Guest Column | September 20, 2021

Transactional Fraud And Abuse – What's The Difference?

By Colin Sims, Forter


As eCommerce has grown exponentially, businesses are turning to more flexible policies to offer differentiation and value for customers. That includes free or extended returns, promotions, coupons, and more. And so of course, this has increased the surface area for policy abuse.

In a recent 451 Research study of online businesses, when asked where they had seen a notable increase in losses, participants pointed out policy abuse (34.7%), friendly fraud (34.7%), and loyalty program fraud (34.1%) among their top five responses¹.

Oftentimes, businesses treat abuse and fraud as one and the same, which can make addressing them even more challenging. Many vendors in the eCommerce optimization market reinforce this perception, promising to address fraud and abuse at the same time. The fact is that fraud and abuse are fundamentally different – they must be tackled with distinct technologies and tactics, or you risk significant and often unintended disruption to customer experience and revenue.

Abuse And Fraud - Not One And The Same

Simply put, fraud can be defined as when someone other than the card or account holder is involved in an interaction. Fraud can only take place as a result of the willful manipulation of a digital identity. And that tells you a lot about how to defend against it. In addition, empirically, we recognize that while the attempted fraud on a given site (what we call “the fraud pressure”) is a function of many things, it is for the most part predictable, with the most critical factor being the nature of defenses that are in place. If your defenses are good and consistently reject bad actors, then fraudsters will migrate to an easier target.

Abuse is another matter entirely. Abusers are users that generally are not hiding their identity. Abuse stems largely from good customers who are making the most of permissive policies, or who have legitimate claims. Consequently, as they aren’t hiding their identity, they know that there is an upper limit on how much they can claim before the retailer will stop doing business with them.

To summarize, abuse is often perpetrated by your customers, and fraud is perpetrated by those who are not.

Let’s dig a bit deeper, as this is an incredibly important point: If fraud is perpetrated by people who aren’t your customers, then you will not recognize them. You, therefore, must block them repeatedly, before they can check out, and do it consistently or the fraud pressure will persist. That makes fraud detection ridiculously difficult for businesses to address well – they require a broader dataset across businesses to accurately identify fraudsters.

It is important to note that businesses do in fact possess much of the dataset needed to identify abuse. What they lack, however, are effective tools to link together and collapse accounts that are created by serial abusers. While fraud “pressure” is for the most part predictable across eCommerce and is largely a function of your defenses, abuse pressure is much more idiosyncratic and is almost exclusively a function of policies specific to the business, together with how those policies are enforced (or ignored). For example, we see that when it comes to service chargebacks, legitimate customers – even those who are abusive – do not behave identically on various sites. Consequently, it would be a grave error to universally block those customers at checkout.

Customer service matters. The shipping policy and vendor matter. Return policies matter. And whether or not there is a consequence to their actions matters. Did you try to close their account? Did you deny the Item Not Received (INR) claim after the third time, the tenth time, etc.? These are the questions on which a business should focus because they tie directly to the fundamental relationship that a retailer has with its customers. Most retailers should, and do, care about this a lot.

Addressing Abuse, The Right Way

Abuse and fraud are considerably different problems. Each is perpetrated by a distinct set of actors, necessitating a completely different set of technologies and tactics. I have managed operations for an eCommerce retailer, and I’m sympathetic to the temptation to build both capabilities in-house, and/or to consolidate vendors. However, my perspective is now informed by conversations with countless businesses across virtually every vertical, and I’m concerned by some of the trends I am witnessing.

For instance, it has come to light that some fraud detection vendors start to “cover” (where the business pays to shift the chargeback liability) on things like Item Not Received (INR) claims and other service chargebacks. It is understandable why this initially appears compelling to the business. INR claims are indeed on the rise, so it seems to magically make the problem disappear. But there is nothing the fraud vendor can do to manage the risk without interfering in the customer relationship.

I would offer that a vendor should never presume to write the Return Policy for one of its customers, even if that was the root cause of 90% of their abuse. Nor should a vendor decline a buyer who was not manipulating their identity on the presumption that they might file a service claim because people keep stealing their packages. Likewise, it doesn’t seem to make sense to only address service chargebacks after they have already happened (during the dispute process). However, when a vendor takes responsibility for abuse, they have to do all of the above.

“Between Two Evils, I Always Pick The One I Never Tried Before.” - Mae West

Any eCommerce company benefits from enlisting risk management functions to address both fraud and abuse, which as mentioned, are fundamentally different and must be treated as such. But it is important that in doing so, the organization invests the resources that produce both the best outcome for the customer and the best economics for the business. I leave you with two key thoughts that I hope will help frame fraud and abuse:

  1. The correct way to think about fraud is to acknowledge that the main value of fraud vendors is to provide you with hyper-accurate fraud detection that scales. The vendor must be able to leverage a unique dataset that spans different verticals and geographies and helps you make decisions about buyers not recognized, even as they manipulate their identity.
     
  2. The correct way to think about abuse in any form (returns, INR, promo) is to find a vendor that makes you smarter. That vendor shouldn’t simply shift responsibility; they should help you identify and prevent root causes. You should gain access to better tools for measurement and insight into your dataset, and unique expertise to enable you to apply thoughtful policies that drive the right outcomes.

The most important closing note… Regardless of vendor, solution, or policy - nothing should ever interfere with the sacred relationship between you and your customer.

About The Author

Colin Sims is COO at Forter, optimizing eCommerce customer experience and lifetime value by solving the root causes of fraud and abuse. He spent a decade on Wall Street before entering the tech sector. Prior to Forter, he led the strategic sale of Eats.com and ran operations for retail marketplace, Delivery.com.