‘Tis the Season for CNP Fraud

It is that time of year again when the credit/debit cards come out—and so do the fraudsters. Phishing campaigns, skimming devices, malware attacks and key logging are all tools and techniques fraudsters use to gain access to financial information. So what happens after they gain access? There are many ways for this information to be used, but perhaps the greatest threat this time of year is card not present (CNP) fraud.

The implementation of chip and signature cards in 2015 helped U.S. financial institutions respond to the growing wave of counterfeit cards. However, similar to what was experienced in Europe after the implementation of EMV cards; the U.S. has seen an explosion of CNP fraud. According to IDology and Experian data, CNP fraud grew by 33 percent between 2015 and 2016 (remember 2015 was the beginning of the implementation of the chip and signature cards in the U.S.).1 What is feeding the alarming growth in CNP fraud are large profits and an explosion in data breaches, leading to enormous amounts of card data being available for sale on the dark web. In 2018, the expected loss from CNP fraud—in the U.S. alone—will exceed $6.4 billion and is expected to cost merchants over $70 billion over the next five years according to IDology and Juniper research.2 With profitability so high, fraudsters can be expected to continue skimming, hacking and accessing consumer data for their nefarious use.

While some fraudsters have continued to utilize card data indiscriminately, opting to make as many purchases as possible prior to being shut down, others have chosen to be more strategic in their approach. In 2013, a major retailer experienced a massive data breach affecting over 70 million customers during the holiday season. Not only were the fraudsters able to replicate the cards (counterfeit), but they also distributed those cards to their network which operated in the geographic areas where the cards were initially used. In other words, the fraudsters learned that if they used the replicated cards in the areas where their victims lived, they would look more like the bank customer and not a fraudster. In short, their activities remained undetected for a longer period because the fraudsters looked like the customer.

So, what can organizations do to counter the growing CNP threat? While there is no absolute countermeasure, regularly improved algorithms, transaction scoring and customer monitoring are a start. Unless merchants and financial institutions can gain a better understanding of customer behavior and activity, it will be difficult for them to have a positive impact on CNP loss. In addition, machine learning and artificial intelligence (AI) are effective means to counter the CNP threat. However, organizations need to understand that AI is not a cure-all. What some seem to miss about AI is that it needs to have someone who can point it in the right direction for data to learn. Absent the right strategy and data behind any AI implementation, effectiveness will be limited.

Going into this holiday season, merchants, retailers and financial institutions should be aware of the CNP threat and be prepared to evaluate their overall fraud strategies accordingly.

Troy Pugh, CAMS, executive director – financial crime intelligence, Sojourn Consulting, Cornelius, NC, USA, tspugh4@gmail.com

  1. “Card-Not-Present Fraud is Skyrocketing,” ClearSale, https://www.clear.sale/infographics/cnp-fraud-is-skyrocketing
  2. Ibid.

Leave a Reply