Skip to main content

Introduction

Any business that offers financial services will inevitably experience fraud. It’s impossible to completely prevent fraud, and some fraud losses are to be expected as part of the operational cost of doing business. 

That said, it’s important to have a well-defined fraud-prevention strategy, one that strikes a balance between enabling business and minimizing losses. In this guide, we’ll review common  patterns of fraud, as well as discussing the tools and techniques you can use to prevent, detect, and respond to them.

Fraud can be frustrating, but it’s important to remember that you’re not confronting these challenges on your own. Unit embraces industry-leading security practices, and we’re committed to helping our clients prevent, detect, and mitigate fraud wherever it occurs. We perform fraud checks during the account-opening process (read more in our End Customer Applications Guide), and we’re always here to answer your questions.

The three types of fraud 

Before we launch into a discussion of different fraud surface areas (e.g., onboarding, payments) and how to mitigate risk, it’s important to understand the three main types of fraud. That’s because how you prevent, detect, and respond to fraud can vary widely depending on whether it’s first-party, second-party, or third-party fraud. We’ll use these concepts throughout the rest of the guide.

  • First-party fraud. This type of fraud occurs when someone knowingly misrepresents their identity or gives false information for financial or material gain. Example: A customer makes a debit-card purchase and then disputes the transaction as unauthorized.
  • Second-party fraud. This type of fraud occurs when someone knowingly gives their identity or personal information to another person so that the second person can commit fraud. Example: A customer gives their debit card to a friend or family member, who makes a purchase. Then the cardholder disputes the transaction.
  • Third-party fraud. This type of fraud occurs when someone’s identity or personal details are used without their consent. That includes manufactured identities (synthetic identity fraud), in which the fraudster creates a new identity using stolen and false information. Example: A fraudster uses the victim’s personal information to apply for a bank account and then commits fraud.

Fraud surface areas & how to mitigate risk

A fraud surface area is a touchpoint you have with your customers, one that is vulnerable to first-, second-, or third-party fraud. The tables below detail the kinds of fraud our clients have experienced, organized by surface area.

Account opening fraud

DefinitionDetection methodsMitigation tools
A fraudster obtains the identity of another individual and attempts to open a new account with the stolen information.Unit or the client may receive notification from the victim because they:

  • Received a card in the mail that they didn’t apply for

  • Received an email they don’t recognize

  • Were notified by an identity monitoring service
  • Device fingerprinting

  • Client’s internal denylist for fraudulent IPs, emails, phones, etc.

  • Unit’s internal denylist for fraudulent IPs, emails, phones, etc.

Account takeover

DefinitionDetection methodsMitigation tools
Account takeover (ATO) occurs when an unauthorized party gains access to a customer's account. Common methods of unauthorized access include social engineering, phishing, and reused passwords that have leaked from other platforms. Once in control of the account, attackers often try to withdraw any available funds.
  • Track User Login Patterns: Monitoring user login patterns helps identify unusual activity that could indicate account takeover attempts.
  • Third-Party Solutions: Using third-party vendors that offer solutions for ATO prevention is recommended. These solutions can provide data on IP addresses, device IDs, and behavioral and biometric indicators.
Known ATO Patterns to Watch For
  • First-time seen IP or device ID for an existing user
  • The same IP or device ID associated with multiple users
  • Multiple logins at unusual hours or locations, especially outside the US
  • Money movement shortly after changing contact information (e.g., email, phone, or address)
Highly Recommended Actions to Guard Against Account Takeovers
  • Require Two-factor authentication (2FA) Before Changes to Personal Information: This includes any changes to the phone number, email, or address.
  • Require 2FA Before Sensitive Actions: Changing a card's PIN and viewing a card's number/CVV requires 2FA and cannot be done without it. It is recommended to require 2FA in additional cases such as transferring large amounts of money out of the account or password change.
  • Important: The verification code should be sent to the phone or email currently associated with the account prior to the requested change or action. Any request to bypass this, whether via email or phone, should be regarded as highly suspicious.
Additional Security Measures
  • Password Strength Rules: Enforce rules requiring at least eight characters, including capital letters, numbers, and special characters.
  • Periodical Password Changes: Enforce users to change their passwords periodically to reduce the risk of unauthorized access.

ACH debit origination fraud

DefinitionDetection methodsMitigation tools
Funds are pulled from a third-party account via ACH debit. In these cases, the legitimate account owner can be either a victim or the one committing the fraud. Learn more in our ACH Debit Fraud Guide.
  • Unit notifies clients of ACH returns via webhook. These notifications include specific reason codes, for example“Customer Advises Unauthorized”, “Stop Payment,” and “Account Frozen.”

