By Mike Cassidy and Bill Marcus
If you’re a digital retailer thinking about the holiday shopping season, it’s showtime.
You are deep into planning promotions, scaling up your teams, locking in your logistics. It’s hard to overstate the importance of the holiday shopping season to the retail industry and even the U.S. economy.
Oh, and it’s hard to overstate the importance to one other constituency, one you rarely consider in the context of trimming trees, roasting chestnuts and picking out the perfect gift: online fraudsters.
What is seen by many as the season of giving is seen by fraudsters as the season of taking. And just as retailers rev up their holiday planning months before Cyber Monday, an army of outlaw opportunists also goes to work on its holiday scheming.
On average, retailers see 20 percent of their revenue during the holiday season, and some sectors, such as jewelry, capture closer to 30 percent of their sales during the period, according to the National Retail Federation.
It’s a lot of money — roughly $123 billion in online spending in 2016, according to the NRF — and fraudsters want their cut of the action.
What are this year’s hottest trends? Forget about fidget spinners, 3D printers, virtual reality headsets and backyard drones. Think instead about the twists and tweaks that fraudsters employ as they try to keep one step ahead of those fighting online fraud.
This year fraudsters are apparently upping their game by going back to school, according to online tech site The Register and PYMNTS.com. The sites reported on a six-week internet course, complete with 20 lectures and five expert instructors, that teaches the criminally inclined how to steal or otherwise acquire credit card information and how to use that information to defraud retailers.
The fraud-school story was based on research by Digital Shadows, a risk management company that found that enrollment in the course, which is taught in Russian, costs $945 and promises a potential ill-gotten income of $12,000 a month.
Think of it as Udacity for those with audacity.
For those big on tradition, fraudsters will be turning to time-tested practices — account takeover and stolen financials — to game the system. Account takeover refers to a fraudster gaining control of a consumer’s account and using that account to make unauthorized purchases.
But it is stolen financials, in which a fraudster gets ahold of a consumer’s personal credit information and creates accounts, that is the loss leader, if you will. It accounts for 93 percent of online fraud, according to the Q1 2017 Global Fraud Index, published by PYMNTS.com and Signifyd.
Both The Register’s and PYMNTS.com’s stories on online fraud schools pointed to a key way stolen financials fraud is facilitated: a network of forums on the dark web that offers credit card and personal information for sale for as little as $6 per account.
In addition to formal education, fraudsters are no doubt cooking up new ways to put the stolen data to use. There is little limit to their creativity. Last holiday season’s hot scam involved criminals setting up phony storefronts on marketplaces such as those on eBay and Amazon.
When an unsuspecting customer ordered, the fraudster gathered the customer’s credit card information. The fraudster either never sent the goods or added an ingenious twist: using the original customer’s credit card information to buy the item from a legitimate ecommerce seller who shipped it to the original customer.
The customer got his or her product. The fraudster got his or her money. And the legitimate merchant was out the cost of fraud. Furthermore, detection of the fraud was delayed at least until the original customer realized he or she had been charged twice for the same product.
Patrick T. O’Boyle, co-founder of payment advisory MSP Consulting, who spoke with us about the scam last year, says that so far this year, MSP’s clients aren’t reporting problems with phony storefronts. (In fact, he says this year’s early trend involves fraudsters testing the viability of stolen cards by making small online donations to non-profits.)
As for other new trends, O’Boyle says that at this point it boils down to “more.”
“That’s the biggest thing that we’re seeing,” O’Boyle says. “More scams. More often. More people having concerns from our client base related to online fraud.”
Good things, and fraud, come in small packages
It might surprise you to learn that fraudsters don’t necessarily go for the biggest-ticket items. Sure, waking up to a glamorous piece of jewelry or a brand-new, bow-bedecked car in the driveway might be a holiday fantasy. But most gifts are quite a bit more modest.
And fraudsters know that.
