role of automated detection in reducing cyber fraud, The

Abstract

The roller coaster ride of Internet stocks masks an underlying fact: cyber commerce continues to grow and along with it, cyber fraud.

Experts say fraud is increasing and that the number of people committing fraud is burgeoning as techniques for committing fraud, once reserved to technological elites, now become available to a wider pool of criminals. The right individual armed with a computer can do more damage to a company than a conventional criminal.

Frictionless electronic commerce lowers transaction costs and speeds the supply chain, but it also enables criminals to attack with anonymity, sometimes hitting hundreds or thousands of companies at the same time and from parts of the world where they can be relatively immune from prosecution.

The trick for credit grantors to prevent fraud when conducting business on the World Wide Web is to use tools in the cyber world that are similar to those that protect them in the real world. One tool is money - spent on developing and managing digital certificates that help to verify the identity of an applicant, to encode sensitive information and to build firewalls. These efforts will help to keep unauthorized people out of a credit grantors' systems, and to ensure that documents are sent to, and received by, only authorized business partners.

But what if the authorized partner turns out to be a fraudulent business? Simply adding the encoding, process improvements and digital certificates cannot guarantee success. Fortunately, new and improved solutions for detecting higher risk are available to predict which business partners are likely to be fraudulent before their credit is approved.

Fraud is hardly new. What is new is the ease and speed with which fraud can be committed. While criminals have always preyed upon the gullible, the greedy and the unwary,1 the digital era's "new economy" offers those who practice deception for profit an unprecedented opportunity to score big - and get away with it.

The Opportunity Online

The Internet is the ideal medium in which to run a scam: low start-up costs, nearly impenetrable anonymity and global reach to millions of potential victims. Criminals can hide in foreign countries, steal identities or use high-tech tools including encryption, cellular phones, desktop publishing, and algorithm-generating software to construct valid credit card numbers.

Meanwhile, law enforcement is handicapped by a pre-digital legacy of investigative limits and jurisdictional boundaries. Few online fraudsters are tracked down; fewer still incur serious penalties.

Fraud has already hit many business-to-consumer websites. Credit card criminals especially covet electronic gear, sports apparel, and computers. Business Week recently reported that 13% of purchases made last year at casio.com, an electronic equipment e-commerce site, were fraudulent. Nike.com, which sells sporting apparel, estimates that 20 percent of purchase requests it receives are fraudulent. Expedia.com, an online travel agency, estimates $6 million in losses due to credit card fraud.

Some experts estimate the nearly 10% of online sales involve fraudulent use of either credit cards or offline debit cards.

Business-to-business (B-to-B) online commerce is likely to be attractive to high-tech criminals for several reasons.

First, auctions, no matter where they are held, are targets for fraud. Indeed, consumer complaints have already put online auctions at the top of the list for Internet fraud.

Now, as Business Week reports, business is picking up the electronic gavel, and trade at B-to-B auction sites will eclipse anything on EBay.

B-to-B online commerce is especially suited to industries in which components and supplies are standardized and traded at auction or in spot markets. Office supplies, factory supplies, electronic components, and medical supplies are all good candidates for B-to-B online markets - and for illicit markets in stolen goods. Forrester Research predicts that 40 percent of all electronics and computers (already the leading target of Internet criminals) will be sold online in five years.4

And criminals will follow for the same reason Willie Sutton said he robbed banks - because that's where the money is.

How High The Crime Wave?

It's a chilling thought, but the risk of being victimized by white-collar crime is probably many times higher than official statistics indicate. Data on commercial fraud in particular, although reliably reported and maintained in some sectors, is fragmentary, inconclusive or simply non-existent.

Credit card fraud is well documented. In the United States., annual losses to credit card fraud overall - that is, online and offline exceed $1 billion, amounting to roughly 9 cents for every $200 of goods purchased by credit cards.5 In Canada, where credit card fraud runs at about three times the U.S. rate, banks sustained $150 million in losses in 1999.6 (How much of this is Internet fraud is hard to say because all losses are aggregated together).

