Fraud & Identity Management

Small Business Fraud

When you hear the word “fraud,” it’s unlikely that small business fraud comes to mind. However, in terms of potential losses, business identity theft could be considered as big a threat as consumer identity theft, if not a larger one. Just like consumers, businesses face a broad range of first- and third-party fraud behaviors, varying significantly in frequency, severity and complexity. Small businesses are especially vulnerable, because they typically do not have the layers of security and oversight, an alert accounting or I.T. department, or the sophisticated security technology that larger businesses may have. Over $8 billion is lost or stolen from small businesses each year and 60% of businesses that suffer business identity fraud close their doors within one year.

A first-party, or victim-less, fraud profile is characterized by having some form of material misrepresentation (for example, manipulation or falsification of business filings and records) by the business owner without that owner’s intent or immediate capacity to pay the loan item. Historically, during periods of economic downturn or misfortune, this type of fraud is more common. This intuitively makes sense — individuals under extreme financial pressure are more likely to resort to desperate measures, such as misstating financial information on an application to obtain credit.

Third-party commercial fraud occurs when a third party steals the identification details of a known business or business owner in order to open credit in the business victim’s name. With creditors becoming more stringent with credit-granting policies on new accounts, we’re seeing seasoned fraudsters shift their focus to taking over existing business or business owner identities.

Several key factors explain the rising trend of commercial fraud. One of the most common is that commercial fraud doesn’t receive the same amount of attention as consumer fraud. Thus, it’s become easier for fraudsters to slip under the radar by perpetrating their crimes through the commercial channel. Keep in mind that businesses are often not seen as victims in the same way that consumers are. For example, victimized businesses aren’t afforded the protections that consumers receive under identity theft laws, such as access to credit information.

Another factor is that most businesses are eager to open a new account for a business; after all, businesses spend more than consumers. In some cases, opening a new business account can be even easier than opening a new consumer account. Businesses also have higher credit limits, and the invoicing and payment terms allow identity thieves the opportunity to receive products and services without early detection.

Finally, it is much easier to get information on a business than on a consumer. Unlike the protections provided to consumers to protect their identity and their credit information, much of a business’s information is public record. Armed with just a business name, address and EIN (employer identification number), fraudulent accounts can be opened and the game of theft begins.

These factors, coupled with the fact that business-to-business fraud is approximately three-to-ten times more “profitable” per occurrence than consumer fraud, play a role in leading fraudsters increasingly toward commercial fraud. To learn more about how to protect your business, view our interactive Fraud e-book.

Published: October 19, 2015 by Shelleyanne Rein

Protecting your customer

The impact of fraud on the customer relationship

Sadly, fraudsters seem to always be one step ahead of fraud-prevention strategies, causing organizations to play catch-up to the criminals. And as information security tightens and technologies evolve, so does the industrious nature of organized identity and online fraud. It should be no surprise then that fraud risk mitigation and management will continue to be an ongoing issue for organizations. But what continues to drive investment in identity management and online risk tools is the arms race across organizations to deliver superior customer experience and functionality. While the monetary cost of fraud losses can be high and rather detrimental, the impact of lost customers and overall reputational decline due to poor customer experiences can be higher. The key is finding the right balance between identifying and segmenting likely fraudulent customers across the vast majority of legitimate customers and transactions.

I want to share a recent interactive eBook we launched which outlines the authentication and identity management balance with a focus on the consumer. We highlight current trends and what organizations should be thinking about and doing to protect their business, institution, or agency and customers. I hope you enjoy this look at the impact of fraud on the customer relationship.

Published: August 20, 2015 by Keir Breitenfeld

Increased volume of fraud attempts during back to school shopping season

Back to school shopping season will be the first time many consumers use their chip-enabled credit cards and stores' new card readers. With the average K-12 family spending $630.36 per child in back to school shopping, and more than 1/3 shopping online, according to the National Retail Federation, is your fraud strategy prepared to handle the increased volume? And are you using a dynamic knowledge-based authentication (KBA) solution that incorporates a wide variety of question categories as part of your multi-faceted risk-based authentication approach to fraud account management?

Binary verification, or risk segmentation based on a single pass/fail decision, is like trying to stay dry in a summer rain storm by wearing a coat. It’s far more effective to wear rubber boots and use an umbrella, in addition to wearing a rain coat. Binary verification can occur based on evaluating identity elements with two outcomes – pass or fail – which could leave you susceptible to a crafty fraudster.

When we recommend a risk-based authentication approach, we take a more holistic view of a consumer’s risk profile. We advocate using analytics and weighting many factors, including identity elements, device intelligence and a robust knowledge-based authentication solution that work in concert to provide an overall risk-based decision. After all, the end-goal is to enable the good consumers to continue forward, while preventing the fraudster from compromising your customer’s identity and infiltrating your business.

Published: August 17, 2015 by Traci Krepper

Protecting consumers from fraud this summer vacation

It’s that time of year again – when people all over the U.S. take time away from life’s daily chores and embark upon that much-needed refresh: vacation! But just as fraud activity spikes during the holidays, evidence shows fraudster activity also surges during the summer, as the fraudster’s busy season is when we step away for some well-deserved rest and relaxation.

With consumers on vacation, identity theft becomes easier. We all know someone who has been the victim of identity theft, resulting in fraudulent purchases on their credit card, or their bank accounts being emptied. Consumers are most likely to break from their normal spending habits, and credit card fraud analytics teams struggle to differentiate these changes in spending behavior for a family on vacation from a fraudster who has compromised dad’s identity. To make matters even more challenging, consumers are less likely to take measures that will help minimize fraud while they are out of town, making the fraudster’s job easier.

Identifying risky behaviors, or patterns outside of a consumer’s normal behavior, when used in combination with a knowledge-based authentication session can help validate that the individual is indeed who they claim to be. A knowledge-based authentication solution with a wide variety of question types to complicate the fraudster’s ability to pass should be part of a risk-based approach to on-going account management, especially when combined with a risk score and device intelligence. Take measures to incorporate a knowledge-based authentication solution with a diverse range of question types to help protect your business and your customers from being burned while on vacation, at least by fraudsters. For more on travel spending behavior and projections for summer 2015, click here.

Published: August 12, 2015 by Traci Krepper

Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and observe account activity to understand the ebbs and flows of normal cash movement – peering into private financial records – verifying the optimal time to strike for the most financial gain. Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers. The unfortunate thing is that the actual theft is often the final event in a series of several fraudulent surveillance and staging activities that were not detected in time. It is the activity that occurs before theft that can severely undermine consumer trust and can devastate a brand’s reputation. Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.

Published: August 1, 2015 by Guest Contributor

Understanding shelf companies and shell companies

In our world of business challenges with revenues level or trending down and business loans tougher than ever to get, “shelf” and “shell” companies continue to be an easy option for business opportunities.

Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for their excellent credit rating. Click on the internet and you will see a plethora of vendors selling companies in turn-key business packages. Historically, off-the-shelf structures were used to streamline a start-up, where an entrepreneur instantly owns a company that has been in business for several years without debt or liability. However, selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Creating companies that impersonate stable, well-established companies in order to deceive creditors or suppliers is another way that criminals are using shelf companies for fraudulent use.

Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” or “executive meeting suites” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a conference room for initial meetings, a local telephone listing with a receptionist and 24-hour personalized voice mail.

In one recent bust-out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity. The customer responded with a seemingly legitimate business explanation of activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five-figure loss. A follow-up visit to the business showed a vacant office suite.

While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mentioned above, post-loss account review through Experian’s BizID identified an obvious address discrepancy – 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. It is possible to avoid being the next victim: refine and revisit your fraud best practices today. Learn more about Experian BizID and how to protect your business.

Published: July 19, 2015 by Shelleyanne Rein

A recent Experian survey found that while consumers are getting better about protecting their information on a regular basis, many do not take the same precautions when traveling. According to the survey, 1 in 5 consumers has had an item with sensitive information lost or stolen while traveling, and 39% have experienced identity theft while traveling or know someone who has. Organizations can protect themselves and customers by using innovative fraud-detection tools designed to reduce potential losses while preserving the customer experience. >> Video: The reputational impact of fraud and identity theft

Published: July 2, 2015 by Guest Contributor

Apple eschewed banks for a retailer focus onstage at their Worldwide Developers Conference (WWDC) when it spoke to payments. I sense this is an intentional shift – now that stateside, you have support from all four networks and all the major issuers – Apple understands that it needs to shift the focus on signing up more merchants, and everything we heard drove home that note. That includes Square’s support for NFC, as well as the announcements around Kohls, JCPenney and BJ’s. MasterCard's Digital Enablement Service (MDES) - opposite Visa’s Token Service - is the tokenization service that has enabled these partnerships specifically through MasterCard’s partners such as Synchrony – (former GE Capital) which brought on JCPenney, Alliance Data which brought on BJ’s, and CapitalOne which enabled Kohls. Within payments common sense questions such as: “Why isn’t NFC just another radio that transmits payment info?” or “Why aren’t retailer friendly payment choices using NFC?” have been met with contemptuous stares. As I have written umpteen times (here), payments has been a source of misalignment between merchants and banks. Thus – conversations that hinged on NFC have been a non-starter, for a merchant that views it as more than a radio – and instead, as a trojan horse for Visa/MA bearing higher costs. When Android opened up access to NFC through Host Card Emulation (HCE) and networks supported it through tokenization, merchants had a legitimate pathway to getting Private label cards on NFC. So far, very few indeed have done that (Tim Hortons is the best example). But between the top two department store chains (Macy’s and Kohls) – we have a thawing of said position, to begin to view technologies pragmatically and without morbid fear. It must be said that Google is clearly chasing Apple on the retailer front, and Apple is doing all that it can, to dig a wider moat by emphasizing privacy and transparency in its cause. 
It is proving to be quite effective, and Google will have to “apologize beforehand” prior to any merchant agreement – especially now that retailers have control over which wallets they want to work with – and how. This control inherits from the structures set alongside the Visa and MasterCard tokenization agreements – and retailers with co-brand/private label cards can lean on them through their bank partners. Thus, Google has to focus on two fronts – first to incentivize merchants to partner so that they bring their cards to Android Pay, while trying to navigate through the turbulence Apple has left in its wake, untangling the “customer privacy” knot. For merchants, at the end of the day, the questions that remain are about operating costs, and control. Does participation in MDES and VEDP tokenization services through bank partners, infer a higher cost for play – for private label cards? I doubt if Apple’s 15bps “skim off the top” revenue play translates to Private Label, especially when Apple’s fee is tied to “Fraud Protection” and Fraud in Private Label is non-existent due to its closed loop nature. Still – there could be an acquisitions cost, or Apple may plan a long game. Further, when you look at token issuance and lifecycle management costs, they aren’t trivial when you take in to context the size of portfolio for some of these merchants. That said, Kohls participation affords some clarity to all. Second, Merchants want to bring payments inside apps – just like they are able to do so through in-app payments in mobile, or on online. Forcing consumers through a Wallet app – is counter to that intent, and undesirable in the long scheme. Loyalty as a construct is tangled up in payments today – and merchants who have achieved a clean separation (very few) or can afford to avoid it (those with large Private label portfolios that are really ‘loyalty programs w/ payments tacked on’) – benefit for now. 
But soon, they will need to fold in the payment interaction in to their app, or Apple must streamline the clunky swap. The auto-prompt of rewards cards in Wallet is a good step, but that feels more like jerry rigging vs the correct approach. Wallet still feels very v1.5 from a merchant integration point of view. Wallet not Passbook. Finally, Apple branding Passbook to Wallet is a subtle and yet important step. A “bank wallet” or a “Credit Union wallet” is a misnomer. No one bank can hope to build a wallet – because my payment choices aren’t confined to a single bank. And even where banks have promoted “open wallets” and incentivized peers to participate – response has been crickets at best. On the flip side, an ecosystem player that touches more than a device, a handful of experiential services in entertainment and commerce, a million and a half apps – all with an underpinning of identity, can call itself a true wallet – because they are solving for the complete definition of that term vs pieces of what constitutes it. Thus – Google & Apple. So the re-branding while being inevitable, finds a firm footing in payments, looks toward loyalty and what lies beyond. Solving for those challenges has less to do with getting there first, but putting the right pieces in play. And Apple’s emphasis (or posturing – depending on who you listen to) on privacy has its roots in what Apple wants to become, and access, and store on our behalf. Being the custodian of a bank issued identity is one thing. Being a responsible custodian for consumer’s digital health, behavior and identity trifecta has never been entirely attempted. It requires pushing on all fronts, and a careful articulation of Apple’s purpose to the public must be preceded by the conviction found in such emphasis/posturing. Make sure to read our perspective paper to see why emerging channels call for advanced fraud identification techniques

Published: June 9, 2015 by Cherian Abraham

Fraud Prevention: Gaining insight into fraud throughout the customer lifecycle & future trends

Earlier this week, I had the pleasure of chairing the annual Grad School session during CNP Expo 2015. The group was energized by the participation of the attendees and we hope that all gained insight into issues regarding fraud throughout the customer lifecycle as well as future trends in payments, identity and cross border growth. For those who were unable to join us in Orlando, the CNP Expo Grad School focused on the importance of creating a comprehensive fraud strategy to protect your organization throughout the customer lifecycle. To help articulate the varied fraud challenges posed at each stage, we brought an esteemed group of fraud experts, who collectively have served in the industry for over 100 years.

We kicked off Grad School with Lawrence Baldwin, CIO of myNetWatchman. He described how fraudsters can transform low value credentials, which can be purchased on the black market for fractions of a cent, into high-value validated credentials that facilitate burgeoning Account Takeover attacks. Jeramie Driessen, a Sr. Risk Analyst in Experian’s Fraud and ID group, then delved into the challenges merchants need to address when evaluating new account opening for merchants and card issuers. Yours truly covered the various stages of Account Takeover and described the evolving fraud vectors that are targeting existing accounts.

During part two of the three-hour Grad School, Angela Montoya, Product Management Analyst for Experian Fraud and ID, and David Stewart, Manager of Corporate Security at Virgin America, shared their insights about transaction fraud and dived deep into the nuances of sniffing out crime rings and setting up new fraud teams. We ended with Dan Elvester, Sr. Director of Business Development at Experian, sharing facts and market trends around ecommerce growth, cross-border expansion and emerging fraud tools just before Cherian Abraham, Sr. Consultant with Experian’s Global Consulting Practice, covered advanced topics regarding Apple Pay, Tokenization and the future of Identity Verification.

Overall, the CNP Expo 2015 Grad School reinforced our central theme of creating a multi-layered fraud strategy that places controls not just on the monetary transactions executed on your website but also on the account management, origination and even acquisition phases of your customers’ lifecycle. Thanks again to our speakers and attendees for your engagement and interest in Experian’s ongoing efforts to stop fraud. To follow along with the topics that were covered, a copy of our grad school presentation can be viewed here:

Published: May 22, 2015 by Guest Contributor

Credit card declines

Surag Patel, vice president of global product management for 41st Parameter, led a panel discussion on Digital Consumer Trust with experts from the merchant community and financial services industry at this week’s CNP Expo. During the hour-long session, the expert panel – which included Patel, Jeff Muschick of MasterCard and TJ Horan from FICO – discussed primary research explaining the $40 billion in revenue lost each year to unwarranted CNP credit card declines and what businesses can do to avoid it.

Patel began the Thursday morning session by asking the audience how many have bought something online—of course, everyone raised their hands. He then asked how many had been declined—about half the hands stayed up. “Of those with your hands still up,” he said, “how many of you are fraudsters?” The audience chuckled, but the reality of false positives and unnecessary declines is no laughing matter. Unnecessary declines cause lost revenue and damage the customer relationship with merchants, banks and card issuers.

The panel cited a 41st Parameter survey of 1,000 consumers and described their responses to the question, what do you do after you get declined? While many would call the card issuer or try a different payment method, one in six would actually skip the purchase altogether, one in ten would purchase from a different online merchant, and one in twelve would go buy the item at a brick-and-mortar store. So regardless of who the customer blames, ultimately, when a good purchase is declined, everybody loses.

Jeff Muschick, who works in fraud solutions for MasterCard, spoke about the need for a solid rules engine, and recommended embracing new tools as they emerge to enhance their fraud prevention strategy. He acknowledged that for smaller merchants, keeping up with fraudsters can be incredibly taxing, and often even at larger organizations, fraud departments are understaffed.
For that reason, he highlighted a tool that many fraud prevention strategies are leaving on the table, and that’s cooperation: “We talk about collaboration, but it’s not as gregarious as we’d like it to be.” TJ Horan, who is responsible for fraud solutions at FICO, encouraged merchants, banks, and card issuers to mitigate the damage of good declines through customer education. He observed that “if there was a positive thing to come out of the Target breach (and that’s a big ‘if’), it is an increase in general consumer awareness of credit-card fraud and data protection.” This helps inform customers’ attitudes when they are declined, because they realize it is probably a measure being taken for their own protection, and they are likely to be more forgiving. Click here for more information about TrustInsight and how online merchants can increase sales by approving more trusted transactions.

Published: May 22, 2015 by Guest Contributor

Recently, I sat down to answer three questions for “The Year of Payments - 2015: One Quarter in” for PYMNTS.com on the topic of mobile payments:

How is Q1 2015 different than Q1 2014?
What’s the most significant development so far this year?
If “Payments 2015” were a brand and had a tagline, what would it be and why?

A significant factor in shaping the next frontier in fraud management is the continued rapid growth in online and mobile payments as the preferred methods of doing business for many consumers. With more than a third of customers interacting with a single business in five or more channels and more than 85 percent of consumers using online or mobile to conduct business, the need for omnichannel fraud prevention becomes a requirement. These trends make mobile-device intelligence as important to the authentication process as traditional personally identifiable information. As a result, the need to integrate device intelligence into the authentication process to associate a consumer to a known device is critical.

Companies already are beginning to incorporate device intelligence into their authentication strategies. The ability to verify a customer through his or her device is a huge benefit to the overall customer experience and not only makes it easier for the customer to do business with you, but also adds an additional layer of validation. The challenge with any new emerging business or new technology is maintaining a frictionless customer experience foremost because fraudsters are always the early adopters. Make sure to read our perspective paper to see why emerging channels call for advanced fraud identification techniques and what I and other industry leaders had to say on the topic of mobile payments:

Published: May 14, 2015 by Keir Breitenfeld

At the start of the Vision 2015 Conference, Experian® announced a new dedicated enterprise Fraud and ID business in North America. This newly established business unit allows Experian, the leading global information services company, to more aggressively address the growing variety of fraud risk and identity management challenges businesses, financial institutions and government agencies face. “The rapid progression of wide-scale fraud and data breaches have led to a significant increase in identity theft related risk, and potential fraud losses on a larger scale than ever anticipated,” said Charles Chung, president of Decision Analytics, Experian North America. “For nearly two decades, we have been helping clients solve the difficult and ever-changing problems of fraud detection and identity management. Our core expertise was further enhanced by the recent acquisition of 41st Parameter which added device identification as another important layer of sophistication to our suite of fraud detection tools. Now the creation of a new fraud business unit brings all components of our Fraud and ID services together to better serve all markets through our innovative authentication techniques, advanced analytics and Big Data insights.” Having one comprehensive operation allows Experian to deliver greater value across its various addressable markets through customized approaches that balance privacy, security and compliance requirements with client reputation, customer experience, convenience and efficiency. The integration brings together a wide set of enterprise services ranging from identity and device risk assessment and anti–money laundering to consumer identity monitoring and alerts, letting Experian continue to proactively meet client needs surrounding the complex risks they face. Dr. Jon Jones has been appointed to lead the new business unit as senior vice president and general manager of Fraud and ID for Experian North America. 
“Data security and fraud management affect many industries as identity data has become so compromised that authenticating consumers through traditional means is not enough to safeguard against fraud. Modern fraud risks now absolutely require Big Data assets and the proven ability to derive predictive analytical capabilities to meet these challenges,” said Jones. “Today, online and mobile commerce, and customer demands for convenience and speed are intersecting with the increasing sophistication of criminal fraud networks. Experian’s new integrated fraud business delivers next-generation holistic fraud management services, leveraging our vast data landscape to identify customers’ risk for fraud even when no threat has been detected to stay ahead of the growing market demands.”

Accounting for the real risk of identity compromise over time continues with the launch of Experian’s Identity Element Network℠ which identifies real-time fraud volume and velocity linkages across multiple industries to predict when consumers are showing risk of identity compromise. Experian monitors and predicts when seemingly random identity element linkages become meaningful risk clusters, including:

When an identity likely has been compromised
When an identity is victim of a data breach
When a transaction is part of an identity theft scheme, particularly an account takeover
When consumers’ identities are exhibiting identity theft, visible by monitoring a broad portfolio of breached or compromised consumers

"Cybercriminals continue to rapidly escalate their assault on sensitive data across a variety of industries, with no end in sight," said Julie Conroy, research director at Aite Group. "This requires fraud prevention capabilities to undergo a similar rapid evolution, with a new, more advanced approach to identity management sitting squarely in the middle of risk mitigation.
Simple personally identifiable information is no longer enough to verify identity; the next wave of fraud and cybersecurity services needs to employ robust data and advanced analytical capabilities in order to make faster and more informed identity decisions." Experian’s Identity Element Network service can be utilized through its flagship fraud enterprise platform, Precise ID®, using its data assets and analytics alongside 41st Parameter’s FraudNet to deliver a comprehensive view of the Customer Life Cycle of traditional identity, device confidence and risk assessment. Learn more about Experian’s Big Data fraud service for breach identity compromise detection for your business.

Published: May 4, 2015 by Guest Contributor

With more than one-third of customers interacting with a single business in five or more channels and more than 85 percent of consumers using online or mobile to conduct business, omnichannel fraud prevention has become a necessity. Implementing a layered approach to authentication and integrating device intelligence into the process to associate a consumer with a known device are critical components of a fraud mitigation strategy. In addition to providing another layer of validation, verifying a customer through his or her device makes it easier for the customer to interact with the business and is a huge benefit to the overall customer experience. Perspective paper: Protecting the customer experience - The impact of fraud on the customer relationship

Published: April 23, 2015 by Guest Contributor

Gift cards are the most requested gift item and have been for the last eight years. Merchants love gift cards because they take up very little space and the recipient often ends up spending more than the value of the gift card.

Published: April 16, 2015 by Guest Contributor

Cont. Understanding Gift Card Fraud
By: Angie Montoya

In part one, we spoke about what an amazing deal gift cards (GCs) are, and why they are incredibly popular among consumers. Today we are going to dive deeper and see why fraudsters love gift cards and how they are taking advantage of them.

We previously mentioned that it’s unlikely a fraudster is the actual person that redeems a gift card for merchandise. Although it is true that some fraudsters may occasionally enjoy a latte or new pair of shoes on us, it is much more lucrative for them to turn these forms of currency into cold hard cash. Doing this also shifts the risk onto an unsuspecting victim and off of the fraudster. For the record, it’s also incredibly easy to do.

All of the innovation that was used to help streamline the customer experience has also helped to streamline the fraudster experience. The websites that are used to trade unredeemed cards for other cards or cash are the same websites used by fraudsters. Although there are some protections for the customer on the trading sites, the website host is usually left holding the bag when they have paid out for a GC that has been revoked because it was purchased with stolen credit card information. Other sites, like Craigslist and social media yard sale groups, do not offer any sort of consumer protection, so there is no recourse for the purchaser. What seems like a great deal— buying a GC at a discounted rate— could turn out to be a devalued gift card with no balance, because the merchant caught on to the original scheme.

There are ten states in the US that have passed laws surrounding the cashing out of gift cards.* These laws enable consumers to go to a physical store location and receive, in cash, the remaining balance of a gift card. Most states impose a limit of $5, but California has decided to be a little more generous and extend that limit to $10. As a consumer, it’s a great benefit to be able to receive the small remaining balance in cash, a balance that you will likely forget about and might never use, and the laws were passed with this in mind. Unfortunately, fraudsters have zeroed in on this benefit and are fully taking advantage of it. We have seen a host of merchants experiencing a problem with fraudulently obtained GCs being cashed out in California locations, specifically because they have a higher threshold.

While five dollars here and ten dollars there does not seem like it is very much, it adds up when you realize that this could be someone’s full-time job. Cashing out three ten-dollar cards would take on average 15 minutes. Over the course of a 40-hour workweek it can turn into a six-figure salary.

At this point, you might be asking yourself how fraudsters obtain these GCs in the first place. That part is also fairly easy. User credentials and account information are widely available for purchase in underground forums, due in part to the recent increase in large-scale data breaches. Once these credentials have been obtained, fraudsters can do one of several things:

- Put card data onto a dummy card and use it in a physical store
- Use credit card data to purchase on any website
- Use existing credentials to log in to a site and purchase with stored payment information
- Use existing credentials to log in to an app and trigger auto-reloading of accounts, then transfer to a GC

With all of these daunting threats, what can a merchant do to protect their business? First, you want to make sure your online business is screening for both the purchase and redemption of gift cards, both electronic and physical. When you screen for the purchase of GCs, you want to look for things like the quantity of cards purchased, the velocity of orders going to a specific shipping address or email, and velocity of devices being used to place multiple orders. You also want to monitor the redemption of loyalty rewards, and any traffic that goes into these accounts. Loyalty fraud is a newer type of fraud that has exploded because these channels are not normally monitored for fraud— there is no actual financial loss, so priority has been placed elsewhere in the business. However, loyalty points can be redeemed for gift cards, or sold on the black market, and the downstream effect is that it can inconvenience your customer and harm your brand’s image.

Additionally, if you offer physical GCs, you want to have a scratch-off PIN on the back of the card. If a GC is offered with no PIN, fraudsters can walk into a store, take a picture of the different card numbers, and then redeem online once the cards have been activated. Fraudsters will also tumble card numbers once they have figured out the numerical sequence of the cards. Using a PIN prevents both of these problems.

The use of GCs is going to continue to increase in the coming years— this is no surprise. Mobile will continue to be incorporated with these offerings, and answering security challenges will be paramount to their success. Although we are in the age of the data breach, there is no reason that the experience of purchasing or redeeming a gift card should be hampered by overly cautious fraud checks. It’s possible to strike the right balance— grow your business securely by implementing a fraud solution that is fraud minded AND customer centric.

*The use of GC/eGC is used interchangeably
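The purchase-side screening the article recommends (card quantity per order, order velocity per shipping address or email, order velocity per device) can be sketched as follows. This is an added example, not code from the original article; the thresholds, field layout and sample orders are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own order history.
MAX_CARDS_PER_ORDER = 5
MAX_ORDERS_PER_KEY = 3          # per email / shipping address / device
WINDOW = timedelta(hours=24)

# Constructed sample orders: (order_id, time, email, ship_to, device_id, card_qty)
ORDERS = [
    ("o1", "2015-03-20T09:00", "a@example.com", "1 Elm St", "dev-A", 1),
    ("o2", "2015-03-20T09:05", "b@example.com", "9 Oak Ave", "dev-B", 12),
    ("o3", "2015-03-20T09:10", "c@example.com", "2 Pine Rd", "dev-C", 1),
    ("o4", "2015-03-20T09:20", "d@example.com", "3 Fir Ln", "dev-C", 2),
    ("o5", "2015-03-20T09:30", "e@example.com", "4 Ash Ct", "dev-C", 1),
    ("o6", "2015-03-20T09:40", "f@example.com", "5 Bay Dr", "dev-C", 1),
    ("o7", "2015-03-22T10:00", "a@example.com", "1 Elm St", "dev-A", 1),
]

def normalize(value):
    """Fold case and whitespace so trivial variations share one velocity key."""
    return " ".join(value.lower().split())

def screen_orders(orders):
    """Return {order_id: [reasons]} for orders tripping a quantity or velocity rule."""
    recent = defaultdict(deque)   # (dimension, value) -> timestamps inside WINDOW
    flagged = {}
    for oid, ts, email, ship_to, device, qty in sorted(orders, key=lambda o: o[1]):
        now = datetime.fromisoformat(ts)
        reasons = []
        if qty > MAX_CARDS_PER_ORDER:
            reasons.append(f"quantity:{qty}")
        for dim, val in (("email", email), ("ship_to", ship_to), ("device", device)):
            seen = recent[(dim, normalize(val))]
            while seen and now - seen[0] > WINDOW:
                seen.popleft()            # drop orders older than the window
            seen.append(now)
            if len(seen) > MAX_ORDERS_PER_KEY:
                reasons.append(f"velocity:{dim}")
        if reasons:
            flagged[oid] = reasons
    return flagged

if __name__ == "__main__":
    for oid, reasons in screen_orders(ORDERS).items():
        print(oid, reasons)
```

Flagged orders are candidates for manual review or step-up verification rather than automatic rejection, which keeps the check in line with the article's point about not hampering legitimate buyers.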

Published: March 26, 2015 by Guest Contributor
