
Introductory Guide to Phishing Emails – Common Techniques and Prevention Methods

Phishing scams are becoming more and more common. Every day hundreds of people around the globe face many problems with phishing emails. Understanding how phishing emails work can go a long way in helping you prevent phishing attacks. 

In 2014, Sony Pictures Entertainment became the victim of a major phishing attack. Hackers sent phishing emails to top executives of Sony Pictures. The emails, which looked like they came from Apple, contained a malicious link that prompted users to enter their Apple ID information into an online form.

Over time, criminals stole over 100 terabytes of sensitive information. The overall attack cost Sony more than $100 million. 

Phishing scams gained traction in 2021, when over 83% of all organizations experienced similar attacks.

In this guide to anti-phishing, we’ll take an in-depth look at what phishing is, how it works, and the different techniques used for phishing scams.

What is Phishing?

Phishing is a type of social engineering. It happens mostly in emails. In phishing emails, the primary objective of scammers is to trick legitimate users into revealing confidential information about themselves or their organizations.

In a phishing scam, attackers may trick victims into clicking a link that will lead them to a fake website. The website will ask you to enter sensitive information. Other types of scams involve directing victims to download attachments that will infect their devices with dangerous malware or ransomware.

Any domain can become the victim of a phishing attack. This is because a huge number of people use the same username and password on multiple accounts. 

According to Google’s 2019 security survey, 65% of people reuse passwords for multiple accounts. Over 60% of people keep using the same password even after a data breach.

Most phishing attacks happen with fake email messages that pretend to come from a legitimate company. Attackers also use text messages, phone calls, or social media scams to achieve the same goal of accessing sensitive information.

How Do Phishing Attacks Work?

Based on the FBI’s 2020 Internet Crime Report, phishing was the most common cyberattack type in 2020. By 2021, it had become one of the biggest concerns for IT professionals.

Modern phishing attacks have become highly sophisticated. You may have heard of the Nigerian prince scam, one of the oldest phishing scams. The scams of today use several skillful social engineering tactics to manipulate victims and steal personal information.

The best scammers impersonate legit organizations, make lookalikes of their email addresses, and send emails to look like they’re from the real organization. 

The fake emails often contain a malicious link to track the activity of the victim and to steal the user’s personal information. 

The links can also lead to malicious websites that can infect the victim’s device and track all user activity.

Commonly Used Phishing Techniques

Here are some of the phishing techniques most commonly used by scammers.

  1. Bait Creation

Scammers create messages and emails that look and feel legitimate and trustworthy. They often mimic well-known companies, government agencies, or businesses to trick recipients into thinking that the text is genuine.

  2. Social Engineering

Phishers use psychological techniques to manipulate the recipient’s emotions and push them to take action.

They may also create a sense of urgency, curiosity, fear, or excitement. This surge of emotion is what compels recipients to take immediate action without thinking.

  3. Deceptive Content

Phishing emails contain links or attachments that when clicked and opened can lead to malicious websites or infect the devices of victims. On first look, these links and attachments look real, but they’re designed to steal login credentials and personal information.

  4. Fake Websites

Scammers make up fake websites that look like the real websites of big brands. For example, a user receives an email from john.amazon@gmail.com about a discount offer with a link to the product. Once the user clicks on the link, they’re redirected to aamazon.com, when they should be led to amazon.com. This is a common scam that happens to thousands of users every year.

Once the victim places the order and enters their banking information, all the information is stolen and the money is lost forever.

  5. Credential Theft

Fake websites prompt victims to enter the usernames and passwords of specific accounts. Once this information is added, the scammer steals the information and uses it to conduct scams.
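The lookalike pattern in the john.amazon@gmail.com and aamazon.com example can be checked automatically by a mail filter. The following is an added example, not code from the original article: the protected-brand list, the free-mail list, the distance threshold, and all function names are assumptions chosen for illustration, and the registrable-domain logic is deliberately naive.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lists (assumptions for this example, not from the article).
PROTECTED_DOMAINS = {"amazon.com", "apple.com", "paypal.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MAX_DISTANCE = 2  # assumed threshold: number of single-character edits that counts as "close"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive: keep the last two labels. A production filter would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def nearest_brand(domain: str):
    """Return the protected domain that `domain` nearly matches, or None."""
    for brand in sorted(PROTECTED_DOMAINS):
        if 0 < edit_distance(domain, brand) <= MAX_DISTANCE:
            return brand
    return None


def classify_link(url: str):
    """Classify a URL as legitimate, lookalike or unrelated to the protected brands."""
    domain = registrable_domain(urlsplit(url).hostname or "")
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", domain)
    brand = nearest_brand(domain)
    return ("lookalike", brand) if brand else ("unrelated", None)


def classify_sender(address: str):
    """Flag lookalike sender domains and brand names used at free-mail providers."""
    local, _, host = address.lower().rpartition("@")
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", domain)
    brand = nearest_brand(domain)
    if brand:
        return ("lookalike", brand)
    if domain in FREE_MAIL_DOMAINS:
        tokens = set(re.split(r"[._+-]", local))
        for brand in sorted(PROTECTED_DOMAINS):
            if brand.split(".")[0] in tokens:
                return ("brand-in-local-part", brand)
    return ("unrelated", None)


def triage(sender: str, urls):
    """Return human-readable findings for one message."""
    findings = []
    verdict, brand = classify_sender(sender)
    if verdict not in ("legitimate", "unrelated"):
        findings.append(f"sender {sender}: {verdict} of {brand}")
    for url in urls:
        verdict, brand = classify_link(url)
        if verdict == "lookalike":
            findings.append(f"link {url}: lookalike of {brand}")
    return findings


if __name__ == "__main__":
    # Constructed message based on the article's example.
    for line in triage("john.amazon@gmail.com",
                       ["https://aamazon.com/deal", "https://www.amazon.com/help"]):
        print(line)
```

Edit distance only catches near-miss spellings; a brand name placed in a subdomain or a non-Latin homoglyph needs separate checks.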

Types of Phishing Attacks

The most common types of phishing techniques include:

  1. Standard Email Phishing

The scammer shares several fake emails asking the receiver to share personal information or login credentials. These attacks are aimed at large organizations as most employees have limited phishing awareness.

  2. Spear Phishing

This particular attack targets specific individuals. Attackers assume the identity of a real organization. The attacker then sends personalized emails to the target. As the text often includes specific details about the victim, it appears authentic. Over time, the victim trusts the email sender.

  3. Whaling

A whaling attack targets ‘big names’ such as high-level executives. It involves sophisticated social engineering methods to trick the victims into transferring large amounts of money into the attacker’s bank account. 

  4. Business Email Compromise (BEC)

The attackers build a lookalike of the account owner’s email address and send fraudulent emails from it in an attempt to steal money from the company.

  5. Malware Attacks

In a malware attack, the attacker tricks the victim into downloading an attachment or files that contain malware. As soon as a user downloads and opens the attachment, it installs malware on the device.

How to Mitigate Phishing Scams?

Businesses can protect their people and information assets from phishing attacks by following these simple practices:

  • Implement email security software to protect devices from malicious domains. Also, use anti-virus software to scan all emails and attachments.
  • Use training and phishing simulations to teach your employees common phishing techniques and how they work. 
  • Make sure that you always use strong passwords and multi-factor authentication to secure accounts and devices.
  • Discourage users from sharing or reusing the same passwords to minimize the possibility of credential theft.
  • Ask users to use a password manager to generate and store their passwords. 
  • Prevent users from opening emails and attachments from unknown and suspicious senders.
  • Educate users on the common “red flags” that are a sign of a phishing attempt.

Trade-Based Money Laundering

The AML landscape is evolving continuously, so fraudsters come up with new ways to launder money. One of these new and unique ways to exploit the financial systems and launder money is cross-border trade.

Trade-based money laundering is becoming an issue. To prevent trade-based money laundering, new steps are being taken.

In this guide, we’ll dive into trade-based money laundering, and how it works.

What is Trade-Based Money Laundering?

Trade-based money laundering is when a fraudster moves illegal funds through the international trade system to clean them. TBML practices often include:

  • Falsification of original price.
  • Quantity and quality of the imported/exported goods.

TBML takes advantage of the complexity of the trade system, especially the international trade system, where multiple parties and jurisdictions are involved. Multiple jurisdictions mean overlapping KYC, AML, and CDD rules and regulations.

TBML is slowly becoming a major concern for governing bodies around the world. It rose to its peak during the COVID era when supply chains and the regulatory landscape were disturbed. 

Since then, several global firms have embedded supply chain risk management into their AML programs. Over 45% of global businesses claim that they’re focusing on improving the management of supply chain risks in 2023 and beyond.

How Does Trade-Based Money Laundering Work?

Fraudsters use trade-based money laundering in a number of ways, but the most common ones include:

  • Over-invoicing – The exporter submits an invoice that’s overpriced to the importer, generating a payment that exceeds the value of the goods shipped. Importers often transfer the stated amount on the invoice instead of checking for the real value. 
  • Under-invoicing – The exporter sometimes submits an invoice that has less value than the products. They ship the goods with greater value and then transfer that value to the importer.
  • Multi-invoice – The exporter sends an invoice to the importer multiple times for the same product/shipment. The exporter then transfers greater value from the importer to the exporter. 
  • Over-or under-shipment – The exporter ships more goods than they previously agreed on. They end up transferring greater value to the importer. Or, the exporter ships fewer goods than agreed on. The importer often pays the original amount without checking the goods.
  • Misrepresenting the Quality – Goods shipped to the importers are purposefully misrepresented as being of higher quality. The importer pays for the high-quality goods but receives cheaper quality.

Examples of Trade-Based Money Laundering

There are some examples of trade-based money laundering that every business should be aware of. Prevention can only happen when businesses are aware of the latest trends.

Here are the biggest examples of trade-based money laundering:

  • A letter of credit for a high-value cross-border import is highlighted to have anomalies when it is examined by the routing bank. When the bank investigates deeper, it reveals missing and unrecognized documentation with the import agents. The bank then rejects the transaction and returns the drawing documents.
  • The first beneficiary of a multi-million dollar letter of credit has to supply medical goods for another country’s Bureau of Health. However, the second and ultimate beneficiary of the credit issues invoices that don’t match those submitted by the first. It’s shown that the first beneficiary has the invoices marked up by 300% and is additionally revealed to have a connection with the firm acting as the agent to the Bureau of Health.
  • Several shell companies purchase electronics with funds derived from criminal activities and later sell the goods to buyers in high-risk countries that don’t have any due diligence. The shell companies receive the money. The banks that handle the transactions notice a number of red flags. The biggest red flag is that the companies are registered in high-risk countries.

Steps to Identify Trade-Based Money Laundering

Businesses may have an easier time spotting TBML activity if they’re familiar with the methodologies associated with it.

Here are the indicators of TBML:

  • Unusually complicated or illogical corporate structures, such as the use of shell companies or companies registered in high-risk countries. 
  • Trading entities registered at mass registration addresses with no reference to any specific unit.
  • Trading businesses that have addresses that don’t reflect the businesses in which they’re engaged. 
  • Missing, counterfeit, or fake trade documents. 
  • Trading businesses that don’t have an online presence or that have an online presence that doesn’t match their business’s stated services. 
  • Trading activities that don’t reflect a stated line of business, for example, car dealers trading in textiles or precious metals. 
  • Payments for imports that are made by parties other than the account holder.
  • Trading entities that purposefully complicate the use of financial products.
  • Inconsistencies or discrepancies across trade documents such as contracts and invoices. 
  • Trade documents with values that aren’t consistent with market values or other comparable transactions. 
  • Trading entities that make very late changes to payment arrangements. 
  • Frequent cash deposits just under the reporting thresholds.

How to Prevent and Detect TBML?

TBML can involve multiple parties and jurisdictions, and some of the schemes are very complicated to detect. To mitigate the risk of TBML, compliance teams need to have an understanding of business-wide risk assessments to determine their risk exposure.

Here’s how to prevent and detect TBML:

  • Robust CDD

To uncover TBML, businesses of all kinds should implement CDD measures that use a combination of technology and expertise.

Businesses need to obtain a clear picture of all entities they do business with. To be able to do that, businesses need to verify documents, ownership documents, address documents, and more. Compliance teams should ensure they have access to a real-time document verification solution that helps them verify the identity of every entity they have to verify.

  • Reputable Adverse Media Screening

Since adverse media can be a TBML structural risk indicator, businesses need to make sure their negative news screening solution can differentiate between true adverse media content at scale.


Flaws in Knowledge-Based Authentication (KBA)

Knowledge-based authentication (KBA) has been the industry standard for over 20 years as a method of identity verification. KBA has been an outdated mode of verification for a long time. This is a flawed approach to verifying identities as it uses stagnant data. The same data has been breached and accessed by thousands of users worldwide. Personal data and answers to knowledge-based questions are readily available on the dark web.

Fraudsters have become more proficient in answering all the credit-based questions than the people who have to rely on the quizzes. 

This flaw was first recognized in 2015 which led the National Institute of Standards and Technology (NIST) to limit the use of KBA in their latest version of Special Publication. The latest publication is the most widely used ID verification standard in the United States.

However, KBA is commonly used by state and local agencies to verify identities. The most common uses include motor vehicle registration, online portal access, and notarization. 

KBAs are considered to be the backup for manual identity verification. But it’s still not a good enough solution as KBA data has been breached multiple times. Personally identifiable information goes as low as $1 on the dark web.

Current Problem with KBAs

The biggest problem with KBAs is that the data is available with ease almost everywhere on the dark web. Once fraudsters have answers to questions, they’re easily able to bypass security measures and gain illegal access to user accounts. 

Fraudsters often find the path of least resistance to gain illegal access to systems. If businesses choose to use knowledge-based authentication to verify identities, they are only using a flawed method.

To properly identify identities and verify users with ease, businesses need to move forward from Knowledge-Based Authentication (KBA). Solutions like DIRO document verification tool, and other verification solutions can help businesses verify the identities of users ideally.

DIRO’s document verification solution can quickly and accurately verify identities and prevent the risk of fraud while ensuring the integrity of user accounts.

Why Businesses Shouldn’t Rely on KBA

Hackers and fraudsters have exploited the breaches and data thefts to quickly bypass the login systems. Using solutions like DIRO document verification can help businesses with far more accurate verification and huge cost savings.

1. Flaws in KBA

The biggest flaw in KBA lies in its reliance on static and outdated information. Information like Social Security numbers, addresses, and personal details, are easily stolen.

Hackers and fraudsters have exploited these breaches regularly to collect necessary information. Moreover, the easy availability of personal data on the dark web and social media has significantly reduced the effectiveness of KBAs.

2. NIST Non-Approval of KBA

The NIST has made KBAs a non-approved technology in their latest version of Special Publication 800-63-3. This reflects a growing acknowledgment of how ineffective the knowledge-based authentication process is.

KBA’s deprecation signifies a need for more secure and sophisticated alternatives to make sure accounts are verified properly.

3. Risks of Relying on KBA

Businesses that solely rely on KBAs are at a serious risk of hurting their business. It makes sense that state agencies use KBA for verifying the identity of users as it’s easy to use and familiar.

With modern cybersecurity threats becoming increasingly sophisticated, businesses and governments need to use a more secure solution.

4. Adoption of Biometrics

Using biometric verification in the identity proofing process can enhance the security of the process, as biometric data is unique to each individual and cannot be easily replicated or stolen.

Technologies such as fingerprint recognition, facial recognition, or retinal recognition can provide a more robust and secure way of verifying identities.

5. Behavioral Analytics

Instead of using biometrics data, businesses can use behavioral analytics data to verify if a user account is hacked. A user’s behavior patterns, such as typing speed, mouse movements, or smartphone usage habits, are unique to each user.

Any sudden change in the patterns of a user can be an indicator of fraud.

Final Take

Relying on knowledge-based authentication (KBA) for identity proofing has been flawed for a long time. Relying on data that has been breached and stolen countless times to identify a user isn’t a great idea.

By using more secure options like the DIRO document verification solution, businesses can quickly and ideally identify user identities.


iGaming Regulations and KYC

Latin America is quickly becoming a fast-growing market for iGaming operators. According to reports, over 70% of iGaming operators plan to expand to Latin American and Central American markets in the next couple of years.

The iGaming market in Latin America is highly diverse and entertaining and it has been growing in recent years. One of the biggest factors behind this is the growing availability and affordability of high-speed internet and smartphones. Another driving force is the increasing love for online gaming in Central and South America.

As Latin America represents a complicated map of jurisdictions with 34 countries and union territories, regulation has been a problem. But recently, there has been a positive shift in the regulatory space as well.

To help out both the iGaming operators and the players, we’ve created this guide for iGaming regulations and KYC in Latin America.

iGaming Regulations in Argentina

In Argentina, the gambling regulation is controlled by the country’s 23 independent provinces and the autonomous city of Buenos Aires. Several provinces in Argentina and Buenos Aires have legalized online gambling.

The authority that acts as a watchdog for AML regulations is the Congreso de la Nacion Argentina. It keeps an eye out for all the operators to see which ones aren’t following the regulations.

The regulatory landscape and the licensing regulation vary from province to province. All the operators have to screen players to prevent money laundering and make sure that gaming transactions go through state-owned banks.

iGaming Regulations in Brazil

With a population of over 200 million and a huge fan following for all things sports, Brazil has a quickly growing gambling market. Unfortunately, there’s no regulatory framework right now. Without a regulatory framework, it will be next to impossible for the iGaming industry to thrive.

Brazil has a history of high taxes, and if sports betting is subject to similarly high rates of taxation, it could discourage the investment in the market.

iGaming Regulations in Chile

The future of regulated iGaming in Chile is currently unclear as it attempts to both regulate and prohibit offshore online gambling companies. There’s a land-based gaming industry that’s riddled with lawsuits because of grey market operators. 

If there ends up being a regulatory framework in Chile, the platform will be directly under Superintendencia de Casinos de Juego (SCJ) and operators will have to maintain strict security standards. 

iGaming Regulations in Colombia

Colombia was the first Latin American country to regulate online gambling. All types of iGaming are allowed and regulated in Colombia, including casinos, bingo, poker, and sports betting.

Colombia’s national regulator, Coljuegos, has built a strong regulatory framework that ensures operators follow all the rules. Coljuegos also allows operators to apply for licenses and submit reports digitally, making the entire process fairly seamless.

This entire framework has led to reliable data and regular reports on the performance of the industry. 

iGaming Regulations in Mexico

Mexico is one of the most popular markets for iGaming operators. 95% of the online casino operators are looking to expand to Mexico in the span of the next 5 years.

Mexico has a population of over 120 million and a mobile penetration rate of about 60%. This makes Mexico one of the largest iGaming markets in Latin America.

All the land-based casinos in Mexico are completely regulated. However, the online gaming market is in the grey area of regulations. Online casinos and sports betting operators don’t require digital licenses. They operate in partnership with a land-based license-holder casino.

iGaming KYC Compliance in Latin America

The requirement for financial transfers and the risk of fraud is always a factor of concern for the iGaming industry. To successfully manage fraud, the iGaming industry needs to have proper regulations.

Local compliance is continuously acting as a key barrier in Latin American markets. Businesses are also aware that they are likely to incur additional scrutiny in Latin American markets.

Newly regulated markets attract both wanted and unwanted attention. As iGaming markets open up, it’s more than likely that national regulators will implement strict rules on KYC and ID verification.

iGaming operators will need to adapt to these regulations and implement sophisticated measures to ensure compliance and build customer trust.

FAQs

What is KYC?

Know your customer (KYC) is a requirement for regulated industries. In KYC, businesses have to verify the identity of customers before onboarding them. Businesses must carry out continuous monitoring to ensure customers are legit and they don’t pose a threat to the business.

What KYC checks are available in Latin America?

KYC checks include data, documents, biometrics, and PEPs sanctions list checks. Each business uses a different method of verification. Some businesses combine verification methods to enhance due diligence.


Third-Party Fraud – Definitions and Examples

Third-party fraud is when a fraudster uses an individual’s or company’s information to commit fraud. Third-party fraud is more commonly known as identity theft. It is the type of fraud that impacts most individuals across the globe every year.

In 2023 alone, over 1.4 million cases of identity theft were reported to the FTC. The number is expected to double by the next year.

Third-party fraud is committed by all types of criminals – from individuals trying to use a stolen credit card or take out a loan in somebody else’s name.

While third party fraud usually involves using someone else’s personal information to commit fraud, some fraudsters also use synthetic identities.

The primary victims of third-party fraud are financial institutions, retailers, eCommerce stores, and, of course, the people whose identities have been stolen.

Difference Between Third-Party, First-Party, and Second-Party Fraud

If you want to know how third-party fraud differs from first and second-party fraud, it helps to understand the other types:

  • First-party fraud is committed by a person or a company in their own name. Most common examples of first-party fraud include falsifying information for credit applications, claiming dishonest refunds, or disputing legal transactions to claim chargeback fraud.
  • Second-party fraud involves using an individual’s or company’s details. But the fraud is committed by someone who has given those details voluntarily. Someone may allow their account to be used for money laundering, or they may work with a fraudster in a “fake merchant” scam.

In both first-party and second-party fraud, the legit holder of the details (or accounts) is involved in the fraud. In third-party fraud, the individual or the company whose details are being used has no idea that their information has been stolen.

Types of Third-Party Fraud

Third-party fraud comes in all shapes and sizes, and fraudsters constantly work to find new and inventive ways to commit the fraud.

Some of the most common types of third-party fraud include:

  • Account takeover fraud – As the name suggests, this type of fraud involves criminals gaining access to individual bank accounts. Then, they use the bank account to make purchases or divert funds.
  • Credit Card Fraud – Credit card fraud involves all kinds of frauds that happen due to stolen or cloned credit cards. Once a fraudster illegally obtains a credit card, they use it to make purchases or take cash loans.
  • New Account Fraud – This type of fraud involves fraudsters opening new accounts using stolen personal details. New account fraud can also happen with synthetic identities or by combining fake and legitimate information.

Examples of Third Party Fraud

Here are some of the best real-life examples of third-party fraud:

  • In 2017, a fraudster named Kenneth Gibson opened around 8,000 false PayPal accounts in the names of employees of a company he worked for in the past. He kept moving money around in small amounts, which he withdrew via an ATM. It was the repeated trips to the ATM that led to the discovery of the fraud.
  • Anthony Lemar Taylor stole the identity of golfer Tiger Woods, initially by fraudulently obtaining a driver’s license in his name. He used the stolen identity to purchase goods worth $17,000, which included a car and a 70-inch TV. Eventually, he was caught and sentenced to jail.
  • In 2018, fraudster David Matthew Read went on a $169,000 “shopping spree” using a replacement American Express Black card that he managed to obtain in the name of the actress Demi Moore.

While these fraudsters got caught, a huge amount of third-party fraud goes undetected and unpunished.

Third-Party Fraud Trends

Businesses like banks, credit reference agencies, and card providers are the ones who report new trends in third party fraud.

In January 2023, Experian reported that third-party fraud was growing in relation to current accounts, savings, card, and loan accounts.

One particular trend is an evolution in fraudsters’ methods of collecting the personal data they need to carry out the scams. Trends include:

  • Fake job advertisements
  • Messages pretending to be family members
  • Fake investment schemes
  • Messages about fake government assistance grant schemes
  • Emails pretending to be businesses.

Some other fraudsters look to take advantage of the popularity of crypto investments and use underground fraud as a service.

How to Prevent Third Party Fraud?

Preventing third-party fraud is becoming more and more important for both individuals and businesses.

The basics of preventing fraud, such as using complex and unique passwords, installing cybersecurity software, and being vigilant when using public WiFi networks, are important. Educating your user base on how to stay vigilant is also important.

A huge amount of third-party fraud happens due to human error. People need to be trained to recognize spam emails and fake websites.

Businesses should think about investing in third-party software that helps verify the identities of businesses and consumers.


DAC7 Compliance

The COVID-19 pandemic boosted the digital commerce space like never before. The gig economy also saw a boost as companies all over the world looked towards remote workers. The gig economy has always been outside the traditional norms of business, allowing delivery drivers, vacation property owners, and similar businesses to avoid paying taxes on these transactions.

Due to this, the IRS made new rules for gig economy tax evaders. IRS has made it compulsory to provide reports of income generated from on-demand services and goods and digital platforms. 

The EU has also had the same legislation in the works for a long time. If you’re a digital platform owner in the EU or if you have sellers on your platform from the EU, you should be aware of the DAC7 directive. 

Let’s dive a bit deeper into DAC7 and what it means for EU businesses.

What is DAC7?

In March 2021, the European Council released the DAC7 directive. DAC7 aims to extend the scope of existing tax transparency laws for digital platforms. The directive requires platform owners to collect and report personal and business information on income realized by sellers using their platforms for commercial services.

The goal of the directive is to ensure that all taxes (income tax & value-added tax) are reported and assessed. The gig economy and sharing economy have been evading tax. DAC7 went into effect on January 1, 2023. It applies to everything from ride-sharing and food delivery apps to online jobs and other digital marketplaces.

Even businesses in traditional industries may come under the scope of DAC7. That is, if they connect third-party sellers and users through their website for commercial activities. 

Payment processing platforms such as PayPal, Venmo, and Stripe, platforms that only allow users to advertise goods or services, and platforms that redirect or transfer users to another platform don’t have to comply with DAC7.

Businesses that Have to Comply with DAC7

DAC7 applies to digital platform operations incorporated or managed in the EU. It also applies to tax residents in the EU who engage in commercial activities that don’t fall under general tax rules. 

Digital platform owners/operators located outside the EU who host sellers who are EU residents or facilitate the rental of property in the EU have to comply with DAC7 as well. 

Here’s a complete list of those who have to comply with DAC7:

| Business Types | Examples |
| --- | --- |
| Sales of Goods | Second-hand items, collectibles, real estate |
| Rental of Immovable Property | Co-working spaces, parking spaces, vacation homes |
| Delivery or Performance of Personal Service | Paid live streaming, food delivery services, ride-hailing |
| Rental of Any Mode of Transport | Scooters, cars, bicycles |

Whose Information Has to Be Reported?

Under the DAC7 directive, any platform that hosts EU resident sellers who conduct business on the platform has to report the seller’s information. Businesses must also report information about non-EU residents who rent immovable property.

On the other hand, government and publicly traded entities are exempt from complying with DAC7. Casual sellers that have fewer than 30 sales whose amount equates to less than 2,000 euros are also exempt, as are smaller hotel chains and tour operators that have conducted fewer than 2,000 transactions in a reporting period.

What Information Has to be Reported?

If you’re a digital platform operator, you’re obligated to start identifying and collecting specific information from sellers on your platform as of January 1, 2023:

  • Seller’s identity – full name/legal name, primary address, DOB
  • EU member state of residence
  • Financial account information
  • Tax identification number
  • VAT/Business registration number (for entities)
  • Consideration paid or credited per quarter, along with any fees, commissions, or taxes withheld by the reporting platform operator.

If you’re operating a platform that deals with immovable rental property, you’re required to report additional information, including:

  • Address and land registration number of each property listing.
  • Total number of days a property was rented.
  • The total amount paid in the reporting period.
  • Any fees, commissions, or taxes withheld or charged by the platform in the reporting period.

You, as a business, have to inform the seller in advance that their information will be collected and reported. If the seller doesn’t share their data, you, as a business, are obligated to send 2 reminders. If the seller fails to provide the data for 60 days, the business has to remove the seller from the platform and close the account.

How to Comply With DAC7 Reporting Obligations?

Businesses can comply with DAC7 reporting obligations by submitting all their EU seller information in one member state. If you’re a registered business in the EU, you’ll have to submit your information in the state in which you’re registered. 

As a business, you have to submit your reportable information no later than January 31 of the year following the calendar year in which you identify a reportable seller. The final deadline for the reporting period is January 31, 2024. 

Once the information is submitted, the member states’ tax authorities will distribute the information among themselves. EU member states are required to exchange information within 2 months of reporting. 

You can submit the information yourself or find a service provider to do that for you.

How to Prepare Your Business for DAC7?

If you’re a business operating in the EU, there are some steps you need to take to prepare your business for DAC7. It’s all about how you collect data and how you report the entire process. Here are some initial questions to answer as reporting requirement dates come closer:

  • Does your business already collect all the data you need from the sellers for reporting? If not, what should you do, process- and systems-wise, to collect the data?
  • Do you need to make any changes to the terms and conditions or posted consent policies to facilitate data collection from sellers?
  • Which steps do you need to take to keep the collected data safe from hackers and data breaches?
  • Which systems and processes do you need to upgrade or implement to validate the seller’s information before reporting?
  • Is your business subject to other regulations or laws that require you to collect similar information and have similar reporting requirements?

How DIRO Can Help

DIRO document verification can help businesses comply with the EU’s DAC7 directive.

Our online document verification solution can help you verify businesses and onboard them quickly. You can collect and verify a business’s bank account information, address, incorporation documents, and other valuable data.

DIRO verifies documents directly from the issuing source, eliminating the use of fake and stolen documents.


Application fraud

Let’s just agree on one thing – digitization has changed the financial sector for the good. No more waiting hours, no more visiting brick-and-mortar locations, and the ability to do things instantly.

But, there’s a downside to doing everything digitally. Without face-to-face interaction, businesses become open to application fraud. As banks can’t see the person that’s behind the screen, fraudsters can easily commit fraud. 

This is a challenge that financial institutions, realtors, creditors, and other businesses face every day. Even a minuscule miscalculation on the business’s end can lead to huge losses. 

Fortunately, there are ways to protect businesses against application fraud. In this article, we’ll go over everything about application fraud.

What is Application Fraud?

Application fraud is when an applicant submits false information to a business for approval. This can include misrepresenting personal or financial information, including:

  • Falsifying employment history
  • Inflating income
  • Providing fake ID documents
  • Misrepresenting credit history

The biggest example of application fraud is when an individual applies for credit cards, loans, or other products. A fraudster would use fake information about their finances, employment, or other relevant details. 

If everything goes the fraudster’s way, they will have access to a credit card or a loan that they can use to conduct other financial frauds.

How do fraudsters get access to the fake information? Well, just in 2023, over 4.5 billion personal information records were stolen. 

Technology has made it easier than ever to steal personally identifiable information.

How is Application Fraud Committed?

Consumers want instant financial services. So, banks, credit unions, and other financial institutions offer digital products to keep up with customer demands.

Processing online applications puts businesses at risk of being defrauded. When a person applies for a credit line or loan, they expect a seamless process. To make this happen, companies offer fast approval times. These fast approval times lead to mistakes and invite fraudsters to commit third-party fraud.

When committing third-party fraud, criminals will fill out applications under someone else’s identity trying to trick the organization. If a fraudster has enough information at hand, they can trick the systems. 

By the time the company or the individual figures out the fraud, it’s too late. Because of digitization, criminals can submit fraudulent information to as many companies as they want. This is only possible because of advanced tools like bots, cloud infrastructure, and virtual machines.

This is likely why loan application fraud is growing.

Common Methods Criminals Use for Application Fraud

Scammers use a number of methods to commit application fraud. One of the most common is using synthetic identities.

It’s challenging to identify this type of fraud when businesses accept applications and ID documents online. But how do scammers collect this personal information and commit application fraud?

1. Breaching Databases

Data breaches happen to businesses of all scales. Some happen intentionally, while others happen by accident. An accident might be an employee creating an insecure password or leaving the password somewhere anyone can access it. 

It’s highly common for data breaches to happen when hackers blatantly target an entity to breach its database. Fraudsters use a number of technologies to break into a company’s database. They often use bots that try millions of variations of a password to brute-force it. 

Once a data breach happens, millions of data records can be stolen. Common data includes:

  • Names
  • Date of birth
  • Addresses
  • Phone numbers
  • Account details

2. Targeting Call Centers

The Internet isn’t the only way criminals are stealing identities. The second most used method is using call centers. Unfortunately, voice isn’t enough to determine someone’s identity, making call centers another easy target for fraudsters.

As there’s no way to detect synthetic identities or fraud patterns, criminals can easily use this to their advantage. 

3. Intercepted Mail

Intercepting mail is more sophisticated than stealing envelopes from mailboxes and hoping to grab something valuable. Criminals today use USPS Informed Delivery while applying for credit cards. This is a service that USPS offers to allow users to track mail and packages before they are delivered.

This notifies the scammer when the credit card will be delivered so they can snatch it before the legit customer has a chance to see it. 

4. Using Cloud Infrastructure

Criminals also use virtual spaces to commit identity theft and application fraud. This includes using the same cloud services businesses use daily. Fraudsters use the cloud to run automated scripts and bots to conduct large-scale fraud attacks.

Bots can also be used for brute-force attacks, breaking into accounts by entering different variations of PINs and passwords. It’s not uncommon for fraudsters to search for available credentials. This is when fraudsters use a collection of personally identifiable information.

How to Detect and Prevent Application Fraud?

  1. Security Measures for In-House Personnel

Employees are the first line of defense against fraudulent attempts, so they should be educated about fraud applications. To detect and prevent application fraud, businesses should educate employees on:

  2. Machine Learning Solutions

Artificial intelligence and machine learning are revolutionizing the industry. AI and ML technologies can make it possible for companies to detect and prevent various types of fraud. Financial institutions use rules engines and a mix of supervised and unsupervised machine learning.

But these technologies become outdated, so you need solutions that can evolve. If solutions are not updated, engines and rules-based systems can become susceptible to false positives.

  3. AI for Application Fraud Detection

Financial institutions also use AI-based document verification tools for fraud detection. Some AI solutions use existing data sets to verify information provided by customers.

This offers more efficient and ultimately automated document fraud detection, leading to fewer loan write-offs. Using AI for fraud detection is excellent for organizations that process dozens or even thousands of applications every day. This leads to a lower risk of fraud and improves user experience.

Conclusion – Fight Application Fraud

Digital transformation is an ongoing trend for modern businesses. Organizations are becoming quick to adopt new technologies to streamline operations, improve customer experiences, and boost competition.

But as businesses increasingly rely on interconnected devices, the risk of fraud is also increasing. Application fraud poses huge risks to businesses, which can lead to huge financial and reputation losses.

Businesses should rely on all available methods such as DIRO to prevent application fraud. DIRO document verification verifies documents from the issuing source to prevent the use of fake and stolen documents. This helps businesses improve the entire onboarding process and user experience.


Protecting Yourself from Holiday Shopping Fraud

The holiday season is upon us, with Black Friday and Cyber Monday just around the corner. As the festive shopping rush begins, it’s important to stay vigilant against potential fraudsters who are gearing up to exploit the season’s hustle and bustle with different holiday shopping fraud.

Whether you’re a retailer hiring seasonal workers or a shopper making wish lists, staying informed about common scams can help you safeguard your financial security. 

Here are five prevalent scams that are expected to show up this holiday season.

5 Ways to Protect Against Shopping Scams

There are some basic steps everyone can follow to prevent holiday shopping fraud. Without proper vigilance, it’s almost impossible to distinguish between legit sellers and scammers.

1. Vigilance Against Phishing Attacks

Phishing attacks are the biggest concern, and they intensify during the holiday season. At this time of year, fraudsters often deploy emails or text messages designed to lure recipients into sharing personal information or clicking malicious links.

These messages may appear to come from legitimate businesses and offer enticing rewards or promotions for minimal effort.

For instance, fraudsters may exploit the increase in package deliveries by sending fake tracking notifications or emails that claim there’s an issue with a shipped package. The end goal is to prompt recipients to enter sensitive information.

To defend against these scams, it’s crucial to exercise caution and critically evaluate suspicious offers. Ask yourself whether a legitimate organization would request payment details or personal information through such means. 

If in doubt, reach out directly to the business using verified contact information to confirm the legitimacy of the message.

2. P2P/Zelle Scams: Be Wary of Unsolicited Calls

Scams involving peer-to-peer (P2P) payment apps like Zelle are an ongoing concern. Use of these apps tends to spike during the holiday season. Fraudsters love to impersonate banks or credit card companies, making unsolicited phone calls to victims. 

They may claim there’s been fraudulent activity on the victim’s account and instruct them to transfer money to a purportedly secure account—owned by the fraudster.

In addition, fraudsters may manipulate consumers into making payments through P2P apps outside the legitimate shopping websites. 

For example, they might pose as sellers on popular marketplaces and entice buyers to make direct payments through P2P apps to evade fees or secure exclusive deals. 

To avoid falling victim to these schemes, stick to the official payment methods offered by trusted websites and never make direct payments to individuals.

3. Guarding Against Account Takeover

Account takeover scams, a time-honored tactic, continue to pose threats during the holiday season. In these scams, fraudsters gain access to victims’ accounts and exploit their credentials to make unauthorized transactions, often targeting e-commerce and retail accounts.

Be vigilant for notifications about unusual orders, shipping addresses, or other account changes. Amid the holiday rush, it’s easy to overlook such notifications, so be proactive in monitoring your accounts.

If you suspect any unauthorized activity, act promptly to secure your account and prevent further fraudulent actions.

4. Promotion Abuse: Don’t Fall for Too-Good-To-Be-True Offers

Holiday sales often tempt consumers with irresistible promotions. Scam artists capitalize on these offers, exploiting promotions that involve referrals, sign-ups, or Buy Now, Pay Later (BNPL) services.

They may open fraudulent accounts to cash in on these promotions or leverage bots to automate the process. Be cautious if you receive confirmation emails about new accounts you didn’t create.

While you might not directly suffer financial losses, the prospect of fraudsters using your personal information illicitly remains a concern.

5. Vigilance Against Fake Websites and Seller Accounts

Fraudsters deploy fake websites and social media accounts to impersonate legitimate businesses, thereby enticing users into divulging personal information or downloading malware. 

These fake websites are designed to closely mimic authentic ones, even appearing in search engine results and sponsored ads. Similarly, on e-commerce platforms like eBay, fraudsters create counterfeit seller accounts to trick consumers into paying for nonexistent items or services.

Exercise caution while clicking on links in emails or social media posts to mitigate these risks. Verify the legitimacy of websites before entering personal information. If a deal seems too good to be true, it’s wise to approach it skeptically.

Secure Your Shopping Experience

While the holiday season offers joy and celebration, it also presents an opportunity for fraudsters to exploit unsuspecting consumers.

To protect yourself, remain vigilant, and adopt a skeptical approach to unfamiliar offers or communications. Staying informed about prevalent scams and following best practices can ensure that your holiday shopping remains safe and secure.

Remember, your awareness and proactive response to fraud are powerful tools in thwarting fraudsters’ attempts and preserving the joyous spirit of the season.

FAQs

1. What does “Holiday Shopping Fraud” refer to?

Holiday shopping fraud involves various deceptive activities that target shoppers during busy holiday seasons, aiming to steal personal and financial information, money, or merchandise.

2. Why is holiday shopping a prime time for fraud?

During holidays, people are often in a rush and more willing to make purchases online or in-store. This creates opportunities for fraudsters to exploit vulnerabilities in payment systems, websites, and customer behavior.

3. What are the common types of holiday shopping fraud?

Common types include phishing emails, fake websites, identity theft, counterfeit products, gift card scams, and online auction fraud, where buyers pay but don’t receive items.

4. How do gift card scams work?

Scammers might request payment via gift cards for various reasons (e.g., fake tech support, overdue bills). Once the gift card codes are given to scammers, they can’t be traced or refunded.

5. What should I do if I suspect a phishing attempt?

Don’t engage with the message. Report it to your email provider and the relevant authorities. If it’s from a legitimate organization, contact them through official channels to verify the communication.


Biometric Verification

Proving ourselves online has become a relatively recent problem. As the world becomes interconnected, it becomes harder to distinguish between legit users and people who imitate a legit user. Document verification and identity verification methods are essential when high-risk transactions are involved.

ID verification and other similar methods have become necessary for the identity-proofing process.

Several methods exist to verify our identity, including biometric data such as faces, fingerprints, eyes, and voice.

What is Biometric Authentication?

Several biometric verification methods allow us to prove who we are online. Biometric authentication is commonly used for device security, authenticating online transactions, immigration controls, and patient identification in healthcare.

All biometric recognition solutions compare the digital representation of a physical or behavioral feature with a previous template.

Biometric systems must operate at a pre-determined recognition accuracy and meet the speed and organizational resource requirements.

Advantages of Biometric Verification

Using Biometric verification is different from relying on third-party verification solutions. That doesn’t make biometric authentication inferior to other solutions.

Here are the advantages of Biometric authentication:

1. Fast and Convenient

Some types of biometric authentication are faster than others. Almost all verification can be done within seconds. Biometric verification is a convenient and secure method for protecting against ID fraud.

Biometric authentication is enough on its own and doesn’t require PINs, passwords, KBAs, or other responses, eliminating the need to remember passwords. The best part of biometric authentication is that there’s no need to carry credentials.

2. High-Level of Security

Unlike KBA, biometric authentication has no information that hackers can steal. Cyberattacks and data breaches don’t risk the stealing of biometric data. To have a chance at stealing biometric data, hackers have to target specific individuals.

To imitate an individual’s physical characteristics, fraudsters have to use sophisticated circumvention of scanners or camera sensors in a biometric system. Stolen and impersonated biometric data can still be tested with liveness checks to ensure the person is legit.

3. Tough to Fake Genuine Presence

Biometric verification is trusted because it’s directly related to the genuine presence of the owner.

The US National Institute of Standards and Technology evaluates and ranks liveness detection technology to ensure that only the best is used. Combining biometric authentication with liveness checks makes biometric systems hard to imitate.

Disadvantages of Biometrics Authentication

It’s not all good when it comes to biometric authentication; the solution also has some drawbacks, such as:

1. False Biometric Matches Can Happen

While it is rare, a false biometric match can happen. It happens when the biometric data of two individuals is confused. Most of the time, it occurs in the case of two similar-looking siblings. If the biometric data used is incorrectly recorded, then the chances of these mistakes happening increase dramatically.

To reduce the false approval rates in biometrics authentication systems, the system should be able to capture high-quality biometrics data. It should also be able to update biometrics reference data regularly to match with users.

2. Can Reject Legit Users

Instead of giving out false positives, biometric authentication can reject a legit user. This can happen when a person’s biometric traits change (with age, due to an accident, or through weight gain or loss). Poor image capture can also result in false rejections.

To prevent this, ensure that systems’ sensors capture high-quality biometric samples and templates.

3. Biometrics Bias

Biometric verification systems run on machine learning algorithms. In past studies, the US National Institute of Standards and Technology showcased that African-American and Asian people experienced a 10-100 times higher false acceptance rate (FAR).

There should be special care to train these algorithms on all-inclusive data sets that don’t discriminate against races and demographics. The best authentication systems should follow ISO standards to ensure no discrimination or disadvantage for any group.

4. Secure and Smooth Digital Experience

Brands are built on trust and excellent customer relationships. A great digital experience and a safe experience matter to businesses and customers. ID verification systems must balance these out and adjust between security and convenience according to the organization’s needs.

Multi-biometrics systems can combine authentication checks against several biometrics features.

It makes sense to layer identity data verification checks to provide an ideal level of speed and security in biometrics authentication. Verify names, date of birth, and addresses alongside biometric verification to establish trust in a person’s identity.


Protecting Against Authorized Push Payment (APP) Fraud

As online transactions continue to surge across industries, concerns over authorized push payment (APP) fraud are growing among businesses worldwide. During the first half of 2022, APP fraud constituted a staggering 75% of all digital banking fraud. This type of fraud poses serious risks to both businesses and their customers, leading to financial losses, reputational damage, and erosion of trust.

To counter the evolving tactics of fraudsters, businesses are actively seeking strategies to mitigate APP fraud risks and ensure the security of their customers’ financial information. This not only involves the implementation of robust security measures but also extends to educating customers about how to avoid falling victim to scams.

In this article, we will delve into the concept of APP fraud, explore various forms it can take, and provide insights into effective strategies that businesses and customers can employ to thwart fraudulent activities.

What is APP Fraud?

APP fraud involves scams in which criminals manipulate individuals or businesses into transferring funds to fraudulent accounts. Fraudsters employ diverse techniques to gain victims’ trust, often by masquerading as legitimate entities or individuals. 

Unlike other types of fraud, APP fraud entails victims willingly authorizing fund transfers, frequently through online banking or phone conversations. This makes recovery challenging and can result in substantial financial losses for victims.

As APP fraud continues to rise, financial institutions are implementing countermeasures. However, businesses and individuals must remain vigilant and adopt precautionary measures to safeguard themselves against these scams.

Examples of APP Fraud

APP fraud manifests in various ways, with fraudulent actors utilizing an array of tactics:

  • Impersonation Scams

Fraudsters pose as legitimate entities and request victims to transfer money to fake accounts. For instance, they may impersonate a bank employee and claim there’s an issue with the victim’s account, demanding a payment for resolution.

  • Invoice Fraud

Fraudulent actors send fabricated invoices to companies or individuals, requesting payment for nonexistent goods or services. Companies may receive invoices for services they never ordered, leading to payments to fraudulent accounts.

  • Investment Scams

Fraudsters promise high investment returns, persuading victims to transfer money to fictitious accounts. Examples include Ponzi schemes that promise lucrative returns on cryptocurrency investments.

  • Romance Scams

Fraudsters build relationships on online dating platforms and request funds to be transferred to fraudulent accounts. The notorious Nigerian prince scam is an example, where fraudsters impersonate wealthy individuals and request money for various reasons.

  • CEO Fraud

By posing as CEOs or high-ranking executives, fraudsters coerce victims to transfer funds to fake accounts. For instance, a scammer might impersonate a CEO and request an urgent payment to a supposed supplier.

  • Social Engineering

Social engineering uses psychological manipulation tactics. Fraudsters use techniques such as impersonation. They assume the identity of big companies to get victims to surrender account information and login details, or to authorize payments.

  • Phishing

Phishing scams are prevalent. Fraudsters impersonate a trusted institution via email or text to get the victim to click on a link or download harmful files. Once the user opens the link/file, the fraudsters can access and collect their personal information.

  • ATO

ATO or Account Takeover Fraud is when a criminal takes control of an account that belongs to an individual or organization to cause harm or steal money. One of the most common methods is when a fraudster uses a hacked social media account to ask the victim’s friend to send money.

  • Confidence Scams

These scams work when a fraudster gains someone’s trust to access their account or manipulate them into handing over money. Usually, it involves a romantic angle or a business opportunity. 

  • Tech Support Scams

Fraudsters masquerade as tech support personnel, demanding payment to resolve fictitious computer issues. Victims receive pop-up messages prompting them to make payments to remove nonexistent viruses.

Protecting Customers Against APP Fraud

Businesses bear the responsibility of implementing effective security measures to safeguard customers against APP fraud. This involves educating customers about fraud risks, verifying payment requests, utilizing secure payment methods, monitoring accounts, implementing fraud prevention measures, and promptly reporting incidents to authorities.

Customers also play a pivotal role in protecting themselves against APP fraud:

  • Verify Requests: Customers should verify payment requests, especially those from unfamiliar sources. Authenticity should be confirmed before authorizing any transfer.
  • Use Secure Payment Methods: Secure payment methods requiring two-factor authentication, such as card payments or bank transfers, should be favored. Avoid cash or insecure money transfer services.
  • Beware of Phishing Scams: Customers should exercise caution regarding phishing scams, refraining from clicking links or downloading attachments in suspicious emails or texts.
  • Protect Personal Information: Strong passwords, two-factor authentication, and prudent sharing of personal and financial data are essential safeguards.
  • Keep Software Updated: Regular updates to software and devices help guard against malware and cyber threats.

Fraud Detection and Prevention Tools

Advanced tools like Stripe Radar and secure payment hardware, such as Stripe Terminal, empower businesses to prevent APP fraud by offering:

  • Real-time Transaction Monitoring: Stripe Radar monitors transactions in real-time to detect anomalies and high-risk activities, enabling swift intervention.
  • Behavioral Analytics: Behavioral patterns are analyzed to identify unusual activities and potential fraudulent actors.
  • Two-factor Authentication: Secure payment hardware ensures dual authentication before transactions are authorized.
  • Data Encryption: Payment hardware and software use encryption to protect sensitive customer information.
  • AI-based Fraud Detection: Machine learning and AI algorithms detect patterns and anomalies to identify potential fraud.

Role of Liability Sharing in APP Push Fraud

The UK Payment Systems Regulator (PSR) made the news when it announced the 50/50 liability proposal and published its APP Fraud Performance Report. While the UK made the news the most, the proposal is not limited to the UK: several countries across other regions are taking regulatory steps to fight scams that are enabled by real-time payments.

Several countries are taking steps to implement data sharing among one another to prevent fraud. The UK has gone the furthest compared to other regions with the 50/50 Liability Announcement. It’s only a matter of time before other countries start implementing similar regulations. This is already apparent with the Monetary Authority of Singapore’s proposed framework for liability sharing.

Pros and Cons of Liability Sharing

| Pros | Cons |
| --- | --- |
| Uncover more mule accounts | Reputational damage & customer switching |
| Reduce scam losses | Increase in opportunistic and first-party fraud |
| Better customer protection | More financial exclusion |

With better data sharing among several regions, financial institutions (FIs) can make more accurate decisions to prevent fraudsters from opening a mule account.

Moreover, businesses will be able to judge better if a new customer account is part of a mule network. However, with the reporting comes potential risks. Above all, data sharing will lead to reputational damage to organizations that were hacked or attacked. Customers will better understand how well their financial institution protects them and how likely a particular institution is to be attacked.

Another benefit of sharing information between financial institutions and cross-industry collaboration is that it leads to a significant reduction in scam losses. 

The ability to highlight certain red flags on specific fraudulent transactions in real time can significantly reduce the risk of fraud. The enforced reimbursement of customers opens the door for first-party fraud. Account holders can claim that they were victims of a scam when they’re trying to scam the system. 

The focus of the regulation is to protect the victims of scams and more customers will be safeguarded. FIs will need to prove that the customer purposefully was a part of the scam to be reimbursed. 

Final Take

By fostering collaboration between businesses and customers and promoting awareness of emerging threats, APP fraud can be effectively curbed. As both parties unite to combat fraud, they enhance security measures and reduce vulnerability.