Natasha Vernier
Mar 26, 2021

Secret Crime Fighters, Episode 11

Our next Secret Crime Fighter uncovered a clever fraud scheme in which companies impersonated real online businesses and layered in a mix of authorised and unauthorised transactions. The scheme involved an e-commerce payment processor, and we think it is also relevant for any bank with business accounts because they would be on the receiving end of these deposits.

The Typology

Impersonating E-commerce Businesses

Our Secret Crime Fighter onboarded a number of seemingly unrelated companies, all of which provided legitimate business details, including the associated directors and beneficial owners. The companies all claimed to be e-commerce businesses, selling heavily discounted items from well-known brands.

The companies had websites that closely mimicked those of the real businesses they were impersonating, and they advertised those websites as belonging to the legitimate companies. As a result, customers believed they were ordering from the legitimate sites, making it harder for transaction monitoring models to detect the activity as fraudulent. Actual payment sizes were very low - £40 to £99 - with fairly low daily sales and few card declines.

Layering in Stolen Cards

One of the first indicators our Crime Fighter had that something might be suspect about these e-commerce businesses was when their transaction monitoring system detected a few card payments from potentially suspicious buyers. In addition to receiving payments from scammed customers, the fraudsters were also making a number of transactions themselves using stolen card details.

Change in Activity

With our Secret Crime Fighter now interested in these businesses, further investigation revealed that the account balances from the payment processor were being transferred to a bank that was not commonly linked as a deposit account, because the bank issued virtual IBANs.

Following this new thread, our Crime Fighter discovered a high number of recently created business accounts all sending account balances to this same virtual IBAN bank, and all following a similar pattern for item descriptions on their websites, non-commercial email syntax (e.g. gmail accounts) and transaction activity.

And when our Secret Crime Fighter started shutting down these accounts, the activity shifted as the fraudsters tried to get as much money out of the payment processor as they could. Instead of waiting for legitimate customer orders to hit the accounts, they started running stolen cards as soon as the accounts were opened. This also resulted in other obvious-to-spot errors, like reusing the same stolen cards across accounts, further increasing suspicion.

Stopping the Typology

As soon as our Secret Crime Fighter knew that the businesses were all using similar virtual IBAN accounts as their linked accounts, had similar item descriptions on their websites, used the same non-commercial email syntax and were processing payments in the range of £40-99, it was easy to put in place automated rules to flag and stop this typology.
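The signals listed above, plus the card reuse described under "Change in Activity", can be combined into one scoring rule. The sketch below is an added example, not the Secret Crime Fighter's actual rules: the field names, bank codes, free-mail list, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Assumptions, not from the article: field names, the free-mail list, the bank
# codes and every threshold are hypothetical; the sample data is constructed.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
VIBAN_BANKS = {"VIBANK01"}  # placeholder code for a virtual-IBAN issuer
LOW, HIGH = 40.0, 99.0      # payment band named in the article, in GBP

def account_signals(acct, amounts):
    """Signals one merchant account matches on its own details and payments."""
    hits = set()
    if acct["payout_bank"] in VIBAN_BANKS:
        hits.add("virtual_iban_payout")
    if acct["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        hits.add("non_commercial_email")
    in_band = [a for a in amounts if LOW <= a <= HIGH]
    if amounts and len(in_band) / len(amounts) >= 0.9:
        hits.add("payments_40_99")
    return hits

def flag_cluster(accounts, payments, min_signals=3, sim=0.8):
    """Return {account_id: signals} for accounts matching enough signals."""
    amounts, card_users = defaultdict(list), defaultdict(set)
    for p in payments:
        amounts[p["account"]].append(p["amount"])
        card_users[p["card_fp"]].add(p["account"])
    signals = {a["id"]: account_signals(a, amounts[a["id"]]) for a in accounts}
    for users in card_users.values():  # same card seen at several accounts
        if len(users) > 1:
            for acct_id in signals.keys() & users:
                signals[acct_id].add("shared_card")
    for i, a in enumerate(accounts):  # near-duplicate item descriptions
        for b in accounts[i + 1:]:
            if SequenceMatcher(None, a["item_desc"], b["item_desc"]).ratio() >= sim:
                signals[a["id"]].add("similar_description")
                signals[b["id"]].add("similar_description")
    return {k: v for k, v in signals.items() if len(v) >= min_signals}

# Constructed sample: A1 and A2 follow the typology, A3 is an ordinary merchant.
ACCOUNTS = [dict(id=i, email=e, payout_bank=b, item_desc=d) for i, e, b, d in [
    ("A1", "sample-1@gmail.com", "VIBANK01", "Brand X trainers 70% off free delivery"),
    ("A2", "sample-2@gmail.com", "VIBANK01", "Brand X trainers 75% off free delivery"),
    ("A3", "sales@example.co.uk", "HIGHST01", "Handmade oak furniture built to order")]]
PAYMENTS = [dict(account=a, amount=m, card_fp=c) for a, m, c in [
    ("A1", 45.0, "c1"), ("A1", 89.0, "c2"), ("A2", 59.0, "c2"),
    ("A2", 99.0, "c3"), ("A3", 450.0, "c4"), ("A3", 60.0, "c5")]]
if __name__ == "__main__":
    print(flag_cluster(ACCOUNTS, PAYMENTS))
```

Requiring several signals at once keeps a single weak indicator, such as a free-mail address on its own, from flagging an ordinary small merchant.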

But how can you make sure that such a subtle typology is detected to begin with? It starts with having transaction monitoring rules that look for the most obvious of crime types, like stolen card usage, but it really hinges on having a culture and mechanism for sharing trends and on being able to act quickly. One person realising something was unusual resulted in hundreds of accounts being shut down and the typology being stopped. Financial crime investigators need the time and support to follow unusual threads into accounts, and can’t always be measured on the number of tasks or accounts reviewed in a time period.

Thanks for reading our latest Secret Crime Fighters newsletter. If you have an interesting typology that you’d like to share, we’d love to hear about it! Please email us at [email protected].
