With retailers facing huge losses as a result of cyber crime, it’s never been more important to ensure that the right fraud prevention measures are in place.
Four years ago, Stockport women’s young fashion indie Eternal Envy received an online order for about £600 within the first six months of trading. However, rather than the cash till ringing, it rang alarm bells for owner Maria Telford. “I’m a strong believer in the old adage that if something seems too good to be true, it usually is,” she says. A phone call to the bank revealed the order was suspicious, with 36 bank cards registered to the one email address.
The transaction was a lesson in online fraud for Telford, who quickly took steps to bolster her website’s security. But Telford was one of the lucky ones. The growth of ecommerce is a double-edged sword for retailers, with £77.3m lost to fraud in the past year, according to a survey by the British Retail Consortium (BRC).
Retailers fall victim to various types of e-crime, from online identification to hacking attacks. In its report, the BRC found the most common in the past year was card-not-present (CNP) fraud – the use of unauthorised credit or debit card details without the card being present.
One indie in the north of England fell victim to CNP fraud in May when a ‘customer’ in the Far East emailed an order for handbags and asked that the owner pay a particular shipping agent to send the items, with the total shipping costs and order paid for by the customer.
The owner became suspicious after two weeks of silence from the shipping agent, so did some online research. “I found a number of references to this type of scam,” she admits. A month later her card processor rejected the transactions and she had to return the money. She lost £1,200.
To fight online fraud, retailers need the right prevention tools in place. One of these is 3D Secure, more commonly known as Verified by Visa, MasterCard SecureCode or American Express SafeKey. These card schemes attempt to verify that the person placing the transaction is the legitimate cardholder.
Retailers can also set up their own tools to detect when a transaction might be fraudulent. Etailer BrandAlley has its own “very effective system” that can check the address given with any account to verify it, explains chief executive Rob Feldmann. “If the address is not one normally used or flags issues, we will hold off sending out items and contact the customer via phone or email for proper verification,” he says.
Many fashion retailers partner with third-party companies such as CyberSource and ReD, which provide e-crime prevention tools such as fraud screening. For example, when a customer enters their account details on a website, CyberSource assesses whether the transaction is fraudulent and the retailer can then decide to approve or decline the order.
Middlesbrough indie department store Psyche works with payment gateway provider Skrill using a variety of real-time and bespoke ‘rules’ to accept or deny transactions. Web manager Martin Green says the tools check “the plausibility of the transaction, information contained on our blacklists, the velocity of transactions placed using the order details and the address verification service results”. These checks then provide a risk score on which to approve or deny the order.
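The kind of rules-based scoring Green describes, sketched as an added example (not Psyche's or Skrill's code): it combines blacklist, velocity and address verification service (AVS) signals into a risk score, and also counts distinct cards per email address, the pattern in the Eternal Envy order above. The weights, thresholds, field names and sample orders are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All weights, thresholds and field names below are illustrative assumptions.
WEIGHTS = {"blacklist": 60, "velocity": 25, "avs_mismatch": 20, "many_cards": 40}
VELOCITY_WINDOW, VELOCITY_LIMIT = timedelta(hours=1), 3  # orders per email in window
CARD_LIMIT = 2                                           # distinct cards per email
REVIEW_AT, DECLINE_AT = 40, 70

class RiskScorer:
    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.orders_by_email = defaultdict(list)   # email -> [timestamps]
        self.cards_by_email = defaultdict(set)     # email -> {card tokens}

    def score(self, order):
        """Return (score, reasons, decision); orders must arrive in time order."""
        email, ts = order["email"].lower(), order["ts"]
        reasons = []
        if email in self.blacklist or order["ip"] in self.blacklist:
            reasons.append("blacklist")
        # Velocity: earlier orders from this email inside the window, plus this one.
        recent = [t for t in self.orders_by_email[email] if ts - t <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            reasons.append("velocity")
        # AVS result as reported by the gateway, reduced here to match/mismatch.
        if order["avs"] != "match":
            reasons.append("avs_mismatch")
        # Link signal: many distinct cards tied to one email address.
        cards = self.cards_by_email[email] | {order["card_token"]}
        if len(cards) > CARD_LIMIT:
            reasons.append("many_cards")
        self.orders_by_email[email].append(ts)
        self.cards_by_email[email] = cards
        total = sum(WEIGHTS[r] for r in reasons)
        decision = ("decline" if total >= DECLINE_AT
                    else "review" if total >= REVIEW_AT else "approve")
        return total, reasons, decision

def demo():
    """Constructed sample: one normal customer, then one email cycling through cards."""
    scorer = RiskScorer(blacklist={"203.0.113.9"})
    t0 = datetime(2024, 1, 1, 12, 0)
    orders = [{"email": "a@example.com", "ip": "198.51.100.5", "avs": "match",
               "card_token": "tok_a", "ts": t0}]
    orders += [{"email": "b@example.com", "ip": "198.51.100.7", "avs": "mismatch",
                "card_token": f"tok_b{i}", "ts": t0 + timedelta(minutes=5 * i)}
               for i in range(4)]
    return [(s, d) for s, _, d in map(scorer.score, orders)]
```

An AVS mismatch alone stays below the review threshold here, which is the trade-off against rejecting genuine orders: a single weak signal does not block a customer, while stacked signals escalate to review and then decline.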
However, with criminals becoming more sophisticated, retailers need to constantly review and update their fraud prevention approach. Kieran Macey, head of risk for ReD in Europe, Middle East and Africa, says one of the latest technologies to prevent e-crime is purchase behaviour recognition, which looks at how a shopper moves through a website before buying.
BrandAlley is also developing its technology to cross-reference the IP address of orders with those on blacklists. But retailers face online fraud becoming more widespread as consumers become more connected through devices such as mobiles and tablets. Daniel Mitchell, director of network support company Lifeline IT, says the prevalence of wireless networks “opens these devices to exploits from online attackers, particularly when transactions are being made exposing personal information”.
These devices also throw up further issues for retailers. “The challenge of payment fraud screening for retailers is that the profile – for example, the time of purchase and what is being purchased – through a mobile may well be different to that from, say, a PC at work,” says CyberSource director of products and services Dr Akif Khan. “According to the rules of some fraud management strategies, a genuine transaction from a mobile device may therefore be perceived as fraudulent.”
While expanding online overseas presents retailers with opportunities, it also opens them up to the possibility of further e-crime and challenges as each country has its own ecommerce guidelines. Jennifer Clarke, fraud prevention specialist at lingerie etailer Figleaves, warns that retailers “have to be much more vigilant as they’re not able to rely on the same processes used for screening domestic orders”.
Before entering new markets, retailers should also get to grips with the variations in payments, warns Feldmann. “In the UK it’s standard to pay by PayPal or credit card, but in Germany a lot of consumers are invoiced for purchases payable 30 days after the order. This means they have received items in many cases before they pay.”
The recent BRC report showed that retailers lost £111.6m on genuine business being rejected because of measures to prevent online fraud, demonstrating the difficult balancing act they face. Clarke says an effective fraud process will help retailers find and maintain the equilibrium needed to accept the right transactions. “Retailers must decide what level of fraud risk they’re willing to take to maximise revenue from good customers,” she adds.
However, they’re also faced with what they describe as a lack of support from the police, meaning many don’t feel encouraged to report the crime. Clarke says that unless the fraud is of a significant value then law enforcement authorities are unlikely to follow up.
“For transaction values into the tens of thousands the story might be different, but for a retailer whose average transaction value is less than £100 our fraud isn’t of interest to the police,” she says. “This does discourage us from reporting cases, when in fact we would be very keen to work with the authorities to bring prosecutions where possible.”
The BRC has previously spoken out on how it is keen to work with law enforcement and the government, using the report as a call to develop a consistent, centralised method for reporting and investigating e-crime.
BRC crime policy adviser Catherine Bowen says following the report, the organisation is now “privy” to discussions about online fraud with [the lead police force for fraud] the City of London Police and bodies such as the National Fraud Authority, and will push to achieve its centralised reporting goals.
River Island head of safety and loss Steve Frame says fraudsters continually adapt and can communicate across the world, meaning “the risk landscape is constantly changing. It is difficult to be able to keep up all the time”.
One way retailers could help fight online fraud is through sharing data. “If one retailer has stopped a fraudster at the door, they can help others do the same by sharing this information, without detriment to their own business,” argues Clarke. “Where prosecution isn’t likely, the fraudster will simply move on to the next retailer. If every retailer is forewarned this can be prevented.”