is much easier to get information on a business versus a consumer. Unlike the protections provided to consumers to protect their identity, their credit information much of a business’s information is public record. Armed with the just a business name, address and EIN (employer identification number) fraudulent accounts can be opened and the game of theft begins. These factors, coupled with the fact that business-to-business fraud is approximately three-to-ten times more “profitable” per occurrence than consumer fraud, play a role in leading fraudsters increasingly toward commercial fraud. To learn more about how to protect your business view our interactive Fraud e-book.

Understanding and managing first party fraud Background/Definitions Wherever merchants, lenders, service providers, government agencies or other organizations offer goods, services or anything of value to the public, they incur risk. These risks include: Credit risk — Loosely defined, credit risk arises when an individual receives goods/services in exchange for a promise of future repayment. If the individual’s circumstances change in a way that prevents him or her from paying as agreed, the provider may not receive full payment and will incur a loss. Fraud risk — Fraud risk arises when the recipient uses deception to obtain goods/services. The type of deception can involve a wide range of tactics. Many involve receiving the goods/services while attributing the responsibility for repayment to someone else. The biggest difference between credit risk and fraud risk is intent. Credit risk usually involves customers who received the goods/services with intent to repay but simply lack the resources to meet their obligation. Fraud risk starts with the intent to receive the goods/services without the intent to repay. Between credit risk and fraud risk lies a hybrid type of risk we refer to as first-party fraud risk. We call this a hybrid form of risk because it includes elements of both credit and fraud risk. Specifically, first party fraud involves an individual who makes a promise of future repayment in exchange for goods/services without the intent to repay. Challenges of first party fraud First party fraud is particularly troublesome for both administrative and operational reasons. It is important for organizations to separate these two sets of challenges and address them independently. The most common administrative challenge is to align first-party fraud within the organization. This can be harder than it sounds. Depending on the type of organization, fraud and credit risk may be subject to different accounting rules, limitations that govern the data used to address risk, different rules for rejecting a customer or a transaction, and a host of other differences. A critical first step for any organization confronting first-party fraud is to understand the options that govern fraud management versus credit risk management within the business. Once the administrative options are understood, an organization can turn its attention to the operational challenges of first-party fraud. There are two common choices for the operational handling of first-party fraud, and both can be problematic. First party fraud is included with credit risk. Credit risk management tends to emphasize a binary decision where a recipient is either qualified or not qualified to receive the goods/services. This type of decision overlooks the recipient’s intent. Some recipients of goods/services will be qualified with the intent to pay. Qualified individuals with bad intentions will be attracted to the offers extended by these providers. Losses will accelerate, and to make matters worse it will be difficult to later isolate, analyze and manage the first party fraud cases if the only decision criteria captured pertained to credit risk decisions. The end result is high credit losses compounded by the additional first party fraud that is indistinguishable from credit risk. First party fraud is included with other fraud types. Just as it’s not advisable to include first party fraud with credit risk, it’s also not a good idea to include it with other types of fraud. Other types of fraud typically are analyzed, detected and investigated based on the identification of a fraud victim. Finding a person whose identity or credentials were misused is central to managing these other types of fraud. The types of investigation used to detect other fraud types simply don’t work for first-party fraud. First party fraudsters always will provide complete and accurate information, and, upon contact, they’ll confirm that the transaction/purchase is legitimate. The result for the organization will be a distorted view of their fraud losses and misconceptions about the effectiveness of their investigative process. Evaluating the operational challenges within the context of the administrative challenges will help organizations better plan to handle first party fraud. Recommendations Best practices for data and analytics suggest that more granular data and details are better. The same holds true with respect to managing first party fraud. First party fraud is best handled (operationally) by a dedicated team that can be laser-focused on this particular issue and the development of best practices to address it. This approach allows organizations to develop their own (administrative) framework with clear rules to govern the management of the risk and its prevention. This approach also brings more transparency to reporting and management functions. Most important, it helps insulate good customers from the impact of the fraud review process. First-party fraudsters are most successful when they are able to blend in with good customers and perpetrate long-running scams undetected. Separating this risk from existing credit risk and fraud processes is critical. Organizations have to understand that even when credit risk is low, there’s an element of intent that can mean the difference between good customers and severe losses. Read here for more around managing first party fraud risk.

Protecting your customer The impact of fraud on the customer relationship Sadly fraudsters seem to always be one-step ahead of fraud-prevention strategies, causing organizations to play catch-up to the criminals. And as information security tightens and technologies evolve, so does the industrious nature of organized identity and online fraud. It should be no surprise then that fraud risk mitigation and management will continue to be an ongoing issue for organizations. But what continues to drive investment in identity management and online risk tools is the arms race across organizations to deliver superior customer experience and functionality. While the monetary cost of fraud losses can be high and rather detrimental, the impact of lost customers and overall reputational decline due to poor customer experiences can be higher. The key is finding the right balance between identifying and segmenting likely fraudulent customers across the vast majority of legitimate customers and transactions. I want to share a recent interactive eBook we launched which outlines the authentication and identity management balance with a focus on the consumer. We highlight current trends and what organizations should be thinking about and doing to protect their business, institution, or agency and customers. I hope you enjoy this look at the impact of fraud on the customer relationship.    

