The Paypers unveils the Fraud Prevention in Ecommerce Report 2020/2021

The Paypers
8 min read · Dec 10, 2020


All eyes on deck! Fraud Prevention in Ecommerce Report 2020/2021 is now available and it aims to enable our readers to have a comprehensive picture of the known and emerging fraud threats, new technologies, and changes in the commerce industry.

Besides looking at the current state of affairs in the commerce industry and checking the emerging fraud threats that risk management teams are dealing with, via the 2020/2021 edition of this Report we aimed to offer valuable views into fraud detection and risk management; new methods of leveraging artificial intelligence and machine learning; and the impact of PSD2’s SCA. This is our way to help players in the payments space to keep pace with the latest trends and developments, fraud challenges, the newest technologies to combat fraud attacks, and the upcoming regulations.

Current state of affairs

In 2020, the industry players have faced quite a bumpy ride so far: not only has the COVID-19 impact been felt by all industries, but both businesses and consumers have had to make the move to digital transactions.

There has been a rapid switch towards digital payments, and customers’ preferences have definitely been impacted. We can now see more and more cashierless pay points and retailers that offer various benefits via mobile apps, which streamline consumers’ experience. In its Cybercrime Report, for instance, LexisNexis Risk Solutions reveals that mobile device transactions continue to rise, with 66% of all transactions coming from mobile devices in H1 of 2020.

In July 2020, a survey conducted in the UK regarding shopping behaviour found that 63% used more electronic payments as a result of COVID-19, while the same percentage used more card payments in general, and 80% used more contactless card payments.

What is worrying here is the fact that fraudsters are opportunistic, and they will always look for weak loopholes to achieve their goal. So, as ecommerce has risen and fraudsters take advantage, now more than ever everyone needs to be informed and to act efficiently. How can this be attained? With three main steps:

1. Knowing the enemy;

2. Knowing the challenge;

3. Knowing the solution.

Keep your friends close and your enemies closer

This boost in ecommerce brought along new groups that were basically urged to adapt to digital transactions: senior consumers, minor generations, and brick and mortar merchants that had to open up online channels quickly during the lockdown. All these groups are on the list of those most vulnerable. Consumers, in their digital journey, experience a high rate of attacks in new account creations, yet the largest volume of attacks targets online payment transactions, according to LexisNexis Risk Solutions.

Besides the rise of online shopping, Buy Online, Pickup In Store (BOPIS) is another method consumers have adopted, especially during the pandemic, as per the National Retail Federation. This buying trend is referred to as ‘Click-and-collect’ within non-US geographies. However, Kount reports that fraudsters are taking advantage of this shopping trend, as they steal and use credit cards and account credentials, pick up the goods in-store, and afterwards keep the item for themselves or resell it. After all, ‘Fraudsters go where the money and data are, and they know digital experiences are a prime opportunity’, as Rich L. Stuppy, Chief Customer Experience Officer at Kount, states. The reason why BOPIS is such an easy target is the fact that it requires minimal proof of purchase, so bad actors ‘get in and out without detection’.

In addition, if we consider fraudsters’ business model during this lockdown period, we can see that bad actors turn to several attack typologies such as account takeover (ATO) attacks using identity spoofing and chargeback fraud. In fact, Breach Clarity argues that retailers are the most heavily targeted industry segment for credential stuffing attacks that can lead to ATO. Typical merchants do not always deploy forms of authentication as strong as those used by organisations like financial institutions. A solution would be for strong authentication to become more the norm than the exception; however, until then, Al Pascual from Breach Clarity believes that ‘fraudsters armed with compromised credentials will drive ATO higher among ecommerce merchants’.

In January, Javelin released its Protecting Digital Innovation: Emerging Fraud and Attack Vectors report, which emphasises that CNP fraud and account takeover are top fraud threats for merchants, with 34% and 24% respectively. However, one must take into account that although ATO is harder to detect, it is easier for fraudsters to commit.

Why merchants don’t have an easy road

Javelin suggests that many merchants choose to simplify the checkout process, and consumers are enabled to create an account and save their payment information. Once the data is stored in the merchant’s systems, the merchant actually places themselves at a higher risk for fraud. The report unveils that nowadays criminal organisations can attack a wide range of targets with tactics like social engineering and automated credential stuffing, which allow them to defeat rudimentary defences. However, one solution that could make this process safer is tokenization, which is the process of turning an important piece of data (e.g. an account number) into a random string of characters called a token that has no meaningful value if breached.

