Blog article
See all stories »

New twists in the old story of card fraud

Card fraud has been around for almost as long as credit cards themselves. But since the U.S.’s first reported case in 1899,[1] fraudsters and their methods have become increasingly sophisticated and are constantly evolving.

You’ll think you’ve heard it all. But if you’re a financial institution and a card issuer, there’s now more need than ever for a hypervigilant, proactive approach to security.

So, what are the latest threats to look out for – and how can fraud management technology improve your resilience?

Familiar tales

In many ways, what is new in card fraud is also old. The issue of fraud prevention has been keeping financial institution executives up at night for decades, especially since the mid 1990s and the increased electronification of banking.

Fast-forward 30 years and the continued growth of digital payment options gives fraudsters more means than ever to cheat the system. More than $34 billion was lost globally to debit and credit card fraud in 2022, a total that’s projected to rise to over $42 billion by 2026 – and nearly $50 billion by 2030.[2]

Today, one of the biggest fraud challenges for card issuers is the rise of card enumeration attacks, which see fraudsters use brute-force bots to guess valid credit card details, including a card’s bank identification number (BIN) – its number’s initial digits – its expiration date and its card verification value (CVV).

Full account takeovers are also becoming more common, with fraudsters using a variety of technology-driven techniques, from phishing to hacking, to gain total control of a bank or card account.

Dire consequences

As the bad actors add to their armory of malicious tools, it’s not uncommon for a small bank’s card and payments businesses to lose tens of millions of dollars a year to fraud – sums of money that could purchase a lot of much-needed resources and technology.

These immediate financial losses, however, are only part of the problem of fraud, especially for card-issuing banks.

Most instances of fraud on a card take up time with your agents and push up your costs as customers report and dispute fraudulent transactions and order new cards.

Then there’s the potential loss of future business. Fraud events can knock the confidence of consumers in your bank and push them toward other card or payment providers. That could cost you not only interchange revenue but also the whole of your future relationship with a customer – from deposits to mortgages.

New narratives

Reputations, then, are at stake – and it’s often the issuing bank that shoulders the blame of fraud and takes the most direct hit.

All the while, advances in technology are making the fraudsters a slippery and elusive target – always, it seems, a step ahead of financial institutions.

But technology also gives issuing banks more opportunities to fight back and change the story in their favor. To get ahead of the game, you should make the following four actions part of your proactive fraud management strategy.

1. Weed out first-party fraud

In tough economic times, merchants believe that well over 60% of the fraud they face is from individuals who open accounts or apply for credit themselves but have no intention of repayment. These first-party fraudsters may, for example, claim chargebacks without returning goods or overstate their salary before defaulting on a loan.

To prevent this type of fraud, it's critical for banks to look out for serial chargeback claims or disputed transactions. Card networks are increasingly shifting responsibility for chargebacks from merchants to card issuers, so you need a plan in place to reduce your liability.

2. Consider GenAI

For financial institutions, generative AI is a double-edged sword that can be used to both commit fraud and fight against it.As GenAI-powered malicious tools flourish on the dark web, the fraud management community is also harnessing the technology’s power to complement and strengthen existing lines of defense.

3. Aggregate your data 

With fraud still representing only a tiny minority of transactions, overly blunt prevention methodologies can bring friction to payment processes and harm the customer experience. One answer is to move from simply rule-based to more heuristics-based configurations that help you work smarter and avoid simply chasing fraud around your network.

But first, you need a strong data strategy that will allow you to break down traditional silos and bring together disparate datasets from different customer channels. That way, you can start holistically monitoring the entire account life cycle for anomalies – using not only rules but also predictive strategies and AI and machine learning.

Low-dollar transactions may not look suspicious individually. But a sharp spike in them across a whole portfolio will soon catch your attention and help you triangulate back to the source of possible fraud. As part of the investigative process, you can even use robotics process automation to trigger follow-up actions. 

4. Don’t forget the basics

New technologies aside, it’s important to make sure you’re adhering to basic card parameter and authorization controls, checking CVV codes, interrogating expiration dates and so on.

You should also still be monitoring closely for compromised accounts, excessive authorizations with no settlements, high volumes of credit reversals from merchants, and sudden accelerations of account activity.

Plus, stick to the best practice of issuing card numbers randomly. It’s not a silver bullet but sequential numbers are much easier for fraudsters to guess.

Happy ever after?

Whatever approach you take and tools you use for fraud management, your best bet is for your fraud team to work closely and share knowledge with your technology provider.

While the latter will have a birds-eye view of fraud activity across a region or country, the former can provide valuable insight into local specifics.

Ultimately, collaboration of this kind will be a powerful weapon against fraudsters. And that could help banks, if not write a happy ending, then at least start a fresh and optimistic new chapter in the story of fraud.  

[1] Frank on Fraud, The Story of the Very First Case of Credit Card Fraud, July 22, 2022

[2] WalletHub, Credit Card Fraud Statistics, 2023

8348

Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 February, 2024, 11:31Be the first to give this comment the thumbs up 0 likes

Tokenization seems to undermine your strategy #4, specifically the part about CVV. 

Post tokenization under Reg CofT here, many merchants have stopped asking for CVV. While they say "CVV is not needed..." in a bid to appear cool and enhance CX, I believe the truth is that CVV of tokenized credit card CANNOT be verified. 

While CofT improves security by reducing the risk of hacking, I wonder if it increases the risk of fraud by taking CVV, one key weapon in the fight against fraud, out of the credit card processing equation.

Brad Strock

Brad Strock

SVP, Group Executive, Payments

FIS

Member since

18 Jan

Location

North Carolina

Blog posts

4

This post is from a series of posts in the group:

Banking and Lending Solutions

Technology Innovations for Banks and NBFC's in Lending Operations


See all

Now hiring