So, smart fraudsters skip the eye-popping price tags and instead try to mimic actual holiday shoppers. Jamie Ceccato, risk specialist for Build.com, says people are surprised when she tells them the home-improvement retailer’s average fraudulent order is less than $500.
“They’re trying harder and harder and getting better and better at looking like a normal shopper,” Ceccato says of fraudsters. “It’s just all about trying to get something shipped and something that they can easily sell.”
Fraudsters’ perennial favorites include home automation devices, tool kits and small appliances, she explains. But it is difficult to predict what products will be hot at any given time.
“We get hit with the weirdest things, too,” Ceccato says. “We just got hit with these Kohler toilet seats. These items don’t really raise any eyebrows, until you start seeing the trend of the consecutive orders.”
Yes, Ceccato recommends vigilance, including going beyond simply relying on address verification systems and the regulations put in place by the payment industry. She also relies on a sales force of 260, who have built the expertise and customer relationships that allow them to ask the tough questions about orders with odd quantities or puzzling shipping addresses. And she turns to the insights and protection that Signifyd provides by crunching data across 10,000 merchants.
“If I didn’t have Signifyd, I wouldn’t have any of those other merchants’ feedback,” she says. “It’s like a community. How would we ever really know the full picture of fraud if you don’t have that communication?”
Securing your shopping cart
O’Boyle offered another useful tactic to battle fraud when he talked with us last year. He suggested differentiating among customers. If a customer has a poor business history, O’Boyle said, you should carefully manage the account — the email, the name, the card — and not allow any more sales to go through on that card. Those customers who have a good sales history? If they provide a shipping address that is different from their billing address on file, “Well, you’re probably going to trust them if it’s within reason,” he said.
O’Boyle advised against building a guest checkout option that requires only minimal information to approve an order. Those systems are “great for fraudsters,” he said. More elaborate checkout can be a tough ask of merchants who don’t want to slow down the purchase process for fear buyers will get frustrated or change their minds. But O’Boyle argued the trade-off was worth it.
“Well, if you’re going to have that guest checkout, you’re going to continue to increase your chances of fraud,” he tells merchants. “That’s a fact.”
O’Boyle also suggested telling privacy-sensitive customers that personal information is being gathered for security, not marketing purposes, in cases where that is true.
And he said that merchants handling their own fraud security should really watch their step when it comes to international orders.
“You can’t do some of the address verification and proof of delivery requirements that would be needed,” he said.
Are you ready for Cyber Monday?
There are plenty of best practices in ecommerce that merchants can adopt to help reduce fraud. But frankly, with ecommerce growing annually by double-digit percentages, the velocity and scale of ecommerce really call for outside help.
Both Ceccato and O’Boyle have compelling stories about the difference Signifyd made for retailers fighting fraud.
In 2013, Build.com signed up with Signifyd, which uses a combination of machine learning and human experts to prevent fraud. It draws on data from 10,000 merchants to approve or reject orders with a detailed summary of the reasons for each decision. Most importantly, Signifyd offers a 100 percent financial guarantee against fraud and chargebacks for all approved orders.
Ceccato said that after deploying Signifyd, Build.com saw a substantial improvement, watching its fraud rate drop from 0.17 percent of sales to 0.07 percent of sales.
O’Boyle has his own Signifyd success story.
“We had a client that was seeing their chargebacks approaching 3 percent to 4 percent of their sales at the peak. They were able to reduce that to under tenths of a percentage point – an enormous reduction.”
If you’re a digital retailer, the holiday season has already arrived. You’ve spent months planning and working to make the most crucial period of the year a success. New customers will be visiting your site. Consumers will be spending freely. The opportunity will be there.
Now is the time to make sure you’re not sharing that opportunity with fraudsters.
Photos by Mike Cassidy.
Bill Marcus is a freelance writer covering business and technology. Mike Cassidy is Signifyd’s lead storyteller. Contact him at firstname.lastname@example.org; follow him on Twitter at @mikecassidy.