23 NYCRR 500
A regulation issued by the New York State Department of Financial Services (NYDFS) requiring the financial services companies it supervises (banks, insurers and other licensed entities) to maintain a cybersecurity program. Formally Part 500 of Title 23 of the New York Codes, Rules and Regulations, it requires covered entities to assess their cybersecurity risk and implement a written program and policies that address that risk, including designating a CISO, performing periodic risk assessments and notifying NYDFS of qualifying cybersecurity events within 72 hours.
Account Takeover Fraud (ATO)
When a legitimate customer’s account is illegally accessed for the purposes of committing fraud. A type of Identity Fraud.
Refers to any false or unscrupulous activity meant to generate commissions from an affiliate marketing program.
Anti-Money Laundering (AML)
The laws, regulations and controls that require financial institutions to detect, prevent and report money laundering: disguising illegally obtained funds through a series of transactions so that they appear to come from a legitimate source. Know Your Customer (KYC) checks and transaction monitoring are core AML controls.
Application Fraud
Applying for a loan, new account or insurance policy using a stolen or synthetic identity.
A cheating abuse where a player finds a way to manipulate the odds in their favour, for example by placing bets both for and against the outcome of a boxing match.
Bonus Abuse
Opening multiple new accounts (using stolen or spoofed identity data) to take advantage of new-player incentives and bonuses, most often in the gaming and gambling industry.
Type of credit card fraud where an individual, using either their own or synthetic identity, establishes a normal usage pattern and consistent repayment history, in an attempt to acquire a high credit limit. The fraudster then racks up numerous charges, maxes out the credit limit and ceases to make payments. A type of “sleeper fraud”.
Call / Contact Center Fraud
Fraudsters increasingly target the contact center because it often has fewer fraud controls than online channels. They gather data about customers (often from breaches or social media), then combine high-pressure tactics with caller ID spoofing to socially engineer agents into actions such as resetting credentials or changing contact details, enabling account takeover, application fraud and policy fraud.
Card Not Present (CNP)
Fraud committed where the physical card is not presented, typically online, by phone or by mail order, so the merchant cannot inspect the card or verify a PIN or signature. Fraudsters set up fraudulent accounts, for example on gambling sites, and target e-commerce sites where they can resell stolen merchandise. Because EMV chips do not protect these channels, CNP fraud has grown as card-present fraud has become harder.
A process where fraudsters test whether stolen card details are still valid, typically by making small or random purchases (or authorizations) online, often in bulk using bots, before using or selling the cards that work.
A customer files a chargeback on a legitimate transaction, claiming either that they did not receive the order or that they did not place it, so they keep the product and receive a full refund on the original purchase. This leaves the merchant on the hook for the lost revenue from the sale, plus expensive chargeback fees.
Chargeback
A chargeback is a reversal of a card payment initiated by the cardholder's issuing bank, usually after the cardholder disputes the charge, for reasons such as fraud, non-delivery or merchandise return, but not the cardholder's inability to pay. The funds are taken back from the merchant, who typically also pays a chargeback fee.
A cheating abuse where one player intentionally loses chips to another player at the table. In this type of scenario fraudsters will collude using stolen credit cards to setup multiple accounts and feed chips to one legitimate player who then cashes out.
A fraudster files a false insurance claim to attempt to get a fraudulent payout.
Player Collusion
Players work together to game the system by sharing information to manipulate the game and influence its outcome. A single person can even conduct a form of player collusion by playing in the same game using multiple accounts. These players rob others of a fair game, and also tend to work together to take advantage of bonuses and promotions.
Crash for Cash
An insurance scam where fraudsters deliberately stage a collision, often with the vehicles of innocent motorists, to profit from the resulting insurance claim, defrauding the insurer.
Credential Stuffing
A common method of account takeover. A fraudster obtains a large set of username/password pairs compromised in breaches elsewhere and tests them, usually with bots, against a website or mobile app; because people reuse passwords, some fraction succeed, and the fraudster takes over those accounts.
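Both credential stuffing and card testing (above) show the same signature in logs: one source making many attempts against many different subjects (usernames or cards) with a low success rate. The following is an added example, not code from the original glossary, showing a sliding-window velocity check over constructed log lines; the `ts= ip= user= result=` line format and the thresholds are assumptions chosen for illustration, not any product's schema or defaults.

```python
# Added example: velocity detection for credential stuffing and card testing.
# Log lines, field names and thresholds are constructed for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Event:
    ts: float      # unix seconds
    source: str    # client IP (could also be a device fingerprint or merchant ID)
    subject: str   # username tried, or card token authorised
    ok: bool       # login succeeded / authorization approved


def parse_kv_line(line: str) -> dict:
    """Parse a 'key=value key=value ...' line (constructed format, not a vendor's)."""
    return dict(kv.split("=", 1) for kv in line.split())


def load_events(lines: Iterable[str], subject_key: str,
                ok_values=("success", "approved")) -> list:
    """Turn log lines into Events; subject_key selects 'user' or 'card'."""
    events = []
    for line in lines:
        f = parse_kv_line(line)
        events.append(Event(ts=float(f["ts"]), source=f["ip"],
                            subject=f[subject_key], ok=f["result"] in ok_values))
    return events


def detect_velocity(events, window_s, min_attempts, min_distinct, max_success_rate):
    """Return {source: reason} for every source that, within any window of
    window_s seconds, made at least min_attempts attempts against at least
    min_distinct subjects with a success rate at or below max_success_rate.
    A legitimate user retrying one account fails the min_distinct test; a
    shared NAT with many successful logins fails the success-rate test."""
    per_source = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = per_source[ev.source]
        q.append(ev)
        while q and ev.ts - q[0].ts > window_s:   # drop events outside the window
            q.popleft()
        if len(q) < min_attempts:
            continue
        distinct = len({e.subject for e in q})
        success_rate = sum(e.ok for e in q) / len(q)
        if distinct >= min_distinct and success_rate <= max_success_rate:
            flagged.setdefault(ev.source, f"{len(q)} attempts, {distinct} distinct "
                                          f"subjects, success rate {success_rate:.0%}")
    return flagged


# Constructed sample: one IP spraying 40 breached usernames (two happen to work),
# and a real user who mistypes her password twice.
AUTH_LOG = [f"ts={1700000000 + i} ip=203.0.113.5 user=user{i:03d}@example.com "
            f"result={'success' if i in (7, 23) else 'fail'}" for i in range(40)]
AUTH_LOG += [f"ts={1700000000 + 3 * i} ip=198.51.100.7 user=alice@example.com "
             f"result={'fail' if i < 2 else 'success'}" for i in range(3)]

# Constructed sample: one IP running $1.00 authorizations across 24 stolen card
# tokens (a few are still live), plus one ordinary purchase from elsewhere.
CARD_LOG = [f"ts={1700000100 + i} ip=192.0.2.9 card=tok_{i:04d} amount=1.00 "
            f"result={'approved' if i % 6 == 0 else 'declined'}" for i in range(24)]
CARD_LOG += ["ts=1700000100 ip=198.51.100.20 card=tok_real amount=59.99 result=approved"]


def stuffing_sources():
    # >=20 attempts on >=15 distinct usernames in 5 minutes with <=20% success
    return detect_velocity(load_events(AUTH_LOG, "user"), 300, 20, 15, 0.20)


def card_testing_sources():
    # >=10 authorizations on >=10 distinct cards in 10 minutes with <=30% approval
    return detect_velocity(load_events(CARD_LOG, "card"), 600, 10, 10, 0.30)


if __name__ == "__main__":
    print("credential stuffing:", stuffing_sources())
    print("card testing:", card_testing_sources())
```

In production the source key is usually a combination (IP, device fingerprint, ASN) because stuffing tools rotate through proxies; the per-source window above is the building block, and the same function can be keyed on the account being targeted to catch distributed attacks against one high-value user.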
Credit Card Fraud
Fraud committed using a stolen or counterfeit credit card in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.
Credit Industry Fraud Avoidance System (CIFAS)
A fraud prevention service in the United Kingdom. It is a not-for-profit membership association representing organisations from across the public, private and voluntary sectors. In 2016, CIFAS had over 360 member organisations.
When a legitimate customer transaction is mistakenly declined, generally for suspected fraud.
Data Security Standard (DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council, for any organisation that stores, processes or transmits cardholder data for debit, credit and prepaid card transactions, intended to protect cardholders against misuse of their card data.
Drop Box Shipping Fraud
Using a stolen or counterfeit credit card to make a fraudulent purchase that is then drop shipped to a location that differs from the billing address. The merchant is often unaware of the fraud until it turns into a chargeback. Besides the lost revenue and lost merchandise, they are also still on the hook for paying the drop shipper.
Electronic Funds Transfer (EFT)
A payment method in which funds move between bank accounts electronically, for example a merchant (the payee) debiting the customer's (the payer's) bank account by direct debit, or the payer initiating a credit transfer.
Europay, MasterCard, Visa (EMV)
Is the global standard for chip-based Debit and Credit Card transactions.
False Decline / False Positive
When a legitimate customer’s transaction is mistakenly declined, generally for suspected fraud.
Friendly Fraud
Friendly fraud is generally used to describe fraud perpetrated by legitimate customers, whether intentional or unintentional. For example, a customer could file a chargeback on a legitimate transaction, claiming either that they did not receive the order or that they did not place it, so they keep the product and receive a full refund on the original purchase. This leaves the merchant on the hook for the lost revenue from the sale, plus expensive chargeback fees.
General Data Protection Regulation (GDPR)
GDPR (or General Data Protection Regulation) is an EU regulation that protects the personal data and privacy of individuals in the EU. It applies to any organisation, inside or outside the EU, that processes the personal data of people located in the EU, regardless of their citizenship.
Ghost Broker
A fraudster who masquerades as a legitimate insurance broker. Ghost brokers use several tactics to defraud customers, including forging insurance policy documents, falsifying details to get a reduced rate, or purchasing legitimate coverage and then cancelling it without the customer's knowledge. The unaware customers are left exposed and uninsured.
Know Your Customer (KYC)
Actions businesses use to confirm the identity and potential risk of their customers. This is a legal requirement to comply with Anti-Money Laundering laws.
Knowledge-Based Authentication (KBA)
A method of authentication that uses knowledge possessed by the user to verify their identity. The user is typically asked a series of questions for which they know the answer but that are not widely known, such as a previous address or loan amount. Because such answers are often available from data breaches, public records and social media, KBA is considered a weak factor and should not be relied on alone.
The transfer of financial liability for a fraudulent transaction from the merchant to the issuing bank. Under the EMV liability shift, the party that has not adopted chip technology bears the loss; for online payments, liability for a transaction that the issuer has authenticated (for example via 3-D Secure) moves from the merchant to the issuer.
Loan Stacking or Application Fraud
Taking out multiple loans from different lenders in rapid succession, often with a stolen or synthetic identity, before the earlier loans appear on the applicant's credit file. The fraudster may use one loan to keep another current long enough to qualify for more credit, then default on all of them.
Taking over a trusted user account to access loyalty points or bonuses that can be used to make purchases or sold to others.
Mid-Term Adjustment (MTA)
Also known as mid-term modification, refers to any change made to an insurance policy after it has started. For example, changing an address four months after an insurance policy began would be a mid-term adjustment. MTAs are a common point of abuse after account takeover, since the fraudster can change contact details, add drivers or alter cover without writing a new policy.
Providing false information to reduce the cost of a policy, e.g. misrepresenting age or under-reporting average miles traveled per year
National Insurance Crime Bureau (NICB)
A United States not-for-profit organization that partners with insurers and law enforcement agencies to facilitate the identification, detection, and prosecution of insurance criminals.
New Account Fraud (NAF)
Fraudsters use stolen or synthetic identities to create new accounts to perpetrate other types of fraud or abuse, such as bonus abuse.
One-Time Password (OTP)
Also known as a one-time pin or dynamic password, it is a password that is valid for only one login session or transaction. Often used in two-factor authentication, where the user has something that delivers an OTP (a hardware token or authenticator app) and also knows something (like a PIN). The server must reject a code that has already been accepted, even if it is still within its time window, otherwise an intercepted code can be replayed.
Any transaction that is done using fraudulent means such as using a stolen credit card number.
Payment Services Directive (PSD2)
PSD2 (Directive (EU) 2015/2366) is the 2015 revision of the Payment Services Directive (PSD), which the European Commission proposed and the EU adopted in 2007. PSD created the legal foundation for the Single Euro Payments Area (SEPA), essentially establishing a single market for payments (credit transfers, direct debits, cards) in the European Union. PSD2 extended it by opening bank accounts to licensed third-party providers (open banking) and by mandating Strong Customer Authentication (SCA) for electronic payments and account access.
Player Self Exclusion (PSE)
Either a regulation or policy that is meant to promote responsible gambling and protect problem gamblers. In areas that have enacted self-exclusion policies, an individual can self identify as a problem gambler and request that their name be added to a self-exclusion list which will bar them from future gambling.
Point of Sale (POS)
A transaction that takes place between a merchant and a customer when a product or service is purchased, usually completed through a point of sale system (card terminal and register software).
Policy Fraud
A fraudster uses a stolen or synthetic identity to apply for a fraudulent insurance policy, either as a ghost broker or to make false claims.
New accounts that have been opened in abnormally short times and in rapid succession, usually an indication of fraudulent activity.
Exploiting a customer promotion, for example opening up 100 new accounts to take advantage of a promotion offer to get a $20 credit when you open a new account.
Special Investigations Unit (SIU)
Investigations unit responsible for investigating fraudulent claims.
Strong Customer Authentication (SCA)
A requirement introduced under PSD2 that online payments and access to payment accounts be authenticated using two or more independent factors: knowledge (something the user knows, such as a password or PIN), possession (something the user has, such as a phone or hardware token) and inherence (something the user is, such as a fingerprint). The factors must be independent, so compromising one does not compromise the others.
Synthetic Identity Fraud
Fraudsters create a false identity by combining real data (such as a genuine Social Security or national ID number) with fabricated data to form a new fictitious identity, then use it to obtain credit, make purchases or open new accounts.
Any fraud involving the electronic transfer of funds.