Ecommerce is a rapidly growing industry with many exciting innovations happening all the time. Customer expectations have never been higher – they want more personalization, instant gratification and fewer hoops to jump through at checkout. Merchants are evolving to deliver these seamless customer experiences.
Unfortunately, where great opportunities exist, so too do people trying to exploit them. Online fraudsters are also innovating to develop more sophisticated techniques to take advantage of the explosion of ecommerce and the steady rise in new customer accounts.
In meeting customer expectations, merchants can unwittingly become more vulnerable to certain forms of fraud and abuse. In fact, friction-free customer experience can hinder a merchant’s ability to detect and prevent fraud.
While retailers are already wrestling with well-known types of ecommerce fraud, such as chargeback fraud, friendly fraud and phishing, there are several new and growing forms of fraud businesses need to be aware of.
Fraud isn’t just taking place at the point of transaction. It’s now taking place across the entire customer journey. Every time a merchant and customer connect, that’s an opportunity for fraudulent activity. While not an exhaustive list, here are some examples:
Creating an account at an online store provides shoppers with a seamless and personalized shopping experience, access to special offers and a pathway to loyalty programs. But it’s also fertile ground for synthetic identity fraud.
As the name suggests, instead of stealing another person’s identity, these fraudsters create an entirely new fake person using a combination of fake information (e.g., burner phones, fake email addresses) and real identity information (e.g., stolen social security numbers).
Armed with this fake identity and some established credit history, fraudsters go shopping online, then disappear — leaving behind a trail of outstanding balances. Although the identity is false, the activities are real: spending time at online stores simulating genuine use, filling out forms and creating accounts before a transaction ever takes place.
This human factor makes synthetic identity fraud particularly challenging for merchants to combat, especially because merchants want to prioritize customer experience over scrutinizing every account to find the bad apples.
Whereas our first fraud touchpoint focused on the bad actor creating a fake account, this one looks at legitimate activity that leaves honest consumers and merchants vulnerable.
In account takeover fraud (ATO), a fraudster gains access to a customer’s ecommerce account. This can occur through a variety of methods, including purchasing stolen passwords or security codes, or deploying a phishing or malware attack. Years of data breaches have provided fraudsters with a treasure trove of personally identifiable information (PII) that can be leveraged for ATO.
Once the fraudster has control over the account, they will update more subtle pieces of data like phone numbers, emails and addresses and then begin making expensive purchases with the goal of reselling those goods or benefitting from personal use – before the breach is detected.
ATO is a serious form of identity theft and can be very damaging to a merchant’s reputation.
Have you ever seen “pending charge” while reviewing your credit card statement online? If so, you’re seeing payment authorization in action. Once a shopper confirms their purchase, in seconds a chain of events unfolds between multiple parties including the merchant, payment gateway, payment processor and the issuing bank.
It’s at this critical touchpoint that fraudsters take advantage. Card testing fraud happens when fraudsters gain access to stolen credit card numbers through theft or by purchasing them through the dark web. They may not know the credit card limit or whether the credit card number is even valid, which is why bots are employed to test thousands of credit card numbers on extremely small purchases – quickly. These initial small purchases often go unnoticed. Once fraudsters know that a credit card number works, they up the ante with much more expensive purchases.
Both merchants and impacted customers tend to realize that they have been victims of card testing fraud once larger purchases have been made. By that point, fraudsters may have been able to make several significant purchases.
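A minimal velocity check for the card testing pattern described above, added here as an illustration and not taken from the original article: it flags a source that pushes many distinct cards through very small authorizations inside a short window with a high decline rate. The field names, thresholds and sample records are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    ts: float         # authorization time, seconds
    source: str       # assumed grouping key: IP, device or session id
    card_token: str   # tokenized card reference, never the raw card number
    amount: float
    approved: bool

def detect_card_testing(events, window=300.0, max_amount=2.00,
                        min_cards=5, min_decline_rate=0.5):
    """Return {source: time of first alert} for sources that try many
    distinct cards on small charges within one sliding window."""
    recent = defaultdict(deque)          # source -> small auths still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.amount > max_amount:
            continue                     # only probing-sized charges count
        q = recent[ev.source]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()                  # expire events older than the window
        cards = {e.card_token for e in q}
        declines = sum(1 for e in q if not e.approved)
        if (ev.source not in alerts
                and len(cards) >= min_cards
                and declines / len(q) >= min_decline_rate):
            alerts[ev.source] = ev.ts
    return alerts

# Constructed sample data: one bot-like source and one ordinary shopper.
SAMPLE = [Auth(1000.0 + 4 * i, "src-bot", f"tok-{i:03d}", 1.00, i % 4 == 0)
          for i in range(8)]
SAMPLE += [
    Auth(1005.0, "src-shopper", "tok-900", 1.50, True),
    Auth(1400.0, "src-shopper", "tok-900", 84.99, True),
    Auth(2000.0, "src-shopper", "tok-901", 1.25, True),
]

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE))
```

Requiring both distinct-card count and decline rate keeps a busy but legitimate source, where nearly every small charge is approved, from alerting.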
If buy online, pick up in store (BOPIS) was previously an omnichannel experiment, 2020 was the year it really took off. According to ACI Worldwide, merchants who had BOPIS available as an option pre-COVID-19 experienced a bump of 70% by volume and 58% by value in 2020. And 2020 was also the year that the highest number of merchants implemented BOPIS delivery for the first time.
What’s not to love? Consumers get the convenience of shopping at home combined with the speed of in-store or curbside pick-up and don’t have to pay for shipping.
But lurking in the shadows are the fraudsters ready to take advantage of this promising touchpoint. Alongside the growth of BOPIS, BOPIS fraud has also seen a significant increase, with a 7% fraud attempt rate compared to 4.6% in other delivery channels. Having placed the order with a stolen credit card, fraudsters simply pick it up with the confirmation receipt they received.
This ability to place a fraudulent order online then pick it up in person removes many of the checkpoints that merchants rely on for verification, including different billing and shipping addresses, distance calculations and other red flags.
Reluctant to ruin the customer experience, store associates will often bypass checking a valid form of identification to see if the person is who they say they are or to see if this person even exists. And because of this, the fraudster is able to walk away with their loot the same day.
If retention is a hallmark goal for merchants, a loyalty program is one of the mechanisms to help achieve it. Aside from increasing customer retention and reducing customer acquisition costs, loyalty programs generate a goldmine of data which can be used to fine-tune offers and personalize the experience. Customers receive special recognition, access to exclusive offers and have a foundation to cement a relationship with the merchant.
Sounds like a win-win, right? Well, not exactly, as there’s a third player that’s increasingly becoming involved in the loyalty equation: the fraudster. Unlike their bank account or credit card balances, consumers don’t often check loyalty account balances.
With loyalty program fraud, the criminal will utilize ATO or synthetic identity fraud to redeem or steal credits, points or other forms of value. Typically the fraudster will redeem gift certificates and then sell them on the black market for a percentage of their face value. And because many loyalty programs include other data points on the customer, accessing a loyalty account offers the fraudster easy access to PII — including date of birth, household size, marital status, annual income and other nuggets which make it easy to perform more acts of fraud.
A flexible, customer-friendly return policy has a significant impact on a shopper’s likelihood to purchase. And it’s this very flexibility that makes returns another target for fraudsters. Return fraud happens anytime a fraudster abuses a merchant’s return policy.
Of the $428 billion in merchandise that consumers returned to merchants last year, approximately 5.9% of those returns were fraudulent, amounting to $25.3 billion according to the NRF.
Many fraudulent returns are carried out by individuals. Here are some of the ways individual consumers abuse merchant return policies:
Purchasing multiple items to receive free shipping or other merchant benefits, with the full intent to return many of the items.
Wardrobing, which refers to a consumer using an item before returning it as new.
While individual return fraud is damaging, the more sinister forms of return fraud are being carried out by organized crime rings (OCRs).
Once these organized fraudsters have breached a customer’s account through credit card theft, ATO or synthetic identity fraud, they use the credit cards to purchase merchandise. The merchandise is then returned without receipt for a merchandise credit or gift cards, which can then be turned around and sold for cash to businesses, individuals or third-party gift card retailers.
Aside from lost revenues from returns abuse, there’s the added operational cost of processing returns, shipping and restocking inventory. Return abuse can be challenging to detect and stop, as the organized crime rings are sophisticated — often setting up new accounts and payment methods to avoid detection and hide their identities.
If ecommerce fraud is happening throughout these customer journey touchpoints, the challenge is to detect it early — before the damage occurs.
Before fraudsters can return stolen items, they need to receive the goods.
Before receiving the goods, they need to submit payment.
Before submitting a payment or stealing loyalty points, they must create or update an account.
Before any of this, fraudsters do what legitimate customers do. They initiate an ecommerce session.
And with the advent of fully automated fraud prevention platforms, powered by machine learning models, merchants can detect suspicious behaviors across the customer journey, and across all sessions — not just at the point of transaction.
While it’s easy for fraudsters to mimic real customers’ credentials, their behavior is more vulnerable. It’s not whether the user name and password are entered correctly, but how they are entered. How a fraudster scrolls through a page, types on a keyboard, transitions between fields using the mouse or tab key and swipes, can be just as unique as their fingerprint — and it can be compared to a legitimate user’s known patterns.
It’s the difference in these subtle “tells” that forms the basis for a new and growing form of fraud prevention: behavioral biometrics.
Running continuously in the background of every ecommerce session, behavioral biometrics leverages machine learning to build up legitimate user profiles. By verifying good users first, the model then adapts to new and unknown threats. Because it is passive and behind the scenes, it doesn’t cause friction for shoppers or merchants until a session is identified as high-risk.
If a fraudster is prey and behavioral biometrics is a predator, here’s how it works:
The fraudster initiates a normal ecommerce session, unaware of the predator lying in wait behind the scenes
In this particular session, the keystroke dynamics, type speed and other biometrics raise a red flag, but not quite high enough for the predator to pounce
The session is flagged as the fraudster goes to create a new account
As the fraudster continues onward to create a new account with a synthetic identity, warning bells start going off because the biometrics in this session are decidedly different from that of a legitimate customer
Because the fraudster has already been flagged, it’s time to pounce: put the unknown identity through additional fraud checks before the order can be placed and fulfilled.
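The comparison of typing behavior against a known user's pattern, sketched as an added example that is not from the original article or any vendor's product: it derives dwell and flight times from key events, builds a per-user profile, and scores a new session with a scaled Manhattan distance. The distance metric, the step-up threshold and all timing data are assumptions constructed for illustration, standing in for the machine learning models the article refers to.

```python
from statistics import mean

def timing_features(events):
    """events: list of (key, down_ms, up_ms) in typing order.
    Returns dwell times (hold per key) followed by flight times
    (release of one key to press of the next)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile from several feature vectors of the same typed field:
    per-feature mean and mean absolute deviation (floored at 1 ms)."""
    cols = list(zip(*samples))
    means = [mean(c) for c in cols]
    mads = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return means, mads

def anomaly_score(profile, features):
    """Scaled Manhattan distance: average deviation from the profile,
    measured in units of the user's own variability."""
    means, mads = profile
    return mean(abs(f - m) / d for f, m, d in zip(features, means, mads))

def decide(score, step_up_at=3.0):
    # Hypothetical policy: passive until the session looks unlike the user.
    return "step_up" if score >= step_up_at else "allow"

def make_events(dwell, flight):
    """Helper that builds constructed key events from timing lists."""
    t, out = 0, []
    for i, d in enumerate(dwell):
        out.append((i, t, t + d))
        t += d + (flight[i] if i < len(flight) else 0)
    return out

# Constructed data: three enrollment sessions, one genuine login,
# and one machine-paced session with uniform, very short timings.
ENROLLED = [make_events([95, 110, 88, 102], [140, 180, 120]),
            make_events([100, 105, 92, 98], [150, 170, 130]),
            make_events([90, 115, 85, 105], [135, 190, 125])]
PROFILE = enroll([timing_features(e) for e in ENROLLED])
GENUINE = make_events([97, 108, 90, 100], [145, 175, 122])
SCRIPTED = make_events([10, 10, 10, 10], [5, 5, 5])

if __name__ == "__main__":
    for name, ev in (("genuine", GENUINE), ("scripted", SCRIPTED)):
        print(name, decide(anomaly_score(PROFILE, timing_features(ev))))
```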
Instead of erecting unnecessary obstacles throughout the shopping journey, behavioral biometrics adapts to user behavior and authenticates legitimate shoppers. And for sessions which are deemed fraudulent, merchants can terminate the session, ask users to re-authenticate, or even suspend the account. Ultimately, this real-time, final barrier against a potentially fraudulent transaction helps merchants preserve the customer experience.
As the ecommerce industry continues to innovate, so too will the fraudsters. In this constant cat-and-mouse game, it’s possible to stay one step ahead. Instead of only securing the point of transaction, merchants must realize that fraudsters reveal themselves throughout the customer journey — through every keystroke and in every session.
Thankfully, innovations in machine learning technology and behavioral biometrics make it possible for merchants to recognize and stop these fraudsters in their tracks – before they have their opportunity to inflict real financial damage — to the tune of $130 billion by 2023.
Frictionless customer experience or stronger fraud detection and prevention measures? Now merchants don’t have to decide between the two. They can have both.
Chelsea is a Product Marketing Manager at Bolt, where she develops product positioning, sales enablement, and GTM efforts for Bolt’s shopper accounts and financial products. Prior to joining Bolt, she worked at Feedzai, a fraud prevention company for banks and acquirers. Chelsea has also worked in a product support role at Naehas, a marketing automation company, and account management at Oracle.