April 14, 2020
eCommerce Fraud and COVID-19
Thinking Through the Impacts of eCommerce Fraud Due to COVID-19
Every fraud prevention team has been affected by the changes brought by the COVID-19 crisis. Scrambling to adapt to the sudden shifts in behavior from good and fraudulent customers alike has been a significant challenge in recent weeks.
Now that the very first shock is over, fraud fighting leaders need to take time to analyze their reactions and results, be aware of how their business fits into the big picture, and take steps to protect their company in the future from the attacks fraudsters are beginning today.
With everything changing around us, from consumer behavior to day-to-day activities, fraudsters and their methods of attack are changing too. It is our task, as fraud prevention professionals, to anticipate and react to these changes as they come.
The challenges you face as a fraud team as the result of the coronavirus crisis will depend on the industry you are in. It is important to understand where you fit in, so you know what to guard against.
A Flood of Users and Fraudsters
Some industries, such as home entertainment, education apps and sites, wellness sites and products, delivery services, online gaming, and anything which facilitates remote working, are experiencing a flood of new customers. While that sounds like a "good problem" to have, it makes things difficult for fraud prevention teams who are faced with a flood of fraudsters hiding among the good customers.
This applies to new accounts and to dormant accounts coming to life again. Watch out for account takeover (ATO), which fraudsters are using to attack businesses they know are likely to be dealing with more new users than usual. They think ATO will be an easy way to slip under the radar, since established accounts seem safe by contrast. Don't get caught out.
The Challenge with Your Statistical Models
A big part of the challenge will be that your normal statistical models will be less helpful than usual. They rely on the present being much like the past -- which, right now, it is not. You will need to compensate with ongoing analysis and monitoring of the current state of play in your business and adapt accordingly -- based on the data of what you are seeing.
It might be hard to put the time into manual reviews that you need right now. Your team members who usually work closely together are separated physically and probably still getting used to the new situation. Encourage them to share trends they are noticing with one another -- the more you invest in this kind of strategic communication, rather than just tactically making sure all cases are covered, the better the impact on your fraud fighting efforts long-term.
Just as important is sharing any false positive cases. With false declines and added friction, you might be frustrating many of your best customers who are simply behaving differently. Try to bridge the gap between fraud teams and customer support to quickly identify and fix these issues.
Fewer Good Customers, but the Fraudsters Keep Coming
On the other hand, you may be in an industry experiencing far less traffic as a result of COVID-19. Services relating to vacations and travel fall into this category, as do event planning, ticketing, and so forth.
In that case, one key challenge is probably going to be that while your legitimate traffic has declined, your fraudulent activity may not have gone down by a similar ratio. In fact, some fraudsters will be upping their attacks, using your site as a soft target for card testing or wallet testing to identify stolen payment methods they can go on to leverage on "hot items" elsewhere. One way or another, you will have a notably higher decline rate than usual.
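An added example, not from the original article: one way to show stakeholders how much of a raised decline rate comes from a card-testing cluster rather than from over-tight controls. The log fields, the sample records, and the thresholds (four distinct cards, amounts of 5.00 or less, a ten-minute window) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _t(hhmm):
    return datetime.strptime("2020-04-10 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample log: (time, device_id, card_fingerprint, amount, approved)
ATTEMPTS = [
    (_t("09:00"), "dev-A", "c1", 120.00, True),
    (_t("09:05"), "dev-B", "c2", 64.50, True),
    (_t("09:10"), "dev-C", "c3", 310.00, False),  # ordinary decline
    (_t("09:30"), "dev-D", "c4", 89.99, True),
    (_t("10:00"), "dev-X", "c10", 1.00, False),   # burst of small attempts,
    (_t("10:01"), "dev-X", "c11", 1.00, False),   # a different card each time
    (_t("10:02"), "dev-X", "c12", 1.50, False),
    (_t("10:03"), "dev-X", "c13", 1.00, True),
    (_t("10:04"), "dev-X", "c14", 2.00, False),
    (_t("11:00"), "dev-E", "c5", 45.00, True),
]

def find_card_testing(attempts, window=timedelta(minutes=10),
                      min_cards=4, max_amount=5.00):
    """Devices that tried >= min_cards distinct cards on small amounts in one window."""
    by_device = defaultdict(list)
    for ts, device, card, amount, _approved in attempts:
        if amount <= max_amount:
            by_device[device].append((ts, card))
    flagged = set()
    for device, events in by_device.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({card for _, card in events[start:end + 1]}) >= min_cards:
                flagged.add(device)
                break
    return flagged

def decline_rate(attempts, exclude=frozenset()):
    """Share of declined attempts, optionally leaving out flagged devices."""
    kept = [a for a in attempts if a[1] not in exclude]
    return sum(1 for a in kept if not a[4]) / len(kept) if kept else 0.0

if __name__ == "__main__":
    flagged = find_card_testing(ATTEMPTS)
    print(flagged, decline_rate(ATTEMPTS), decline_rate(ATTEMPTS, flagged))
```

Reporting both figures side by side gives the people overseeing the risk department the decline rate for ordinary traffic alongside the headline number.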
Nothing Is Normal Right Now
In normal circumstances, that would be a sign that you had tightened your controls too much and were declining good orders for the wrong reasons. But nothing is normal right now. You will need to educate the directors or executives who oversee the risk department's work to ensure they understand the reality behind the numbers.
This is even more important if your company is venturing into new areas, such as gift cards, in response to the new situation. It is important that the fraud prevention team be a part of the effort, making sure that other stakeholders outside your department understand the risks involved.
Fraudsters love gift cards, which are effectively like free money for a successful criminal, and that means sensible caution is necessary. Make other parts of the purchase process within your company a part of the discussion to explore how you can identify real customers and collaborate with other merchants who will already know and trust users who are new to you.
Think Long-Term, Even in Crisis Mode
It can be hard to think beyond the immediate needs of the moment at a time like this. But it is crucial for the long-term success of your team and your business.
For example, if you are temporarily receiving fewer orders, use this as an opportunity to strengthen your fraud prevention efforts. When fraudsters do not have as many good customers to hide behind, it is easier to spot them and to see trends or tricks that normally escape you. If you use this time for research, you will be better prepared when things get busy again.
Similarly, if you are struggling with statistical models that just cannot adapt fast enough to all the changes, this might be a good time to work on one that can help you during the crisis -- and in future crises, too.
Thinking long-term should impact your approach to sleeper accounts, too. It will not be uncommon at the moment to see customers setting up accounts which they do not end up using. Things are in flux for your users as well as your business, after all. But some of these will be fraudsters thinking ahead, planning to age accounts to use later when you are not expecting it. Take steps to verify good customers now, while they remember your site and might be enticed back to it.
Fraudsters Are Pulling Victims into Their Schemes
Phishing is nothing new, but the scale on which both phishing and vishing operations are being conducted at the moment is startling. Coronavirus themes are common, with criminals pretending to be providing vital information about health recommendations or statistics, or even representing a new government or local organization set up to help people in the crisis.
Beyond that, there is a psychological element. Fraudsters flourish on FUD -- Fear, Uncertainty, and Doubt. Fraudsters are taking advantage of the fact that users are more likely to be stressed and uncertain than usual. Plenty are having to use new sites, apps, and services for the first time, while juggling numerous other difficult changes. All this makes phishing far easier. Even normally clued-up users may fall victim at a time like this.
Fraudsters may be setting up sites to sell items in high demand like masks, hand sanitizer, and gloves, or setting up fake sites to collect donations to support people and communities struggling with the current pandemic.
Be aware that all this phishing and vishing activity makes both ATO and attacks using stolen financial details more likely -- not just now, but in the future as well. Organized criminal groups are likely to plan ahead in this way, gathering details now while it is easy so that they can put them to work later, when your guard might be down.
In terms of your own company, it is a good time to reach out to your users to remind them how you typically contact them, applying good anti-phishing and anti-vishing practices. You do not want your own business to become another victim. You can make this a positive message for customers, explaining that you are protecting them and helping them to protect themselves.
You may also want to proactively look for any "clone" sites that the fraudsters may have built, pretending to be yours, taking advantage of people's good intentions or needs, or even asking for their donations and patronage at a time of crisis.
Make Sure You Keep Mules in Mind
Another trend to watch out for is mules. Darknet forums have been full of criminals gloating about the sudden easy expansion of their mule empire. There are plenty of real people looking to work from home at the moment, making them easy targets for unscrupulous actors. Many will not have any idea that they are receiving stolen goods and repackaging them to send on as part of a criminal enterprise.
This is particularly tricky for fraud prevention departments, because at the moment you will have less proof than usual that a package made it to the right address. Companies like FedEx and UPS, which normally insist on signed proof of delivery, are responsibly protecting their employees and their customers by using social distancing. That means no one is signing for their packages.
Collaboration with other companies is the best way forward here in terms of prevention. Mules will typically be directed by their "minders" to move on to site after site, not making so many orders on any single one that they look suspicious early on. The more you are in touch with fellow fraud fighters in other companies, the better your chances of protecting your company against this threat. Especially, try to work with fraud departments in the same or a similar industry, because the organizations behind mules often specialize in particular verticals.
Prepare for Chargebacks
One unfortunate outcome of the current situation is that many people's plans have changed, whether it is trips and activities that got canceled or just having a harder time making ends meet. In all cases this may mean that many items that people have purchased are no longer needed. With stringent return policies and tighter wallets, consumers are likely to turn to chargebacks as a way to recover some money.
Moreover, in cases where fraud does not decline as quickly as your good traffic, you may be seeing a surge in chargeback rates that may extend for the next few months.
It may be important to rethink your company's return policy, whether by allowing longer return windows, or going as far as "no questions asked" returns. You may have to take a lot more merchandise back, but you might gain customer loyalty for life.
Stay in Touch, Stay on Top of Trends, and Stay Healthy
Staying in touch with your industry and fellow fraud fighters is a good policy in general, right now. There is a lot going on, and things are changing fast. You will need to stay abreast of the developing "new normal" in your industry, and also of the evolving fraud attacks and tactics. The more we can all support each other and work together, the better for everyone -- except the fraudsters.