Credit card fraud aside, financial institutions, while required to report losses, do not always distinguish between losses due to fraud and overall losses. Thus there is little hard data on aggregate losses to insured depository institutions due to fraud, according to the Federal Reserve Board.7

The still separate databases of the several law enforcement agencies and regulatory authorities, to which companies might report different varieties of fraud, make it difficult to get one complete tally. Many cases of fraud are never reported at all. There is unanimous agreement - among law enforcement officials, financial regulators, forensic accountants and business leaders - that reported frauds represent only a fraction of perpetrated frauds. The U.S. Secret Service estimates that hundreds of millions of dollars are lost annually to fraud schemes, while acknowledging that no one really knows because victims do not turn to the authorities out of fear or embarrassment.8

As already noted, many frauds do not meet police criteria for opening a case file: a report may be made only to vanish without official trace. Convinced of the futility of reporting fraud to law enforcement, many companies don't bother. Of course, news that someone has cooked the books or breached online security is bad publicity for any business. Salesgate.com, which processes credit card orders on behalf of online storefronts, fell victim to hackers who stole more than 3,000 card numbers from its files and published them on the Web. In the aftermath, only one case of credit card fraud has been claimed - but the damage to the dot-com's reputation caused a 35% drop in sales.9

Some dot-coms have a vested interest in focusing attention on their efforts to detect and prevent fraud. But most suspicious activity on the electronic frontier never comes to official attention. At an Economic Crime Summit in 2000, sponsored by the National White Collar Crime Center, the FBI's Bob Pocica put it bluntly: "How big is the problem? What are the losses that occur on the Net? Nobody knows."10

Knowledge is the Best Defense

Just as fraud has always been an inherent risk of doing business, the best weapon against deceit has always been knowledge: knowledge of the extent of the exposure to the risk, of the parameters of accepted business practice (like putting provisions in writing and supplying verifiable references), of the signs that a proffered transaction isn't entirely above board, and of the person with whom you are dealing.

Granted, the knowledge required to effectively manage exposure to the risk of fraud is both more extensive and harder to come by in the digital era than it was in the days of the handshake over the barrelhead. Still, many people fall victim to fraud because they failed to use the information available to them. Checking the credentials presented by a prospective customer or vendor against independent sources is probably the single best defense against fraud. Here are some of the areas to review in order to prevent fraudulent applications or vendors from being approved:11

* Ensure the address supports the type of business. For example, residential locations are unlikely for wholesale, retail or manufacturing lines of business. Fraudulent business operations generally use short-term, low-rent locations or use mail drops. Ask how long the business has been in its present location, and then check with an outside source or the building's management to confirm that it is a street address and not a mail service location.

* Fraudulent companies will sometimes mislead by using a name that is very similar to a successful, well-respected company with a sound reputation. Obtain addresses and telephone numbers to confirm the existence and identity of the company and its relationship to other large, well-known companies.

* Check equipment invoices for accurate price representation. A different "ship to" address than what is on the application may indicate the applicant will soon disappear with the merchandise.

* Carefully review the financial statement for any inconsistencies. For example, is the statement heavy on assets but indicates little debt? If it looks too good to be true, it probably is. Also, always check the credentials of the person who prepared the statement.

* Be wary of a vendor who is always in a rush for a credit decision or funding.

A manual review is also time-consuming and, when a company is intent on capturing high-volume trade in ahotly competitive market, it often fails to make the cost-benefit cut. Better, the thinking goes, to sustain some losses in order to generate more revenues, and that is fine up to a point.

The hard lessons of consumer electronic retailers - and the corrective action this sector is taking - are instructive for all companies venturing out on the digital frontier.

The most immediate response has been to bring credit card verification and customer authentication solutions online. Traditional leaders in consumer credit information have been joined by new dot-coms in providing these services to virtual storefronts.

One of the major challenges has been compressing the previously manual and time consuming duration of verifications to seconds. Time runs exceedingly slow on the World Wide Web: applicants expect transactions to close immediately, so a 10 minute wait for a background check would seem slower on the web than in a store or business, where the customer's attention could be diverted. There are no sales clerks to chat up impatient customers while they check out their purchases.

