When PayPal announced in February 2022 that it had discovered 4.5 million illegitimate accounts, it brought to light one of the largest cases of account fraud on record. The sheer scale of the fraud should have put online businesses on high alert. Instead, news coverage focused almost exclusively on the accusation that PayPal had inflated the growth of new accounts on its platform.
On the day following the disclosure, PayPal stock declined by 25%, representing a $62 billion drop in market capitalization. PayPal now faces a class action lawsuit by shareholders alleging that it turned a blind eye to illegitimate accounts to inflate the number of net new active accounts (NNAs).
Four Key Takeaways From The Paypal Account Fraud Case
- Cybercriminals are running targeted account fraud at scale. The PayPal case shows how sophisticated today's attackers are: using personal information stolen in data breaches, they create millions of fake or synthetic accounts, and they deploy bots to hit a single company with thousands of automated registrations. No online business is safe from this type of organized, targeted account fraud.
- Marketing and fraud teams must collaborate in advance. The case also highlights the conflict of interest between Marketing departments and Fraud/Security teams. During 2021, PayPal ran marketing campaigns that offered $5 or $10 to new customers who signed up for PayPal or Venmo. Fraudsters targeted these promotions with bots that registered new accounts automatically and collected the cash rewards at scale. The shareholder complaint alleges that management tolerated the fraud in order to showcase account growth, accepting millions of dollars in wasted marketing spend on accounts that would never use the service.
- Who’s watching for account fraud? The account fraud attack on PayPal highlights a gray area in how online businesses deal with account fraud. Historically, fraud departments have focused on transaction fraud, such as credit card fraud, payments fraud, and chargebacks, which occur after customers have logged into their accounts. Account fraud, which occurs at the point when the customer registers for a new account or logs into an existing account, is usually not the responsibility of fraud departments.
The department that traditionally manages user accounts is the Identity and Access Management (IAM) team. However, their responsibilities are mostly focused on self-service registration, password management, and authentication. If cybercriminals successfully bypass IAM controls and create fake accounts, then IAM teams may be unaware of fraud risk lurking in existing accounts.
- Wasted marketing costs are just the tip of the iceberg when it comes to account fraud damage. The big takeaway from the PayPal case is the fact that many companies underestimate the risk of allowing fake accounts to proliferate. In the PayPal case, the fraudsters were clearly focused on stealing cash for account signups, but there is a much longer list of potential damages that can be inflicted by fraudsters, who can weaponize fake accounts or bots to:
  - Commit financial fraud, by transferring legitimate customers' money to fake accounts, by taking out loans using fake accounts, or by claiming medical benefits using fake accounts.
  - Compromise gambling and gaming platforms by manipulating game play, creating spam, and stealing in-game assets.
  - Create fake product reviews that compromise the integrity and authenticity of digital platforms.
  - Gain access to legitimate user accounts, or probe for vulnerabilities that can later be exploited.
What Is Needed to Fight Account Fraud?
Fighting account fraud requires a delicate balance. Companies must block access by bad actors, while at the same time minimizing friction for legitimate customers, who despise complex sign-up processes and security challenges.
Verosint provides a new approach to fighting account fraud, signal-based identity assurance, which allows businesses to assess the risk of users as they register and log in to web applications, stopping account fraud before it can cause downstream damage.
Verosint helps online businesses detect and prevent account fraud in two important ways:
- First, Verosint can detect fake accounts that are already in customer data repositories. By analyzing all accounts, assessing them for risk, and correlating accounts to each other, Verosint can identify and target these illegitimate accounts for removal, essentially “cleaning up” customer accounts that were created using fraudulent means.
- Second, Verosint can stop future account fraud at the point of registration and login, assessing risk and working with IAM tools and business systems to challenge or block fraudulent registrations and logins, continuously maintaining the "cleanliness" of customer accounts.
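To make the two-stage approach concrete, the following is an added illustrative example in Python. It is not Verosint's code and does not describe its product internals; it assumes a simplified account record, constructed sample data (a six-account promo-farming bot burst like the one described in the PayPal takeaways, plus two real users), and made-up risk weights and thresholds. The first function correlates existing accounts on shared signals (signup IP, device ID, normalized mailbox) to find clusters for cleanup; the second scores a new registration against those clusters and a signup-velocity signal, and returns an allow / challenge / block decision.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    """Minimal account record; real systems carry many more signals (ASN, UA, phone, etc.)."""
    username: str
    email: str
    signup_ip: str
    device_id: str
    created_at: datetime


def email_root(email: str) -> str:
    """Normalize an address so plus-tags and Gmail dots cannot hide one shared mailbox."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def correlate(accounts, min_cluster=3):
    """Cleanup pass: group existing accounts that share a signup IP, device ID or
    mailbox. Any signal shared by min_cluster or more accounts becomes a flagged cluster."""
    by_signal = defaultdict(set)
    for a in accounts:
        by_signal[("ip", a.signup_ip)].add(a.username)
        by_signal[("device", a.device_id)].add(a.username)
        by_signal[("email", email_root(a.email))].add(a.username)
    return {sig: sorted(names) for sig, names in by_signal.items()
            if len(names) >= min_cluster}


def recent_signups(existing, candidate, window=timedelta(minutes=10)):
    """Velocity signal: registrations from the candidate's IP in the preceding window."""
    return sum(1 for a in existing
               if a.signup_ip == candidate.signup_ip
               and timedelta(0) <= candidate.created_at - a.created_at <= window)


def score_registration(existing, candidate, clusters=None):
    """Gate pass: score a new registration against the population and decide
    allow / challenge / block. Weights and thresholds are illustrative assumptions."""
    if clusters is None:
        clusters = correlate(existing)
    score, reasons = 0, []
    checks = [
        (("device", candidate.device_id), 50, "device ID shared with a flagged cluster"),
        (("ip", candidate.signup_ip), 30, "signup IP shared with a flagged cluster"),
        (("email", email_root(candidate.email)), 30, "mailbox shared with a flagged cluster"),
    ]
    for signal, weight, reason in checks:
        if signal in clusters:
            score += weight
            reasons.append(reason)
    burst = recent_signups(existing, candidate)
    if burst >= 4:
        score += 40
        reasons.append(f"{burst} signups from this IP in the last 10 minutes")
    decision = "block" if score >= 70 else "challenge" if score >= 30 else "allow"
    return decision, score, reasons


# Constructed sample population: a six-account promo-farming bot burst plus two real users.
T0 = datetime(2021, 11, 3, 9, 0)
BOT_FARM = [
    Account(f"user{i:02d}", f"promo.hunter+{i:02d}@gmail.com", "203.0.113.7", "dev-bot-1",
            T0 + timedelta(minutes=i))
    for i in range(6)
]
LEGIT = [
    Account("alice", "alice@example.org", "198.51.100.20", "dev-alice", T0 + timedelta(hours=1)),
    Account("bob", "bob@example.net", "198.51.100.21", "dev-bob", T0 + timedelta(hours=2)),
]
EXISTING = BOT_FARM + LEGIT

# Constructed candidates for the registration gate.
BOT_CANDIDATE = Account("user06", "promo.hunter+06@gmail.com", "203.0.113.7", "dev-bot-1",
                        T0 + timedelta(minutes=6))
SHARED_IP_CANDIDATE = Account("dave", "dave@example.com", "203.0.113.7", "dev-dave",
                              T0 + timedelta(hours=5))
LEGIT_CANDIDATE = Account("carol", "carol@example.com", "198.51.100.30", "dev-carol",
                          T0 + timedelta(hours=3))

if __name__ == "__main__":
    for signal, members in correlate(EXISTING).items():
        print(f"cluster on {signal}: {members}")
    for c in (BOT_CANDIDATE, SHARED_IP_CANDIDATE, LEGIT_CANDIDATE):
        print(c.username, *score_registration(EXISTING, c))
```

Two design points carry over to real deployments. A shared IP on its own is weak evidence (carrier-grade NAT, corporate proxies and VPNs put many real users behind one address), which is why an IP match alone lands in "challenge" rather than "block", while a shared device fingerprint plus a registration burst is treated as strong evidence. And the same correlation logic that cleans up the existing population is what makes the registration gate useful: the clusters it finds are the context against which each new signup is judged, so the two stages should share one signal store rather than being built separately.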
Learn more about Verosint here, or request a demo today!