Online merchants: These 4 factors shape your fraud challenge (and EMV isn't one of them)
While there is no agreement on the exact effect that EMV adoption in the US will have on online fraud, the opportunity of scaring online merchants into urgent action with a firm deadline was not missed by the security industry. ("Online fraud is coming in October because of EMV! This is what happened in Europe! Buy our tool now!")
But if you’re an online merchant or payment provider the EMV discussion misses the mark. Broad trends in fraud rates are not what you should worry about, since the fluctuation of fraud at your front door depends mostly on other factors. Understanding these factors drives a more strategic approach to fraud prevention, rather than reacting to the EMV scare or to the latest fraud trends “report” issued by one of the industry players (another classic advertising tactic).
In this post I discuss the 4 factors that shape the fraud you should expect. In later posts I’ll examine what can be learned from them, and how this should shape your fraud prevention strategy.
What affects fraud at your door?
The following factors are the ones that determine how much fraud you should expect, and how sophisticated it might be:
The evolution of fraud
Factor #1 : Visibility
As long as your website has not been “discovered” by fraudsters, you can do business online without a lot of trouble. But know that one day, seemingly out of the blue, you might get hit with fraud chargebacks. It’s surprising and enraging, and for many businesses it is the first time they hear about online fraud and chargebacks. (You, however, read blogs to stay informed.)
Once “visible”, there’s no going back. Fraudsters share information, and if your business provides a good Fraud ROI (read on), they will continue to milk it, and invite their friends to the party.
The whole point of a business is to be visible and grow. In an awkward sort of way, being discovered by fraudsters is good news for your business, as long as you’re prepared. Congratulations!
Factor #2 : Your competition
You’re already used to snooping on your competition to see their product offering and price points, but it turns out that their fraud prevention prowess should also be your concern.
As an old maxim goes, in order to protect your house from theft you don’t need to install the world’s most secure front door, just the best one on your street. This holds true online: if fraudsters can steal more easily from other merchants, your fraud prevention capabilities are adequate. But the reverse is also true: as fraud prevention evolves and other merchants (direct competitors or not) are getting their act together, so should you. You don’t want to end up with the flimsiest door on the street.
Factor #3 : The evolution of fraud
In the early days of online fraud the perpetrators were amateurs, almost pranksters, playing around and trying to get lucky. They used to openly share their methods and brag about their successes in online forums open to all, and nothing gave the impression that they were sophisticated or organized. Those still exist, but there’s lots of evidence that they are no longer the bulk of the problem.
Now a lot of online fraud comes from a thriving business underworld, increasingly organized, and capable of sophistication that is on par or exceeding that of the security industry. Even an amateur fraudster is capable of more damage these days just by using the tools that have been developed by this industry. Far bigger problems are caused by the organized, sophisticated fraudster groups. Many businesses underestimate their opponents when it comes to online fraud.
Factor #4 : Fraud ROI
“Fraud ROI” defines how profitable it is for a fraudster to steal your stuff. Basically, it’s how much money they end up with, divided by their expenses: money, time and effort put into stealing something and converting it into cash.
Here are 3 key questions that can help you estimate the Fraud ROI of your business:
1. How hard is it to steal from your business?
This is determined by your fraud prevention capabilities, but also by other, unrelated, factors. Some examples:
Is it easy and quick to check out on your website? Fraudsters, too, appreciate great UX because they need to be efficient.
Do you sell physical goods or electronically delivered items (tickets, software etc.)? The former are harder to steal because the fraudster needs to be able to receive the shipped goods without exposing themselves. This may require some “real world” action, as opposed to the safety and comfort of hiding behind a computer.
Do you ship internationally? Most of the fraudsters are "overseas" (i.e. not where your business is) and need to find a way to get the goods wherever they are.
2. How hard is it to convert the stolen goods into cash?
Most fraudsters are not out to get GoPro cameras. They need to sell the stolen goods for cash. As any merchant knows, this is hard: they need to find buyers and exchange goods for cash. There also needs to be a high enough street value for the goods (even if the “street” is an online marketplace).
Some businesses make life much easier for fraudsters by allowing them to directly steal cash. If your business enables users to receive or withdraw money (e.g. online marketplaces, payment services, wallets etc.) it is a very lucrative target for crooks. In an online marketplace, for example, a fraudster can open a false “seller” account, get paid (by honest victims) for imaginary goods or services that are never provided, and then run away with the cash.
There are many other methods – fraudsters are very creative - but some of the most coveted schemes are the ones in which fraudsters use stolen cards in one account to pay themselves to another account, withdraw the cash, and disappear. Many merchants mistakenly call this type of fraud “collusion” and talk about “fraud rings” attacking them, but the reality is that nothing stops a single fraudster from being on both the paying-end and the receiving-end of this arrangement. In come stolen cards, out comes cash: just like an ATM.
3. How scalable is the fraud at your online business?
As I mentioned before, fraud is increasingly becoming a business run by professionals, but even part-timers who get lucky quickly develop an appetite and come back for more. While occasional fraud may be a cost of doing business, scalable fraud is very costly and can bring down a business. Here's a simplistic example: a fraudster manages to steal a laptop and you get slapped with a $1,000 chargeback - unpleasant. Same fraudster does this several times a day for an entire month, and you’ve lost your merchant account due to 100 chargebacks totaling $100,000 – catastrophe. When fraudsters find ways to scale (or even automate) their work, they significantly increase their ROI.
Enough with the scare tactics! Now what?
So far I’ve described the 4 factors that affect the fraud your business should be ready for. These factors highlight the need for a comprehensive prevention strategy, rather than reacting tactically to EMV or fraud events.
In the next post I’ll discuss what we can learn from the various factors I called out, and suggest how this should shape your fraud prevention plan.