Online fraud is very often a crime of opportunity. Fraudsters move quickly to exploit vulnerabilities, then cash out and vanish before they can be caught. That’s certainly the case with fraudsters who instigate chargebacks by making transactions with stolen credit cards, but some cybercriminals have learned the value of being patient.
Bust-out fraud is a strategy that's been around for a long time, but it remains popular among dedicated fraudsters. What is bust-out fraud, and how concerned should merchants be about fraudsters who have committed to playing the long game?
Bust-out fraud is a high-stakes scheme in which fraudsters spend months or even years flying under the radar disguised as normal cardholders before making a big cash grab.
To make things even worse, bust-out fraud usually goes unnoticed until it’s too late. The usual methods for detecting and intercepting fraud don’t generally work on transactions linked to a bust-out strategy, and the victims only find out about it once the final part of the scheme—the bust-out itself—has been executed. At that point, it is extremely difficult to track down the fraudsters and hold them accountable.
Bust-out fraud is a scheme in which fraudsters spend a long time—sometimes years—building up a credit line. Once they have a high credit limit, they max out the card and run off with their ill-gotten gains, never to be seen again.
Bust-out fraudsters will spend months or years making small purchases, paying off bills (usually with stolen funds from other schemes), and requesting credit increases.
Once the card reaches a high limit—in the tens of thousands of dollars, usually—the fraudster will make a few big purchases, then drop off the face of the earth and never make a payment on it ever again.
Needless to say, running a bust-out scheme with your own credit card is a bad idea. You can easily be tracked down and prosecuted, and at the very least your credit score will hit rock bottom. That’s why fraudsters always use stolen or synthetic identities. Once the victimized parties realize that the cardholder wasn’t who they said they were, the fraudster has cut off all contact and cannot be identified.
Obtaining a credit card with a stolen identity isn’t all that difficult. Social security numbers can easily be purchased on the dark web, sometimes as part of a complete stolen identity package with names, addresses, and other useful data.
Children are frequent targets of this type of identity theft, as they have no credit history of their own and are unlikely to notice when an account has been opened up in their name. These days, however, many fraudsters prefer to use synthetic identities, which can be even harder to detect.
A synthetic identity is a fake identity cobbled together out of different elements of real and made-up identities. A synthetic identity could have a real social security number, a different real name, and a phony street address.
Fraudsters like synthetic identities because it’s not as easy to spot them. Stolen identities are often found out when the victim realizes their credit score has plummeted, but it takes longer for banks and reporting agencies to connect the dots between the disparate elements of a synthetic identity. This gives the fraudster more time to carry out their schemes, resulting in higher payoffs.
Even though a synthetic identity never starts out with a valid credit history, it’s not too difficult to build one up. Fraudsters can get store cards and gas cards without a credit history, and the application process alone is sufficient to get the ball rolling for offers to start coming in.
The immediate financial impact of bust-out fraud falls squarely on the issuing banks and credit card networks who provided the fraudsters with payment cards in the first place. But it doesn’t stop there.
While it is uncommon for bust-out fraud to result in chargebacks, acts of fraud in which the damage runs into five, six, or even higher figures can have a disproportionate effect on consumer confidence, processing costs, and other elements of the economic landscape in which merchants operate.
Merchants aren’t the front line of defense against bust-out fraud. It’s really up to issuers to ensure that they aren’t giving cards out to people who aren’t why they say they are. Here’s what they should be watching out for:
Merchants are, however, in a position to notice when the bust-out is about to happen. It’s a red flag when a customer, who previously had only been making small purchases, suddenly buys big expensive items with a high resale value.
While bust-out fraud is more likely to cause direct losses for financial institutions as opposed to merchants, some of the tactics it utilizes—such as synthetic identity theft—can be used in schemes that do target merchants and lead to chargebacks, such as account takeover fraud. It’s not easy to stop fraudsters hiding behind synthetic identities, but there are ways.
Security solutions that make use of artificial intelligence, machine learning, and behavioral analytics to identify fraudulent patterns can look beyond the obvious signifiers and spot fraudsters with uncanny accuracy.
If you’re worried about high-tech fraud, work with your trusted partners in payment security to help you come up with equally high-tech defenses.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com