How eCommerce fraud is evolving [Q&A]

Online fraud has gained in sophistication in recent years. As consumers have moved to mobile devices and come to expect a consistent shopping experience across platforms, fraudsters have never been far behind.

We spoke to Michael Reitblat, co-founder and CEO of eCommerce fraud prevention specialist Forter, which recently published its latest Fraud Attack Index, to find out more about the fraud landscape and how businesses can protect themselves.

BN: How has eCommerce fraud evolved over the past decade?

MR: The defining trend over a decade of increased sophistication is that fraud solely at the point of transaction is a thing of the past. Fraudsters are targeting the merchant-consumer relationship at every touch point, through every channel, and no longer simply relying on compromised credit card information at the point of checkout. As data breaches persist, massive amounts of Personally Identifiable Information (PII) have been compromised. Fraudsters have found that with these breached account credentials, they are able to achieve a bigger payoff than with traditional transactional fraud attacks.

Today's customer expects a uniform shopping experience regardless of the channel in which they interact with merchant brands and platforms -- online via desktop, tablet, mobile application, or in-store. Bolstered by rich wells of PII data, fraudsters are focusing on account-based vulnerabilities to exploit these evolved expectations. As account-based attacks have grown in popularity, fraudsters have introduced more complex and difficult-to-detect monetization schemes. According to the latest Fraud Attack Index, last year more than 1.5 million victims of existing account fraud had an intermediary account opened in their name first -- a 200 percent increase from the previous high.

BN: What methods of attack are we seeing most often today?

MR: Fraudsters are increasingly carrying out attacks that target vulnerabilities in services designed to reward and encourage customers to have strong brand loyalty. In a highly competitive eCommerce landscape, brands heavily invest in loyalty programs and premium experiences for high-value customers and to improve customer conversion. Yet, streamlining these customer benefit services creates increased vulnerabilities within these programs. One such example of this is merchant loyalty programs. Both merchants and consumers fail to recognize that loyalty points are as liquid as cash and vulnerable to exploitation, whereas fraudsters do. Points accrued in a customer's account are treated like digital goods and fraudsters are regularly able to use these points as free funding sources without raising suspicion. Over the past year, loyalty attacks increased by 89 percent -- the highest of any method of attack.

Loyalty programs are subject to account takeover, new account fraud, and policy abuse (consumers oversharing coupons or promo codes to illegitimately gain rewards points). These forms of attack are being carried out by fraudsters, insiders (merchants' employees with access to accounts), and customers considering themselves to be 'savvy shoppers' by taking advantage of policies associated with loyalty programs. As a result, merchants with these types of programs who lack proper fraud prevention have a lot to lose.

BN: What are the most commonly targeted industries and why?

MR: Synonymous with loyalty programs, air travel showed the greatest spike in fraud attacks this past year at 61 percent. Unlike bank accounts, consumers rarely check the status of airline rewards, enabling fraudsters to steal a currency as valuable and untraceable as cash while flying under the radar. Large-scale breaches in the industry, such as British Airways and Cathay Pacific, have led to the availability of additional personal details for account-based attacks.

Money services and cryptocurrency is another industry showing a marked increase. The fact that fraudsters can immediately cash out on financial transactions combined with the difficulty in tracing cryptocurrency transfers makes it an extremely attractive target. Attackers are also taking advantage of the industry being relatively new and many consumers being unfamiliar with processes and associated fraudulent activities. Social engineering is a common form of attack where fraudsters reach out to victims via phone or email and convince them to purchase cryptocurrency with their own legitimate funds and, on the promise of a sizable return, transfer it to the fraudsters' digital wallets.

Additional commonly targeted industries include apparel and accessories, digital goods, electronics, and food and beverage.

BN: What challenges do organizations face in fighting sophisticated fraud?

MR: Customer expectations have never been higher. Today's consumer requires instant gratification, increasingly more personalization in offerings and a friction-free shopping experience. The challenge for merchants is that often meeting these enhanced expectations leaves them more vulnerable to various forms of fraud and abuse.

Fraudsters have evolved their methods of attack to capitalize on streamlined services such as expedited shipping and in-store returns. Fraud rates with express shipping are twice as high as standard rates, premium shipping is three times as risky, and fraud in Buy Online Return In-Store (BORIS) transactions increased by 23 percent this year.

These experience-enhancing services are critical to meeting modern customer expectations. With industry giants such as Amazon and Walmart raising the bar on customer convenience, competitors have no choice but to follow suit in order to remain relevant.

BN: What role does automation have to play in fraud prevention?

MR: In the constant balancing act of enhancing the customer experience while mitigating fraud risk, automation is among merchants' greatest assets.

In years past, merchants would see incidents of fraud and create in-house fraud pattern recognition mechanisms. These rules-based systems were built by merchants writing in flags or blocks to label the fraud patterns they recognized on their platforms. Flagged transactions and accounts then required manual investigation by internal teams prior to an approve or deny decision being made. This retroactive approach creates several merchant pain points.

First, consumers don't have the patience for lengthy purchase approval and fulfillment processes. We conducted a recent survey revealing that half of customers were less likely to make an online purchase if the entire checkout process takes longer than 90 seconds, and buyers tend to pass on purchases if they have to complete more than just three steps in their transaction.

Second, these rules-based systems cannot keep pace with the growing sophistication of fraudsters and the evolving methods of attack.

In order to have best-in-class fraud prevention, merchants need to employ a fully automated fraud prevention platform that leverages machine learning models powered by ongoing expert research to stay one step ahead of fraudsters. This allows proactive fraud decisions to be made in real-time and address vulnerable touch points in the customer journey beyond the point of transaction, without adding friction to the customer experience.

Advanced automated systems also account for changes in a shopper's regular habits to prevent legitimate transactions from being flagged as fraudulent, increasing bottom lines and encouraging future transactions from loyal customers.
