Friend or foe? When your fraudster is also your customer

When we think of an online fraudster, the common stereotype is that of a shady criminal who has successfully stolen an unsuspecting customer’s credentials in order to drain their bank account or to go on a shopping spree with their hard-earned cash. 

Or perhaps, as we discussed in our earlier blog, we presume the fraud is the work of a highly organized criminal gang, which makes use of an arsenal of sophisticated, automated tools in order to evade detection and take over accounts, either before, during or after a transaction takes place.

As is often the case, these stereotypes aren’t always borne out in reality. Indeed, some estimates suggest that a mere 29 percent of fraud incidents can be classed as ‘true fraud’ – where criminals are the actual perpetrators. The rest of the time, it’s by no means a straightforward story of good versus evil. Indeed, more often than not, the person committing the fraud is also the account or card holder; a situation referred to as ‘friendly fraud.’

Friendly fraud comes in many guises

For banks, merchants and payment service providers (PSPs), there is very little friendly about friendly fraud as, in the vast majority of cases, they will be required to investigate and, if necessary, refund the value of any fraudulent transactions to the account holder.

However, friendly fraud does come in several different guises, some more hostile than others.

Honest mistakes

In its most innocent form, friendly fraud can be a result of forgetfulness. In today’s age of contactless and mobile payments, it’s easy to rack up purchases without keeping track. A seemingly rogue transaction on an account holder’s bank statement could be completely legitimate, even if it is in no way memorable.


Confusion reigns

Inconsistencies between company (or brand) names and trading names adds to the confusion. We’ve probably all glanced at our credit card statements and thought ‘that wasn’t me, I’ve never even heard of that company’ only to call the bank and find out it’s the obscure trading name of a well-known retailer.

Furthermore, the rising popularity of subscription-based services means there’s even more for consumers to get in a muddle about. Services provided by the likes of Amazon Prime or Netflix (amongst others) are linked to a single card holder or bank account, but can span multiple devices which are used by different household members.

Unbeknownst to you, your children might be ordering the latest movie releases or game using your card.


Malicious intent

However, not all friendly fraud can be blamed on simple forgetfulness or the complications of modern-day life. Sometimes, the card or bank account holder is complicit in the crime.

Often referred to as ‘chargeback’ fraud, this is when a consumer makes an online, card-not-present purchase using their own credentials, before instructing their bank to cancel the payment, claiming that they didn’t order the goods, never received them, or that they were damaged or lost in transit. If such claims are approved by the bank, the consumer will receive a refund.

In these circumstances the merchant ends up footing the bill in the form of a chargeback from the bank, even though they could have taken all the necessary steps to authenticate the user at the time of the transaction.  Meanwhile the consumer gets the goods and the refund.

To evade detection, sometimes the consumer won’t order the goods or services from their own device or IP address. Instead they will pass their card or login details to a friend, which makes it harder to link the purchase to the authorized card or account holder.


The challenge distinguishing between good from bad

It’s not always easy to spot friendly fraud because the user (or their accomplice) will of course be using legitimate, fully authenticated credentials to undertake a transaction. If the fraud really is just because of an honest mistake, where the customer forgot or wasn’t aware of the transaction made by someone else with access to the account, a simple phone call or SMS can usually help the bank or payment service provider establish the facts with the account holder.

While no refund will be made to the customer – and no chargeback applied to the merchant – there is still an administrative overhead associated with these investigations.

When they customer’s credentials are legitimate, but their motivations are unclear, things become considerably more complicated. It is not always easy to work out if fraud has taken place, particularly in the event that an order didn’t reach the intended recipient.  

Banks, credit card providers and PSPs – particularly in this age of Open Banking and increased competition from fintech challenger brands – may decide to give the customer the benefit of the doubt without thorough investigation, in order to keep their custom.

Indeed, consumers are often afforded a great deal of protection. In most countries, their rights are greater than the rights of merchants, which will end up picking up the ultimate cost of the transaction in the form of a chargeback for the bank or credit card company.


Counting the cost

Fraud represents a massive cost to the industry, indeed, every $1 of fraud is thought to end up costing the financial services industry more than three times that amount. This uplift is due to additional expenses such as chargebacks, fees and investigation, amongst other items.  

Friendly fraud is a key contributor to this problem. estimates that it costs retailers alone more than $11 billion a year. These costs are unsustainable, especially as fraud becomes ever more prevalent.


Identifying friendly fraud

As we’ve discussed, identifying friendly fraud isn’t easy; they’ll be no red flags during the authentication process, the user’s device, geolocation and network environment won’t set any alarm bells ringing, nor will there be any suspicious malware to give the game away.

However, there is a solution. Deep learning techniques – that are able to compare the user’s behavior in one particular session against all their previous interactions – can be deployed in order to look for anomalous or suspicious activity.

After all, every customer has a digital DNA; if one session doesn’t fit their usual pattern of behavior, then it might be worth investigating. 

Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA at buguroo. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.



Using historic bugFraud data Fraudster Hunter can quickly investigate and identify fraudster activity to help fraud teams rapidly visualize both legitimate and malicious connections to discover accounts being used to commit fraud, and those at high risk of being used for future crimes.


Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities