The threat of fraud is significant, persistent and ever-changing, and an unfortunate reality for online merchants trying to grow revenue. Sophisticated and organized fraudsters are patient enough to play the long game for a big score, smart enough to impersonate real customers and frequently switch strategies. Juggling the need to satisfy customer expectations for quick, frictionless transactions while responding to changing threats is a major challenge for merchants. But it’s necessary to build a lifetime relationship with customers.
Several especially troubling trends in e-Commerce fraud emerged this past holiday shopping season. Here are three of the top threats and tips for defending against them.
Trend 1: Mobile Commerce Is Booming. So Is M-Commerce Fraud.
Nearly a third of global eCommerce purchases — which were projected to reach $2.29 trillion by the end of 2017 — were expected to be made with a mobile device, up from 25% in 2015. It’s not surprising then that mobile devices have also become popular with fraudsters.
A recent survey by CyberSource found that e-Commerce retailers expect fraud losses from the mobile channel to fall just below that of their web stores as a percentage of total revenues (0.8% vs. 0.9%), even though mobile commerce still drives a much smaller share of overall e-Commerce revenue (just 22% of dollars spent online in the U.S.). But since 90% of consumers who own a mobile device consider online shopping to be a top activity, it’s clear that retailers need to put special emphasis on identifying and stopping m-Commerce fraud.
So, what can you do?
Tailor fraud strategies and practices to each transaction channel. Keep in mind that signals of fraud for a transaction from the desktop might not be relevant to mobile transactions. For consumers, there are special challenges when shopping with a mobile device (less reliable network connections and more data entry mistakes, for instance). Consumers also tend to shop differently when on a mobile device than they do when using a desktop.
Tracking customer behavior across channels and devices can provide signals that indicate unusual activity. For instance, if a customer who has only purchased small items using a mobile app suddenly purchases a large screen TV, that may be a sign that it’s not a valid transaction. Seems simple. But half of all e-Commerce businesses (and up to 65% of smaller merchants) don’t even track which channels are driving fraud, making it difficult for them to implement differentiated, channel-specific fraud strategies.
Take advantage of data that’s unique to mobile transactions. For example, every mobile device has a unique device ID that can be associated with a person or previous transactions. And since consumers tend to hold on to their mobile numbers, the linkage between a person and a mobile phone number is a powerful signal for verifying identity.
Trend 2: The Upsurge In Downmarket Fraud.
Fraudsters are not only devious, they’re adaptable, changing tactics frequently in response to new fraud prevention strategies and always searching for the point(s) of least resistance. For instance, as merchants have moved to protect themselves against fraud involving high dollar items, often adopting rules to review all transactions above a certain price point, fraudsters recently began to focus on more modestly priced items. Hitting product SKUs that usually track at very high transaction rates allows them to scale quickly.
During the 2017 holiday shopping season there was a significant uptick in account takeover (ATO) fraud that targeted items like sub-$300 laptops. Similarly, trendy sneakers (particularly basketball shoes) have become a hot commodity for both fashionistas and fraudsters. Why? Fraudsters want items that are in demand, easy to resell and fall below the radar of automatic review.
So, what can you do?
Take a layered approach to managing fraud. No single fraud detection technology or solution will ever be enough to stop fraudsters who change tactics and targets frequently. To that end, the analysts at Gartner have outlined a 4-layer strategy for more effective fraud management. In its recommendation, Gartner stresses the importance of placing more emphasis on dynamic data and linkages over static data.
Layer 1: Endpoint detection — identifying devices and their location;
Layer 2: Behavioral analytics — does the user behavior match with previous transactions?;
Layer 3: User centric data — person, address, email, phone number, business; and
Layer 4: Link analysis — are the relationships between data elements consistent?
Organizations that have achieved the highest level of maturity in their identity verification efforts — and are seeing the greatest benefit — have adopted all four layers.
Pay close attention to transaction histories and velocities. People are creatures of habit. They follow patterns in what they purchase, where they shop and how often. So if a grandmother who has historically shopped online for knitting supplies and lawn gnomes suddenly starts ordering expensive high-fashion jeans or Kyrie Irving signature basketball shoes, it may be a signal of fraud. Fraudsters also tend to try and order as much as possible from a stolen account before it can be shut down. So if a customer’s orders suddenly increase in frequency or volume, that can also signal fraud.
Trend 3: Attack Of The Zombie Shopping Bots.
Through social engineering, phishing and/or malware attacks, fraudsters are gaining control of their targets’ computers. A consumer who opens an email attachment that appears to be from a legitimate sender could unwittingly download malware. Or they might get a social networking friend request or an email from their bank that directs them to a fake but authentic-looking web site where their credentials are stolen or their machines are compromised.
Once fraudsters have gained access to a computer, they can monitor the user’s browsing behavior and use malware like keyloggers to capture password information. Then they “tunnel” into the unwitting consumer’s machine and use their credentials to remotely place orders from merchants. Fraudsters are even smart enough to hide order confirmations from the computer’s owner by using hidden and unchecked trash folders as an alternate email inbox, allowing attacks to go on for days or even weeks.
For merchants, this sort of attack is particularly troublesome because the customer’s IP address, device ID, location and other device-specific information appear to be legitimate. But fraudsters have effectively turned the consumer’s computer into a shopping zombie.
So, what can you do?
Leverage a wide range of data, including biometrics, in your fraud model. Relying on static data like device ID, IP address, etc. could leave you vulnerable to shopping zombies. But even when a fraudster has control of a user’s device, it may be possible to determine that it’s being controlled by someone other than the customer. Using biometric information — like whether and how a customer uses a mouse or a trackpad — in the analysis can provide signals of risk (or of a good customer).
Look for divergence from previous order patterns and histories. As mentioned above, order history can be a powerful tool to identify unusual purchasing patterns and potential fraud. If a customer is buying different kinds of items, shipping them to new locations, ordering more frequently or shopping at unusual hours, it’s possible that their machines have been compromised. This is also where identity networks can play a crucial role.
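The order-history and velocity checks described under Trends 2 and 3, as an added example that is not part of the original article: it scores a new order against the account's own baseline rather than a price floor, so a modestly priced order can still reach review. The field names, thresholds and sample orders are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed order history for one account (illustrative, not real data).
HISTORY = [
    {"ts": datetime(2018, 1, 3, 14), "amount": 24.0, "category": "knitting", "ship_to": "home"},
    {"ts": datetime(2018, 1, 19, 15), "amount": 31.5, "category": "garden", "ship_to": "home"},
    {"ts": datetime(2018, 2, 2, 13), "amount": 18.0, "category": "knitting", "ship_to": "home"},
    {"ts": datetime(2018, 2, 20, 16), "amount": 27.0, "category": "knitting", "ship_to": "home"},
]

def risk_signals(past, order, window_hours=24, max_in_window=2, amount_factor=3.0):
    """List the ways `order` diverges from the account's own history.

    Thresholds are assumptions for illustration, not recommended values.
    """
    cutoff = order["ts"] - timedelta(hours=window_hours)
    # Baseline excludes the velocity window so a burst cannot normalise itself.
    baseline = [o for o in past if o["ts"] < cutoff]
    recent = [o for o in past if o["ts"] >= cutoff]
    if not baseline:
        return ["no_history"]
    signals = []
    if order["amount"] > amount_factor * median(o["amount"] for o in baseline):
        signals.append("amount_above_typical")
    if order["category"] not in {o["category"] for o in baseline}:
        signals.append("new_category")
    if order["ship_to"] not in {o["ship_to"] for o in baseline}:
        signals.append("new_ship_to")
    hours = [o["ts"].hour for o in baseline]
    # Simple hour band around past activity; ignores wrap-around at midnight.
    if not min(hours) - 2 <= order["ts"].hour <= max(hours) + 2:
        signals.append("unusual_hour")
    if len(recent) >= max_in_window:
        signals.append("velocity_spike")
    return signals

def decide(signals, review_at=2, reject_at=4):
    """Turn the signal count into an action; no price floor is involved."""
    if len(signals) >= reject_at:
        return "reject"
    return "review" if len(signals) >= review_at else "accept"

if __name__ == "__main__":
    burst = [{"ts": datetime(2018, 3, 5, h), "amount": 110.0, "category": "sneakers",
              "ship_to": "locker"} for h in (1, 2)]
    order = {"ts": datetime(2018, 3, 5, 3), "amount": 120.0, "category": "sneakers", "ship_to": "locker"}
    print(decide(risk_signals(HISTORY + burst, order)))
```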
The only thing that’s constant in the fight against fraud is that it’s always changing. Identity verification and better automation can help. In addition to reducing fraud losses, identity verification that incorporates real-time data and analyzes the linkages between data elements can reduce the need for unnecessary manual review, prevent good customers from being rejected (false positives) and help you focus on the riskiest orders.
Tom Donlea is Vice President of Global Marketing and leads the global marketing efforts of Whitepages Pro, the definitive identity verification data provider for risk management in banking and online lending worldwide. With over 10 years of online payments and risk experience, Donlea previously was the founding Executive Director of the Merchant Risk Council.