Internet fraud prevention

Internet fraud prevention is the act of stopping various types of internet fraud. Due to the many different ways of committing fraud over the Internet, such as stolen credit cards, identity theft, phishing, and chargebacks, users of the Internet, including online merchants, financial institutions and consumers who make online purchases, must make sure to avoid or minimize the risk of falling prey to such scams.

The speed and sophistication of the online fraudulent actors continues to grow. According to a 2017 study conducted by LexisNexis, $1.00 lost to fraud costs organizations (merchants, credit card companies and other institutions) between $2.48 to $2.82 – "that means that fraud costs them more than roughly 2 1⁄2 times the actual loss itself."

Three constituencies have a direct interest in preventing Internet fraud. First, there is the consumer who may be susceptible to giving away personal information in a phishing scam, or have it be acquired by rogue security software or a keylogger. In a 2012 study, McAfee found that 1 in 6 computers do not have any sort of antivirus protection, making them very easy targets for such scams. Business owners and website hosts are also engaged in the ongoing battle to ensure that the users of their services are legitimate. Websites with file hosting must work to verify uploaded files to check for viruses and spyware, while some modern browsers perform virus scans prior to saving any file (there must be a virus scanner previously installed on the system). However, most files are only found to be unclean once a user falls prey to one. Financial institutions, such as credit card companies, who refund online customers and merchants who have been defrauded also have a strong interest in mitigating Internet fraud risk.

History
Internet fraud began appearing in 1994 with the start of e-commerce. The first trend to be seen was the use of "Famous Names" to commit the fraud. Using this method, the person committing the fraud would use stolen credit cards with the popular celebrity of the time's name. This highly unsophisticated plan was only successful because the internet was new and the possibility of fraud had not been considered. Eventually internet merchants implemented rules to confirm the card user name.

Following the "Famous Names" strategies were more technical attacks in which hackers created card-generator applications that came with real credit card numbers. Attacks such as these were commonly targeted toward the same vendor. Merchants had no way to see cross-merchant activity until the credit card associations reported it. After 1996 fraudulent users went on the internet to test the status of stolen credit cards.

By 1998, the internet was filled with e-commerce sites. Fraudsters began to set up "dummy" merchant sites where they could harvest their own credit cards through their own site. Before the charge-backs rolled in, they would shut the doors of the website and leave the country. Soon a trend started of the mass theft of identities from the internet through information provided online under the Freedom of Information Act. One of the counter-methods merchants developed was the use of consumer accounts. The merchant would set up a consumer account the first time the consumer made a purchase. Following the creation of the new account, the merchant would perform a series of third-party checks to validate the information provided by the consumer.

As auction sites like eBay and uBid gained popularity, new fraud methods arrived specifically targeting this new merchant community. From selling bogus goods to misleading the consumer, the fraudsters continued to take advantage of consumers.

Credit card fraud
Credit card fraud is the unauthorized use of a credit card to make a transaction. This fraud can range from using the credit card to obtain goods without actually paying, or performing transactions that were not authorized by the card holder. Credit card fraud is a serious offense, and punished under the charge of identity theft. The majority of this type of fraud occurs with counterfeit credit cards, or using cards that were lost or stolen. Approximately .01% of all transactions are deemed fraudulent, and approximately 10% of Americans have reported some type of credit card fraud in their lifetimes.

While many systems are in place by the card provider to identify fraud, the card holder is left with the ultimate responsibility. Preemptive steps to reduce chances of fraud include installing anti-virus software, keeping and maintaining current records, and reviewing statements and charges regularly. The objective is to provide a first defense in spotting fraudulent charges. Exercising caution on online sites, especially suspicious or non-established sites, as well as in foreign countries is also advisable. The legitimacy of websites should be verified. Checking with the Better Business Bureau is a first step to see how that company has established themselves. Once on a website, the user can check what security or encryption software the website utilizes. A padlock to the left of the URL, can sometimes be found to signify additional security is being implemented. A physical address for the company, or sending an email to one of the contact addresses can further verify the reliability of the company. Even on trusted sites, it is important to be diligent that one has not navigated away from that site. Other safe practices include being cautious of account number distribution, keeping credit cards separate from a wallet or purse, keeping constant sight of credit cards, and drawing lines on blank spaces above the total on receipts. On accounts in which one has saved card information, it is important to have a strong password with a mix of numbers and symbols. Using different passwords for different sites, is also strongly encouraged.

