9 fraud prevention tips and strategies for Cyber Monday

If you sell physical or digital goods online, the time is now to prepare for the Cyber Monday influx of traffic. As everyone knows, it’s a time of increased business as well as increased fraud attempts and chargebacks. Here are some fraud prevention tips so that you can improve over last year’s results and prepare against holiday scams.

• Don’t divide and conquer yourself. Think and meet cross-functionally.
• Leverage what you’ve learned from last year as well as Q12020 (also known as “chargeback season”)
• You’re doing well if you learn from last year’s attacks, chargebacks, and false positives; but you’re doing REALLY well if you prepare ahead of time and target what you want to learn from this year’s traffic influx.
• Check for vulnerabilities: gift card programs, legacy and current infrastructure, customer support
• Ensure that your anti-fraud Machine Learning setup uses explainable AI
• Plan to circle back with your teams to discuss what you’ve observed and learned

Planning now for Cyber Monday fraud attacks is a differentiator. Risk managers need a seat at the decision table because, with a few actions, you can positively impact your revenue by 1. preventing fraud (every dollar of fraud costs three to the business) and 2. avoiding turning away legitimate customers with false positives, which costs you potential revenue and hurts even more.

Don’t make it easy for fraudsters by dividing and conquering your company on their behalf. Try out cross-functional alignment to prevent fraud. Invite all departments to the table to discuss their experience with fraud. Collect perspectives from everyone, even non-obvious candidates---IT, HR, operations, sales/marketing, customer support, and logistics. Most companies can’t even agree on a framework for calculating the fraud problem, so even an imperfect “alpha version” will put you ahead of much of your competition.

Put another way---fraudster crews’ deepest wish is that the departments in your company stay in their silos, resist cooperation, and don’t share findings every year.

If you have a data scientist on staff, great. If you don’t, consider partnering with one. Our firm Nethone is kind of unique in that all clients are paired with their own dedicated data scientists. I asked Byron King, one of the Nethone Data Scientists that is focused on the eCommerce space, What are your tips for companies to prepare for this year's Cyber Monday sales? Here’s what he said:

• Look at previous years’ sales volumes and forecast expected volumes for the current year
• Assess the level of fraud risk in previous years during cyber sales around the holidays
• Gauge the current level of fraud in recent months (has there been an uptick in fraudulent activity in recent months that will bleed over into the holiday season?)
• Use this info (recency of fraud activity, frequency of attacks in recent years, and overall value of fraudulent activity in this time period) to forecast expected fraudulent activity
• Taking this forecast into account, 1) scale up model resources to anticipate increases in volume 2) rebuild models to include both previous years’ data from cyber/holiday season sales + recent fraudulent activity to capitalize on both relevant and recent data)

Of course the last point applies to companies that are using Machine Learning to detect and prevent fraud, which of course we recommend using, but the rest can certainly be applied to non-Machine Learning analysis.

Think of major IT initiatives that you implemented over the past year, such as migrations to new infrastructure. Legacy systems may have vulnerabilities if they’re not fully dismantled, and new systems may have their own weak points.

For example, friendly hackers turned a single dead link from a legacy cloud solution into an account takeover method on EA/Origin. One of the important takeaways from the report about the "friendly" incident: "It is important that organizations with customer-facing online portals, and such like, carry out proper validation checks on the login pages they ask their users to access. They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated or unused domains online."

To prepare for this year’s shopping season, look inward and find out what major IT initiatives were implemented by your organization, and consider the implications.

When fraudsters don’t feel like taking on fraud prevention tools head on, they may look for another vulnerability: customer support, the front-line heroes of the Cyber Monday and holiday season. Customer support departments usually work under a great deal of pressure during the latter part of the year, usually don’t usually have fraud prevention training, and have access to a great deal of data that is precious to fraudsters (CS has the “Keys to the Kingdom, to quote Karisse Hendrick). They will be targets of “classic” social manipulation scams, so training and readiness are useful. Also, invite the customer support teams to the fraud prevention table to hear their experience with scam attempts. Keeping track of types and descriptions of fraud attempts is one of the best initiatives that you can commence. We’ll repeat it again before the post is over.

KC Fox makes an interesting point in “The Key to Preparing for E-Commerce Fraud": “EMV chip cards achieved their original intended purpose: they effectively reduced card-present (CP) fraud for in-store retail sales by 80 percent between 2015 and 2018. However, decreased CP fraud attacks subsequently increased activity in card-not-present (CNP) e-commerce transactions, particularly with gift cards.” Nethone has explored the topic in blog posts and webinars: gift cards, as they’re typically assembled, are loved by fraudsters and carders in the digital age. At the same time, they’re terrific for generating revenue and enhancing the brand of merchants. It’s useful to check in with the team that created your gift card program and consider its vulnerabilities. Then train your teams in recognizing gift card-related fraud.

Fraudsters are always innovating, but they also love to go with classic techniques as long as they still work. Consider these classic online fraud techniques, and find out whether your staff in various departments (again, think cross-functionally) has experienced some or all of them. How often has it happened? How would they describe it? What information have you collected about it?

• Chargeback fraud/friendly fraud
• Phishing/spoofing
• Carding/payment fraud
• Account Takeover (ATO)
• Synthetic identity
• Social engineering
• Vishing
• Data breach
• Denial of service
• Malware/scareware
• WhatsApp fraud (popular in Brazil)
• Fake websites and social media accounts of your business

(For more fun facts about fraudsters’ online behavioral characteristics that you can use in your fraud prevention meetings, have a look at our post "Fast Facts about Fraud Detection."

In the past, fraudsters had to comb through the Darknet Markets and pastebins to find stolen username/password login credentials. DNMs and pastebins still exist and are useful to fraudsters, but these days sellers of stolen accounts just make their wares available on the publicly accessible internet, also known as the “Clearnet "Wikipedia's page on the Clearnet").” You can even just search Twitter or Discord for the account vendors with some easy to find hashtags. Here is a screenshot of a popular Clearnet market where you can buy stolen accounts and gift cards:

ATO is longer the fringe scam category; it has gone mainstream and is available to anyone who wants to do it, including amateur scammers! If your firm’s user accounts, rewards plans, and gift cards are traded in third-party online stores, it is wise to plan accordingly.

If you operate an online e-commerce store, then partnering with a machine learning-based fraud prevention firm is recommended. But ensure that your partner offers “explainable AI,” and not some impenetrable black box that makes decisions that no one can… explain. The research firm Gartner published an excellent January 2020 report entitled “How to Create a Payment Fraud Detection Strategy at the Organizational Level” which we highly recommend. Gartner notes that there is often a lack of transparency from machine learning models for fraud detection. Explainable AI is hard to do, but it’s certainly not impossible, so insist on a product that gives human-readable recommendations and reasons for decisions.

Simply asking teams to record and describe fraud attempts and false positives would be a huge win for many merchants. After Q1, also known as “Chargeback Season,” circle back with your teams and compare notes. We guarantee that if your firm completes this loop and successfully engages in cross-functional alignment around the issue, you will reduce losses and increase revenues in 2021 and beyond.

Follow us on LinkedIn

If you are interested in our fraud prevention tips and wish to implement an advanced fraud solution with frictionless customer UX, we are here to help.