Guest Column | April 26, 2019

What Retailers Can Do About The Rise Of Phishing And Other Fraud Tactics

By Monica Eaton-Cardone, Chargebacks911

Phishing Risks

By this point, it’s no secret that fraud is a serious concern for e-commerce retailers.

Online criminals managed to steal roughly $16 billion from consumers in 2016. Of course, when you consider the ancillary costs of fraud—the false declines, margin compression, risks to merchant sustainability, and more—the real cost is much higher.

Despite advances in our ability to detect criminal activity and verify users, fraud is not going away. On the contrary, the problem gets worse every year.

Phishing And Other Fraud Attacks On The Rise

According to research by Kaspersky Lab, the number of phishing attempts more than doubled between 2017 and 2018, rising from 236 million to 482.5 million. 18.32 percent of consumers—nearly one in five—say they experienced a phishing attack last year.

We can chalk up part of this increase to new tactics like fake notifications, or to more sophisticated twists on classic email scams. Phishing often takes the form of brand impersonation, which accounts for 83 percent of spear-phishing attacks. In turn, this means businesses are seeing increased traffic from scam artists using stolen information, while those businesses’ reputations are put in jeopardy with actual consumers.

There are other implications for consumer perception as well. For example, increased frequency of phishing attacks makes buyers more wary of fraud. The real problem is that much of consumers’ wariness regarding fraud is misplaced.

Due to a lack of general consumer education about fraud tactics and prevention, buyers run the risk of shutting down legitimate activity, but leaving fraud to proceed unabated. Consumers can be more hesitant to do business online, and faster to turn to the bank and demand a chargeback whenever they have a slight suspicion about a transaction. Yet, despite all that apprehension, fraud attacks keep increasing with no trouble.

The Positive Feedback Of Fraud

We can think of online fraud—and how we respond to it—as an ever-evolving process. We develop new tools and strategies to deal with online fraud as it occupies a greater and greater share of the overall fraud landscape. In turn, fraudsters develop new and more advanced tactics to get around those defenses.

We’re always behind the curve, playing a reactive role to fraud threats as they develop. And, by the time everyone gets serious about one threat or another, it’s already developed into a massive problem.

Take chargebacks, for example. While chargebacks were meant as a form of consumer protection, they’re more commonly used these days as a means to commit fraud.

Attacks described as friendly fraud—the practice of filing a chargeback without proper justification—grow at a rate of 41 percent every two years. Overall, these frivolous chargebacks will cost merchants $25 billion a year by 2020.

Despite that massive liability hanging over the head of everyone in the eCommerce space, decision makers are only now starting to take it seriously. For a long time, in fact, the response was precisely the opposite.

In many cases, friendly fraud isn’t deliberate; it’s produced by a toxic combination of misunderstandings and consumer entitlement. Banks and card schemes unintentionally encouraged this by absolving customers of financial responsibility, not only for identity theft, but even in cases of buyer’s remorse. In just a few short years, well-intentioned consumer protections evolved into consumer fraud.

Of course, consumers aren’t the only culprits. Fraudsters can abuse chargebacks, too. More and more, we see bad actors complete purchases with the intent to turn right around and file a chargeback (a practice known as “cyber shoplifting”).

Retailers Bear The Burden, But Everyone Pays

Consumers can recover funds through chargebacks, and banks can claw their funds back from merchants. Those merchants, though, have nowhere to turn to recoup fraud losses. It’s essentially picking winners and losers. But, while merchants are left holding the bag, they’re not the only ones who end up paying for fraud.

If unaddressed, fraud losses threaten the sustainability of eCommerce. And, as merchants incur more losses, they’re forced to raise prices, and consumers end up paying more for goods. Some sellers are also forced out of business, reducing the range of choices in the marketplace.

We need a comprehensive, industrywide overhaul of our approach to fraud and chargebacks to achieve meaningful change…but that’s not going to happen anytime soon. For now, the only effective solution to online fraud is for merchants to get more adept at identifying it. That presents its own problems, though.

How To Identify Fraudulent Activity

There’s nothing merchants can do about phishing, identity theft, or other threats directly. After all, they can’t monitor customers’ behavior online and stop them from falling victim to criminal scams. However, there are ways to intercept fraud attacks that rely on these methods and prevent fraudsters from completing transactions.

Fraud scoring is an invaluable tool to help identify fraud attacks. Service providers like Kount, Ravelin, and others use a host of techniques, machine learning, and extensive research to analyze transactions in real time and flag probable fraud attacks.

You can’t always rely on just one tool to make an informed decision about transactions, though. Analyzing fraud risk should account for multiple considerations and be based on multiple indicators. This can include:

  • Geolocation: This tool compares a buyer’s IP address with the issuer’s cardholder information. It allows you to gauge whether the buyer is where they’re supposed to be.
  • Transaction Velocity: Fraudsters often try to run through as many transactions as possible before getting caught. If a buyer submits numerous orders in quick succession, consider it a red flag.
  • Shipping Address: If different orders with different payment information all ship to the same address, there’s a good chance the buyer is using stolen information.
  • CVV Verification: The 3- or 4-digit code printed on the card is not a foolproof verification method. But a match at least lets you be reasonably sure the buyer is in physical possession of the card.
  • Address Verification: Address Verification Service (AVS) compares the billing information submitted against the billing information on-file. If there’s a mismatch, it’s a sign the buyer doesn’t really know the cardholder’s billing address.
  • 3-D Secure: Although 3-D Secure does add some friction to the checkout process, new 3-D Secure 2.0 technology is a very reliable verification tool, essentially working like a PIN code for online purchases.
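
To show how several of these indicators can be combined rather than relied on individually, here is an added example (not from the article or from any vendor named in it) that scores a stream of orders on geolocation, velocity, shared shipping address, CVV, and AVS. The field names, weights, limits, and review threshold are assumptions chosen for illustration, and the orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Weights, limits and the review threshold are illustrative assumptions.
WEIGHTS = {"geo_mismatch": 20, "velocity": 25, "shared_address": 25,
           "cvv_fail": 15, "avs_fail": 15}
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3      # orders from one account inside the window
ADDRESS_CARD_LIMIT = 3  # distinct cards shipping to one address
REVIEW_THRESHOLD = 40

def normalize(addr):
    return " ".join(addr.lower().split())  # ignore case/spacing variations

def score_orders(orders):
    """Return {order_id: (score, [indicators])}, scanning orders by time."""
    recent = defaultdict(list)   # account -> timestamps of earlier orders
    cards_at = defaultdict(set)  # shipping address -> card tokens seen
    results = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        hits = []
        if o["ip_country"] != o["card_country"]:
            hits.append("geo_mismatch")
        window = [t for t in recent[o["account"]] if o["ts"] - t <= VELOCITY_WINDOW]
        recent[o["account"]] = window + [o["ts"]]
        if len(window) + 1 >= VELOCITY_LIMIT:
            hits.append("velocity")
        cards = cards_at[normalize(o["ship_to"])]
        cards.add(o["card"])
        if len(cards) >= ADDRESS_CARD_LIMIT:
            hits.append("shared_address")
        hits += [k for k, ok in (("cvv_fail", o["cvv_ok"]),
                                 ("avs_fail", o["avs_ok"])) if not ok]
        results[o["id"]] = (sum(WEIGHTS[h] for h in hits), hits)
    return results

def flag_for_review(orders):
    return sorted(i for i, (s, _) in score_orders(orders).items() if s >= REVIEW_THRESHOLD)

T0 = datetime(2019, 4, 26, 12, 0)
def order(i, mins, acct, card, ship, ip="US", cvv=True, avs=True):
    return {"id": i, "ts": T0 + timedelta(minutes=mins), "account": acct, "card": card,
            "ship_to": ship, "ip_country": ip, "card_country": "US", "cvv_ok": cvv, "avs_ok": avs}

SAMPLE = [  # constructed orders, not real data
    order("A1", 0, "alice", "tok_1", "12 Oak St"),
    order("B1", 1, "acct_x", "tok_7", "9 Dock Rd Unit 4", ip="FR", avs=False),
    order("B2", 3, "acct_x", "tok_8", "9 dock rd  unit 4", ip="FR"),
    order("B3", 5, "acct_x", "tok_9", "9 Dock Rd Unit 4", ip="FR", avs=False),
    order("C1", 90, "carol", "tok_2", "4 Elm Ave", cvv=False),
]
```

On the sample data only order B3 crosses the threshold: a lone CVV failure (C1) or a lone geolocation mismatch (B2) stays below it, while the third rapid order with a third card to the same address accumulates four indicators.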

Of course, no strategy is foolproof. Even with all these tools at your disposal, there’s still no guarantee you can stop every attack.

Going back to friendly fraud, for example, we’re talking about a post-transactional threat. Friendly fraud is indistinguishable from a normal, legitimate purchase at the buying stage; it only “becomes” fraud once the transaction is settled. The only way to really contend with friendly fraud is to engage it through tactical chargeback representment, and blacklist known friendly fraudsters.

The fight against online fraud is an uphill battle, and it’s highly unlikely we’ll ever really put a stop to fraudulent activity. But, with the right tools and strategies, you can put up a strong defense against current fraud tactics, as well as those criminals will think up tomorrow.

About The Author

Monica Eaton-Cardone is cofounder and COO of Chargebacks911, a global dispute mitigation and loss prevention company.