If a card is lost or stolen, the card holder must report it immediately, even if no fraud has been detected yet. Once a card is reported lost or stolen, the card-holder is not responsible for erroneous charges.

Identity theft
Identity theft, also called identity fraud, is a crime in which someone steals and uses another person's personal information and data without permission. It is a crime usually committed for economic gain. Stolen personal data includes Social Security Number's (SSN), passport numbers, or credit card numbers, which can easily be used by another person for profit. It is a serious crime that can have negative effects on a person's finances, credit score and reputation.

There are three specific types of identity theft aside from the broad term. Tax-related identity theft is when a criminal uses someone else's SSN to get a tax refund or a job. Victim of this type of theft must contact the IRS. Child identity theft is when a criminal uses a child's SSN to apply for governmental benefits, open bank accounts, or apply for a loan. Medical identity theft is when a criminal uses someone else's name or health insurance to see a doctor, get a prescription or other various medical needs.

Fortunately, there are precautions that consumers can take to prevent identity theft. There are simple ways in which to avoid becoming a victim of identity fraud and an easy way to remember them is the acronym SCAM. SCAM reminds us to 1. Be stingy when giving out personal information to others 2. Check financial information regularly and recognize when something strange has occurred 3. Ask for a copy of your credit report often, and 4. Maintain careful financial records. It is necessary to be aware of phishing and to always be cautious of giving your personal information out through e-mail, website or over the phone. Also be sure that the phone number, name and mailing address registered to your bank account is all correct as there are cases in which bank statements have been sent to false addresses and identities have been stolen. Check these bank statements regularly and be sure that there are no charges to your account that you do not recognize.

Individuals experiencing identity theft can take immediate steps to limit the damage to their finances and personal life. The first step is to contact one of the three national credit reporting companies and place an initial fraud alert. This is done by contacting a national credit reporting company, asking them to put a fraud alert on your credit file, and confirming that they will notify the other two companies of this change. The next step is to order free credit reports from each of the three national credit reporting companies. Lastly, report the identity theft to the FTC and print an FTC identity theft affidavit and then file a police report and ask for a copy of the report.

Phishing
Phishing is a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer (phisher) can use illicitly. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. There are four main type of phishing techniques: link manipulation, filter evasion, website forgery, and phone phishing. Legislation, user training, public awareness, and technical security measures are all attempts to control the growing number of phishing attacks. The damage caused by phishing ranges from denial of access to email to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.

As early as 2007, the adoption of anti-phishing strategies by businesses needing to protect personal and financial information was low. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. These techniques include steps that can be taken by individuals, as well as by organizations. One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback. People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.

Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. It is up to the customer to use his or her discretion to separate genuine emails from phishing emails and prevent phishing attacks. The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers. They predict that pharming and other uses of malware will become more common tools for stealing information.

Chargebacks
A chargeback is not necessarily a fraudulent activity. In its most basic sense, a chargeback is when an issuing bank, a bank where consumers acquire credit cards, reverses a prior charge from a bank account or credit card at the request of a cardholder because there was a problem with a transaction. The problem could be anything from a situation where the consumer did not receive the product they purchased, to one where the cardholder was not satisfied with the quality of the product, to a situation where the cardholder was a victim of identity theft. The concept of a chargeback rose as a measure of consumer protection taken by issuing banks and credit card companies. Chargebacks were a measure to protect cardholders from identity theft and the unauthorized transitions from identity theft. Chargebacks also provide incentive to producers and sellers to provide products of consistent quality and efficient customer service.

With the rise of technology, and the resulting increase in online and telephone transactions and commerce, it has become easier to commit fraud via chargebacks. Chargebacks are an interesting concept because the process protects consumers from identity theft fraud, but opens the door for consumers to commit chargeback fraud. Chargeback fraud is also known as "friendly fraud." Friendly fraud is the term for when a consumer authorizes a transaction for an online purchase on his or her credit card, receives the product or products the consumer paid for, but then later the same consumer files for a chargeback. The fraudulent filing for a chargeback results in a consumer keeping and avoiding paying for the products they ordered.