  • Clients should monitor for accounts with excessive return rates. We are happy to help clients establish what constitutes an excessive return rate, as well as parameters for when to freeze or close such accounts. We will also notify you if your overall return rate is problematic.

  • Clients can monitor rejected transactions exceeding daily limits or ACH transactions approaching daily limits via webhook notifications.
Unit clients are contractually obligated to keep unauthorized ACH debits below 0.05% of all ACH-debit originations. High return rates can result in the suspension of ACH-debit origination for a given client. As such, we recommend the following preventive measures:

Check deposit fraud

DefinitionDetection methodsMitigation tools
As with ACH-debit fraud, funds are pulled from a third-party account, resulting in losses. Fraudsters will write and/or attempt to deposit bad checks, altered checks, fictitious checks, and checks that have already been deposited.
  • Unit reviews check images using a combination of technology and manual reviews.

  • Unit monitors responses from the check-image SDK.

  • Unit monitors return volumes.

Card activity fraud

DefinitionDetection methodsMitigation tools
In these cases, fraudsters take advantage of card-processing rules regarding merchants (such as gas stations, rental cars, and restaurants) where the temporary authorization can be less than the final amount charged. Such fraud occurs when the fraudster spends more than they have in their account, or spends their balance twice, causing the account to become overdrawn.
  • Unit and the client review overdrawn accounts to identify customers with suspicious behavior.

  • The client can review for excessive card declines and take action if they feel the account activity is suspicious.
  • Customize your authorization flow.

  • Unit implements card-transaction risk-based rules.

  • Take action on overdrawn accounts; for example, communicate with the customer, block their card, and/or close the account.

Disputes (first-party fraud)

DefinitionDetection methodsMitigation tools
The customer makes a purchase, receives the goods or services, and proceeds to deny the purchase by raising a dispute, claiming that the card was lost or stolen.

If the merchant proves that the purchase is legitimate and that they have taken sufficient measures to authenticate the cardholder (e.g. chip+pin, 3D-secure), or if the disputed amount is under $25, the liability (and loss) lies with the issuer.
  • The client and Unit should monitor dispute trends for unusual activity.

  • The client should monitor customer support interactions for red flags, such as preemptive inquiries about the dispute process.

Disputes (third-party fraud)

DefinitionDetection methodsMitigation tools
This is similar to first-party disputes fraud (above), except that the cardholder did actually have their card details compromised and did not authorize the transaction(s).
  • Unit and the client monitor disputes.

  • Unit and the client monitor for atypical transactions, e.g., outside the cardholder’s area of residence and/or normal spending patterns

Marketing-generated fraud

DefinitionDetection methodsMitigation tools
Announcements about new financial features, rewards programs, or even company news (e.g., fundraising) can cause a spike in fraudulent signups.
  • Unit and the client monitor application volumes. We look for patterns of unusual behavior associated with applications (foreign IPs, etc.).

  • Clients may be able to detect changes in volumes associated with customer-service inquiries.
  • Device Fingerprinting

  • Implement minimum qualifying events in order for customers to earn rewards or access high-risk features such as ACH-debit origination or check deposits.

Fraud prevention tools: a deep dive

Some tools are used by Unit as a default across all clients. They include tools at the onboarding phase (ID verification, address verification, document verification, Unit platform denylists), card-transaction scoring, AML monitoring, ACH name-match review, and check-deposit review. Other opt-in tools are covered below.

ToolBest forHow does it work?
Device fingerprinting
  • Detecting identity theft during onboarding

  • Detecting fraud attacks from outside of the US
We recommend implementing device fingerprinting. The collection of this information helps Unit determine whether there are risks associated with the device being used to apply for the account—for example, the detection of mobile emulators, proxies, foreign IP addresses, VPNs, and whether the same device was used to initiate multiple applications on the Unit platform.
Plaid Balance
  • Detecting insufficient funds to complete an ACH transfer
We require implementing Plaid Balance checks when initiating an ACH debit. This allows you to verify the balance in the counterparty account prior to initiating the payment. It’s not foolproof; the balance in the account can change before the ACH payment has settled. However, it’s a good baseline. This check helps prevent potential fraudsters from attempting multiple ACH transactions to accounts with insufficient balances.
Plaid Identity
  • Detecting account ownership discrepancies for ACH-debit origination
We require implementing Plaid Identity for “me to me” payments, to verify that the owner of the account being debited matches the name of the Unit account holder.

