Fraud Risks and Scenarios
    • 14 Nov 2023

    Common Fraud Risks

    Below are some common fraud risks that you may face as a company. It is important to evaluate the customer and transaction types you are allowing, which will give you a sense of your risk profile and controls.

    • Identity theft - Fraudsters may steal personal information to open accounts, apply for loans, or make transactions in someone else's name. They can exploit weak identity verification processes or use data breaches to gather personal information. These schemes may include using stolen credentials to link an external account to an account opened with your app and then withdrawing those funds either through ATM, wire, or a P2P app such as CashApp.
    • Account takeover - Cybercriminals use various tactics, like phishing or malware, to gain access to your customer's account. Once in control, they can make unauthorized transactions, transfer funds, or even change the account's security settings. This may include changing identity information and passwords to make it more difficult for the customer to take back control of their funds and accounts.
    • Payment fraud - This involves unauthorized transactions on an account, often using stolen credit or debit card information. Fraudsters might make online purchases, transfer funds, or initiate other unauthorized transactions. One common type of payment fraud involves exploiting companies that give their customers immediate funds availability after the customer pulls funds from an external account through ACH. A fraudster may exploit immediate funds availability by initiating the pull, accessing and withdrawing the funds, and then cancelling the initial pull.
    • Application fraud - Criminals may submit false or manipulated documents to create accounts or obtain loans. They might use stolen or synthetic identities, inflate their income, or provide fake employment information to bypass credit checks and other safeguards.
    • Money laundering - Fintechs can be targeted by criminals seeking to launder illicit funds. They may establish accounts with multiple neobanks and move money between them to obscure the source of the funds, making it difficult for authorities to trace the origin of the money.

    Fraud Rings and Cybercriminals

    Criminal and fraud rings may systematically exploit your products and payment methods if they detect weaknesses in your controls. This can result in a sudden flood of fraud attempts, particularly during the first 30-90 days of your launch. Examples of this include testing your onboarding flows and using stolen identities to onboard, testing your transaction limits and ease of withdrawal, and initiating social engineering scams by impersonating your staff and contacting your customers.

    Fraud Controls

    Your fraud controls should include a combination of required controls within the Synctera platform to mitigate fraud and controls that are based on your company's risk profile, which is driven by the customers, payment methods, and products you provide. As an example, companies within the cryptocurrency space can attract additional fraud and money laundering attempts, which requires heightened onboarding and transaction monitoring controls.

    Required Controls

    • Identity Verification - All potential customers will undergo Synctera (or an approved vendor) identity verification, which includes comparing provided data against various public data sources to assess potential fraud risks at onboarding. As an example, this includes assessing the correlation of different PII data points such as name, address, and social security number. It also includes assessing the validity or age of phone numbers and email addresses. Customers that fail an initial screen must provide government-issued documentation to prove their identity.
    • Payment Limits - Payment limits allow you to mitigate the exposure of fraud and make it less attractive for fraudsters to target your platform. In particular, managing withdrawal limits or the ability to move money outside your platform to other apps that can be used to withdraw money quickly (e.g. via CashApp, PayPal) can be a valuable preventative tool. When requesting limits, it is good to assess and consider your limits as a whole. For instance, large deposit capabilities combined with the ability to easily wire or make cash withdrawals will make you an especially attractive target for fraudsters. One way to counter this risk is to have more stringent limits for earlier customers to ensure there is no suspicious activity before relaxing those limits. Typically, fraudsters will attempt fraud within the first 30-90 days (note that there are fraud schemes that involve exhibiting good behavior before making a large withdrawal).
    • Fraud Transactions Monitoring - Transactions that occur over your platform will be subject to fraud rules that are designed in conjunction with your fraud strategy. These rules will prevent transactions that have suspicious or unusual patterns from occurring. As an example, fraud rules may include velocity rules or geography rules that detect multiple transactions in quick succession or transactions that occur from locations outside of what you would expect of your customer.
    • Reserve - Your company is responsible for fraud losses and will maintain a reserve with your Sponsor Bank that absorbs any realized losses. The reserve is set aside as funds with the bank. When losses or exposures increase, the reserve may also require adjustment - the reserve is meant to help ensure your company is always able to take on fraud losses without disrupting the financial condition and stability of your company. 
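
    The velocity, geography, and new-account limit checks described above can be sketched as follows. This is an added example, not Synctera's rules engine or code from the platform; the thresholds, field names, rule names, and sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; set yours from your own risk profile.
VELOCITY_WINDOW, VELOCITY_MAX = timedelta(minutes=10), 3
NEW_ACCOUNT_AGE = timedelta(days=90)  # the 30-90 day window the article highlights
DAILY_WITHDRAWAL_CENTS = {"new": 500_00, "seasoned": 5_000_00}

@dataclass
class Txn:
    account: str
    ts: datetime
    kind: str  # "deposit" or "withdrawal"
    amount_cents: int
    country: str
    approved: bool = False

def evaluate(txn, opened, expected_countries, history):
    """Return the names of the rules txn trips, given the account's earlier attempts."""
    hits = []
    recent = [t for t in history if txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:  # declined attempts still count as velocity
        hits.append("velocity")
    if txn.country not in expected_countries:
        hits.append("geography")
    if txn.kind == "withdrawal":
        tier = "new" if txn.ts - opened < NEW_ACCOUNT_AGE else "seasoned"
        spent = sum(t.amount_cents for t in history if t.approved
                    and t.kind == "withdrawal" and t.ts.date() == txn.ts.date())
        if spent + txn.amount_cents > DAILY_WITHDRAWAL_CENTS[tier]:
            hits.append("withdrawal_limit")
    return hits

def run(txns, accounts):  # accounts: id -> (opened, expected countries)
    history, decisions = {}, []
    for txn in sorted(txns, key=lambda t: t.ts):
        prior = history.setdefault(txn.account, [])
        hits = evaluate(txn, *accounts[txn.account], prior)
        txn.approved = not hits  # any rule hit declines the transaction
        prior.append(txn)
        decisions.append((txn.account, txn.kind, hits))
    return decisions

# Constructed sample data (not real accounts or transactions).
ACCOUNTS = {"new": (datetime(2024, 1, 1), {"US"}), "old": (datetime(2023, 1, 1), {"US"})}
SAMPLE = [Txn(a, datetime(2024, 1, 10, h, m), k, c, g) for a, h, m, k, c, g in [
    ("old", 9, 0, "withdrawal", 600_00, "BR"), ("new", 12, 0, "deposit", 200_00, "US"),
    ("new", 12, 2, "withdrawal", 300_00, "US"), ("new", 12, 4, "withdrawal", 300_00, "US"),
    ("new", 12, 5, "withdrawal", 100_00, "US")]]
if __name__ == "__main__":
    print(*run(SAMPLE, ACCOUNTS), sep="\n")
```

    Declined attempts stay in the velocity count but not in the daily withdrawal total, so repeated probing of a limit is itself flagged.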

    Other Controls

    • One-Time Password before Account Opening - Prior to opening an account with a customer, collecting their phone number and email address can be one way to mitigate fraudulent onboarding. This will include sending them a one-time password (OTP) that they must confirm and re-submit to the app before proceeding. While this is not 100% foolproof against fraudsters who have stolen identities or who provide false email addresses, it can add some friction to your process that will discourage some fraudsters.
    • Two-Factor Authentication - Require two-factor authentication for onboarding, profile changes, new devices, and lengthy times between log-ins.
