I’ve fallen in love with a handbag I’ve just seen on the internet. I pop it into my virtual basket and then seal the deal from my sofa by scanning my thumb print. That’s secure payment no one else can copy.
Until that moment arrives, online retailers face an ongoing fight against fraudulent payments. With about 9% of clothing sales now online and expected to rise to 25% in the next 10 years, according to ecommerce expert Javelin Group, the battle is only going to get bigger.
Ecommerce fraud rose 0.4% year on year to £140.2m in 2012, with 3p in every £100 spent via fraudulent credit cards, according to banking industry body Financial Fraud Action UK (FFA UK). A survey by payment services company Ogone found that 0.8% of online sellers’ turnover in the UK was affected by fraud.
Clothing retailers are among the most likely to face fraud attacks, suffering up to four times as much fraud as the average retailer in any given country, according to Ogone. The size of the transactions makes it worthwhile for criminals to take a risk, and as clothing is also prone to genuine shoppers falsely claiming they haven’t received goods, it’s a tricky nut to crack.
Ogone’s research found that up to a fifth of online clothing transactions suffered from fraud over the Christmas period, for example.
Sach Kukadia, buying director at etailer SecretSales, says: “If you find yourself [unwittingly] sending out a fraudulent delivery, you must be aware that without the correct checks, you are likely to have not only lost the price of the product but also the money you received as payment, as this may be requested back by the bank. The authorities find it difficult to catch the fraudsters and therefore without tighter disciplines, illegal online activity will always be present.”
Smaller retailers may also face higher risk.
The Federation of Small Businesses (FSB) says cybercrime costs its members about £785m a year, about £4,000 per business. Nearly a third of its members have been affected by fraud, with 10% suffering ‘card not present’ financial crimes.
Most worryingly, a fifth of the FSB’s members said they had not taken any steps to protect themselves against cybercrime. Those who do not take preventative action are increasingly likely to face widespread attacks as communities of fraudsters spread the word.
“Fraud is like water, it will go to the weakest point,” says Michael Archer, head of the consumer financial services practice at advisory firm Kurt Salmon.
A key risk for smaller businesses is the lack of security on customer data that may not be handled and stored safely. “Criminals will target those that do this poorly in order to use personal data to socially engineer individuals
and perpetrate fraud,” says FFA UK.
Kukadia says SecretSales has tried to tackle this problem using its back-end technology.
“We have stringent checks in place to flag any irregularities with orders and our site is regularly scanned by a security service to highlight high-risk areas. Our system alerts us if the same delivery postcode is used under separate names, allowing us to blacklist certain addresses.”
New technologies and tactics have helped bring the rate of fraudulent online payments down from a peak in 2008, but retailers are increasingly facing new types of fraud, from fake versions of their websites selling copycat or non-existent product, to identity-theft where organised gangs collate detailed information from social networks and other sources in order to pose as a genuine shopper.
For retailers, the potential losses are not only financial. Shoppers are likely to avoid buying a brand online if it is widely copied and used by fraudsters as a honeypot to draw victims, while genuine websites with poor payment security may also make the customer think twice.
Top of the list for any retailer wanting to give their shoppers peace of mind should be signing at least one of the 3D security schemes, such as Verified by Visa or Mastercard’s SecureCode, which ask shoppers to put in a password via their card providers’ system.
Archer says these systems may be more expensive and require the upgrading of a site’s back-up systems, but he points out: “Any costs in getting the system or processor up to the necessary standards pays back in not having
to reimburse customers, or by securing sales from someone who didn’t trust the site before.”
Archer says it is important that etailers communicate the use of such security measures carefully. “Making too big a deal about such systems can put off shoppers. It should appear only at the point where shoppers are actually making the payment with perhaps a hotlink explaining its presence for those who want more details,” he adds.
Rob Feldmann, chief executive of discount etailer BrandAlley, says it has taken measures to ensure customer assurance on its site. “We use Verified by Visa to give shoppers confidence when checking out. Although we don’t currently store payment card details, we are considering it - it’s the balance of convenience for the customer
while making them feel secure and in control.”
New tools that major card providers are working on include ‘real-time scoring’, which identifies and captures fraudulent transactions while they are happening by picking up on particular types of behaviour.
Another development is the adaptation of the gadgets already used by many banks to generate random passwords for online transactions, so they can be used in a retail environment.
All these ideas can be helpful, but tackling fraud gets trickier when retailers open their websites to transactions from new countries.
It might be assumed, for example, that it’s possible to check a cardholder’s address against their delivery location everywhere in Europe - this is not the case. The system is really only in place in the US and UK.
Shoppers in some countries are also not happy to use the 3D security systems. In Spain, for example, the system is not widely adopted and so some retailers turn the system off for that country so their sales aren’t affected.
“They need a protection system working alongside the process to compensate for that choice,” says Julian Wallis, head of sales for the UK and Ireland at Ogone, which offers a service that can tailor protection for the requirements
of different countries.
Germany is also prone to a particular form of fraud. That is because a payment method called ELV, which is very popular in Europe’s biggest market and works like a direct debit, allows shoppers using this system to recall their payment quite easily, with little reason.
Some retailers therefore choose to avoid offering ELV, but that can result in lost sales. “Better make sure you have got a decent credit database behind your service or you will face all sorts of potential problems,” says Wallis.
Expanding abroad can also attract criminals who use well-known labels to either sell counterfeit goods or to gather card details from unsuspecting shoppers.
A fifth of shoppers searching for some brands find themselves on fake sites, according to Charlie Abrahams, vice-president and general manager, EMEA at MarkMonitor, which helps retailers tackle fraudsters.
Brands that want to reassure their shoppers can offer a URL-checking service where potential shoppers can ensure the site they want to buy from is a genuine distributor. Hair straightener manufacturer GHD already does this.
Buying international domain names that feature your brand can help ensure shoppers don’t stray, but this is only cost effective for a certain number of permutations. As some brand names may be featured on as many as 10,000 fake sites, other tactics need to come into play.
Julie Deane, founder of leather accessories brand Cambridge Satchel Company, says: “We have had letters and emails from customers wanting to return a poor quality satchel, or to find out why their orders were not filled. When we check the order numbers, we find that they were not ordered from the official Cambridge Satchel Company, but from one of the fraudulent sites. We have worked with our lawyers to take these sites down, but they come back with new names and new approaches.”
As a result, it hired MarkMonitor, which took action against 1,000 counterfeit Cambridge Satchel product listings on exchange sites, and detected 29 ecommerce sites selling counterfeits and 76 sites cybersquatting Cambridge
Satchels by using the brand in its domain name.
That a relatively new brand faced such significant attacks only shows how fast fraudsters are prepared to move.
Retailers need to move faster.