
Cybersecurity best practices for the booming online and P2P lending space

Alternative finance is on the rise. The number of alternative lenders is rapidly growing, along with the number of new loan origination requests from consumers looking for easy access to small business funds. In fact, Morgan Stanley projects global P2P lending to reach $290 billion by 2020, with an expected compound annual growth rate of 51 per cent.

These online lenders use dynamic data in their screening process to automate underwriting as much as possible, instantly providing a loan offer bespoke to each consumer or business. However, the continued buzz surrounding online and P2P lending makes it a top target for cybercriminals using stolen identities to create loan applications with synthetic credentials.

The SEC recently stated that cybersecurity is the biggest risk to the financial system. For online and P2P lenders in particular, the risk is greater, as they make their decisions on data without the luxury of sitting across from the loan requester. Compromised identities resulting from recent massive data breaches and malware are exploited by global cybercriminals using cloaking technologies such as proxies and spoofed locations to mask their true identities and whereabouts. These stolen identities and criminally-synthesised false identities drive an increase in fraudulent loan applications.

Another risk these businesses face is the bust-out/Ponzi fraud scenario, where fraudsters use loans from one lender to pay another. They do this until they have inflated the loan value to a very large amount, and then default on the repayments. Given the short turnaround cycles business owners and consumers have come to expect, it is critical for lenders to differentiate accurately between trusted customers and fraudsters, so that they can address cyber risks proactively and protect businesses and their customers.

Fraudulent application detection

Online and P2P lenders need a cybersecurity solution that accurately identifies fraudulent applications while preserving simplicity and eliminating friction in the application process for legitimate customers.

To filter out fraudulent applications, businesses should leverage global shared intelligence to gain a full understanding of users’ digital identities, including actions from different devices, locations and accounts. Global shared intelligence can flag in real time when compromised credentials are being used by someone other than their legitimate owner, weeding out fraudulent applications while maintaining a positive customer experience for good applicants.

Account takeover protection

In addition to using stolen credentials to initiate loan applications, fraudsters also use these credentials to access existing online lending accounts in an effort to carry out fraudulent transactions. In many cases, this happens when an online lending account has been created using the same email address and password that have already been compromised in a recent data breach.

Using a layered cybersecurity solution, online lenders can analyse access requests in real time to identify suspicious patterns, compromised devices and unusual locations (including attempts from known botnets or masked locations).

Cross-device identification

Across industries, consumers are becoming more comfortable using multiple devices across accounts. However, this presents another opportunity for fraudsters to attempt to compromise accounts. For example, an authentic customer might set up an online lending account from his or her business computer, update the profile from a smartphone, and apply for the loan itself on a tablet.

On the other hand, cybercriminals recognise this trend and use multiple devices or set up several accounts on one device in an attempt to complete fraudulent transactions. By understanding a user’s complete digital identity — including email addresses, geo-locations, devices and both personal and business personas — online lenders can more effectively differentiate between fraudulent and authentic activity without disrupting the customer experience.

Online and P2P lending momentum isn't going away anytime soon. By placing an emphasis on cybersecurity, businesses in this market can continue to thrive without risking fraud losses or exposing investors’ and applicants’ sensitive information.

Armen Najarian, CMO, ThreatMetrix
