By Shagun Varshney, Signifyd Senior Product Manager, Payment Solutions.
When the good guys and their technology find ways to clamp down on one form of fraud, fraudsters storm back with a new scheme. Ultimately, fraudsters are entrepreneurs, constantly probing for new and better ways to take advantage of brands and merchants, who in turn are constantly looking to erect barriers that neither have a negative impact on transactions nor encourage consumers to abandon their purchases.
So with a new barrier in the form of SCA, or strong customer authentication – the new payment regulation in place in much of Europe and coming in the near future to the UK – you can guarantee fraudsters are already looking for areas beyond payments to attack.
The conversation around shape-shifting fraud rings is increasing among fraud experts, which means the talk among fraudsters themselves has been going on for some time now.
“Bad actors are broadening their focus beyond payments, targeting touch points across the customer journey,” according to a recent report by consultancy 451. “While areas such as login, promotions and returns have traditionally fallen outside of the remit of most fraud teams, the proliferation of fraud across the customer journey will increasingly require enterprises to take a holistic view of fraud management.”
SCA will make checkout more secure, but what about the rest of the journey?
The SCA requirement, part of the payment regulation known as PSD2, will undoubtedly make online transactions more secure at checkout. It requires that online buyers use two out of three methods to identify themselves. In short, buyers must be identified by two of the following:
- Something they know (such as a one-time passcode sent via text).
- Something they own (such as a mobile phone identified by digital fingerprint).
- Something they are (such as an actual fingerprint identified through a biometric reader).
The enforcement of SCA is meant to protect consumers and the online merchants and brands they shop with by adding extra assurance that the buyer using a credit or debit card on a merchant’s site really is the rightful owner of the plastic.
There are exceptions, cases in which SCA is not required, and fraudsters will seep into those transactions, which make for easier targets.
Fraud rings will broaden their horizons and look beyond traditional payments fraud. Policy and return abuse will become a rich new field of foul play for criminals, who will settle into new schemes to score free products and refunds that aren’t actually deserved.
Some experts have predicted that such attacks, sometimes called “friendly fraud” or “consumer abuse,” will actually grow faster than payments fraud in the coming months and years. Fraudsters will shift to abuse because that’s where the vulnerability is.
Consumer abuse, including return abuse, has already been on the rise as unscrupulous consumers and professional fraud rings realise the profit potential of cheating brands and merchants. More than 30% of UK consumers surveyed by Signifyd admitted they had falsely claimed that an online order never arrived or that a satisfactory order was unsatisfactory when it did arrive. Another 36% said they’d falsely claimed that they never charged an item that they actually had. And 32% admitted to breaking discount or promotion rules by falsely claiming to be a first-time customer or by using a one-time-only discount more than one time.
Professional fraudsters are profiting from policy abuse
There is further evidence in the data that abuse is spreading beyond consumers who see an opportunity to score free goods. Signifyd’s global Consumer Abuse Index saw a dramatic rise in nefarious activity that coincided with the start of the pandemic and has not let up. The index finished 2020 five times higher than it was at the beginning of the pandemic. And it remained elevated, sitting during the first quarter of 2021 nearly 200% higher than it was in early 2020.
Return fraud is also a growing problem: by one estimate, it cost brands and retailers $43 billion last year, once you factor in the cost of return shipping, inspection, and restocking or otherwise disposing of returned goods.
And now criminal rings have built return fraud from a cottage industry into something larger. Return fraud rings swap tips and advertise their returns skill on common internet sites and the dark web. These underground outfits take a cut, say 15% to 40%, of the refund. In return they do the talking with the retailer, fabricating some complaint or customer service flaw that produces the ill-gotten refund. Sometimes retailers tell the underground return agency to simply keep the product. Other times, after promising the customer they’ll send a product back, the return firms take a different approach. Instead of shipping back those expensive jeans or that smartphone, they ship back a knock-off of the product, a broken version from around the house, or an empty box.
Modern commerce protection needs to consider the entire buying journey.
All of which is to say that to whatever extent SCA makes ecommerce transactions more secure, it is only providing one piece of what needs to be a comprehensive protection strategy when it comes to online fraud and abuse.
The new era of ecommerce calls for risk management and fraud protection that anticipates a whole range of orders – some requiring SCA, some exempt, some that require SCA under certain circumstances but not under others – and an agile adversary that has expanded its portfolio beyond payments fraud.