Ecommerce fraud is rising -- here's how to stop it. Catch up with this on-demand VB Spotlight for insight into the most common types of fraud. Participants will come away with a plan for a strategic and technological framework that protects against these threats without disrupting users.
While we all know the pandemic fueled a boom in digitalization in 2020, the ecommerce landscape has been evolving ever since. Ecommerce in the U.S. is expected to surpass $1.3 trillion U.S. by the end of this year. Along with that kind of growth and revenue comes a major uptick in fraud -- businesses lost an estimated $100 billion last year alone. Account takeovers doubled just a few years ago and social engineering is getting a major boost from artificial intelligence.
Drawing on insights from Telesign's recent whitepaper, "Reduce friction and combat fraud in ecommerce," ecommerce experts Michael Lappin, head of solutions engineering at Telesign, and Bart Goethals, Telesign's solutions engineering lead, spoke in depth about the state of ecommerce today and how to manage a growing fraud problem.
"On one out of every three platforms, even if it's a multi-billion-dollar company, I am still able today to create a fake account," Lappin said. "That's shocking."
Adds Goethals: "Any business out there in the world is responsible for safeguarding, protecting, and encrypting their data. Every single minute we have a breach going on in the world -- my name, my address, all my information, where I have accounts -- it's up for grabs on the dark web."
Major types of fraud to look out for
There are six prominent fraud risks today. Some are new-fangled and rely on artificial intelligence, some are old school, and all are causing havoc.
They include social engineering, which encompasses both phishing and in-person attempts to gain access. Fake account fraud is also on the rise, because businesses still don't have many safeguards in place to verify the identity of someone registering. Account takeover is still a major risk, as is promo abuse: fraudsters can very quickly identify any weak spots or loopholes in a promo or coupon, and there are very few safeguards in place.
Chargeback fraud is a never-ending issue, as is artificially inflated traffic, or AIT, the spiritual successor. And then there's mass pumping, which exploits the communication flow. Fraudsters send a mass of one-time passcodes through an ecosystem to generate traffic, which generates revenue streams for the end network, where fraudsters have revenue-share schemes set up.
Artificial intelligence is making all of these schemes infinitely more sophisticated. There are fraud-as-a-service tools like FraudGPT that can pump out phishing campaigns based on the fraudster's prompts. Private fraud summits on communication channels are also playing a role, making crowdsourcing ideas from thousands of people a reality.
Balancing security and customer friction
Security measures usually require additional steps, for instance double authentication, or needing ID for an onboarding experience. The difficulty is balancing critical security controls with keeping the customer happy and consuming the products and services they want.
"It's always a trade-off between high-friction and low- or no-friction, high security vs. low security, high-cost, low-cost," Goethals said. "By doing multiple combinations, and also multiple combinations spread over solution providers, you're able to set up a quick solution in real time."
For instance, machine learning solutions today can identify the real-time risk of a new customer based on a few digital identifiers like phone number, IP and email. The result establishes a trust factor, which can lead to blocking, confirming, etc. But multi-factor authentication, however you set it up, is still critical, Goethals adds, especially because fraudsters are opportunistic. If you make it harder for them, they give up easily, because for them it's a game of numbers.
Investing in technology and the right perspective
It's critical to track any change in an account login, from behavior to device or IP. It requires a risk assessment, and a process for both anticipating and reacting to these changes immediately. For instance, someone who usually has $200 transactions suddenly spending $5,000 -- how does your ecommerce platform handle that?
"Your system needs to be, in an automated way, configured so that it understands, I should allow this or I shouldn't allow this, for example, to deal with chargeback," Goethals said. "The always-on approach is pretty much zero-trust policy. Today, in 2024, you have no idea who is coming to you unless you have a lot of safeguards well-configured in your flows. I think that's the key for today's businesses."
Enterprises on a global scale are looking at digital identity solutions, verification solutions, authentication solutions, behavioral solutions and biometrics as a nuisance cost of doing business, but that's the wrong perspective, he added.
"The way you should look at those things is this becomes an investment," he said. "This is not really a cost, because if you have your safeguards in the right place at the right moment, at the right time, all the time, it's not a cost. It is an investment, and it'll bring you a nice and clean ecosystem at the end of the day with high revenue and good profits potentially."