Fintech versus fraudsters: Behind PayPal’s 4.5 million fraudulent accounts

Fintechs are struggling with fraud. Payments giant PayPal recently identified and removed 4.5 million illegitimate accounts on its platform, reported CEO Dan Schulman during the firm’s Q4 2021 earnings call. After publishing its earnings reports, the payment processor also saw its stock value slump by 25%, the largest single-day drop on record.

What’s happening at PayPal?

PayPal has 426 million accounts registered on its platform, acquiring 120 million of those within the last two years. With the emergence of new payment methods and processors, the firm has been going through a phase of slowing growth. Growth in its total payments volume fell short of analyst expectations, rising 23% in Q4 2021 — the smallest increase in two years. In this context, we look back at PayPal experimenting with its customer acquisition strategy by offering its first-ever sign-up incentive program in 2021, and it makes sense. These incentivized accounts, however, are what eventually fell prey to fraudsters.

PayPal’s risk management team discovered that many of the new incentivized accounts were being created by bot farms, a spokesman for the company said. Bot farms are computer systems that run on automated software, performing manual tasks like filling out sign-up forms, which are often deployed in fraud schemes. 

The firm has since pulled the plug on its incentivized account opening program, on account of it being exploited by bad actors. With that, the firm lowered its forecast for new customers and abandoned its ambition to achieve 750 million active accounts by 2025 — a goal for which it had already spent a lot on marketing campaigns. Revising its customer acquisition strategy, the firm now wants to move away from incentive programs, focusing instead on sustainable growth by getting current customers to engage with PayPal’s apps more frequently. 

What we’re seeing at PayPal is a systemic issue, related directly to identity theft and synthetic fraud, according to Mary Ann Miller, vp for client experience at Prove, which uses mobile devices to ID people.

“The use of weaponizing personal information for bots to attack account creation flow is not a single organizational issue,” she told Tearsheet. “Cybersecurity and fraud teams are regularly waking up to attacks that require immediate attention and remediation.”

An industry-wide view

The Aite-Novarica Group reports that fintech companies have an average fraud rate of roughly 0.30%. That’s double the rate of credit cards, which has historically ranged from 0.15% to 0.20%, and 3x as high as debit cards’ 0.10% average fraud rate.

Neobanks like Chime and payments apps like CashApp, with their fast approval and low-to-no-fee accounts, have also suffered from cases of fraud throughout the pandemic. This has culminated in several rental services eventually blacklisting them. For example, Avis Car Rental last year tweeted out “we accept debit cards and haven't stopped taking them, only Chime cards we no longer accept due to many fraud reports” in reply to a user query.

Investment platforms are also under fire. They emerged as easy ways for thieves to launder money stolen from the government’s pandemic relief programs. Empowered by the speed of registrations, fraudsters used such digital platforms to dump money by creating fraudulent accounts through stolen identities, investigators said. The government estimates that over $100 million of fraudulent funds passed through accounts on four investment platforms, namely Robinhood, TD Ameritrade, E*Trade, and Fidelity.

Fraud incidents are rarely "one and done" events, and bad actors come back time and again until the compromised organization puts the right controls in place. Many organizations are either closing accounts related to attacks or discovering some slipped through the cracks and are actively wreaking havoc — causing loss and taking valuable time away from fraud teams in helping customers who are victims of fraud.

How is today’s digital financial world fertile for fraud?

There is no lack of innovation in the methods that fraudsters use to commit fraud, and some old-school fraud is alive and well. 

In the US, 1 in 5 consumers is targeted by phone scammers. T-Mobile tracks scam calls on its network, and in 2021, disclosed a 116% increase in scam attempts. In addition, between January and November 2021, the traffic identified as ‘scam likely’ by the provider more than doubled, from 1.1 billion to 2.5 billion calls.

T-Mobile found that the most popular scam attempt, in terms of volume, was fake vehicle warranties (51%). Other attempts included pretending to be with the social security office, wireless provider, car insurance company, or package delivery. 

Digital banking actively gives customers much more control over their accounts than traditional banking. Customers who, by and large, are unaware of the security risks they face become more vulnerable. They often write down their passwords or are easily manipulated into sharing data that in turn is used against them. 

Additionally, digital services are used for their capacity to process great volumes of digital transactions, which traditional models of fraud detection and monitoring are inept at dealing with. Fraudsters hence find it easy to slip through the cracks — digital banking potentially makes their job easier.

Digital identity is ‘broken’

In Miller’s opinion, the root issue with fraud is that digital identity today is broken. Nearly anyone with stolen personal information — such as name, social security number, and date of birth — can easily open accounts in another person's name. Service providers can not be sure whether the person at the end of a device is the same person whose information is being presented.

Organizations with weak digital identity-proofing protocols are at a higher risk of fraud, as crooks actively search out such targets. Fraudsters have even organized themselves into a community and share notes on social platforms like Reddit and Telegram.

How can firms begin to fix their digital identity-proofing processes? By asking the right questions.

“Do you have a large book of accounts or users that have been dormant or "took the incentive" and ran? Do you have spikes of fraud from accounts that never had good activity like remote check deposit fraud, ACH fraud, or dispute abuse fraud? Do you see account information like phone number and address changes that are in high velocity? What is your dormancy rate on your books?” Miller asked.

The first step to developing an efficient system may be looking for identity proofing and fraud signals, then incorporating them into the onboarding flow. Many of such signals can be passive, and combining them together can start to paint a picture for better onboarding decisions while maintaining consumer ease of use. Such solutions exist in the market today, and their wider adoption may be a key step in the fight against fraud.

Where are current providers lagging?

Service providers often don’t get really serious about fraud detection until a large loss event occurs. By then, it might already be too late. In many cases, fraud roadmaps are sitting in audit and risk committee decks, but are not prioritized.

“I don't know one fraud leader that says they are getting the support from the C-level that they require – that is an industry issue,” Miller said.

With so much at stake for consumers, the government is taking additional steps to protect them. In 2021, the CFPB updated its Regulation E, which monitors electronic fund transfers. Now, banks and fintechs can’t point their fingers at their partners, making them more responsible for reimbursing their customers who have fallen victim to fraud. Over the year, CFPB has also taken note of individual lapses from different fintechs, opening inquiries on multiple firms including Zelle, GreenSky, and LendUp.