There are several common cases where a consumer commits so called friendly fraud. One situation is where the consumer claims that they never received the purchase or order when in reality, they did. In this scenario, when a customer files a chargeback, it enables the customer to keep the product while not paying for the product. Another situation is where a customer claims that the product they received was either defective or damaged. In this scenario, a chargeback claim facilitates the customer to get a "two for one" deal because the producer will ship a replacement product. Finally, another common situation is where the customer buys a product, but then files a chargeback with their issuing bank claiming they never authorized such a transaction.

Producers and merchants have responded to the rise of fraudulent chargeback claims and have implemented measures to combat friendly fraud. Chargeback fraud is challenging because the vendor's first reaction is to tighten internal fraud controls and add anti-fraud software tools. While this reduces fraud, it also prevents many legitimate customers from completing online purchases. In addition, it is difficult for merchants to protect against friendly fraud chargebacks because the chargeback process often favors the consumers over the producers. One of the best ways to prevent friendly fraudsters is for online merchants to require signatures for the delivered packages upon their arrival. This will provide very specific information to the producers about the delivery. The drawback to signature confirmation is that it increases shipping costs, which still hurt producers' bottom line. In addition, producers have started to share data of lists of customers who make chargeback claims. This helps producers see trends of customer's shopping habits. This transfer of information among producers helps them maximize profits and forces consumers to stay honest. Producers have also started keeping a record of all communication with customers, so customers who want to file fraudulent chargebacks have a harder time following through with the claim. Finally, e-commerce sites have started to keep track of customer's IP addresses, so when consumers make a claim that they did not make a purchase, it is much harder to lie.

Although chargeback fraud is a problem with the growth of e-commerce and other alternative shopping outlets with dishonest consumers, many consumers who file chargeback claims are honest and have encountered a real problem with their transaction. In some cases, chargebacks can be reduced by implementing more refined tracking tools to measure reasons for returns and employing more live customer service personnel and improving their training.

FBI response
In May 2001, Deputy Assistant Director of the FBI, Thomas T. Kubic, gave a testimony to the House Committee on the Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection on the FBI's response to Internet fraud crimes. Alongside the U.S. Postal Inspection Services, U.S. Customs Service, Internal Revenue Service-Criminal Investigative Division, and the United States Secret Service, the FBI has developed the "Operation Cyber Loss" program to combat Internet fraud. The agency also created the Internet Fraud Complaint Center (IFCC) to help with the operation. The types of fraud that Operation Cyber Loss is investigating are identity theft, on-line auction fraud, credit/debit card fraud, investment and securities fraud, Ponzi/Pyramid schemes, and non-delivery of merchandise purchased over the Internet.

Mitigating the Risk of Internet Fraud
Businesses selling goods and services online bear a large portion of internet fraud costs—according to the 2017 LexisNexis study, fraud costs as a percentage of revenues for online retail (physical goods) and eCommerce (digital goods) are 2.17% and 2.39% respectively, with online gift card fraud being an area of special concern.

Relying on fraud detection software alone has been found to flag too many legitimate transactions as fraudulent: online purchases are either blocked outright or delayed for review such that the customer abandons the purchase. One approach that has been found successful in reducing the number of "false positives" while still reducing fraud is a "layered" filtering. This technique employs fraud detection software based on algorithms and AI/machine learning, combined with manual review by customer service personnel. Real-time fraud detection supplied by software-as-a-service (SaaS) fraud detection firms includes verifying CVV, PIN/signature, check verification, browser malware detection, address verification, device ID fingerprinting, geolocation, authentication by quizzes, cross-checking shared data bases of customer profiles, automated transaction scoring, rules-based filters and other data points.

In response to the prevalence of online fraud, many fraud detection and prevention software service companies have entered the field, employing a variety of techniques, including machine-learning-based behavior analytics and anomaly detection; the use of a "fraud hub" that enables third-party data sources to feed in purchaser information that is used in predictive statistical modeling; and automated remote malware detection. The largest players in this area are Cybersource (owned by Visa), Brighterion (Mastercard), and SAS Institute. Some of the newcomers in the field include Fraudio, Signifyd, Eye4Fraud, Kount, Riskified, Sift Science, Forter and Feedzai.