By Erin Richey, Contributor
The customer experience with credit card fraud has changed in recent years: Instead of discovering unauthorized charges after diligent checks of account histories, cardholders are increasingly hearing from their banks within moments after a fraudulent purchase.
Proactive credit card fraud detection grows in accuracy and speed with every leap in computing power and data analysis, but it seems like fraudsters are keeping up. The Federal Reserve estimates that fraudulent payment card transactions increased 8.5 percent in quantity and 9.8 percent in value every year from 2009 to 2012.
“If and when a new approach is introduced which is very effective at detecting one kind of fraud, instead of abandoning their life of crime, fraudsters change their modus operandi,” writes David Hand, senior research investigator with Imperial College of London’s Department of Mathematics, in an email interview.
Card fraud is a moving target
Hand says that in holistic fraud prevention, analysts “build a statistical model which predicts the sort of transactions a person will make the size of transactions, the sort of things this person buys, the time of day that transactions are made, and so on, and flag as suspicious anything that does not conform to that model.”
“Also, some patterns of transaction behavior are intrinsically suspicious: the same card being used in geographically distant locations in a short time span, for instance,” he adds.
Additional “peer group analysis” methods monitor similar customers to predict the group’s behavior: Without this kind of input, card companies would flag expensive purchases around the holidays as suspicious every year. Instead, their models consider customers’ purchasing patterns, including increases in spending around Christmas.
Automated intelligence or machine learning systems feed detectors examples of fraudulent and legitimate transactions so they can build models that evolve as the examples change. Hand says this method shows more potential for catching previously unheard-of forms of fraud.
Experts say almost every payment card transaction is reviewed automatically in some way. All banks and credit card issuers contacted for this story said that they engage in proactive fraud detection, but declined to give details because of the proprietary nature of the methods they use.
But undoubtedly, their methods are a benefit to their bottom lines. Doug Johnson, vice president of risk management policy with the American Bankers Association, estimates that for every dollar lost to fraud in 2012, banks prevented $10 of fraudulent transactions. In 1997, the ratio of dollars lost to dollars of fraud prevented was one to one.
Still, payment card fraud is increasing every year, totaling $82.3 trillion in 2012, according to the Federal Reserve. According to the LexisNexis True Cost of Fraud Study, merchants paid $2.79 per dollar of fraud losses in lost and stolen merchandise, fees to financial institutions and chargeback processing. Small businesses paid more: $2.93 per dollar of fraud losses. The study estimated that fraud totaled 0.51 percent of businesses’ revenue last year on average.
Examples of fraud that banks can detect are becoming increasingly subtle, including purchases for small dollar amounts or purchases made nearby. Johnson had one such experience himself.
“I got a call late one evening from one of my credit card companies, and they wanted to know if that day I had bought motorcycle parts and a diamond necklace,” he says. The purchases were made nearby but didn’t fit the pattern of his regular credit card usage. He never heard more about the fraudsters or how they got his card information.
Detecting slight changes in spending patterns is becoming more important as card thieves avoid making big moves with stolen data. “Often very small transactions are made just to test if the fact that a card that has been stolen has yet been detected,” writes Hand. “I know of cases in which the attempted purchase of small transactions were, of themselves, out of character, and triggered the detection system.”
Johnson says that small businesses are particularly vulnerable to payment card theft because of the growing trend of “spear phishing”: emails or phone calls designed to resemble authentic communications from financial institutions or service providers, which trick individuals into providing information that is later used for fraud. Unlike regular phishing attempts, spear phishing is especially effective because it incorporates specific, convincing information about the recipient.
“We fully anticipate that fraud against all types of bank accounts is going to increase,” says Johnson.
SMBs can help prevent payment card fraud on two fronts: preventing their business accounts from being compromised by a fraudster, and detecting fraudulent transactions from customers that could result in costly chargebacks.
The former requires some cyber-security savvy and careful review of charge card transactions.
Hand adds that SMBs can use their payment cards for categories of purchases to build a pattern, which makes the banks’ detection methods more effective: “If you use a card only for gas station and supermarket purchases, anything else is intrinsically suspicious.”
For the latter, outside fraud detection services allow SMBs and payment processors to review specific transactions for fraud. Transactions may be checked for warning signs, like the location from which a customer is making an online purchase, or compared to previous spending patterns.