
Digital payments fraud in the utility sector is a growing concern. The shift from traditional paper checks to digital payments within the industry has opened new avenues for fraud [1].

Here are some key points:

  1. Digital payments in utilities: Utility companies have started to shift from paper checks to digital payments to improve customer experience, reduce costs, and mitigate payments fraud [1]. However, this transition has also exposed them to new risks.
  2. Fraudulent practices: Fraudsters have developed various methods to exploit digital payment systems. For instance, they disguise collect requests as fake cashback offers or QR codes, or create spoofed virtual payment addresses (VPAs) for refunds and disaster support [2].
  3. Mitigation measures: To counter these threats, many platforms have implemented stringent know-your-customer (KYC) requirements and ongoing transaction monitoring [3]. Additionally, the use of digital portals for payments can inherently reduce fraud risk, as these require passwords and multi-factor authentication [1].

The utility sector, a critical component of our daily lives, is not immune to fraudulent activities. Among these, account takeover (ATO), synthetic identity fraud, and card testing fraud are particularly prevalent.

ATO involves unauthorized individuals gaining access to consumers’ utility accounts, often leading to financial loss and disruption of services. Synthetic identity fraud involves the creation of fictitious identities to open fraudulent accounts, causing significant financial and reputational damage to utility providers. Card testing fraud is a practice where stolen credit card information is tested on utility websites, often leading to unauthorized charges and potential service disruptions.

These fraudulent practices pose significant challenges to the utility sector, necessitating robust security measures and constant vigilance. Let’s dive in a little deeper.

ATO: A popular fraud technique in the utility sector

ATO fraud is a form of identity theft where a cybercriminal obtains credentials to online accounts. This type of fraud is on the rise, especially in sectors that have seen a significant shift toward digital payments, such as the utility sector.

In the utility sector, companies typically collect payments from their customers digitally. However, when utilities need to make payments back to their customers to resolve an overpayment, return security deposits, pay damage claims or rebates, send efficiency bonuses, or help with disaster recovery, these types of transactions can be a fraudster’s target for financial gain [4].

ATO fraud can occur through various methods, including phishing attacks, brute force attacks, or credential stuffing. The latter is a process where stolen credentials are used to gain access to a user’s account.

The rise of digital payments in the utility sector has been driven by the potential for improved customer experiences, reduced costs, improved ESG ratings, elimination of unclaimed property, and mitigation of payments fraud. However, the convenience of digital payments can expose businesses to fraud.

Despite the challenges, there are solutions available to prevent ATO fraud. A layered approach to fraud detection and prevention can significantly protect businesses and their customers throughout the credit lifecycle. This includes using technologies such as artificial intelligence to combat cybercriminals.

Synthetic identity example

Synthetic identity fraud is a type of financial crime where perpetrators combine fictitious and sometimes real information, such as names and social security numbers, to create new identities. These identities may then be used to defraud financial institutions, private industries, government agencies, or individuals. This type of fraud is reportedly the fastest-growing type of financial crime in the United States [5]. Synthetic identity fraud is rising because bot attacks/card testing and ATO are used to validate information, and because data breaches make sensitive information available on the dark web.

In the context of the utility sector, synthetic identities are used to open accounts with utility companies. The fraudster consumes the utility provider’s services without any intention of payment, leading to financial losses when the account defaults.

For example, suppose I interacted with Jim, asked him some questions about himself, and engaged with him in a friendly way. I might have received his credit card information when he went to pay at a restaurant. I then intercepted or skimmed it, Googled Jim’s name, and found out where he lives, his area code, and his cell phone number.

I would then create a new email address called [email protected] and use some of his real information, plus some of his synthetic identity information that I’ve now created. I’m now placing orders, paying my utility bills, and buying other items with this fake account. If my information is verified through an outbound reach, I could say yes, this is Jim. Yes, I did buy those sneakers, and yes, I am paying my utility company.

Card testing example

One of the top fraud threats aimed at stealing credentials is called card testing. It is commonly carried out through bot attacks, which are automated scripts that use credit cards and try to test the CVV or expiration date. Fraudsters wait for a response that indicates whether the card is good or not. Once fraudsters know they have a good card, they will use that credit card or resell it.

The rise of card testing is a significant concern in the realm of cybersecurity. This fraudulent activity involves the use of automated scripts or bots to test the validity of stolen credit card information. Here’s a brief overview of how it works:

  1. Bot attacks: Fraudsters use bots to automate the process of entering stolen credit card information into online payment forms.
  2. Testing CVV or expiration date: The bots attempt to validate the credit card by testing various combinations of the card’s CVV or expiration date.
  3. Waiting for response: The fraudsters wait for a response from the payment gateway or financial institution to indicate whether the card information is valid.
  4. Utilization of valid cards: Once a valid card is identified, it is either used directly by the fraudsters to make purchases or resold in the underground market.
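
From the biller's side, the steps above leave two patterns in payment authorization logs that transaction monitoring can flag. The following is an added example, not code from ACI Worldwide or from the original article; the event fields, decline reason codes, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_CARDS = 3    # assumed threshold: distinct cards per source in WINDOW
MAX_GUESSES_PER_CARD = 3  # assumed threshold: CVV/expiry declines per card in WINDOW
GUESS_CODES = {"cvv_mismatch", "bad_expiry"}  # hypothetical decline reason codes

def detect_card_testing(events):
    """events: (iso_time, source, card_token, result) tuples sorted by time.
    Cards are referenced by token, never by PAN. Returns sorted (kind, key) alerts."""
    by_source = defaultdict(deque)  # source -> (time, card_token) attempts
    by_card = defaultdict(deque)    # card_token -> times of CVV/expiry declines
    alerts = set()
    for iso_time, source, card, result in events:
        now = datetime.fromisoformat(iso_time)
        attempts = by_source[source]
        attempts.append((now, card))
        while now - attempts[0][0] > WINDOW:  # drop attempts older than the window
            attempts.popleft()
        # Signal 1: one source cycling through many different cards (step 1).
        if len({c for _, c in attempts}) > MAX_DISTINCT_CARDS:
            alerts.add(("many_cards_from_source", source))
        # Signal 2: one card hit with repeated CVV/expiry guesses (step 2),
        # tracked per card so that rotating source addresses does not hide it.
        if result in GUESS_CODES:
            guesses = by_card[card]
            guesses.append(now)
            while now - guesses[0] > WINDOW:
                guesses.popleft()
            if len(guesses) > MAX_GUESSES_PER_CARD:
                alerts.add(("cvv_expiry_guessing", card))
    return sorted(alerts)

def ts(sec):
    """Timestamp helper for the constructed sample below."""
    return (datetime(2024, 1, 1, 12, 0) + timedelta(seconds=sec)).isoformat()

# Constructed sample events (documentation IP ranges, made-up tokens).
SAMPLE = (
    [(ts(i * 10), "203.0.113.7", f"tok_{i}", "declined") for i in range(5)]
    + [(ts(100 + i * 5), f"198.51.100.{i}", "tok_X", "cvv_mismatch") for i in range(4)]
    + [(ts(200), "192.0.2.10", "tok_home", "cvv_mismatch"),
       (ts(260), "192.0.2.10", "tok_home", "approved")]  # ordinary customer typo
)

if __name__ == "__main__":
    for kind, key in detect_card_testing(SAMPLE):
        print(kind, key)
```

The ordinary customer who mistypes a CVV once and then pays successfully raises no alert, while both the multi-card source and the repeatedly guessed card are flagged.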

These types of fraud pose a significant threat to individuals and utility companies alike, emphasizing the importance of robust cybersecurity measures across all sectors. It’s crucial to stay informed about these trends to implement effective preventative measures and safeguard against potential financial losses.

Erika Dietrich, ACI Worldwide’s Head of Risk Services, notes, “Billers need to remain vigilant and ensure that they are not only aware of new tactics, but also armed with the latest fraud fighting tools to protect their customers and their bottom line.”

ACI Worldwide is advancing its tools, technology, and training to combat these evolving fraud trends.

Sources

[1] How digital payouts can offer big gains for the utilities industry. Larson McNeil, J.P. Morgan. June 15, 2021.

[2] Digital payment frauds in 2023 and ways to counter them. Animesh Jha, The Times of India. March 17, 2024.

[3] Managing financial crime risk in digital payments. McKinsey Article. June 24, 2022.

[4] Account takeover: what it is and how fintechs can stop it. Tom Sullivan, Plaid. February 12, 2024.

[5] Mitigating Synthetic Identity Fraud in the U.S. Payment System. The Federal Reserve. July 2020.

Principal Business Executive Telecom & Utility

Tarun is a computer engineer with business strategy expertise. As a world-class leader with more than 15 years of proven experience in large-scale telecom and financial domains within a global corporate enterprise, Tarun’s focus has been on the need to dramatically increase customer satisfaction and operational stability, promote new business models within the marketplace, and drive ideas for new revenue streams and growth. He has worked in several different countries and can speak five languages fluently, driving his passion for fostering diversity and inclusivity in the technology sector. He actively supports initiatives that create new opportunities and mentorship to aspiring professionals.