Ecommerce platforms are incorporating sophisticated fraud detection measures, but fraudsters, too, are refining their strategies.
In this Help Net Security interview, Eduardo Mônaco, CEO at ClearSale, explains the complexities of ecommerce fraud, discussing the evolution of fraudster tactics, the effectiveness of social footprint analysis in confirming identity, the balance between fraud prevention and customer experience, and techniques to address more advanced fraud types.
In your experience, how have fraudsters evolved tactics to stay ahead of ecommerce fraud prevention measures?
The world of ecommerce is characterized by its rapid pace, intense competition, and constant evolution. The fraud landscape is continuously shifting, influenced by digital tools like mobile wallets, BNPL payments, cryptocurrency, and financial technology. Keeping up with the latest technology is only half the battle, as fraudsters find weak points to infiltrate retailer’s profits, services, or goods.
Machine learning (ML) has recently been used to prevent fraudsters from attacking ecommerce brands; however, fraudsters employ tactics to feed false data, confuse the algorithms, or exploit blind spots in the models to stop these technologies from running smoothly. Card testing has also become popular as fraudsters use automated scripts to test stolen credit card details on sites to determine which cards are still active and usable for future fraudulent transactions.
How effective is social footprint analysis for confirming a cardholder’s identity? What are the key challenges with this method?
Social footprint analysis can be a valuable tool for confirming a cardholder’s identity and detecting potential fraud. It effectively verifies personal information such as name, date of birth, location, etc. It can also uncover behavioral patterns, geolocation data, and relationship data that can be compared against the transaction.
While social footprint analysis can certainly provide additional context and insights, it is not typically used as a standalone method for confirming the total validity of a transaction. Instead, it is often used as part of a broader identity verification process to strengthen the overall risk assessment.
When using this method of analysis, it’s important to keep in mind privacy, data accuracy, anonymity, and the constant fluctuations of variables. It takes a robust platform and team to be able to effectively analyze this sort of data that can be inconsistent. It’s also important to remember that different cultures and generations use social media platforms differently and have different online shopping behaviors. Analyzing social media attitudes and patterns without considering these nuances may lead to biases or misunderstandings.
How can businesses balance implementing robust fraud prevention measures and ensuring a smooth and frictionless customer experience?
Combating fraud is not just a means of safeguarding revenue; it also plays a crucial role in preserving customer relationships and CX. To achieve this, retailers must carefully review each order, even from regular customers, to detect potential signs of ATO fraud, chargebacks, or triangulation fraud. Furthermore, retailers can shield customer accounts from various infiltrations by fostering a robust security culture that includes timely updates for systems and software, anti-phishing measures, and adherence to cybersecurity best practices.
That said, we understand that the adoption of any effective fraud prevention tool can impact CX, and in ways that could be detrimental. It’s part of the problem with protocols like 3DS2 – even with the updated features that consider customer friction, there are still significant barriers created to provide that level of protection.
So, what can retailers do to keep their stores safe without turning away good customers? The answer may be a complicated one because it’s about finding the right balance for your unique business. Understanding what purchases tend to result in fraud or chargebacks, knowing your customer and what they are capable of handling in terms of checkout, and keeping a transparent relationship with them will allow you to find out what the balance should look like. Then, you can implement the right kind of fraud rules for your purchases, the right kind of payment options, and the right kind of communication chain for any risky orders.
How can businesses identify and respond to more complex types of ecommerce fraud, such as affiliate or drop-shipping fraud?
Identifying and responding to more complex types of ecommerce fraud, such as affiliate or drop-shipping fraud, requires a multi-layered approach that combines advanced technology, data analysis, and human intervention. Some of these strategies include:
- Educate staff and customers: Train employees to recognize potential fraud indicators and suspicious activities. Additionally, educate customers about how to protect their accounts and report any fraudulent activity they encounter.
- Comprehensive data collection and analysis: Gather as much data as possible on all transactions and user behavior. This includes user registration details, order history, device information, IP addresses, geolocation data, and more. Utilize machine learning algorithms and data analysis tools to detect patterns and anomalies indicative of fraudulent activities.
