In 2020, Black Friday will take place on November 27. Black Friday was already growing quickly in Brazil before the force multiplier of COVID hit the country and motivated everyone to increase their online purchases. Online criminals love to hide in crowds, so you can expect an uptick in fraud attempts and chargebacks that will continue well after the 2020 holiday shopping season has finished. Also, PIX launches on November 16, just 11 days before Black Friday. It will be amazing for sellers and buyers, but fraudsters will target it too.
“Even with the reopening of stores, more than a third of people continue to use the digital environment as their main channel.” –Fabio Coelho, President of Google in Brazil
Black Friday fraud is a huge problem
Black Friday will be big in Brazil in 2020. Brazilians are estimated to have spent R$ 3.2 billion shopping online on Black Friday 2019, with more than R$ 2.6 billion in sales in a single day—an increase of 29% from the previous year. More than 5.3 million orders were processed on the last Black Friday, an equivalent of 25% over the previous year. Brazilians have embraced the date and research has shown that at least 44% of e-shoppers will use this opportunity to begin their Christmas shopping.
So it’s recommended to be ready for the increase in business as well as for the increase in fraud attempts against your organization. It is well documented that fraudsters like to hide in crowds. Also, fraudsters operating in Brazil are an enterprising bunch and are already attempting to take advantage of the numerous (and exciting) changes to data privacy and PIX that have been recently introduced to the country.
What can businesses do to protect themselves from online fraud on (and after) Black Friday?
Nethone has been in the online fraud business since 2016 and has observed and successfully protected organizations against Black Friday fraud attempts for several years. As everyone knows, it’s a time of increased business as well as increased fraud attempts and chargebacks. Here are some preparation tips so that you can improve over last year’s results.
The quick version:
- Don’t divide and conquer yourself. Think and meet cross-functionally within your organization.
- Leverage what you’ve learned from 2019 as well as Q1 2020 (also known as “chargeback season”).
- You’re doing well if you learn from last year’s attacks, chargebacks, and false positives; but you’re doing REALLY well if you prepare ahead of time and target what you want to learn from this year’s traffic influx.
- Check for vulnerabilities in the fraudsters’ typical targets: legacy and current IT infrastructure and customer support departments
- Ensure that your anti-fraud Machine Learning setup uses explainable AI
- Plan to circle back with your teams after the holidays to discuss what you’ve observed and learned. Pay attention to PIX-related fraud attempts.
- Remember that the chargebacks and friendly fraud for purchases made during Black Friday won’t really start until January 2021. Q1 = chargeback season.
Planning now for Black Friday fraud attacks is a competitive differentiator. Risk managers need a seat at the decision table because with a few actions, you can positively impact your revenue by
1. preventing fraud (every R$ of fraud costs 3 R$ to a business) and
2. avoiding the turning away of legitimate customers with false positives, which costs you potential revenue and hurts even more in the long run.
Recommendation #1: think and meet cross-functionally
Don’t make it easy for fraudsters by dividing and conquering your company on their behalf. Try out cross-functional alignment to prevent fraud. Invite all departments to the table to discuss their experience with fraud. Collect perspectives from everyone, even non-obvious candidates—IT, HR, operations, sales/marketing, customer support, logistics. Most companies can’t even agree on a framework for calculating the fraud problem, so even an imperfect “alpha version” will put you ahead of much of your competition. Put another way—fraudster crews’ deepest wish is that the departments in your company stay in their silos, resist cooperation, and don’t share findings every year.
#2: bring a Data Scientist to the fraud prevention decision table
If you have a data scientist on staff, great. If you don’t, consider partnering with one. Our firm Nethone is kind of unique in that all clients are paired with their own dedicated data scientist. I asked Byron King, one of the Nethone Data Scientists that is focused on the eCommerce space, “What are your tips for companies to prepare for this year's Black Friday sales?” Here’s what he said:
- Look at previous years’ sales volumes and forecast expected volumes for the current year
- Assess the level of fraud risk in previous years during online sales around the holidays
- Gauge the current level of fraud in recent months (has there been an uptick in fraudulent activity in recent months that will bleed over into the holiday season?)
- Use this info (recency of fraud activity, frequency of attacks in recent years, and overall value of fraudulent activity in this time period) to forecast expected fraudulent activity
- Taking this forecast into account, 1) scale up model resources to anticipate increases in volume 2) rebuild models to include both previous years’ data from the Black Friday/holiday season sales + recent fraudulent activity (to capitalize on both relevant and recent data)
Of course the last point applies to companies that are using Machine Learning to detect and prevent fraud, which we recommend using, but the rest can certainly be applied to non-Machine Learning analysis.
