Why deceptive marketing should be on your radar

In the fast-moving world of today, we are all too often obsessed with the future. While this has its advantages, it can also be worth it to pause sometimes and reflect on the past. This counts double when it comes to underwriting in the card acquiring space, where the last 10 to 20 years saw massive changes in the modus operandi of both risk professionals and their adversaries.

Paradoxically, sometimes looking back at the past can give us a glimpse into the future – and what challenges lie ahead.

The dawn of online underwriting

The 2000s saw the first major transitions from traditional brick-and-mortar onboarding to digital card-not-present due diligence. This meant that risk, compliance and underwriting teams had to use new tools to identify criminal behaviour and dubious business practices online. It was also the time when many realised that doing so manually was far from efficient.

Third party providers were quick to take advantage. In the beginning, they advertised relatively primitive web crawlers that autonomously scoured merchant websites for “content violations”, often connected with obvious keywords like “cannabis” or “gambling”. This approach worked because, during the transition, many of the old due diligence measures were still not updated. When underwriters don’t prioritize online research, cybercrooks don’t have to be too sophisticated.

Although we saw the first innovations bubbling up at this time, there was still a barrier to more systemic change: Why should acquirers update their tried and tested due diligence routines? Especially for bigger financial institutions, this meant significant investments which wouldn’t yield any returns. Worse yet, better-equipped risk teams might even mean lower numbers of onboarded merchants – which in turn meant diminished profits. It took pressure from outside to change this mindset.

How Mastercard and Visa changed the game – for the better

One of the most crucial factors that contributed to the understanding that underwriting had to adapt to the online environment came from the card associations: Mastercard introduced its Business Risk and Mitigation (BRAM) Program in 2005, and Visa followed suit with their own Global Brand Protection Program (GBPP) in 2011. With this, they introduced economic incentives in the form of significant financial penalties levied against acquirers and other members of the payments ecosystem who wilfully helped cybercriminals.

These frameworks were not just created to punish transgressors; they were also a crucial resource for acquiring banks on how to assemble a sustainable merchant portfolio with manageable risk, even without completely shutting out “high-risk” businesses. Vendors quickly integrated the ever-growing pool of rules into their products and by doing so, steadily improved their capabilities. This lead to Mastercard introducing safe harbour provisions into its BRAM program, which allowed for mitigation in case their members used a licensed Mastercard Merchant Monitoring Service Provider (MMSP).

The fraudsters strike back

With more comprehensive keyword scans and web-enabled background research, the life of professional fraudsters had become significantly harder. While the more amateur criminals perished, the sophisticated ones found new ways to fool the banks. For this, they took a page out of the organised crime playbook: just launder the money!

These cybercrooks found many insidious ways to make a transaction seem legitimate to the acquiring bank. One of the most obvious ones was to maintain online storefronts that sold innocuous products like t-shirts or coffee, while the real goods were peddled through undisclosed websites. There have been many blog posts, think pieces and whole books written about the topic of transaction laundering (some by this author) during the last years. So much so that it seems it is still the biggest problem facing the payments community today.

While the fight against transaction laundering is important and requires constant vigilance, it is also true that service providers have already found technical solutions to the problem. For example, it has become harder and harder for cybercrooks to keep their undisclosed mirror websites under the radar due to advanced crawling routines.

Just to reiterate: The fight against transaction laundering is important, but it is also crucial to not lose sight of the big picture – and there are other threats lurking in the background that need our attention.

The (very expensive) elephant in the room

Deceptive marketing is the practice of misrepresenting the nature of goods and services to dupe customers into buying them. As a phenomenon, it has existed as long as there is economic activity. In terms of its financial – and sometimes existential – repercussions for acquiring banks and payment service providers, deceptive marketing’s impact on the payments industry is significant.

It is an area where regulators around the globe don’t joke around. Financial institutions that enable this kind of abuse by granting fraudsters access to the card network will not only be censured through Corporate Risk Reduction Measures (CRRM) by the card schemes and practically lose their autonomy, they might also face legal action by public prosecutors. One of the most extreme cases that come to mind is the one of PacNet, an Independent Sales Organisation (ISO) that was shut down by the US Justice Department and declared a “Transnational Criminal Organization” for aiding and abetting international fraud rings.

Despite its serious consequences, actively preventing deceptive marketing has been quite ignored in the industry. Yes, red flags like “risk-free trial” are part of the underwriter’s toolkit – but apart from this, it is widely regarded as a quasi-natural feature of the online advertising space. This is wrong.

Deceptive marketing is not an inevitable fact of doing business online. There are techniques that can meaningfully reduce the ease with which fraudsters deceive customers, acquiring banks and PSPs. 

One of these ways is to look at web traffic. Fraudsters often operate websites which look legitimate if you see them in a vacuum but are highly problematic when put into context. By employing dirty tricks like fake virus warnings, prize draws or download buttons, they funnel unsuspecting users through the client on-boarding process for products or services they are not even remotely interested in. Even more frequent, their business model isn’t even traditionally “high-risk”, which makes it even easier for them to get payments card acceptance. As deceptive marketing is not a business model, but a business practice, virtually every merchant type can be susceptible.

Fortunately, there is room for optimism

As we have seen in the past, in the case of online underwriting, things generally get better. It might take some time, but it happens eventually. Case in point, we at Web Shield, for example, are about to launch a solution that will give risk professionals the ability to quickly and comprehensively identify the tell-tale signs of deceptive marketing via traffic analysis. If the past is any indication, the emergence of technical solutions was a major step in tackling the problem effectively – until the fraudsters find a new way to pull one over on us.

About Christian Chmiel

Christian A. Chmiel, the CEO and founder of Web Shield, is responsible for the development and implementation of investigation techniques to identify fraudulent or brand damaging online merchants. He is also a lecturer at the Web Shield Academy and published several books in the fields of fraud, investigations and accounting.

About Web Shield

Web Shield equips the payments industry with tools that protect businesses from merchants involved in illegal or non-compliant activities. Their highly precise solutions provide acquirers, PSPs and other financial organisations with the information they need to make valuable decisions about prospective clients, and alert them when existing clients behave dubiously. With Web Shield, you keep your business out of risky situations, saving time and money.