Electronic commerce is also drawing on past lessons. Credit card losses soared in the early 1990's, too. Fortunately, a new application of a cutting edge technology was available to reverse the trend: software-based modeling systems called "neural networks". In contrast to traditional computing programs, which follow instructions in a fixed sequence, these systems' processing elements are networked to identify patterns in input data. The system's ability to perceive, remember and apply patterns is analogous to the human brain's ability to learn. Given a range of data, neural network programs were able to identify with remarkable accuracy consumers who were most probably criminals.

Commercial Fraud Tools

Until quite recently, fraud prevention solutions like these were available only to electronic retailers. However, new tools have been designed to red-flag potential fraud in business-to-business relationships. Some of these automated tools look for discrepancies between the information submitted by the applicant and obtained from the commercial bureau. For example, an exception code or warning would be raised if the system identified a significant difference in the stated number of years in business or primary industry. Further protection is available through automated business rules - standard instructions that reflect the credit policies of a business - which have been preprogrammed to highlight applicants that represent themselves differently across multiple transactions.

A third approach to fraud detection is the use of higher risk models. These models are used to assess whether a business's intentions are likely to be fraudulent. Fraudulent behavior includes any activity that resorts to deceitful practices or devices with the intent to deprive another of rights, or to cause economic injury.12

A neural network model designed to detect fraud can capture rare and hard to find cases more effectively than traditional regression methodologies. This modeling technology, that dynamically reflects changing conditions of a business, captures the way multiple variables interrelate to produce a reassuring, or an alarming, picture.

The neural network model can penetrate layers of legitimacy - a long-history at a bona fide business address, for instance - to detect patterns of activity that may indicate a company has been commandeered by criminals for a "bust-out." Similarly, it provides an extra measure of assurance that the brand-new business being run from a residential address is actually a small office or home office and not a front.

To effectively predict fraud, the model must be developed based on a robust sample of higher risk businesses - that is, companies (or companies whose principals) have been found to have misrepresented themselves in one or more categories of critical identifying or business performance information or to have engaged in fraud or other illegal activities.

A representative sample of higher risk businesses combined with a sample of "good" businesses is used to train the model ("training sample"). Although the incidence of business fraud is less than .1%, the sample design can over-sample fraudcases to provide the best learning environment possible. Through this training the model learns the patterns of characteristics that are highly indicative of fraud. Once the patterns are learned, a "testing sample" is used to measure the performance of the model and to detect over-fitting. Finally the neural network algorithm is used to predict the likelihood that a newcase will exhibit the same highly suspicious behavior. The accuracy of these predictions determines the ultimate model performance ("validation sample"). (See figure 1).

The model sifts through data on companies, looking for patterns, making associations, comparing and contrasting current activities with previous events. To detect fraudulent patterns, the model looks at an array of business characteristics, including payment and financial data, public filings, demographics, as well as critical intelligence from an array of third party sources, including databases listing cell phone numbers and mail drop addresses (See figure 2).

The model assigns a score that indicates how closely the subject business looks like a confirmed fraud. Based on models developed by D&B, 96% of U.S. businesses will score low risk for fraud. These businesses possess the least risk of future fraudulent activity. About 3% of all businesses score in a medium risk range when elevated risk factors are present. Approximately 0.6% of businesses possess the highest risk of future fraudulent activity. Among businesses that score high risk, the incidence of fraud is 43 times greater than the average (See figure 3).

In tests conducted by D&B, on company portfolios from a cross section of business segments including wireless communications, office supply, and financial services, a model achieved notable results in capturing business fraud. Figure 4 illustrates the gains realized from using a model versus making random decisions about the business.

In one test, an equipment financing company applied a model to a sample of 28 confirmed cases of fraud. The scores were applied based on data 6 to 12 months prior to the time they were confirmed to be frauds. 87% of these cases scored in the medium to higher risk categories.

One case flagged as a high risk concerned a business that claimed to have been a medical laboratory: however investigators could not confirm its industry. Other information discrepancies included inconsistencies in the business' claimed start date and the actual date when the business license was filed. The business principal was linked to previous businesses that were confirmed as higher risk, and the business was not listed with directory assistance. The model identified a combination of higher risk characteristics such as riskier industry and geography segments as well as the age, size and the lack of available information and trade experiences.