#3: consider major IT events from the last several months
Think of major IT initiatives that you implemented over the past year, such as migrations to new infrastructure. Legacy systems may have vulnerabilities if they’re not fully dismantled, and new systems may have their own weak points. For example, friendly hackers turned a single dead link from a legacy cloud solution into an account takeover method on EA/Origin last year. One of the important takeaways from the report about the "friendly" incident: "It is important that organizations with customer facing online portals, and such like, carry out proper validation checks on the login pages they ask their users to access. They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated or unused domains online." To prepare for this year’s shopping season, look inward and find out what major IT initiatives were implemented by your organization, and consider the implications.
#4: prepare your customer support team to be targeted for scams
When fraudsters don’t feel like taking on fraud prevention tools head on, they may look for another vulnerability: customer support (the front-line heroes of the Black Friday and holiday season). Customer support departments usually work under a great deal of pressure during the latter part of the year, usually don’t have fraud prevention training, and have access to a great deal of data that is precious to fraudsters (CS has the “Keys to the Kingdom,” to quote Karisse Hendrick). They will be targets of “classic” social manipulation scams, so training and readiness are useful. Also, invite the customer support teams to the fraud prevention table to hear their experience with scam attempts. Keeping track of types and descriptions of fraud attempts is one of the best initiatives that you can commence. We’ll repeat it again before the post is over.
#5: learn about the classic fraud techniques
Fraudsters are always innovating, but they also love to go with classic techniques as long as they still work. Consider these classic online fraud techniques, and find out whether your staff in various departments (again, think cross-functionally) has experienced some or all of them. How often has it happened? How would they describe it? What information have you collected about it?
- Chargeback fraud/friendly fraud
- WhatsApp fraud (used with PIX scams, see below)
- Phishing/spoofing (used with PIX)
- Carding/payment fraud
- Account Takeover (ATO)
- Synthetic identity
- Social engineering
- Data breach
- Denial of service
- Fake websites and social media accounts of your business (used with PIX)
The last point—fake websites and social media accounts of your business—deserves special attention because online promotions are extremely popular in Brazil. Turning once again to Google’s Fabio Coelho—“Google studies point to three items as most valued by Brazilian consumers in their searches. First are promotions. We have a Brazilian with less money. This is a reality.” Fraudsters pay attention to Google studies as well, and will probably attempt to create fake promotions paired with fake websites to steal customer accounts, personal information and of course payment account credentials.
Another way fraudsters can use fake websites is with phishing schemes looking for users’ PIX information (PIX launches on November 16, just 11 days before Black Friday!). As a number of financial institutions have already reported, this particular scam is already quite popular. The user is invited through email, SMS, WhatsApp, or other messaging apps to enter a page that looks like an official PIX website. Of course the users are asked to register their PIX keys or face some type of made-up punishment or repercussion. When the person enters their personal data, the scammer steals it. Since PIX is still a new concept, scammers are hoping to take advantage of customers who aren’t aware of the official channels of communication for payment matters.
(For more fun facts about fraudsters’ online behavioral characteristics that you can use in your fraud prevention meetings, have a look at Chief Product Officer Aleksander Kijek’s excellent post "Fast Facts about Fraud Detection.")
#6: prepare for the true chargeback season (after the holidays)
The job of preventing fraud and minimizing chargebacks and friendly fraud, for better or worse, is a year-round endeavor. Here is a timeline that shows the typical ebb and flow of the fraud season. The peak season for chargebacks is typically the first quarter of a calendar year. The fact that they are mostly filed around 45-60 days after the purchase indicates the spike correlates with the Black Friday/holiday shopping season. The figures are terrifying; chargebacks filed during Q1 typically represent a massive 41% of the total yearly number!
And what is the real cost of chargeback for a merchant? It’s not only the cost of purchased goods and the refund, but also the fee from the acquiring bank, which covers the costs of processing the chargeback. It is estimated that in 2018 every dollar of fraud cost e-Commerce companies around three dollars. If we imagine 100 R$ of the average 420 R$ spent during the holiday season was fraudulent, that means the merchant lost almost ¾ of their income on that particular client. And the loss is not immediate.
#7: Choose your Machine Learning tools and partners wisely
If you operate an online e-commerce store, then partnering with a machine learning-based fraud prevention firm is recommended. But ensure that your partner offers “explainable AI,” and not some impenetrable black box that makes decisions that no one can… explain. The research firm Gartner published an excellent January 2020 report entitled “How to Create a Payment Fraud Detection Strategy at the Organizational Level” that we highly recommend. Gartner notes that there is often a lack of transparency from machine learning models for fraud detection. Explainable AI is hard to do, but it’s certainly not impossible, so insist on a product that gives human-readable recommendations and reasons for decisions.
Conclusion: Even the minimum effort is valuable
Simply asking teams to record and describe fraud attempts and false positives would be a huge win for many merchants. After Q1 2021, also known as “Chargeback Season,” circle back with your teams and compare notes. We guarantee that if your firm completes this loop and successfully engages in cross-functional alignment around the issue, you will reduce losses and increase revenues in 2021 and beyond.