By Uri Arad, Co-Founder and Vice President of Product, Identiq
There’s nothing about 2020 that has been normal, and the holiday season is no exception. Fraud prevention teams are under greater pressure than ever to protect their companies from loss while also ensuring that customers get the frictionless, fast experience they have come to expect.
The obvious risk is financial; the loss of the business’ income to chargebacks through successful fraud. For this reason, teams tend to focus most of their efforts, tools, research and manual reviews on the point of transaction. This can lead to a blind spot which contains a hidden menace—account-level fraud. And this year, that danger is greater than ever.
New Accounts, New Risk
So much moved online this year—from shopping and meetings, to family gatherings and even concerts and other performances. As part of that shift, huge numbers of consumers set up new accounts with numerous sites and apps.
The overwhelming majority of these accounts are legitimate, belonging to good users who intend to use them appropriately. Unfortunately, the flood of new users also provides the perfect setting for fraudsters to set up new accounts as well, using fake, stolen or synthetic data.
These accounts are dangerous long before checkout. Fraudsters can use their accounts to scope out your processes and find weaknesses. They can also perform various activities that look legitimate, leaving time in between interactions to age the account convincingly and build a “good” reputation. With so many new users to hide behind this season, they can afford to set up many new accounts and age some while trying to monetize others early.
The impact of fakes goes well beyond transaction loss. These accounts may be used to compromise the entire ecosystem, hurting your business reputation and customer experience in many ways.
If product reviews are important on your site, then fake accounts can be a serious risk, polluting the integrity of your reviews. If you’re running a marketplace, then this holiday season is collusion heaven for fraudsters; and as this form of fraud can be difficult to pinpoint at transaction, catching it as early as possible is your best bet.
From a more strategic perspective, fake accounts give you a false impression of your own accounts ecosystem. A high number of fraudulent accounts can lead your team, and your company, to make business decisions based on unreliable information and make it difficult to set reasonable KPIs.
Established Accounts, Different Risk
Your account-level risk extends to known accounts, the ones you should be able to trust. ATO is always a challenge, of course, but this year it’s a greater risk than ever. Back at the start of the pandemic, phishing attacks rose by a whopping 667 percent, and have continued to be a major attack vector ever since.
It makes sense. People are doing their best to work from home, using infrastructure that often isn’t as secure as in an office. They’re frequently stressed and in a hurry, and many are parents dealing with home-schooling as well as work. They’re prime targets for a well-designed phishing campaign.
And that makes your business a prime target for ATO: according to Javelin, ATOs are producing the highest loss rate ever, up a staggering 72 percent over the prior year. That’s a serious threat to your business, and your fraud team’s KPIs.
Concentrating your efforts on checkout won’t be enough. Canny ATO actors pop in and out of an account, sometimes many times, before trying to monetize it. The more they do so, the more they can learn about the typical buying behavior of the user, making it far easier for them to match past purchases and ultimately make a convincing-looking basket. Moreover, their frequent presence may acclimate your system to their IP and location, reducing a suspicious appearance that might otherwise set alarms off.
They can also add new details to the account—new shipping addresses, for example, or payment information—and leave it to age so that it doesn’t look dubious when they come to make a purchase. They can alter legitimate purchases to BOPIS, and arrive to pick up the goods themselves.
There’s also account benefits such as loyalty points to consider; many fraudsters like to target these, because using loyalty points is often not subject to the same scrutiny as monetary payments. You’ll only catch this out if you’re focused on accounts as well as payments.
Beyond this, the account aspect is important in and of itself, because ATO matters to consumers. Sixty-five percent say they would likely stop buying from a merchant if their account was compromised. You can’t afford to wait until the point of transaction to protect your company because your users expect you to be protecting their accounts all the way along.
A Delicate Balance: Frictionless but Protected Customer Experience
At the same time as account-level fraud has become both more likely and riskier than ever, customer experience expectations have increased as well. According to Experian’s latest Global Insights Report, 60 percent of consumers have higher expectations of their digital experience than before Covid-19.
That means that the friction you could add to prevent ATO and new account fraud comes with its own risk. It’s no good stopping the fraudsters if the cost is losing valuable customers. Consumers’ sensitivity to shopping experience makes this a real possibility.
The good news is that you have an advantage when you take account-level fraud seriously and work to stop fraudsters before they reach the point of transaction. At the account level, you have the luxury of time. It’s not a split-second decision, as it often is at checkout. You can take longer to investigate, make decisions and employ judicious friction where appropriate.
You can use that time for identity verification processes to determine whether someone setting up an account is legitimate or whether the person signing into an existing account is really the right person.
When Fraudsters Hand You Lemons, Make Lemonade
The more work you invest in validating customers before a transaction, the smoother their shopping experience will be when they are ready to make a purchase. And much of that validation process can be invisible to the end-user, since it lacks the urgency of transaction checks.
Collaborating with other merchants, particularly in your own space, can be a powerful source of help here. Since fraudsters often specialize in particular industries or verticals, there’s a good chance you’re all seeing similar patterns and even individual fraudsters or rings. Working together makes all of you more effective at seeing those patterns and identifying the actors behind them.
If you use some form of privacy enhancing computation (a Gartner top tech trend) as part of your collaborative efforts, to ensure no personal user data is shared, you can even leverage one another’s knowledge about which users are who they say they are, and should be trusted.
In a way, the menace of account-level fraud which overshadows this holiday season is an opportunity in disguise. Fraud prevention teams who develop their account-level protections and verification processes can improve their fraud prevention mechanisms, protect precious user accounts, and streamline customer experience at the same time. That’s a holiday gift all fraud fighters can celebrate.