
The Rising Cost of Fraud

Chapters

Chapter 1: An overview of fraud
Chapter 2: The impact of fraud on businesses
Chapter 3: How fraud is typically committed
Chapter 4: Methods for combating fraud
Chapter 5: Strategies to avoid new account fraud
Chapter 6: Ways to avoid account login fraud
Chapter 7: Fraud defense checklist
Chapter 8: What’s next for fraud prevention

An overview of fraud

From nuisance to massive liability
From the creation of fraudulent bot-generated user accounts to costly takeovers of high-value customers to identity hijacking during the account recovery process, online fraudsters continue to exploit every gap in the security of online accounts. Let’s dive into the world of fraud and how we can help mitigate the risk it poses.

The impact of fraud on businesses

More than just an inconvenience

Fraud generated by automated bots and by real-life bad actors remains a significant threat for nearly two-thirds of midsized to large e-commerce companies. And fraud costs, as a percentage of annual revenue, are also on the rise. Not only can this raise your cost of acquisition, because you end up paying for fraudulent users in your scalable SaaS systems, but it can also lower customer lifetime value by violating mutual trust between customers and companies.

 

Here’s what you need to know:

In 2022, within the U.S. there were 0k reports of identity theft (Experian).
Cybersecurity threats are up 0% from 2021 (Infosecurity Magazine).
Fraud costs rise 0% since 2019 for e-commerce and retail (LexisNexis Risk Solutions).
Account takeovers cost $0 per incident on average (TechRepublic).
Cost of password recovery is $0 per reset (InfoSecurity).

As you can see, without having a plan in place to mitigate the risk of fraud, you can lose millions of dollars. 

 

Let’s explore what types of fraud companies are facing today.

Data breaches

Data breaches are increasing in scope and occurring more frequently. Meanwhile, data farmed from those breaches are used to open fraudulent accounts which, in turn, are used to commit identity fraud and exploit any value your business provides, like free credits or loyalty programs.

Account takeovers and attacks

Taking over existing accounts is fair game for fraudsters, especially when they can extract a monetary value. Even if there is no financial gain to be had, fraudsters can use hacked accounts to troll or spam other customer accounts, devaluing your business. When it comes to account attacks, a contact center staffed with live agents is particularly vulnerable. However, while the contact center is supposed to increase customer satisfaction, introducing complex security steps often has the reverse effect, so businesses think they have to choose between user experience and security. 

SMS Pumping

SMS pumping happens when fraudsters take advantage of a phone number input field to receive a one-time passcode, app download link, or other SMS message. If this input field lacks controls, the attackers can inflate traffic and exploit your app. Fluctuating traffic can cost an organization as the demand on services suddenly spikes and puts unexpected pressure on providers.
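One control for the input field described above, shown as an added example that is not from the original page and is not how any vendor product works: flag destination number ranges that receive many one-time passcodes but where almost none are entered back into the app. The event format, thresholds, and phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW_SECONDS = 600   # how far back to look
MIN_SENDS = 5          # ignore ranges with too little traffic to judge
MAX_CONVERSION = 0.2   # at or below this share of completed codes, flag
PREFIX_LEN = 9         # leading characters of the E.164 number that define a range


def flag_pumped_prefixes(events, now):
    """Return {prefix: (sends, verified)} for number ranges that look pumped.

    events: iterable of (timestamp, e164_number, kind) where kind is
    "sent" (an OTP SMS went out) or "verified" (the code was entered).
    """
    sends = defaultdict(int)
    verified = defaultdict(int)
    for ts, number, kind in events:
        if not 0 <= now - ts <= WINDOW_SECONDS:
            continue  # outside the window (or clock skew into the future)
        counter = sends if kind == "sent" else verified
        counter[number[:PREFIX_LEN]] += 1
    return {
        prefix: (n, verified[prefix])
        for prefix, n in sends.items()
        if n >= MIN_SENDS and verified[prefix] / n <= MAX_CONVERSION
    }


# Constructed sample traffic: +999 is not an assigned country code and
# 555-01xx numbers are reserved for fictional use.
NOW = 10_000
SAMPLE_EVENTS = (
    # Eight codes sent to sequential numbers in one range, none completed.
    [(NOW - 30 * i, f"+999000123{i:02d}", "sent") for i in range(8)]
    # Ordinary signups: five codes sent, four completed shortly after.
    + [(NOW - 60 * (i + 1), f"+155555501{i:02d}", "sent") for i in range(5)]
    + [(NOW - 60 * (i + 1) + 20, f"+155555501{i:02d}", "verified") for i in range(4)]
    # Old traffic that falls outside the window and is ignored.
    + [(NOW - 5000, "+99900099901", "sent")]
)

if __name__ == "__main__":
    for prefix, (n, done) in flag_pumped_prefixes(SAMPLE_EVENTS, NOW).items():
        print(f"{prefix}*: {n} codes sent, {done} verified -> rate-limit or block")
```

A flagged range is a candidate for rate limiting or a temporary block on further sends; the ordinary signup range stays untouched because most of its codes are completed.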

International toll fraud

International revenue-sharing fraud (IRSF), aka toll fraud, is a scheme where fraudsters artificially trigger a high volume of calls to premium-rate numbers on expensive routes and then take a cut of the revenue generated. Though there are many other schemes in telecom fraud, IRSF is the most prevalent and has grown six-fold since 2013. Telephony-based fraud continues to climb with the adoption of VoIP and communication APIs, making it easier to place international calls.

Transaction fraud

Financial gain is the most significant driver for fraudsters. Spoofing, intercepting, or falsifying financial transactions are the most profitable tactics. They’re also the most costly to a business.

Login credential fraud

User login credentials can be compromised in a number of ways. For example, who hasn’t walked past a coworker’s desk and seen a password written on a piece of paper and taped to a computer monitor? As a business, you have no control over that, and once a fraudster gains access, they can break into your user’s account and your application to commit fraud.

Account recovery fraud

As cybercriminals find new avenues to exploit, you’ll also need to consider protecting the process of account recovery. If you use passwords to protect your users’ accounts, you’ve undoubtedly designed and implemented password reset procedures. The vast majority of applications today send an email with a link to reset forgotten or expired passwords. Unfortunately, if the email address tied to an account has also been taken over, sending an account reset email does no good.

So how is identity proofing typically done?

Email: Simple but not always secure
A vast majority of businesses identify online accounts by user email addresses. This practice gained a foothold early on since an email address is unique to an individual, customers rarely forget their own email address, and email is the best way to contact the account holder. However, it’s almost impossible to determine if an email is fraudulent or not.

Biometrics: Newer, not necessarily better
Biometrics promised trustworthy identity confirmation to correctly determine who is using a device by capturing, storing, and comparing physical attributes—like fingerprints or iris scans. But in practice, capturing and storing biometric data doesn’t make it impervious to mass data breaches. Once a person loses control over their biometric data, it’s not possible to change it like you would a password. In combination with other privacy issues—such as biometric data collection practices, storage, and cybercrime vulnerabilities—this has led to valid concerns and lawsuits regarding the use of biometric data in security verification and user authentication.

Multiple data points: Too much too soon?

Another method of verifying that a real person (not a bot) is behind your signup or password reset request is to ask for numerous pieces of personal information. This step dramatically improves the chances that new account signups are from real people, but it also introduces user friction into the process. This approach is not suitable for every scenario. Providing this data to open a bank account makes sense, but might be overkill when signing up for a ride-sharing app.

SMS: Useful but limited
Most frequently used to provide two-factor authentication (2FA) and one-time passwords (OTP), SMS allows users to verify their identity from information sent to them in a text message on their mobile phone. Its simple, straightforward nature is why it works so well for users and for organizations leveraging the technology. It does, however, leave an organization open to man-in-the-middle schemes and SS7 attacks, and it doesn’t ward against SIM swaps. SMS wasn’t originally designed for authentication, and verification technologies need to be in place to mitigate fraud.

Use methods that simplify user flows and reduce friction

When a customer wants to open a new account with your business, the last thing you want to do is make that experience cumbersome. At the same time, you want to cultivate their confidence in your commitment to keep their information safe. So, how do you build a frictionless experience while garnering trust? 

Let’s walk through the steps to avoid new account fraud:
  • Step 1: Remove unnecessary activation steps - Boil your onboarding process down to the minimum viable checkpoints to simplify the user experience.
  • Step 2: Meet customers where they are - Use the customer’s preferred channels to verify their identity.
  • Step 3: Passively confirm user identities - Confirm their presented identity with phone intelligence data to ensure a match.
  • Step 4: Prioritize reliable deliverability - Choose the right vendor to help execute verification strategies to avoid customer frustration.
QUICK TIP
Phone numbers reveal useful information that can be used to verify the authenticity of an account.

First, phone numbers are identified as either a landline, mobile, or Voice over Internet Protocol (VoIP). Second, phone numbers are associated with countries of origin. Lastly, phone numbers can be tied back to telecommunications carriers. These attributes help businesses filter out potentially fraudulent traffic from specific geographies while also identifying phone numbers associated with real devices owned by real people. Wow!

Step 1: Re-authenticate the user

What your client really wants to do is get in, get what they need, and get on their way. Offer them a frictionless, yet secure, login flow with two-factor authorization such as silent network authorization.

Step 2: Enable step-up validation

When additional risk signals are raised or more sensitive information is accessed, quick and effective automated validation and step-up security (like asking for additional information) are key to ensuring the right people are buying the right things. This reduces risk to both the user and the business. 

Step 3: Leverage preferred channels, securely

Customers want to edit their preferences, passwords, and channels simply. Allow them to avoid the support site while you reduce costs by answering their questions on their preferred channels, securely.

STEP-UP SECURITY: Email verification vs. phone verification

Unlike email, it’s hard work to fake a phone number. That’s because phone numbers are harder to obtain and are typically unique to an individual. And while it’s reasonably simple to automatically generate thousands of email addresses to create bogus accounts, doing the same with phone numbers is difficult, time-consuming, and expensive—all things cybercriminals look to avoid.

Follow these 10 steps to avoid fraud
Silent Network Authentication
Verify Silent Network Authentication combines deterministic SIM data from our unrivaled partner network of mobile carriers globally with authoritative data signals to verify whether a user is genuine. This means companies can automatically weed out fake users with no input required from genuine users. It provides a completely passwordless, pain-free, and more secure way to sign up or sign back on.
Fraud Guard
Fraud Guard (included in Twilio’s Trusted Activation product) prevents SMS traffic pumping (aka Artificially Inflated Traffic) related fraud by monitoring SMS traffic anomalies. 

Ultimately, enhancing authentication and fraud prevention solutions is really as easy as finding the right partners with the right tools. 

Curious about how much money is at risk in your organization?

Check out our Fraud Calculator

Not looking for a Fraud calculator? No problem. Here are a few other resources you might find helpful: 

Learn about Trusted Activation
Talk to Sales