Catching fraudsters isn’t as easy as just checking the IP address of an order anymore. Today’s fraudsters are smart, well-funded and coordinated, much more so than the merchants they attack. Fraud isn’t perpetrated by a random assortment of individuals; it’s organized crime. It’s “Fraud as a Service.” It’s a business. On the darknet, criminals can rent botnets and even get help from friendly customer service types to use them.
It’s a very unfair match, if you ask Skye Spear, VP of eCommerce fraud-fighting firm Signifyd.
“I would not want to be a merchant responsible for managing fraud today,” Spear told Karen Webster in a live online discussion on the topic held last week with an audience of online retailers. “It is a full-time job, 24/7/365, against constantly evolving threats.”
But it’s not all dark storm clouds for merchants. The Global Fraud Index that Signifyd and PYMNTS published based on data from 5,000 online merchants suggests a silver lining: Fraud as a percentage of online sales is actually on the decline and has been since 2015. In the first quarter of 2016, this percentage dropped to 5.5 percent. Twelve months later, it had been slashed by another third to rest at 3.59 percent in Q1 2017.
Good news, of course, but that doesn’t mean the pressure is any less. That’s still climbing and will continue to do so, said Spear. Rather, the decline reflects the adoption of new technologies that use machine learning to mitigate fraud threats, he said.
“Merchants are fighting back against the lifestyles of the rich and cyber-crooked,” Webster noted.
That’s easier said than done. New technologies are making inroads, but they haven’t been adopted across the board, and where they haven’t, merchants are especially vulnerable.
A Tale of Two Algorithms
Classic fraud deflection is rules-based. It uses blacklisting and exclusion and watches for patterns that have been entered into the system in response to past attacks. But fraudsters are constantly innovating, so defending against attacks that have already happened misses transactions that follow new rules.
“Rules-based systems are static and reactive; you have to know what you’re looking for before you know what to stop,” Spear said. “Fraud is dynamic. It follows the path of least resistance.”
On the flip side, a data-driven approach leverages machine learning and real-time analytics to augment transaction data. The system can query deeper if it needs more information to make a confident decision. For instance, if a user inputs a phone number, the system can ask what name is associated with it and where they live.
If the user had to answer all of these questions, it would add friction to the experience and discourage repeat business. But the system is actually asking itself and reaching out through its myriad data connections to find what it needs without troubling the customer with security questions and such.
That’s the sort of system Signifyd implements, and the company constantly tests new models so that its customers are always able to accept the highest percentage of payments possible from their customers.
Machines Make Mistakes
Where new technologies have been adopted, even the smartest machines can make mistakes, and some legitimate transactions get declined because they triggered certain red flags.
Unfortunately, no one’s transactions look perfect. People use a different payment method, move without updating their address, borrow a sister’s credit card to buy a gift for their mom or get their email blacklisted for the wrong reasons.
Online jewelry sales are on the increase, but the category has a higher decline rate than any other. An order with even just one suspicious element can raise suspicion and nix the transaction. But if the defenses were any lower, these merchants could be getting robbed blind: There’s a great secondary market for jewelry and precious metals, and that only adds to popular demand.
Customers who are unable to complete their order due to a false decline will go elsewhere, and they may not come back. It’s impossible to calculate the losses generated by false declines, since from the merchant’s side, those declines looked like successfully deflected fraudulent attacks.
“They might have bought themselves a good night’s sleep but turned away a $100k transaction,” Spear said. “You almost have to accept a couple of things that are borderline in order to start defining what’s a good order and what’s a bad one. Knowing which risky order can or cannot be accepted is absolutely critical.”
The Many Faces of Fraud
It’s hard to fight an enemy you can’t see. That’s why criminals do their best to look like regular customers. Some even go to the trouble of establishing a fake customer history to trick systems that compare the questionable transaction with historical customer patterns. Algorithms are generally smart enough to tell that back-to-back transactions in different countries are likely fraudulent.
Of the three types of fraud hurting merchants in the eCommerce world today — stolen financials, account takeover and friendly fraud — any of these can be made to look like legitimate transactions from legitimate customers.
Department stores with a partial eCommerce model see a lot of front porch fraud, which involves taking items off someone else’s porch after delivery. Sometimes the resident placed the order and criminals simply steal the package; in other cases, the criminals used that person’s info to buy the package and have it shipped at a time when the actual resident would be at work.
It’s so bad in some areas that certain merchants won’t even ship there anymore. More than 20 percent of furniture, appliance and home improvement goods fraud comes from Florida — so good luck getting a blender shipped to your winter home.
The same happens with high-end apparel in New York. Friendly fraud runs rampant in the clothing sector in New York City — people will order goods, decide they don’t want them and demand a chargeback, but never send the product back due to an overcomplicated returns process.
Spear once onboarded a client who refused to ship red couches to Delaware. Specifically red. Specifically Delaware.
It’s the Little Things
Merchants don’t always have the resources fraudsters have, but that doesn’t mean they can’t shore up their cybersecurity defenses. Shipping higher-end items in lower-end boxes (plain, brown, unmarked) can help them slide under criminals’ radars, Spear said, and having a straightforward returns policy counters friendly fraud. But while there are things retailers can do, it’s a battle they shouldn’t fight alone.
Merchants are increasingly handing off the cybersecurity burden to companies like Signifyd so that, if they do get hit, they bear much less of the responsibility. If the fraud-prevention company misses an attack, that’s on the company, not the merchant. The client was counting on Signifyd to prevent the attack, so Signifyd pays.
The confidence is good for business. Merchants who aren’t responsible for their fraud costs are more open to shipping to new geographies that may make them wary, Spear said.
It’s not that there’s more fraud overseas; it’s just that an unfamiliar market with an unfamiliar threat always looks more dangerous than “the devil you know.” This way, they feel comfortable growing their business in ways they had not previously considered.