Fraud 101: What Business Owners Should Know About Fraud
Fraud may not be something we like to think about, but we should. U.S. businesses will lose an average of 5 percent of their gross revenues to fraud, according to a 2018 report by the Association of Certified Fraud Examiners. Since small businesses typically have fewer fraud controls in place when compared with larger businesses, SMBs are especially vulnerable and tend to suffer much more dire effects of fraud. More broadly, consumers experienced $905 million in total fraud losses in 2017, and the prevalence of identity theft continues to grow.
To help shed light on this often feared and misunderstood topic, we spoke with Dean Ad, Fraud Analyst, one of the internal experts here on the Fraud team at Fundbox. In this guide, we’ll discuss the most common types of fraud and what you should know to protect yourself and your business.
What Is Fraud and What Are the Most Common Types of Fraud?
First of all, what is fraud? In its most basic sense, “fraud” can describe any deceptive activity committed or attempted for financial gain. The word can describe many types of dishonest activity. Generally, when many people hear the term “fraud” what they think of is identity theft. There are actually several different types of fraud. While many of them involve some kind of identity theft, not all of them do.
A few common types of fraud include first-party fraud, second-party fraud, third-party fraud, mule fraud, and synthetic fraud. We’ll talk about each of these next. Then, we’ll look at some expert advice for business owners who want to protect themselves from fraud and identity theft.
An introduction to common credit fraud terms:
- First-party fraud
- Second-party fraud
- Third-party fraud
- Synthetic fraud
- A note about “money mules”
First-party fraud is a form of credit fraud where someone uses their own personal details to apply for and obtain credit or loans with no intention of paying them back.
For example, a customer of a bank might apply for a personal loan, get approved, use the funds to go on a shopping spree and never make a payment. It’s called “first-party fraud” because it involves one person’s or entity’s real information, as opposed to a stolen identity. The person committing the fraud is the “first party,” and their intention to commit fraud is what makes them different from someone who simply got into debt and could not repay their loan on time. First-party fraud is illegal and can result in criminal charges.
Second-party fraud is similar to first-party fraud, but with a key difference: one person gives their information to another person (that is, a “second party”), with the intention that they will use the information to obtain credit or a loan with no intent to repay the funds.
In this type of credit fraud, the first and second parties are working together to commit fraud. If you gave your personal information (like a bank account and Social Security number) to a friend so they could apply and get approved for credit that they then spent without repaying it, that would be second-party fraud. This kind of fraud is also called “friendly fraud.”
Third-party fraud is different from and more common than first-party fraud. When you read about fraud in the news, you’re almost always reading about third-party fraud. Third-party fraud occurs when a person or group of people use someone else’s identity to open accounts or get credit without the knowledge of that person.
“In the case of third-party fraud, the fraudster stole someone’s information without them knowing about it,” explains Dean. “Where I come in is when fraudsters then try to use that information in order to apply for a Fundbox account to draw funds without planning to repay. What happens is, a fraudster used information that does not belong to them. They may have stolen that information, stolen someone else’s Social Security number or bank accounts, either using a phishing attack, through hacking or buying that information on the Dark Web. In all of these cases, an innocent person could be victimized.”
According to Dean, third-party fraud is one of the most harmful types of fraud because it is so scalable, giving it the power to harm many people.
“One person—one fraudster—can obtain hundreds of different identities or data sets and then use them,” Dean explains. “Whereas with first-party fraud, you can only use your own information, so there is a limit to the funds you can get, and you aren’t trashing some innocent person’s credit by misusing their information.”
Third-party fraud is a significant risk for individuals and business owners. Because most of us conduct so much business online, there are many places where our sensitive personal information could be leaked or stolen without our knowledge or consent. According to Experian, third-party fraud is also “associated with organized criminal activities, with up to 50 percent of third party fraud seen as part of a fraud ring with frauds linked across multiple identities.”