Increased volume of fraud attempts during back to school shopping season Back to school shopping season will be the first time many consumers' use their chip-enabled credit cards and stores' new card readers. With the average K-12 family spending $630.36 per child in back to school shopping, and more than 1/3 shopping online, according to the National Retail Federation - is your fraud strategy prepared to handle the increased volume? And are you using a dynamic knowledge based authentication (KBA) solution that incorporates a wide variety of questions categories as part of your multi-faceted risk based authentication approach to fraud account management? Binary verification, or risk segmentation based on a single pass/fail decision is like trying to stay dry in a summer rain storm by wearing a coat. It’s far more effective to wear rubber boots and a use an umbrella, in addition to wearing a rain coat. Binary verification can occur based on evaluating identity elements with two outcomes –pass or fail – which could leave you susceptible to a crafty fraudster. When we recommend a risk based authentication approach, we take a more holistic view of a consumers risk profile. We advocate using analytics and weighting many factors, including identity elements, device intelligence and a robust knowledge-based authentication solution that work in concert to provide overall risk based decision.  After all, the end-goal is to enable the good consumers to continue forward based, while preventing the fraudster from compromising your customer’s identity and infiltrating you’re your business.

Protecting consumers from fraud this summer vacation It’s that time of year again – when people all over the U.S. take time away from life’s daily chores and embark upon that much-needed refresh: vacation!  But just as fraud activity spikes during the holidays, evidence shows fraudster activity also surges during the summer, as the fraudster’s busy season is when we step away for some well-deserved rest and relaxation. With consumers on vacation, identity theft becomes easier.  We all know someone who has been the victim of identity theft, resulting in fraudulent purchases on their credit card, or their bank accounts being emptied.  Consumers are most likely to break from their normal spending habits, and credit card’s fraud analytics teams struggle to differentiate these changes in spending behavior for a family on vacation from a fraudster who has compromised dad’s identity.  To make matter seven more challenging, consumers are less likely to take measures that will help minimize fraud while they are out of town, making the fraudster’s job easier. Identifying risky behaviors, or patterns outside of a consumer’s normal behavior when used in combination with a knowledge-based authentication session can help validate that the individual is indeed who they claim to be.  A knowledge-based authentication solution with a wide variety of question types to complicate the fraudsters ability to pass should be part of a risk-based approach to on-going account management, especially when combined with a risk score and device intelligence. Take measures to incorporate a knowledge-based authentication solution with a diverse range of question types to help protect your business and your customers from being burned while on vacation, at least by fraudsters. For more on travel spending behavior and projections for summer 2015, click here.

Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and observe account activity to understand the ebbs and flows of normal cash movement – peering into private financial records – verifying the optimal time to strike for the most financial gain. Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers. The unfortunate thing is that the actual theft is often the final event in a series of several fraudulent surveillance and staging activities that were not detected in time. It is the activity that occurs before theft that can severely undermine consumer trust and can devastate a brand’s reputation. Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.

Understanding shelf companies and shell companies In our world of business challenges with revenues level or trending down and business loans tougher than ever to get, “shelf” and “shell” companies continue to be an easy option for business opportunities. Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for its excellent credit rating. Click on the internet and you will see a plethora of vendors selling companies in a turn-key business packages. Historically off-the-shelf structures were used to streamline a start-up, where an entrepreneur instantly owns a company that has been in business for several years without debt or liability. However, selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Creating companies that impersonate a stable, well established companies in order to deceive creditors or suppliers in another way that criminals are using shelf companies for fraudulent use. Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” or “executive meeting suites” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a conference room for initial meetings, a local telephone listing with a receptionist and 24-hour personalized voice mail. In one recent bust out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity. The customer responded with a seemingly legitimate business explanation of activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five figure loss. A follow-up visit to the business showed a vacant office suite. While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mention above, post-loss account review through Experian’s BizID identified an obvious address discrepancy – 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations.  It is possible to avoid being the next victim and refine and revisit your fraud best practices today. Learn more about Experian BizID and how to protect your business.

A recent Experian survey found that while consumers are getting better about protecting their information on a regular basis, many do not take the same precautions when traveling. According to the survey, 1 in 5 consumers has had an item with sensitive information lost or stolen while traveling, and 39% have experienced identity theft while traveling or know someone who has. Organizations can protect themselves and customers by using innovative fraud-detection tools designed to reduce potential losses while preserving the customer experience. >> Video: The reputational impact of fraud and identity theft