andranik123 - stock.adobe.com
New thinking and systems required to tackle online fraud in retail
Online fraud is a growing problem for retail, but are merchants doing enough to update systems and how should they change their actions to address it?
Online payment fraud losses are expected to exceed $206bn over the next five years, according to a study by Juniper Research.
Juniper says the predicted fraud figure between 2021 and 2025 will be the equivalent to almost 10 times Amazon’s net income in its 2020 financial year.
The Fighting online payment fraud in 2021 paper calls on retailers and all merchants to explore the use of machine learning-based fraud prevention platforms and make them an immediate priority. Problems have grown in the pandemic, with Juniper noting a surge in synthetic identity and account takeover fraud, which threatens the security of entire accounts, alongside associated payment data.
Remote physical goods purchases are deemed the leading cause of online payment fraud, accounting for over 47% of fraud losses in 2021 to date. Juniper urges payment fraud prevention suppliers to offer services based on digital identity verification, to boost security and combat the surge in account takeover fraud.
Research co-author Nick Maynard says: “Given the large amounts of online payment transactions globally, it is essential that this transactional data is leveraged to continually detect fraudulent transactions.
“Payment providers which can use this data to identify new fraud sources and tactics will be those who prove to be the most resilient to this significant market loss.”
Mark McMurtrie, an independent payments consultant, says retailers are currently too slow in adjusting their strategies, especially now the touchpaper has been lit under online retail. Since the onset of the pandemic, e-commerce has jumped from around one-fifth of total retail sales to much closer to one-third, according to the Office for National Statistics.
“Retailers’ thinking and systems need upgrading to reflect the increasing volume of payments, the faster pace of money movement and the new attack threats they face,” says McMurtrie.
“We’ve found criminals are faster at adopting new technologies because they don’t have business cases to submit – unlike retailers and banks.”
A retailer’s perspective
Consumer electronics retailer Maplin, which was reincarnated under new ownership in 2019, finds itself in one of the sectors of retail most affected by online fraud.
Ollie Marshall, managing director of Maplin, says large volumes of high-value small items that are particularly resalable makes the sector “rife with fraud”. After bringing Maplin back to life two years ago, the business was instantly under attack from criminals, he adds.
“We were being hit from day one by pretty sophisticated fraudsters,” he says, adding that Apple products and e-scooters are among the products most targeted, with credit card scams among the frequent types of fraud. “There’s a great ecosystem of tools out there to manage it, but it’s a shame it exists.”
Maplin, which now operates as an e-commerce pureplay, outsources fraud monitoring and prevention to a third party. It taps into the expertise of Signifyd, one of a band of modern tech businesses addressing the challenges associated with merchant fraud by using machine learning processes.
Marshall says the partnership has been successful, but acknowledges that there is always going to be fraud: “We see it as a cost of business and an amount of risk to take on as a business. If you’re on top of fraud and collecting the intelligence, it’s manageable.”
New channels fuelling ‘friendly’ fraud
A head office worker at another consumer electronics retailer told Computer Weekly that in-store collections are one of the worst channels for fraud, which is indicative of criminals taking advantage of emerging fulfilment methods.
This is part of a developing phenomenon known as ‘friendly’ fraud, which also involves shoppers wrongly claiming they did not make a transaction or receive a delivery.
“We get a lot of abuse around returns,” Marshall says, explaining that, somewhat bizarrely, there have been multiple instances where the retailer received tins of baked beans rather than an expected returned PlayStation. Evidently, consumers have taken advantage of gaps in communication between payment providers and the merchant to keep the item they said they had returned, while also pocketing a refund.
“We have received devices damaged or broken, but they are shrink-wrapped so they look like new,” he adds.
“People buy something from one retailer and buy from us and return the broken one to us, so we have to be super hot on our serial number tracking and our processes, and really keep a lot of evidence. That’s key to fighting this activity.”
Ed Whitehead, Signifyd
A consumer survey published in September 2020 by Signifyd, which also works with companies such as Lego, Samsung and Wish.com, found that more than 36% of respondents had falsely claimed that a legitimate charge on their credit account was fraudulent in order to receive a refund while keeping the product.
“Consumers have become more stretched during the pandemic, and behavioural change hasn’t always been for the better,” says Ed Whitehead, managing director for Signifyd in Europe.
“The difficult thing for retailers is making sure they don’t block legitimate customers. As much as blocking the bad, you want to make sure you’re not blocking the good – and that’s the real skill, that’s where machine learning-first solutions come in.”
So-called friendly fraud can also occur when someone accidentally or without permission runs up a bill on a family member’s credit card without their knowledge. These incidents, which largely occur in gaming and via in-app purchases, are then reported as fraudulent.
“To tackle this, sensitivity is needed because it may have been unintentional rather than a deliberate fraud attempt, so it could be solved through dialogue and education,” says McMurtrie.
Vigilance in the face of an ongoing battle
Trade association the British Retail Consortium (BRC) published its annual Retail Crime Survey in June, covering the 12 months leading up to 30 March 2020. Although the focus was on growing violence and abuse aimed at shop staff, there was reference to the rising threat of cyber crime.
There were increased attacks and breaches for 54% of the retailers surveyed, with theft of data seen as a high or medium threat by 86% of respondents. Phishing, whaling, credential stuffing and web app-based threats were close behind, according to the BRC, which said cyber crime has increased in retail every year it has tracked it since 2015.
Graham Wynn, assistant director for consumer, competition and regulatory affairs at the BRC, says: “There has been a huge shift to online commerce since the start of the coronavirus pandemic, and processes across the supply chain are being rapidly digitised and automated – from e-commerce, cloud systems and shift patterns to payroll and procurement.
“Greater dependence on these technologies has brought more cyber risk and hackers are becoming increasingly sophisticated in their tactics. Retail firms have spent £160m in the past year on deploying cutting-edge systems to protect their customers and prevent future breaches. But, now more than ever, it is crucial that retailers remain vigilant and adhere to necessary security protocols to combat these emerging threats.”
Together, retailers and tech companies have their work cut out to tackle the challenge of online fraud and cyber crime. The introduction of Strong Customer Authentication regulation later in 2021 is expected to help to some degree.
“People will always try to break the system – for some it’s not even the financial gain, it’s the prowess and bragging rights,” says Whitehead. “We monitor the dark web and forums, and actually someone will love doing it to show they are better than the retailer or better than the fraud prevention solution.”
That’s what retailers face, and it’s one of the reasons why the battle with online fraud remains a going – and growing – concern.
Read more about cyber and retail
- A surge in malicious domain registrations ahead of Amazon Prime Day indicates cyber criminals have set their sights on exploiting vulnerable shoppers.
- The British Retail Consortium has worked with the NCSC to develop a new cyber security toolkit pitched at retailers.