Another term you might encounter in discussions of fraud is “synthetic fraud.” According to a report from the U.S. Federal Trade Commission, synthetic fraud is one of the newest, fastest-growing, and hardest-to-trace types of fraud today.
“Basically, synthetic fraud occurs when a fraudster uses credit reports and other information to create entirely new identities,” explains Dean. “These are synthetic identities for people who don’t really exist.”
Fraudsters then use these artificial identities to open credit cards, apply for loans, and more. According to a 2018 report from credit reporting agency TransUnion, “outstanding balances of suspected synthetic fraud identities increased 6.6 percent to $885.42 million in Q4 2017, up from $830.25 million in Q4 2016 for auto loans, credit cards, personal loans, and retail cards combined.”
While this type of fraud mostly concerns lenders, individuals and business owners should be aware of it, too. In some cases, bits of personal data from different real people may be illegally obtained in a case of identity theft, and later stitched together to form a new synthetic identity that fraudsters then use to obtain funds. In this way, it’s possible for your real name or social security number to get attached to a totally different, fraudulent identity, causing you significant grief and potential financial losses.
A Note About “Money Mules”
While you’re learning more about fraud, you might encounter the term “money mule.” A “money mule” might be used as part of a second-party fraud or third-party fraud. Money mules are vehicles for moving illicit funds around to hide their true purpose or source. A fraudster may use a “mule” as a way of creating distance between themselves, the money, and its origin.
For example, a fraudster might use borrowed, stolen, or fake information to create a bank account under a false name that they control. That bank account might be under the name of a friend—someone complicit in the fraud—or under the name of a legitimate bank customer or business person who has no knowledge that their personal details are being used by someone else for illegal activity.
Even worse, according to the Associated Press, money mules are sometimes “people who, unwittingly or not, use their own bank accounts to move money for criminals for purposes they think are legitimate or even noble.” In other words, law-abiding individuals and business owners can be tricked into participating in a money-laundering scheme, all without their knowledge.
Now that you’ve got a handle on the most common types of fraud, you might be asking what you can do to prevent it. Keep reading for information about what you can do to help protect your business from fraud.
How to Protect Yourself – and Your Business – from Fraud
With so many individuals and criminal groups working hard to steal personal information and commit credit fraud, business owners should stay up to date on the risks, and actively protect themselves.
Fortunately, there are a few simple actions everyone can take to safeguard their data and reduce the chances of becoming another fraud victim.
1. Use strong passwords.
You’ve probably heard this before, for good reason. One of the most important things you can do to protect your personal and business data online is to use strong passwords. For extra protection, change them frequently.
“Definitely be aware of your passwords and change your banking password regularly,” Dean recommends. “Do not use easy, simple passwords on important things like your banking credentials.”
Do not give in to the temptation to use a single password for all of your important accounts, either. If that one password is stolen, hacked, or compromised in any way, you’ll be putting multiple accounts at risk instead of just one.
Since it’s nearly impossible for the average person to remember the dozens of strong passwords for all the apps and accounts needed to run a business (or just live a modern life), consider using a secure password management system, such as Zoho Vault, 1Password, or LastPass. There are many password managers to choose from, depending on your budget and needs.
2. Be aware of phishing.
Phishing attacks can come out of nowhere and irreparably harm an entire business or cause significant damage to an individual’s finances and digital life. The purpose of most phishing attacks is to steal data from the unsuspecting victim, often with the intent to use that data to commit fraud.
“Definitely try to keep an eye open for phishing schemes in your inbox,” Dean advises. “If you get a message and you see a website that doesn’t have the URL, that’s a red flag.”
There are a few patterns to look for that many phishing schemes follow, typically using email and text messages.
“As an example, let’s say you received an SMS, a text message with a link that looks like it came from your bank,” says Dean. “You click on it and notice that the web address is not what you usually see with that bank. Don’t log in! It could easily be a fraudster’s website, built with the intention of tricking you into handing over your login credentials. Really open your eyes for people who try to use phishing websites to steal your information.”
