BT Explains: A look at payment fraud, which hits Singapore firms more than in region

NINE in ten Singapore firms lost revenue due to payment fraud in 2020, speaking to the rising sophistication of fraud methods, a survey from Worldpay from FIS showed.

As fraud types go, synthetic identity fraud (58 per cent) and account takeover fraud (60 per cent) rose in 2020 for more than half of Singapore merchants polled.

More generally, 84 per cent of merchants in Asia-Pacific reported losses in revenue due to payment fraud, which puts Singapore's numbers slightly higher than the regional average.

Singapore also trails the region in prioritising fraud detection when it comes to payments.

In Asia-Pacific, improving fraud detection and mitigation is the top-most cited priority among other payment initiatives. Though in Singapore, it is the third-most cited (46 per cent), after investment in emerging technology (50 per cent) and ensuring compliance with regulatory standards (50 percent).

While most Singapore firms are dedicating resources to combating and managing risk, they are fighting a "constantly changing" battle that requires ongoing diligence to defeat, said Phil Pomford, general manager for global e-commerce for Asia-Pacific, WorldPay from FIS. 

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

The Business Times spoke with Mr Pomford to explain common fraud risks.

Synthetic identity fraud

Synthetic identity fraud is a growing trend. 61 per cent of merchants in Asia-Pacific reported higher rates of such fraud – the most among all regions globally.

When merchants were asked which types of payment fraud caused the most operational and revenue losses, synthetic identity fraud was ranked top (52 per cent), followed by account takeover fraud (45 per cent).

This is a complex type of identity fraud where the fraudster uses both real and fake information to create a fabricated identity (e.g. a stolen national identification number combined with a false name and made-up date of birth).

Unlike regular identity theft where the consumer’s personal information is stolen and used without their knowledge, with synthetic identity fraud the account is being held by a fake person altogether, making it harder to track who is behind the crime.

Minors are commonly targeted for their national identification number because they typically have no credit history and are unlikely to find out their national identification number is misappropriated until years later.

In Asia-Pacific, synthetic identity fraud is on the rise despite strong know-your-customer (KYC) practices because fraudsters typically start with low-risk basic services with the financial institution (e.g. opening a checking account), which will not invite scrutiny.

Once they’ve built their reputation and credibility with the bank, the bank then extends credit and other types of loans and products to the fraudster which ultimately lends to huge losses.

For banks or merchants doing a credit check on an individual, what tends to be a red flag is if the individual is 35 years old, but the credit history only goes back a year. Individuals should also remain vigilant and check their credit reports on a regular basis to identify any irregularities.

Account takeover fraud

Account takeover fraud can stem from identity theft fraud, whereby a fraudster uses stolen information to gain access to someone else’s account, and then makes unauthorised transactions via that account.

This is increasingly common in today’s world of social media where personal information (e.g. date of birth, mother’s maiden name) can be easily obtained and used to hack one’s account.

There are different tools that merchants can use to thwart such fraud. For instance, merchants can conduct analysis on a device’s IP and geolocation information at the login stage – if an individual is based in Singapore but logs in from Russia all of a sudden, this is a red flag and should trigger a step-up authentication.

Also, if there are any changes to the personal information on that account, it is best practice for businesses merchants to send an alert to the previous contact details or email address they had on file

For consumers, it is advisable to maintain strong password hygiene and refrain from sharing sensitive information on social media.

Card testing fraud

In Singapore, card testing fraud was shown to rise the most, with seven in ten merchants surveyed reporting increases in such fraud.

Card testing fraud typically begins with the fraudster acquiring compromised card credentials on the dark web. They will then try to determine which card is still valid or active, so that they can use it to make fraudulent purchases.

The fraudster uses various digital tools on a merchant’s website, such as bots or scripts, to test the validity of hundreds of thousands of card details. This type of fraud is commonly seen on travel sites or merchants who offers online gift cards.

For merchants, if an unusually high number of authorisation attempts come through in a day, that’s a clear red flag for card testing fraud. There are also anti-fraud tools available today to help identify errant bots and scripts on the website. Consumers can set purchase alerts on their credit or debit cards to get ahead of such fraud.

READ MORE: 

• MAS taskforce to make clear the liability held by consumers, financial firms in e-payment scams

• Ransomware cases in Singapore more than doubled in 2020