If you sell physical or digital goods online, now is the time to prepare for the Cyber Monday influx of traffic. As everyone knows, it’s a time of increased business as well as increased fraud attempts and chargebacks. Here are some preparation tips so that you can improve over last year’s results.
The TL;DR version:
- Don’t divide and conquer yourself. Think and meet cross-functionally.
- Leverage what you’ve learned from last year as well as Q1 2020 (also known as “chargeback season”)
- You’re doing well if you learn from last year’s attacks, chargebacks, and false positives; but you’re doing REALLY well if you prepare ahead of time and target what you want to learn from this year’s traffic influx.
- Check for vulnerabilities: gift card programs, legacy and current infrastructure, customer support
- Ensure that your anti-fraud Machine Learning setup uses explainable AI
- Plan to circle back with your teams to discuss what you’ve observed and learned
Planning now for Cyber Monday fraud attacks is a differentiator. Risk managers need a seat at the decision table because, with a few actions, you can positively impact your revenue by (1) preventing fraud (every dollar of fraud costs three to the business) and (2) avoiding turning away legitimate customers with false positives, which costs you potential revenue and hurts even more.
Think and meet cross-functionally
Don’t make it easy for fraudsters by dividing and conquering your company on their behalf. Try out cross-functional alignment to prevent fraud. Invite all departments to the table to discuss their experience with fraud. Collect perspectives from everyone, even non-obvious candidates: IT, HR, operations, sales/marketing, customer support, logistics. Most companies can’t even agree on a framework for calculating the fraud problem, so even an imperfect “alpha version” will put you ahead of much of your competition.
Put another way: fraudster crews’ deepest wish is that the departments in your company stay in their silos, resist cooperation, and don’t share findings every year.
Bring a Data Scientist to the fraud prevention decision table
If you have a data scientist on staff, great. If you don’t, consider partnering with one. Our firm Nethone is kind of unique in that all clients are paired with their own dedicated data scientist. I asked Byron King, one of the Nethone Data Scientists who is focused on the eCommerce space, “What are your tips for companies to prepare for this year's Cyber Monday sales?” Here’s what he said:
- Look at previous years’ sales volumes and forecast expected volumes for the current year
- Assess the level of fraud risk in previous years during cyber sales around the holidays
- Gauge the current level of fraud in recent months (has there been an uptick in fraudulent activity in recent months that will bleed over into the holiday season?)
- Use this info (recency of fraud activity, frequency of attacks in recent years, and overall value of fraudulent activity in this time period) to forecast expected fraudulent activity
- Taking this forecast into account, 1) scale up model resources to anticipate increases in volume 2) rebuild models to include both previous years’ data from cyber/holiday season sales + recent fraudulent activity (to capitalize on both relevant and recent data)
The last point applies to companies that use Machine Learning to detect and prevent fraud, which we recommend, but the rest can certainly be applied to non-Machine Learning analysis.
Consider major IT events from the last several months
Think of major IT initiatives that you implemented over the past year, such as migrations to new infrastructure. Legacy systems may have vulnerabilities if they’re not fully dismantled, and new systems may have their own weak points.
For example, friendly hackers turned a single dead link from a legacy cloud solution into an account takeover method on EA/Origin last year. One of the important takeaways from the report about the "friendly" incident: "It is important that organizations with customer facing online portals, and such like, carry out proper validation checks on the login pages they ask their users to access. They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated or unused domains online."
To prepare for this year’s shopping season, look inward and find out what major IT initiatives were implemented by your organization, and consider the implications.
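One form the hygiene check for outdated or unused domains can take is an audit of your own DNS zone for CNAME records whose targets no longer resolve. The sketch below is an added example, not code from the report or from Nethone; the zone contents, the provider suffixes, and the list of live targets are constructed for illustration.

```python
import socket

# Hypothetical third-party hosting suffixes; replace with the providers you use.
THIRD_PARTY_SUFFIXES = (".cloud-host.example", ".cdn.example")

def parse_zone_cnames(zone_text):
    """Yield (name, target) for each CNAME line of a plain-text zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop ';' comments
        if "CNAME" in fields:
            i = fields.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield (fields[0].rstrip(".").lower(),
                       fields[i + 1].rstrip(".").lower())

def system_resolves(hostname):
    """Default resolver check: True if the name currently resolves."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves,
                  suffixes=THIRD_PARTY_SUFFIXES):
    """Return (name, target, severity) for CNAMEs whose target is dead.

    A dead target on a third-party platform is rated HIGH because the
    resource name may be open for someone else to register there.
    """
    findings = []
    for name, target in parse_zone_cnames(zone_text):
        if not resolves(target):
            severity = "HIGH" if target.endswith(suffixes) else "REVIEW"
            findings.append((name, target, severity))
    return findings

# Constructed sample zone export (not real infrastructure).
SAMPLE_ZONE = """\
; shop.example zone, constructed for this example
www.shop.example.        300 IN CNAME shop-prod.cloud-host.example.
promo2019.shop.example.  300 IN CNAME bf-2019-campaign.cloud-host.example.
giftcards.shop.example.  300 IN CNAME gc-legacy.internal.shop.example.
static.shop.example.     300 IN CNAME assets.cdn.example.
mail.shop.example.       300 IN A     192.0.2.10
"""
# Constructed stand-in for live DNS so the example runs offline.
LIVE_TARGETS = {"shop-prod.cloud-host.example", "assets.cdn.example"}

if __name__ == "__main__":
    for name, target, sev in find_dangling(SAMPLE_ZONE, LIVE_TARGETS.__contains__):
        print(f"{sev:6} {name} -> {target}")
```

A target that still resolves is not proof that the resource behind it is still yours, so confirm HIGH and REVIEW findings against the hosting provider's own inventory before removing or keeping a record.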
Customer support is a Cyber Monday target
When fraudsters don’t feel like taking on fraud prevention tools head on, they may look for another vulnerability: customer support, the front-line heroes of the Cyber Monday and holiday season. Customer support departments usually work under a great deal of pressure during the latter part of the year, usually don’t have fraud prevention training, and have access to a great deal of data that is precious to fraudsters (CS has the “Keys to the Kingdom,” to quote Karisse Hendrick). They will be targets of “classic” social manipulation scams, so training and readiness are useful. Also, invite the customer support teams to the fraud prevention table to hear their experience with scam attempts. Keeping track of types and descriptions of fraud attempts is one of the best initiatives that you can commence. We’ll repeat it before the post is over.
Gift card programs are also a Cyber Monday target
KC Fox makes an interesting point in “The Key to Preparing for E-Commerce Fraud”: “EMV chip cards achieved their original intended purpose: they effectively reduced card-present (CP) fraud for in-store retail sales by 80 percent between 2015 and 2018. However, decreased CP fraud attacks subsequently increased activity in card-not-present (CNP) e-commerce transactions, particularly with gift cards.” Nethone has explored the topic in blog posts and webinars: gift cards, as they’re typically assembled, are loved by fraudsters and carders in the digital age. At the same time, they’re terrific for generating revenue and enhancing the brand of merchants. It’s useful to check in with the team that created your gift card program and consider its vulnerabilities. Then train your teams in recognizing gift card-related fraud.
Don’t forget about the fundamentals
Fraudsters are always innovating, but they also love to go with classic techniques as long as they still work. Consider these classic online fraud techniques, and find out whether your staff in various departments (again, think cross-functionally) has experienced some or all of them. How often has it happened? How would they describe it? What information have you collected about it?
- Chargeback fraud/friendly fraud
- Carding/payment fraud
- Account Takeover (ATO)
- Synthetic identity
- Social engineering
- Data breach
- Denial of service
- WhatsApp fraud (popular in Brazil)
- Fake websites and social media accounts of your business
(For more fun facts about fraudsters’ online behavioral characteristics that you can use in your fraud prevention meetings, have a look at Chief Product Officer Aleksander Kijek’s excellent post "Fast Facts about Fraud Detection.")
2020 is the Year that Account Takeover (ATO) went mainstream
In the past, fraudsters had to comb through the Darknet Markets and pastebins to find stolen username/password login credentials. DNMs and pastebins still exist and are useful to fraudsters, but these days sellers of stolen accounts just make their wares available on the publicly accessible internet, also known as the “Clearnet.” You can even just search Twitter or Discord for the account vendors with some easy to find hashtags.
[Screenshot: a popular Clearnet market where you can buy stolen accounts and gift cards]
ATO is no longer a fringe scam category; it has gone mainstream and is available to anyone who wants to do it, including amateur scammers! If your firm’s user accounts, rewards plans, and gift cards are traded in third-party online stores, it is wise to plan accordingly.
Choose your Machine Learning tools and partners wisely
If you operate an online e-commerce store, then partnering with a machine learning-based fraud prevention firm is recommended. But ensure that your partner offers “explainable AI,” and not some impenetrable black box that makes decisions that no one can… explain. The research firm Gartner published an excellent January 2020 report entitled “How to Create a Payment Fraud Detection Strategy at the Organizational Level” that we highly recommend. Gartner notes that there is often a lack of transparency from machine learning models for fraud detection. Explainable AI is hard to do, but it’s certainly not impossible, so insist on a product that gives human readable recommendations and reasons for decisions.
The minimum is golden: keep track of Cyber Monday fraud in 2020
Simply asking teams to record and describe fraud attempts and false positives would be a huge win for many merchants. After Q1 2021, also known as “Chargeback Season,” circle back with your teams and compare notes. We guarantee that if your firm completes this loop and successfully engages in cross-functional alignment around the issue, you will reduce losses and increase revenues in 2021 and beyond.