Think Like a Fraudster to Protect Your Customers
Dec 6, 2008 4:00 AM PT
The holiday season has come to signify not only a time of celebration among family and friends -- it's also usually a period of joy for retailers. This year, however, the lagging economy threatens to dampen everyone's holiday spirit, and retailers who depend on a large holiday season sales boost should prepare for a much smaller increase: Forrester Research analysts have projected that sales will grow at just 12 percent this holiday season, compared to a 21 percent jump last year.
But even achieving this number will be challenging given the latest comScore report. comScore notes that U.S. retail e-commerce grew just 1 percent year-over-year in October, compared to 19 percent year-over-year growth the previous October, which marks the sixth consecutive month of slowing growth.
Add to that rather disconcerting picture a backdrop of increasing fraud. Gartner security analyst Avivah Litan reports that in recent months, banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. "There's been a marked increase in the number of attacks and the number of successful fraud attempts," Litan, who plans to publish a formal report in December, recently told Forbes.com. "This is the busiest my practice has ever been."
If the current economic crisis and spike in fraud have the impact they threaten to, online retailers will need to find new ways to maximize the revenue from what is looking to be a tough holiday season. It is, however, often a fine line to walk between finding new ways to maximize profits and retaining customer loyalty. Retailers should be looking to cut out fraudulent holiday purchases as one of the best ways to boost revenues while keeping prices reasonable -- and customers happy.
There are a number of ways retailers can cut down on fraud for the holidays, but it will be important to factor in measures that ensure "good" customers still have a pleasant, hassle-free shopping experience. Because especially this year, the only online shoppers who need to feel more of a pinch are the fraudulent ones.
Time for a Fraud Check-Up
To start, think like a fraudster this holiday season. Retailers know their data and their systems better than anyone, and should therefore know where their biggest vulnerabilities might lie. Companies looking to cut down on their fraud risk should put themselves in a scammer's shoes: If you were them, what are the weakest points you would attack? How would you find names, Social Security numbers, dates of birth, addresses and phone numbers stored in your systems? What social engineering techniques could you use to get inside your own company?
Once retailers understand the vulnerabilities by which they could be compromised, they can effectively build policies to monitor and disrupt the attempts at fraud. After examining and understanding their risk exposure, merchants should estimate the probability of a breach and then allocate appropriate funds for compliance and dealing with potential losses. Now is a good opportunity to take a step back and ensure a fraud prevention strategy is securely in place to block fraudsters who are looking to take advantage of the frenetic shopping activity around the holiday season.
The Evolving Fight Against Fraud
There are also a number of technology strategies available for keeping fraud away from a retailer's site -- and its customers. To fight fraud, merchants have been forced to look toward an increasingly multi-layered approach, combining methods that each come with their own pluses and minuses. These can include methods such as the following:
- CVV2 or CVC2
- VbV, SecureCode
- IP geo-location
- Postal address verification
- Negative and positive lists
- Order velocity monitoring
- Identity authentication systems (out-of-wallet or in-wallet challenge)
- Customer behavior analysis
- Device fingerprinting
In addition, many retailers rely on manual reviews before making a final purchase decision. While effective at weeding out potentially fraudulent orders, this strategy can cause time delays and frustration for legitimate customers.
And a quick look at the manual review numbers shows they don't quite add up: Nearly 98 percent of online transactions are legitimate, but most fraud management solutions focus on the 2 percent that are fraudulent -- keeping in mind that 2 percent, while seemingly small, can translate into millions of dollars in lost revenue for larger e-commerce sites. In order to keep their fraud rate low, online businesses refer more than 1/4 of all of their transaction requests for manual review. Yet after this review stage, more than 2/3 of all merchants accept more than 8 of every 10 questionable orders.
To put it simply: The largest online businesses spend big dollars annually to manually inspect orders -- the majority of which wind up being accepted in the end. Ironically, the money and time spent on manual reviews are used to protect against the small number of actually fraudulent transactions -- and while the real goal of fraud prevention is to protect a company's good customers, they are the ones who are most inconvenienced in the process.
All of these efforts have traditionally had a hand in helping retailers fight fraud. As fraudsters become increasingly sophisticated, online retailers have had to add more and more combinations of these fraud detection tools to stay one step ahead. Now fraudsters are banding together in new ways to tackle legitimate businesses as a unified front. For example, "spear phishing" is a term used to describe highly targeted, personalized e-mail scams, which are making inroads in tricking consumers into providing personal information to fraudsters, who then use it illegally on retail sites -- or sell it to each other. Many business Web sites now exist where criminals can buy and sell stolen identities. Just look at the DarkMarket, a recently shuttered, invite-only Web site where online criminals marketed stolen credit card information and shared tips and tricks for cybercrime.
This "social" element presents an ever-increasing challenge for retailers this holiday season. Fraudsters are targeting the weakest links and using their collaborative methods to exploit every opportunity.
It Takes a Village
In fact, the greatest vulnerability that merchants have in fighting back against fraud is that most are still doing it alone, while the fraudsters form increasingly sophisticated cyber-gangs to perpetrate their crimes. And, as they do, they get better and better at making their junk orders look like the real thing. It's time online retailers took a page from the fraudsters' book.
Joining together -- collaborating to share experiences, detect patterns faster, and effectively separate good business from criminal activity -- is the next step forward. From LinkedIn to open source to Web 2.0 mashups, companies are utilizing collaboration to solve their business problems -- fraud prevention included.
Retailers operating in an online environment want to be able to make the most informed decisions possible about the orders sent their way. By uniting with other companies to share best practices, fraud fighting tips, and actual past order experience information -- both good and bad -- this can be achieved.
By using common sense, implementing available security technology and working together to share actual order information, retailers can make sure that they stay on their customers' "nice" list this year -- and that fraudsters end up on the "naughty" list with a stocking full of coal.
Andre Edelbrock is the CEO of Ethoca, a leader in collaborative fraud management.