It’s human nature to navigate life based on a series of axioms beginning with “everyone knows.”
But the truth is, everyone knows successful retailers know better than to lean on those old chestnuts. The world of commerce changes too quickly and competition is too fierce to rely on a set-it-and-forget-it strategy in any aspect of the business. Instead, successful retailers rely on the data. And data shatters myths all the time.
The latest: PayPal as-is, is solidly secure when it comes to fraud protection. Given its step-ups and monitoring, fraudsters are too smart to even try to attack PayPal payments.
Not true and Signifyd has the data to prove it. In fact, Signifyd detected a steady increase in fraud attacks on PayPal transactions beginning in the late spring and accelerating through the summer in both the U.S. and Europe.
Fraud attacks on PayPal increased 12x in August over the fall
In the U.S, attacks on orders executed using PayPal in August were nearly 12 times higher than the level in November 2020. In Europe, the pattern was the same, though not as pronounced. By August, Fraud attacks on merchants’ PayPal orders were up nearly 150%.
Signifyd defines fraudulent orders for the purposes of this report as those that contain enough red flags to be classified as very high risk and presumably fraudulent. PayPal’s pattern of such orders reflects the ebb and flow of online fraud in general. Attacks will intensify and subside based on vertical, season, trends, product and merchant. Successful fraud protection will also ease fraud attacks as professional fraudsters become frustrated, move on, and spread the word to their networks.
In the case of the latest PayPal fraud increase, it was notable that a large majority of the fraudulent orders, more than 82%, were cases of so-called friendly fraud. Friendly fraud is distinguished from typical financial fraud by the fact that the fraud is committed by the rightful credit-card holder — for instance when a consumer claims they didn’t make the purchase or that their order never arrived or that the product was significantly not as described.
‘Fraud can certainly make its way past the step-ups’
“PayPal as a channel provides more step-ups or two-factor authentication requirements in general. Making it through those challenges can be difficult for fraudsters so merchants feel like they’re protected because of the barriers. But they’re not necessarily,” said Signifyd Director of Product Marketing Ashley Kiolbasa. “We see that fraud, especially friendly fraud, can certainly make its way past the step-ups.”
While merchants who protected their PayPal transactions with Signifyd’s solutions did not suffer losses during the intensified attacks, the data provides evidence that fraudsters and customers with ill-intent were having success against other merchants. The key clue there: The number of attacks increased from April through August in the U.S. and from May through August in Europe.
The increasing number of fraudulent orders is an indication that word of PayPal’s vulnerability was spreading. Fraudsters and everyday consumers who found success attacking PayPal as a payment channel likely shared their success stories with others, who also gave it a try. Meantime, those who first found success continued trying their luck.
Fraud attacks on PayPal in the U.S. climbed steadily throughout the summer
In the U.S, for instance, the fraud attacks started their upward climb in May, when fraud pressure rose 50% higher than the November benchmark. In June, the pressure was up nearly 200% above the benchmark. It increased to more than 900% above November levels in July and hit nearly 1,200% higher in August.
In Europe, fraud pressure in June rose 85% above the November benchmark. By July it was up 142%. In August, it reached 148% above the benchmark.
Again, throughout this period, Signifyd’s constantly learning models were declining the fraudulent orders, but given the continued attempts it would appear those attempting fraud were having success somewhere — presumably with merchants who were not members of Signifyd’s Commerce Network.
It is important to note that PayPal itself does offer merchants a fraud safety net, called Seller Protection for Merchants. But Seller Protection comes with certain caveats, including requiring a signature as proof of delivery for orders over $750, and carve-outs, such as not covering claims that an item that arrived was significantly not as described. In some cases, some sellers have found the Seller Protection for Merchants to be insufficient.
And so it could be that merchants using PayPal for payments should consider deploying additional, more robust solutions. That is a common strategy for merchants using other payment methods, platforms and gateways that offer fraud protection but aren’t in the business of fraud protection.
Because it seems, when it comes to what everyone knows about PayPal and fraud, everybody now knows something new.
Photo by Getty Images
Want to learn more about protecting your PayPal transactions? Let’s talk.