This will help reduce the risk of unauthorized returns and the potential for losses. Keep in mind that Plaid Identity is not available for all financial institutions, and it does not prevent first-party fraud. Additionally, Plaid Identity may not be an option when allowing a customer to originate ACH debits from a third party (e.g., a business customer sends an invoice to be paid by ACH).
Limits
  • Reducing loss exposure

  • Deterring fraudsters
Unit enforces limits on various payment types. Set reasonable limits that you think the vast majority of your customers can reasonably be expected to stay within. Do not set limits based on edge cases, as you may unnecessarily expose yourself to risk.
Clearing periods
  • Reducing loss exposure

  • Deterring fraudsters
Funds that arrive as part of originated ACH debits or check deposits are subject to a clearing period. That means the funds are held in a dedicated account and are not made available to the customer until the clearing period is over. Longer clearing periods often result in fewer returns and less fraud, for the simple reason that it gives legitimate account holders longer to detect and report fraud on their accounts. Learn more in our ACH Debit Fraud Guide.
Product tiering
  • Reducing loss exposure

  • Deterring fraudsters

  • Giving VIP customers a better user experience
By using what you know about an applicant to assess their risk level, you can assign them to different tiers within your financial offering. For example, low-risk customers may be assigned higher account limits and more attractive rewards, while gaining access to certain features like ACH-debit origination or mobile check deposit. Medium-risk customers might be offered lower limits and less favorable terms. Finally, high-risk applicants could be kept off your platform altogether. This allows you to offer a better experience to low-risk customers while reducing your exposure to higher-risk customers. Learn more in our KYC Guide.
Marketing
  • Preventing identity theft

  • Increasing the likelihood that you’re onboarding customers who will actually engage with your product
Focus your marketing materials on your target audience and limit referral programs to those that encourage account use. Fraud risk is reduced when eligibility requirements are implemented, such as requiring direct deposit or a certain number of transactions before receiving rewards. See our Rewards Guide for more details.
Freezing and closing accounts
  • Reducing loss exposure

  • Deterring fraudsters
Unit monitors account activity in several key areas that are known to be targets for fraudsters. We may reach out to you about activity we regard as suspicious and discuss how to proceed. We may also provide recommendations.

If fraud is detected or strongly suspected, the client may freeze an account; however, accounts should not remain frozen without further action for more than five business days. Clients may receive increased complaint volumes for frozen accounts and cards; consequently, the reason for freezing the account should be retained and documented.

Using webhooks to monitor for fraud

We recommend that clients monitor the following webhook events that Unit provides, as they can be indicative of fraud. Unit may also notify clients of unusual activity or behavior patterns that are indicative of fraud and allow clients to decide on account closure.

  • Originated ACH returns. Both Unit and the client should monitor ACH returns that could be indicative of fraud. These include ACH payments that are returned as Unauthorized, Account Frozen, or Stop Payment.
  • Received ACH returns. Both those that are frequent/large in number and those that have a high dollar value. You can identify those by listening for new return transactions.
  • Disputes. Clients will be notified via webhook of all disputes and dispute updates.  Clients can use these notifications to compare to customer service inquiries or other Client specific interactions such as log-in attempts to their application to determine if these disputes appear suspicious.
  • Check Deposit: Unit reviews deposited checks prior to processing them; we’re looking for possible alterations, checks that have already been deposited, and counterfeits. We’re also ensuring that the payee name matches the account-holder name. If we detect any unusual checks, we’ll notify you via webhook and allow you to decide whether an account should be frozen or closed.

Suspicious account activity and how to address it

When there is unusual activity on an account, feel free to use the tools at your disposal to freeze or close the account. If you’d like to consult with Unit, you can fill out a support form or send us an email. (If you’re using Zendesk, just share a ticket with us.) Below are a few final examples of account activity that may be indicative of fraud and warrant further investigation:

  • Customer requests to change their phone number or email address 
  • Customer reports multiple lost cards and/or requests for new cards
  • Customer will not provide verification information 
  • Customer provides incorrect verification information
  • Customer waits long periods before providing verification information
  • Customer provides inconsistent information
  • Customer requests frequent limit increases
  • Customer wants their request processed immediately, regardless of normal procedures
  • Customer becomes hostile or irate
  • Customer contacts customer service on a new device or with a new email address
  • Customer contacts customer service from a location outside of the United States
  • Customer contacts customer service and gives a name other than the one on the account
  • Customer interacts with support using inconsistent grammar

Conclusion

Fraud is a reality of financial services, and the tactics that fraudsters use will continue to evolve.  Unit will monitor the ecosystem and update our systems and controls to account for any trends we observe. Please reach out to your CSM or compliance lead if you have any questions about the contents of this guide.