3. Don’t click suspicious links.
This advice is closely related to phishing: always look closely before you click any suspicious links.
What are “suspicious links”? Any link in an email or text message that came from an email address or phone number you don’t recognize, or any link that seems to be hiding its real content.
“Avoid opening links that are suspicious, that you don’t recognize,” says Dean. “Don’t click a link from a strange email, and then log in to your account from that link. If you need to log in to your bank account online, go directly to the bank URL you’re used to by typing it into the search bar of your browser and logging in normally. I never, never log in through links that are being sent either by email or by SMS.”
Does this mean you should avoid all mailing lists and never click a link again? Of course not. However, to be safe, you might want to make it a policy to never click links relating to your financial accounts, and always log in to those directly, as Dean suggests.
4. Put an alert or freeze on your credit.
There are two levels of security that you can choose to add to your credit, depending on your comfort level: a security alert, and a credit freeze.
A fraud alert makes it harder for anyone to use your information to open an account or apply for a loan in your name. You might choose to do this if you’re concerned that your private information was exposed in a data breach or otherwise compromised. With an active fraud alert, any business or entity must double-check with you before issuing new credit, giving you a chance to personally review any credit activity—and giving you some valuable peace of mind.
To place a fraud alert on your credit, contact any of the three major credit bureaus: TransUnion, Equifax, or Experian. (There’s no need to contact all of them. According to the FTC, if you place an alert with one of them, that bureau will inform the others.)
When you contact them, tell them you would like to place a fraud alert on your credit, and be sure to confirm your current contact information. It should be free to place the alert, and the alert will remain active for a year before you’d need to renew it. Confirmed victims of identity theft may get a free extension on their fraud alert for seven years.
“I would suggest for anyone who is concerned about identity theft to put a fraud alert on their credit report,” says Dean. “That way, you make sure that you know every time your credit gets pulled.”
A credit freeze is similar to a fraud alert but even more secure. If you opt for a credit freeze, you’ll lock your credit reports against any new activity. With a freeze in place, no one will be able to open any new credit accounts in your name—not even you—unless you lift the freeze by providing your consent and an individual personal identification number.
Credit freezes don’t prevent you from getting unscreened credit offers, but they do make it much harder for any identity thieves to use your name without your knowledge by blocking all access to your credit reports. In most cases, if a lender can’t review your credit report, they won’t issue new credit.
To place a credit freeze, you’ll need to contact each credit bureau individually and set it up, according to the FTC. Make sure to confirm your contact info with each one, and keep your individual password or PIN in a safe place. As long as you have your password or PIN handy, you can always call back and unfreeze your credit immediately, should you need to use it.
5. Only share info with businesses you trust.
When it comes to sharing your personal information, it pays to do some research. When choosing to provide personal info or connect software accounts, consider the trustworthiness of the business or vendor.
For example, if you’re considering applying for financing from an online lender, make sure they’re using industry best practice security protocols. You might also look to see if they have earned any well-recognized certifications and accreditations. Some business technology and financial firms will display certifications and badges from the Better Business Bureau, attesting to their track record of handling and resolving any customer disputes in good faith.
You may also look for certifications from Norton or McAfee (or both). These can indicate that the site in question supports encrypted data transmission, is free of malware, and is monitored for security vulnerabilities. In other words, for any new vendor, lender, or potential online business partner, these designations can help raise the trust factor significantly.
Finally, one more good way to gauge the trustworthiness of a business is to check out their reviews. This might take a few extra minutes, but it’s an easy way to uncover any big red flags. For instance, when choosing between two vendors, both of whom want you to share sensitive personal or business data, you’d probably rather connect with the one that has 1,000 five-star reviews, rather than one with only 100 reviews, or one that has a more mixed review history and more negative reviews.