While most people associate cybercriminals with hacking and security breaches, many of them have begun exploiting vulnerabilities in the e-commerce industry as well, using a new scheme called transaction laundering. By using transaction laundering, cybercriminals have found a way to bridge the gap between sellers of illicit (and often illegal) merchandise—drugs, counterfeit products, prostitution and the like—and the legitimate payment world. This, in essence, allows for the existence of a highway of illegal commercial activity going through the legitimate payments infrastructure.
Luckily (for them), gaps in online security and financial monitoring have made it easy for hackers to cover their tracks and disguise their transactions from banks, payment processors and law enforcement. In fact, criminals who process payments for illicit purposes through “legitimate merchant accounts” have become almost impossible for banks to detect. This new scheme has quickly pervaded the payment ecosystem, leading banks to unknowingly process illegal transactions, which result in millions of dollars in non-compliance fines, not to mention the huge reputational risk to their brands.
The emergence of transaction laundering
Before the widespread adoption of the Internet, cybersecurity was, to some extent, insignificant. During its early days, the Internet simply didn’t provide much incentive for cybercriminals. There was neither enough data to steal nor money to be made. But as technology has evolved so, too, have opportunities for cybercriminals.
Online banking, for example, allows us to conduct banking transactions safely and (mostly) securely from the comfort of our homes, but it also provides new opportunities for hackers to exploit vulnerabilities that didn’t exist in the past. This is specifically true for cybercrime‘s manifestation in e-commerce. Technological advances today have made it possible and even easier for criminals to launder transactions, due to two key technological developments.
The increase in the number of payment systems on the market (such as PayPal, Venmo, Facebook Messenger, Google Wallet and Square) has created a new layer of complexity that makes it harder for banks to understand from where money is coming and to where it is actually going.
This payment-systems proliferation has been accompanied by a “micro-merchant movement”, which, thanks to instant website-creation technology, allows criminals to set up fake businesses and pretend to sell anything they want.
The enormous number of new merchants using ever-growing methods of processing payments creates a very huge and unmanageable data overload, making it difficult for payment processors to filter out fraudsters, and creating an opportunity for these fraudsters to engage in criminal activity with little to no interruption. In fact, as much as 6 to 10 percent of the activity entering the payment ecosystem today comes from unknown sources or unregistered merchants.
Combine these two layers together, and you’ve got a smokescreen of sorts that allows fraudsters to get into the payments system without anyone ever realizing it.
So how does it work? Transaction launderers are able to take advantage of holes in the systems—such as expedited onboarding—in order to operate under the radar of the payments industry.
An example can be seen below. The acquirer underwrites an online flower shop after it passes all website-inspection requirements, including scans for content issues. The acquirer believes it has a low-risk online business on the books, but in reality the flower shop is serving as a “faux storefront” for a web store that sells illegal prescription drugs. As the drug dealer’s transactions process through the “flower shop”, the fraudulent merchant makes sure to cover the trail by making each transaction appear like a legitimate purchase from within the flower shop itself.
Originally, many processors lacked the appropriate tools to verify these unique types of transactions, meaning that after gaining access into the payments system, fraudsters would sell whatever they wanted, making it difficult to see if the merchant was actually selling what they said they were.
This problem was initially solved by processors deploying crawlers that would systematically browse each merchant’s website and identify content that was unrelated to what the merchant was supposedly selling. The processors identified them using specific keywords that were able to help them identify the unruly fraudsters.
It didn’t take long, however, for fraudsters to adjust their tactics in order to continue operating effectively and efficiently. Soon, rather than using the actual registered site to sell their illicit goods, they kept their original site as it was and set up other, new, seemingly unrelated sites in other domains. They then took the credit-card information obtained through the unregistered sites and funneled them through their legitimate website that had been approved by the banks and processors.
Transaction laundering is money laundering
We can also look at this issue through the lens of traditional money laundering and terrorist financing. As the word “laundering” suggests, transaction laundering and money laundering are closely related.
While money laundering has existed for centuries, what we are seeing today with transaction laundering is very unique. Today, you don’t have to go through a complicated process such as the A1A Car Wash operation made popular in “Breaking Bad”. Now you can essentially buy 1,000 “car-wash stations” and make your laundering so much harder to detect without any of the costs. In just minutes, you can set up a website, be it a “furniture shop” or a “flower shop”, and sell illegal goods and services from a “legitimate storefront”.
Transaction laundering has made money laundering easy. The scale of transaction laundering today has the capacity to create a highway for money launderers, and banks need to be aware of this huge blind spot in their anti-money laundering (AML) regime that is exposing them to enormous regulatory risks.
Here’s what banks should know:
Transaction laundering is a significant and growing problem within the online space, further intensifying the urgency for managed service providers (MSPs) and other payments-industry stakeholders to become as agile and efficient as the fraudsters themselves. Yet in the evolution of online merchant fraud, the old tactics never completely disappear; the evolution is cumulative, with new types of fraud layering onto the old. The resulting challenge is complex and therefore requires a multi-faceted solution.
The following recommendations can provide a good place to start:
- Leverage technology to expose actual merchant risk: The transaction-laundering threat requires a fundamental change in how the industry goes about vetting and monitoring online merchants. This involves moving beyond what is obviously known to the bank and building a broader intelligence picture about the merchant, which would not be directly visible to the bank. Solutions that rely on manual steps simply won’t make it in this atmosphere; they must be automated so that they can effectively scale. Along with their scalability, automated technologies are ideal for discovering repeatable patterns and then reporting on them in near-real time. This speeds up the decision-making process for merchant onboarding. While current automated risk-monitoring systems typically require some level of human interaction for quality assurance, the cumulative intelligence these solutions are capable of gathering will likely decrease this need over time.
- Awareness and training: The MSP’s entire business is centered on serving merchants and managing risk; therefore, all associates in the value chain have a role to play in spotting the “bad apples”. Risk management is a team sport, and it is imperative to raise awareness of the transaction-laundering issue among stakeholders. This includes not just underwriters and risk analysts but also sales, fraud investigators, chargeback specialists and service-provider partners. For example, analyzing chargeback records can help identify problematic trends and potential transaction-laundering activity. Salespeople can help by evaluating whether the merchant’s forecasted transaction volume and value is rational and supported by the logical inventory and warehouse demands. Efforts should be focused on identifying any key indicators or trends around this activity, and departments throughout the organization should receive frequent training to reinforce awareness and communicate new insights that can help flag the signs of transaction laundering.
- Collaboration is key: Shared intelligence stops fraudsters from just going somewhere else. As a community, payments-industry players must work together to help each other combat scammers’ moneymaking schemes and relentless pursuit of abusing their online merchant accounts for criminal gain. Fraudsters have a sophisticated network and rarely operate independently. They interact with their likeminded counterparts in an effort to stay ahead of industry detection methods. Knowledge sharing and collaboration beat them at their own game.