Alasdair Rambaud from SecuredTouch talks about the fact that businesses face no-transaction fraud. Although this type of fraud doesn’t result in a direct purchase via a checkout process, it can cause substantial damage to the business and it is hard to detect. Such fraud includes activities like refund requests for goods not actually purchased, coupon fraud where coupon codes are maliciously obtained and used or sold, and loyalty and reward fraud. The fraudsters’ gain from stealing personally identifiable information (PII) is major, as it can either result in identity theft or stolen credentials that are further used in other websites/apps or sold to other malicious actors.

Marqeta’s 2020 Fraud Report, Why consumers don’t understand card fraud, surveyed 4,000 consumers across the US and the UK and discovered that 42% had been hit by fraudsters. 87% admitted they would agree for transactions to take longer to complete, if extra steps for authentication meant their information was better protected. However, while this need is perfectly understandable, it is not that easy to get there. To implement extra authentication steps means data dependency and collaboration between acquirers, merchants, and issuers. And optimising a data sharing scheme along with the customer journey while employing the best risk modelling process is not simple.

Moreover, the upcoming PSD2 with its Strong Customer Authentication (SCA) is aimed at consumer protection and making ecommerce safer. Although PSD2 was to go into effect on 14 September 2019, the European Banking Authority (EBA) granted additional potential exemptions and set the new deadline to 31 December 2020. The fact that there will be further exemptions and out of scope transactions only means that fraudsters will have more options to exploit.

Kurt Schmid from Netcetera believes that ‘[…] if the right technologies are used and processes are optimised, the requirements of PSD2 and Strong Customer Authentication can be met without jeopardising conversion and without having to fear revenue loss’. The question is: are businesses ready? One aspect that merchants can take into account, for instance, is to look for companies that offer FIDO authentication within their solutions. Nok Nok Labs is a company that provides a FIDO-based solution which replaces ‘passwords with secure and simple authentication measures such as fingerprint and device ID’ and which complies with regulations like PSD2 SCA. Walter Beisheim from Nok Nok highlights why it is important to deliver consistent and secure SCA, and how this can help and benefit merchants.

Finding if every door has a key — the ‘challenge accepted’ game is on

As fraud becomes more sophisticated and as fraudsters obtain access to the latest technology and tools, the question that arises is: what can be done? Have we used the current technologies to the maximum or should we look into new technologies? If we need to search for new ways and tools for protection, what are those? What is certain is that consumer education is a must, and consumers should stay informed regarding both the risks and the ways to prevent any activities from fraudsters.

While innovations are taking place in the fraud technology space, it is interesting to see how artificial intelligence and machine learning have been evolving. As such, STRATGranat teaches us that automated machine learning allows the manual review team and fraud manager to manage alerts triggered by the machine learning if there are spikes in decisions not previously seen. In addition, Simility stresses that the use of explainability methods allows businesses to gain vital insight into the whole process, from data collection to decision making.

On the other hand, it can be difficult for merchants to test and evaluate the best innovative fraud solution. Why? Because ‘no two merchants are exactly the same’, and what they sell, who their customers are, and what fraud challenges they have are all part of what makes their needs unique. Testing can be expensive and outperforming an incumbent solution can be challenging. For this reason, Insparx talks about solutions that are available in payments and how a single API in the fraud orchestration hub can be beneficial.

In addition, Mango, like many other merchants, has seen huge spikes in their online channels, as they had to deal with more Internet traffic and to offer new customer journeys. However, with the transition towards digital channels, merchants also face an increase in fraud attempts such as BOPIS, BOPAC, ATO, or chargebacks. So as fraudsters try to steal credentials from legitimate customers, Mango talks about their learnings and best practices on how to focus on good customers, while blocking bad ones.

At the same time, merchants need to detect fraud during the entire customer journey, ‘not just at the time of financial transaction’, as Patrick Finnigan from Dunkin’ Brands suggests. However, businesses new to digital commerce struggle because some have not invested in solutions for the risks associated with the mobile and online channels. Dunkin’ Brands gives a piece of advice on what businesses can do to choose the best protective measures. After all, merchants’ goal is to protect their revenue, their customers’ data, and the reputation of their brands, isn’t it?

As such, to picture the newest technologies, the final part of the Fraud Prevention in Ecommerce Report 2020/2021 focuses on mapping the key players in the fraud detection, identity verification, and online authentication area, as well as presenting their backgrounds and features via in-depth profiles. The chapter aims to reveal an overview of the solution providers in the fraud prevention space and the most important capabilities of each company, thus helping merchants, fintechs, and payment service providers to grasp the current market opportunities.

We would like to express our appreciation to the Merchant Risk Council, Marketplace Risk, and Fraud Practice — our endorsement partners who have constantly supported us — and also to our thought leaders, participating organisations, top industry players, experts, solution providers, merchants, industry associations, and consultancy companies that contributed to this edition. They’ve enriched our report with their valuable insights and joined us in our never-ending journey to depict an accurate overview of the industry.

Enjoy your reading!
