The question, ‘is this a legitimate customer or a criminal?’ can be answered with a new approach to preventing fraud that goes well beyond identity verification.
The surge in online activity in recent years has led to a corresponding explosion in online fraud – a 140% increase in the volume of fraud attacks in 2021 compared to pre-COVID. Even enterprises with strong fraud prevention programs now struggle to confidently distinguish real consumers from cybercriminals.
Confidence in the customer-vs-criminal question and the balancing act of fraud prevention and customer friction have emerged as the top challenges facing the industry. To address them, e-commerce companies need a new framework for predicting fraud without disrupting a smooth customer experience.
Stolen Data in the Customer Journey
As long as consumers embrace e-commerce, so will fraudsters. The sheer amount of stolen data available to cybercriminals is astounding. Last year alone, SpyCloud recaptured more than 1.7B credentials and 13.7B pieces of PII from the criminal underground. By now, fraudsters are adept at using that stolen customer data at particularly vulnerable points in the customer journey, including:
1. New account opening
The fraudster pieces together stolen data from multiple consumers to form a synthetic identity and uses it to apply for a store credit card. Without any previous or negative history for that identity, the account application will not trigger red flags via typical fraud detection mechanisms and the store will issue the card. The fraudster will slowly build credit history by making a series of small orders, working toward a higher credit limit before eventually making high-end purchases with no intention to pay off the debt. This is called “busting out fraud.”
2. Account login
The fraudster takes over a shopping account with credential pairs obtained on the criminal underground or harvested from the consumer’s device using malware. Once in, the cybercriminal changes the mailing address and orders merchandise.
In another scenario, the fraudster takes advantage of a gap in some customer service systems that cannot query against shipping addresses. The criminal places multiple orders to the same shipping address using fraudulent names and email addresses, then later calls customer service saying they never got the item – a twist on the Where’s My Order (WISMO) problem. If customer service teams aren’t able to search on the shipping address to identify the pattern of fraud, the retailer could process multiple refunds or ship replacements to the bad actor, which ultimately negatively impacts business revenue.
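The shipping-address search described above can be run as a batch check over order and claim records. The following is an added example, not part of the original article: the record layout, the abbreviation table and the thresholds are assumptions, and the sample orders are constructed.

```python
import re
from collections import defaultdict

# Constructed sample orders (not real data):
# (order_id, name, email, shipping_address, claimed_not_received)
ORDERS = [
    ("A100", "Jane Roe", "jane.roe@example.com", "12 Oak St., Apt 4, Springfield", False),
    ("A101", "Sam Poe", "sam.poe@example.net", "12 oak street apt 4 springfield", True),
    ("A102", "Lee Doe", "lee.doe@example.org", "12 Oak St Apt. 4, Springfield", True),
    ("A103", "Ann Kay", "ann.kay@example.com", "7 Elm Ave, Shelbyville", True),
    ("A104", "Ann Kay", "ann.kay@example.com", "7 Elm Avenue, Shelbyville", False),
]

# Assumed, minimal suffix table; a production system would use a postal normalizer.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "apartment": "apt", "road": "rd"}

def normalize_address(address):
    """Lowercase, drop punctuation, and collapse common suffix variants."""
    tokens = re.sub(r"[^a-z0-9\s]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def flag_shared_addresses(orders, min_identities=2, min_claims=2):
    """Return addresses where several identities filed several non-receipt claims."""
    by_address = defaultdict(lambda: {"identities": set(), "claims": [], "orders": []})
    for order_id, name, email, address, claimed in orders:
        entry = by_address[normalize_address(address)]
        entry["identities"].add((name.lower(), email.lower()))
        entry["orders"].append(order_id)
        if claimed:
            entry["claims"].append(order_id)
    return {
        addr: {
            "identities": len(e["identities"]),
            "claims": sorted(e["claims"]),
            "orders": sorted(e["orders"]),
        }
        for addr, e in by_address.items()
        if len(e["identities"]) >= min_identities and len(e["claims"]) >= min_claims
    }

if __name__ == "__main__":
    for addr, detail in flag_shared_addresses(ORDERS).items():
        print(addr, detail)
```

Normalizing before grouping matters because the same address written three different ways would otherwise look like three unrelated customers; a single customer with one claim, like the second address in the sample, is not flagged.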
Another common account takeover (ATO) scheme is to steal loyalty points or gift card balances, which the fraudster can monetize on the dark web.
Loyalty point depletion is a significant problem for e-commerce businesses. When customers go into their accounts expecting to redeem loyalty points only to find they’ve already been redeemed, tense calls to customer service agents ensue. These situations can also negatively impact brand loyalty because the customer may think that your organization has been breached.
3. Account modification
Using similar ATO tactics to gain access to the account, the fraudster can completely lock out the legitimate customer by changing the notification settings and all the contact information. The account holder doesn’t see any red flags since all the notifications have been diverted.
Account lockouts cause an increase in support inquiries, requiring the customer to call customer service and go through several steps to get their account unlocked. In addition to impacting the customer experience, adding these inquiries to the customer service queue puts more strain on already busy customer service agents who are impacted by the increase in transactions.
Criminals Are Innovating – Are You?
As criminals get more savvy and sophisticated in their tactics, e-commerce organizations must also get more innovative in preventing fraud. The goal is to preserve the customer experience, and the solution is to proactively determine that the customers transacting online are legitimate, and not cybercriminals using stolen information.
That can be incredibly hard without the right tools. New anti-fraud solutions exist that go beyond identity verification to analyze the severity of users’ exposed data from breaches and malware infections. If a consumer is at high risk of account takeover or synthetic identity, shouldn’t that be something we consider in our control frameworks?
It’s a common misconception that because nearly everyone has had their data breached or leaked, we’ve lost the battle against fraud. But the truth is that the amount of data out there on the criminal underground about each consumer (and the recency and severity of their exposures) provides a strong signal of their risk. And using that data for good to enable faster and more accurate decisions about how to handle online transactions is the change we need at the front lines of fraud prevention.
Customers demand a fast, frictionless transaction experience, and fraud prevention teams want to disrupt criminal activity to reduce fraud losses, avoid unnecessary manual reviews, and reduce chargebacks. The ideal state is to make good fraud decisions upfront to create a more seamless overall interaction.