How to recognize an online fraudster

What makes an online fraudster? Can you tell by looking at their age? Gender? Billing address? When they shop? 

The answer is both yes and no, according to a recent report called “The United States of Fraud,” produced Sift Science, a fraud detection and prevention software company. They identified factors including age, billing address, shipping address and purchase value that are more likely to signal fraud. 

This is especially important given the U.S.’s ongoing shift to EMV credit cards. With cards being harder to clone to then use in-store, fraudsters are predicted to shift their efforts online. 

[ ALSO ON CSO: Consumer Alert: Debit card fraud at Walmart discovered in 16 states ]

“EMV technology makes it so much more difficult to duplicate a physical credit card,” says Jason Tan, CEO and co-founder of Sift Science. “They’re still looking to make their money, and doing their business online is a lucrative channel because it’s scalable and anonymous.”  

A profile for fraud

For this study, Sift Science analyzed 1.3 million transactions with shipping or billing addresses in the U.S. from August 2014 to August 2015, transactions that were drawn from their customers’ servers (they work with AirBnB, OpenTable and Pebble, to name a few). Sift Science then cross-referenced with third-party data from FullContact to identify gender and age. 

Some of the findings were surprising, even bizarre. For example, the report found that users identifying as 85 to 90 years old have the highest rates of fraud. They are two-and-a-half times more likely to be fraudsters than the average user. 

This doesn’t mean your grandparents are ripping people off. “We think it might be that, for a lot of online businesses, they will be more forgiving if you look like an older person because they’re unlikely to be fraudsters,” Tan says. “Maybe fraudsters have figured that out and are trying to sneak themselves in by using that forgiveness.”  

The study also found that men are slightly more likely than women to be fraudsters. They identified when fraud is more likely to happen, too: 3 a.m. is the most likely fraudulent time of day, but they also found that fraudsters are more likely to transact online during the workweek than legitimate users. 

As for value, the study found that purchases worth $20 or less are 2.16 times likely to be more fraudulent. 

The report looked at geography, too: Orders shipped to Delaware, Florida and Georgia have the highest fraud rate based on shipping address. Alaska, Delaware and Arizona have the highest fraud rate based on billing address. County with the highest fraud rate: Miami-Dade County in Florida. 

“Oftentimes what we see if that fraudsters will use [an] intermediate address that is in the United States because a lot of time, online businesses are mistrusting of an international address,” says Tan. “They ship that electronics, that camera that they bought with a credit card to a U.S. based address first so it doesn’t flag any suspicion, and then they reship it from there to somewhere else.” 

Alaska, he says, could be high on the list simply because, with drop-down menus used to fill out billing information, Alaska is typically listed first. 

What to do next

Tan says that this information can be useful, but that “these are disparate series piece together in one report. If you as an ecommerce business are looking for people who are 90-years-old, who are purchasing at 3 a.m., who are purchasing for less than $20, you’re likely going to miss other fraud that’s happening outside of those parameters.” 

But knowing who to flag and not will become more important given the U.S. shift to EMV credit cards, which are designed to stop card-present fraud. 

“The U.S. is the last big market to make the switch over to EMV,” says Gilles Ubaghs, senior analyst of financial services technology at Ovum. “What we’ve seen in every single other market is other forms of fraud increased.” 

According to the Federal Reserve, card-present fraud reached $2.4 billion in 2014. Ovum predicts that if the U.S. achieves a theoretical 100 percent implementation of EMV, that card-present fraud would drop to $1.75 billion a year by 2020. However, because of this shift, Ovum estimates that in the U.S., card-not-present fraud could reach $2.6 billion by 2020. 

Ubaghs adds there’s also the possibility for more “traditional” forms of fraud, like muggings and pick-pocketing. ATMs won’t be completely safe, either. Criminals can wedge paper into the card slot so that it gets stuck, wait for the user to leave for help, then use pliers to take out the card. How do they get the PIN number? With a tiny, almost invisible camera.

Ubaghs adds that consumers might let down their own guard, too, thinking that having a chip on their credit card guarantees absolutely security. “We think great, that was a big changeover, I can relax now,” he said. 

That’s not going to be the case – to which I can attest. My new chip-enabled credit card was used by a fraudster less than a week after I activated the card. I wasn’t surprised. It’s the new normal.