- Thorough vetting and monitoring of affiliates: Implement a thorough screening process for affiliate marketers and drop-shipping partners and keep a close eye on their activities. Regularly audit their performance, traffic sources, and conversions to detect any suspicious trends or abnormal patterns.
- Set purchase and refund limits: Set limits on the number of purchases and refunds allowed within a specific timeframe. Unusual spikes in these activities could indicate potential fraud.
- Human review: Combine automated fraud detection with human intervention. Assign a team to review suspicious transactions manually, especially for high-value orders or those involving new affiliates or drop-shippers.
By combining these strategies, businesses can significantly reduce the risk of falling victim to affiliate or drop-shipping fraud while maintaining a positive customer experience. However, it’s essential to strike a balance between fraud prevention and not creating unnecessary friction for genuine customers. Regularly monitoring and adjusting the fraud prevention measures will help achieve this balance.
Are there any red flags that a merchant should immediately investigate, and how should they respond if they suspect fraud?
Several red flags indicate the need for further investigation or verification, such as:
- Unusual purchasing behavior: such as buying a large number of bulk products, multiple transactions in a short amount of time, or a large order from a first-time visitor.
- New device logins can indicate someone has hacked an account and will result in ATO fraud
- Shipping address changes: fraudsters typically send products to nearby homes and steal them once they are delivered or use addresses associated with social media accounts when making a fraudulent purchase.
- Location addresses do not match: shipping address, billing address, and IP address should be the same in most authentic purchases. Also, be mindful if the shipping destination of the goods happens to be a re-shipper or a freight forwarding company.
- A large order from a suspect country: largest fraud rates occur in China, Brazil, Pakistan, Indonesia, and Venezuela.
- Unfamiliar devices: Customers typically shop from a small cluster of personal devices. An unfamiliar device may suggest an unauthorized buyer.
If a merchant suspects they may be the victim of CNP fraud, they should:
1. Gather all the relevant transaction details, including order numbers, customer names, email addresses, billing and shipping addresses, IP addresses, and any other data associated with the suspicious transaction(s). Take screenshots or save copies of all related communications and order confirmation emails.
2. Transparency with the customer is key, so if you believe certain transactions are fraudulent, contact the affected customers to confirm the legitimacy of the order(s). They may not be aware that their payment information has been compromised, or they may be able to provide you with the verification you need.
3. If you aren’t able to verify the transaction(s) directly, you can contact your payment processor or gateway to inform them of your suspicions. They might be able to provide insights into the situation, and in some cases may be able to take immediate actions such as flagging or stopping the payment(s).
4. And lastly, but possibly most importantly, is to secure your bottom line with a fraud protection partner that can not only assist you should this happen again but help prevent it from the start.
How can businesses protect themselves from fraudsters who make multiple purchases using different cards within a short timeframe?
Effective techniques to thwart card testing scams involve the utilization of AVS and CVV matching, continuous monitoring of IP addresses, and the implementation of velocity checking.
Sophisticated methods of stealing credit card details, such as breaching less secure retailer databases or deploying skimmers, often fail to provide the fraudster with both the billing address and the CVV number alongside the card number itself. These basic verification checks prove highly effective in preventing a substantial portion of card testing and fraudulent activities.
Additionally, anti-fraud protocols like 3D Secure can serve as a capable defense against card testing attempts. Each retailer must assess the most suitable tools and solutions for their specific needs and diligently measure their effectiveness in combating fraud.
Could you elaborate more on the role of fraud detection software in identifying potential scammer activity, especially with suspicious email addresses or IP addresses? What are the main features to look for when choosing such software?
Fraud detection software plays a crucial role in identifying potential scammer activity, particularly when it comes to identifying suspicious email addresses or IP addresses. Such software utilizes advanced algorithms, ML, and data analytics to assess patterns and attributes of transactions and user behavior, enabling businesses to proactively detect and prevent fraudulent activities.
If you are considering a fraud prevention partner, here are some questions that are important to ask:
- How well does the solution balance CX, UX and fraud protection?
- How easy is the integration process?
- How accurately does the solution detect fraud?
- Does the solution protect you from chargebacks?
- Is your business and customer data safe?
- What fraud solution costs are involved?