We are pleased to welcome Mark Dawes, former Vice President – Sales & Partnerships at Accertify, for this Q&A session as part of our thought leadership series with industry experts and regulators.
Q: What are the most common types of merchant fraud in 2021 so far?
A: Payment fraud continues to be the biggest problem faced by merchants in 2021. However, this is often the byproduct of fake account creations or account takeovers/stolen credentials, which is where the set-up for payment fraud first begins.
More recently, many retailers have been experiencing a huge spike in returns abuse. Returns abuse happens when fraudsters return orders with either part or all of the order missing, or with items that have been used/worn. In some cases, a free gift with purchase may be missing from the return.
In the most malicious of cases, the returned package has rocks or other junk in it, in place of the previously purchased goods. By the time the retailer does discover a problem with the returned package, the fraudster may have committed this type of fraud several times with the same merchant.
Q: What are the top indicators for these types of fraud?
A: A history or previous patterns of fraudulent behavior and returns fraud are always the most useful predictors as to whether an order is likely to be fraudulent or not. However, this is generally not helpful to merchants who are seeing orders from a new identity or freshly minted synthetic identity.
Given the prevalence of online shopping, a synthetic identity with no match against previous transaction metadata should be a red flag in and of itself and warrant further inspection. Other indicators of high-risk transactions are a high velocity of orders from the same credentials over a short timespan, or elements of metadata such as an email address or credit card connected with multiple locations.
Q: What are the most important data points merchants can use for detecting fraud?
A: As we all know, information is power. The more information a merchant has on their hands to properly review an order for any signs of fraud, the more equipped they will be to stop fraudulent transactions. If there is only limited information available when reviewing an order, it is critical to have access to the delivery address, email, device ID/true geolocation, credit card and previous transaction history, if possible.
However, I would stress that a retailer will generally not be able to operate a successful fraud mitigation strategy without two things:
- Access to comprehensive transaction payload data
- A sophisticated fraud engine which incorporates machine learning techniques to detect patterns of behavior within the transaction and across the community of transactions.
Q: What are the limitations of IP addresses for fraud detection?
A: There are four significant problems with relying on the use of an IP address for detecting fraudulent transactions.
- IP addresses are not accurate and often do not show an end user’s true location, rendering it next to useless.
- IP addresses often lead to a corporate or private VPN, once again making it useless for identifying the end customer’s true location.
- Many shoppers connect via internet service providers that use dynamic IP addresses as opposed to static IP addresses. This means that the end user’s IP address is constantly changing, and it is useless to a merchant who may be tracking it for connection consistency.
- Many people use their mobile devices to shop online, and mobile IP addresses have little to do with a user’s true location. Mobile IP points only to the carrier who activated the device – not where the user actually is.
Q: What are better location data points for fraud detection, and why?
A: The best method for determining a customer’s true location is to triangulate off nearby mobile networks or available Wi-Fi connections. (But this does require a customer to enable location sharing.) Looking for the consistency of the ISP and connection speed are also good secondary checks to ensure that the user’s location remains consistent. These data points are better than IP addresses because location is typically one of the variables that a fraudster will try to spoof to hide their true identity.
Q: How can merchants, payment providers, fraud vendors and others in the merchant ecosystem work together to combat fraud in 2021 and beyond?
A: Silver bullets for wholesale fraud elimination sadly do not currently exist, and fraud prevention is an ongoing evolution. All companies must continuously adopt a curious mindset and continually be on the lookout for new ancillary fraud solutions to add to their armory. Collaboration between merchants and anti-fraud solution providers to create a strong transaction feedback loop (e.g., knowing when a transaction resulted in a chargeback) is also critical. This enables solution providers to monitor and adjust their models as and when required.
Industry bodies such as EMVCo have helped set standards for the industry. I believe the payment schemes will require additional global standards as technology to combat fraud becomes more readily available, less expensive, and easier for less tech-savvy online sellers to implement.
For now, the next step in closing the card-not-present fraud (CNP) gap is continued and better alignment between fraud mitigation vendors and payment processors. Examples are the sharing of enhanced authorization information between fraud vendors and acquirers, and the flagging of potential chargebacks as early as possible by issuers. This approach won’t eliminate CNP fraud, but it will help slow it.
Check out the previous articles in our thought leadership series:
- Karen Boyer, VP, Financial Crimes & Fraud Intelligence, People’s United Bank
- Jarod Koopman, Director, IRS – Criminal Investigations (CI), part 1 & 2