Mitigating signup fraud: What is it and how can merchants prevent it?

Aug 12 2021 | PayPal Editor

Protect your business's bottom line and reputation from this type of emerging fraud.
The ecommerce sector is thriving. Across the world, online merchants are benefitting as self-isolating consumers surge online to buy goods and services. Global transaction value is set to top $4.1 trillion in 2021 and grow by a rate of nearly 9% over the coming four years.[1] But fraudsters are never far from the action. They can see new opportunities to take advantage of unwitting consumers and online stores that have relaxed restrictions on purchases to maximize potential takings. Signup fraud is particularly troublesome, as it opens the door to a range of malicious activity which could lead to serious financial and reputational damage for affected merchants.
To tackle this type of emerging fraud, merchants must look to advanced tools like those provided by PayPal. Easy-to-deploy and highly cost effective, they leverage huge volumes of global data and the power of machine learning to more accurately spot and block suspicious behavior.
What is signup fraud?
Also known as new account fraud or account creation fraud, signup fraud may not get as much press as account takeovers or classic payment fraud. Yet it can affect merchants in a number of ways, eating into profits and undermining efforts to attract and grow new customers. As the name suggests, it denotes the creation of new accounts with the express purpose of committing various types of fraud.
The bottom line is that ecommerce accounts need to be easy to create — otherwise it would put off legitimate consumers from signing up in the first place. But by making it too easy, merchants run the risk of allowing fraudsters to sneak in and pose as regular customers. They’ve become pretty good at it too, using automated scripts, anonymizing tools, and huge volumes of breached identity data to improve success rates.
This makes it hard for businesses to spot fraudulent activity, as does the fact that—unlike other fraud types—there’s no historic customer data to compare it to. The signup process is usually the first time a merchant has seen the new ‘customer.’ Another factor is that new signups are often viewed as a sign of business success, which may delay investigations into whether those new registrants are legitimate or not.
How signup fraud works
There are various ways signup fraud can occur. It all starts with the process of account creation. Typically, the fraudsters are looking for scale to make their campaigns worthwhile, so they’ll use automated tools to manage the signup process. This kind of software is readily available on dark web cybercrime marketplaces. Another option is to use automated bots to sign up for multiple accounts, bypassing account verification measures like CAPTCHA and email confirmations. Once successful, this process will net the fraudster a large number of fake accounts using synthetic or stolen identities. Now they’re ready to use the newly created accounts. 
These accounts can then be deployed en masse to:
  • Take advantage of new customer offers such as discounted products and gift cards
  • Test stolen cards in large volumes to check if they’re still working. These could then be used in payment fraud attempts on the same site, potentially leading to chargeback losses for the merchant
  • Test and validate stolen credentials (aka credential stuffing)
  • Abuse the time-limited free trials many merchants may offer on their site. By creating new accounts, the trial period could be extended indefinitely. Such services could be sold on the dark web
Fraudsters may use their automated toolsets to perform regular actions, such as logging in and viewing products, to make it appear as if a legitimate customer is in charge of the account. This only makes it harder to detect fraudulent behavior with legacy tools.
The impact on merchants
Unfortunately, this kind of activity can have a major impact on your brand reputation and the bottom line. Signup fraud can potentially lead to:
  • Loss of revenue if signup offers with monetary value are handed out to fraudsters
  • Reputational damage when cardholders see where their data and cards have been used fraudulently
  • A further financial impact associated with follow-on payment fraud and chargebacks  
  • Marketing challenges if large volumes of fake signups distort your internal metrics and business planning
PayPal can help mitigate signup fraud
The good news is that fraud prevention technology has advanced considerably from traditional, static rules-based approaches. That puts powerful, highly cost-effective solutions at the fingertips of any merchant today.
At PayPal, we leverage data from our extensive 2-sided network of over 350 million active consumers and over 25 million merchants across the globe and feed this data into predictive machine learning models that can help detect suspicious activity that human eyes might miss. Our machine learning models also are continually optimized to ensure they adapt as the bad guys change their tactics, helping to keep you one step ahead of the fraudsters.
To develop models and rules that help identify potentially fraudulent accounts, we rely on device data, third-party information, session analysis, and information collected during the signup process. We build hundreds of signals on top of the device, email, IP, phone, user, and address information that feeds our models to help detect suspicious behavior. For example, we can create a signal to help detect a mismatch between a user’s real and stated location, or abnormal phrases when typing familiar information such as a first and last name. We also leverage third-party data to rate risk factors around the identity attributes for authentication purposes:
  • Device Fingerprint: With Device Recon, uniquely identify a desktop, tablet, or mobile device used to create a new account based on browser, device type, browser language, or operating system (OS), among others
  • Identity Scores: Get risk scores and reason codes to help prevent fraudulent users from creating accounts using synthetic or fake identities
  • Financial History: Incorporate users’ financial credibility into the scoring or Early Warning. The more history there is, the better the results
  • Public Records: Reverse lookups on addresses, names, and phones
  • Email Address: Identify if the email used to sign up for the new account is risky or blacklisted by comparing it with external databases
Some third-party sources provide data points that can be used for authentication purposes.
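As an added illustration (not PayPal's models or code), the Python below scores a batch of constructed signup records with three of the signals named above: many signups from one device fingerprint in a short window, a mismatch between IP-derived and stated country, and a risky email domain. The field layout, reason codes, threshold, window and blocklist are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signups (not real data). Assumed upstream steps supply
# device_id (device fingerprint) and ip_country (geo-IP lookup).
# Fields: time, user, email, device_id, ip_country, stated_country
SIGNUPS = [
    ("2021-08-12T10:00:00", "u1", "ann@example.com",      "dev-A", "US", "US"),
    ("2021-08-12T10:00:20", "u2", "x1@mailtrash.example", "dev-B", "FR", "US"),
    ("2021-08-12T10:00:40", "u3", "x2@mailtrash.example", "dev-B", "FR", "US"),
    ("2021-08-12T10:01:00", "u4", "x3@example.org",       "dev-B", "FR", "GB"),
    ("2021-08-12T18:30:00", "u5", "bob@example.net",      "dev-C", "DE", "DE"),
]

# Hypothetical blocklist; in practice this would come from an external source.
RISKY_EMAIL_DOMAINS = {"mailtrash.example"}


def score_signups(signups, window=timedelta(minutes=10), max_per_device=2):
    """Return {user: [reason codes]} for signups that trip at least one signal."""
    by_device = defaultdict(list)
    rows = []
    for ts, user, email, device, ip_c, stated_c in signups:
        t = datetime.fromisoformat(ts)
        by_device[device].append(t)
        rows.append((t, user, email, device, ip_c, stated_c))

    flagged = {}
    for t, user, email, device, ip_c, stated_c in rows:
        reasons = []
        # Signal 1: signups from the same device within +/- window of this one
        # (counts this signup itself), a sign of scripted account creation.
        nearby = sum(1 for other in by_device[device] if abs(other - t) <= window)
        if nearby > max_per_device:
            reasons.append("DEVICE_VELOCITY")
        # Signal 2: country seen on the network differs from the stated one.
        if ip_c != stated_c:
            reasons.append("LOCATION_MISMATCH")
        # Signal 3: email domain appears on the risky-domain list.
        if email.rsplit("@", 1)[-1].lower() in RISKY_EMAIL_DOMAINS:
            reasons.append("RISKY_EMAIL_DOMAIN")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in score_signups(SIGNUPS).items():
        print(user, reasons)
```

Reason codes like these are meant to feed a review queue or a downstream model rather than block a signup on their own, since any single signal (a traveller's IP, a shared family device) also fires for legitimate customers.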
To learn more, visit the manage risk page for enterprises.

1. Statista – Digital Commerce Worldwide, 2021

The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.