Automating Fraud Detection

Companies can most effectively use a commercial fraud detection model as a screening tool that assists in prioritizing accounts for investigation during the new account approval process. Rather than investigating all accounts with the same level of detail, a commercial fraud score enables companies to focus their resources on the accounts most likely to be higher risk.

For example, a business rule could be added to flag all small business applicants that score high risk, for a manual background check, to price for risk or to establish up-front payment terms. Companies that score medium risk may have a rule that specifies conducting further review and monitoring for changes in behavior. Applicants that score low risk can automatically proceed to the credit evaluation process. These applicants can then be checked for credit worthiness with commercial delinquency and failure scores (See figure 5). In addition, a commercial fraud model can be used to periodically score existing accounts and identify current customers who arc exhibiting higher risk characteristics.

Used in concert with scores that measure creditworthiness, a commercial fraud score is an added line of defense against the risk that a potential business partner will not live up to its commitments, whether because of an unexpected change in circumstances or because that was never the intention. Companies can benefit from automated fraud detection by capitalizing on e

Commerce opportunities with confidence, responding to customers quickly while being protected from potential loss and minimizing the cost of maintaining an in-house investigative capability.

In the end, the electronic frontier will be tamed. Cyber fraud will be brought down to more manageable levels - though never completely eliminated. Fraud will be a persistent undercurrent in the new economy just as it has been in the old. Companies will find that their surest risk management strategy will mix new technology with traditional precautionary due diligence.

1 In his Fraud Identification Handbook, (Highlands Ranch, CO): PP Preventive Press, 1998) George B. Allen notes that Thomas Hoving, past director of the Metropolitan Museum of Art, dates the earliest cases of art fraud back to second millennium BC Phoenicia.

2 Business Week Online, "Special Report: Internet Fraud," April 3, 2000. op. cit.

3 Patricia A. Murphy,. "Taking Aim at Internet Fraud," The National Retail Federation's Stores, October 1999. http://www.stores.org/eng/archives/oct99cover.html

4 Douglas A. Blackmon, "Where the Money Is," Wall Street Journal, April 17, 2000

5 Steve Lohr, "Policing the Internet: Anyone but Government," New York Times, February 20, 2000.

6 _____, "Credit Card Fraud Cost Banks $150M Last Year: More Prone than U.S.," Financial Post, March 29, 2000.

7 The Federal Reserve Board's (FRB's) "Report to Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud," March 1997. http://www.federalreserve.gov/boarddocs/RPT Congress/privacy.pdf

8 U.S. Secret Service "Investigations-Financial Crimes Division,." http://www.treas.gov/usss/financial crimes.htm

9 Fred O. Williams, "Amherst, N.Y., Company Sees Sales Suffer after Hacker Breaks into Website," Knight-Ridder Tribune Business News: The Buffalo News - New York, April 11, 2000.

10 Bob Sechler, "Web Crime Experts: Old Schemes Rampant on New Tech," Dow Jones News Service, May 9, 2000.

11 Dun & Bradslreet, "How to Protect Yourself From Business Fraud," http://www.dnb.com/communities/credit/resource_center/how_to_protect_yourself/0,2280,3-223-1012-0-0-0-0-1 ,00.html

12 Dun & Bradstreet, op. cit.

13 Dun & Bradstreet, "Understanding the Higher Risk Score," 2000

14 Dun & Bradstreet, op. cit.

Jan B. Rowland, Ph.D.

Jan Rowland is Vice President of the Analytical Services Group at Dun & Bradstreet. Her group has extensive experience conducting statistical analyses that impact the profitability and performance of businesses through increased customer response, reduced delinquency, improved retention, and strengthened customer loyalty. Prior to joining Dun & Bradstreet, she held various management positions at J. P. Morgan, American International Group, and Citibank where she directed analytical units. Dr. Rowland graduated from the University of Pittsburgh with a B.S. degree in Mathematics and Psychology. She earned a Ph.D. in Epidemiology with a specialty in statistics from the University of Pittsburgh. She also graduated from the New York University School of Business with a certification in Marketing Statistics. Jan may be contacted at rowlandj@dnb.com

Copyright Credit Research Foundation First Quarter 2003
Provided by ProQuest Information and Learning Company. All rights Reserved