Forter is an eCommerce fraud prevention solution that eliminates fraud for merchants and online marketplaces. We sat down with them for an in-depth interview about friendly fraud. Friendly fraud — when a cardholder who authorized the transaction himself or herself later claims a chargeback — is one of the biggest, and most intractable, problems facing merchants today.
Our far-ranging discussion covers the different types of friendly fraud merchants must watch out for, how the problem affects reshippers, data breach protection, SCA compliance, and more.
1. When merchants think of e-commerce fraud, they think of chargebacks (and sometimes false declines). What is policy abuse fraud, and why should merchants care?
Policy Abuse fraud or ‘Friendly Fraud’ refers to the misuse of a merchant’s policies by good customers. When combined with the concerted efforts of bad actors to abuse a merchant by finding loopholes in the system or vulnerabilities around the enforcement of merchant rules and policies, these behaviours can wreak havoc on a business’ financials.
Merchants should care about Policy Abuse because of the pressures they face to offer a competitive customer experience. Consumers expect generous policies, and the actions of a few, if unchecked, can cause merchants to adopt more restrictive policies. Policy Abuse costs money. Restrictive policies risk turning away good, loyal customers.
Merchants often focus only on chargebacks and don’t realise the gravity or the impact policy abuse or fraud may have on their bottom line. Policy abuse and friendly fraud take many forms, as detailed below:
● Returns Abuse – Returns abuse is probably the biggest concern for retailers right now. With the dilemma of trying to strike the right balance between not making their returns policy too restrictive, while having the right protections in place, merchants don’t want to upset good customers. According to the National Retail Federation, top tactics include returning stolen or shoplifted merchandise, employee-assisted returns fraud, and wardrobing — returning used, non-defective items.
● Sign-Up and New Account Abuse – Consumers create new accounts in order to unfairly reap the rewards of a discount many times. Merchants struggle to control the number of accounts owned by a single user and manage the high cost of identifying duplicates.
● Coupon Abuse – Coupon abuse occurs when coupons are counterfeit or copied, redeemed without a qualifying purchase, or used without meeting the terms and conditions of the offer. Coupon Information Corporation research estimates that businesses lose $500 million from coupon fraud each year.
● Referrals and Loyalty Programs – Consumers undertake mass-referrals to friends (or even to themselves) to earn more loyalty points or redeem credits on a retailer’s website. When individuals use many email addresses for themselves, they are creating problems for merchants, namely using discount codes to make purchases they would otherwise be making, or to buy items at a discount and resell them at a profit, potentially impacting merchant revenue.
2. Can you give a concrete example of the steps a fraudster takes to commit policy fraud?
There are a few examples of returns abuse: a handyman may purchase power tools for one-time use only, subsequently returning them. Returns abuse is more prevalent in the apparel/fashion sector, where someone purchases an outfit, leaves tags and labels in the clothing, and subsequently returns the item after wearing it.
Similarly, with sign-up abuse, retailers often offer new customers an introductory discount on their first order; the same customers may create multiple accounts, under multiple email addresses, to repeatedly take advantage of the offer. This is similar to many online streaming and audio platforms offering an introductory 30-day free trial period; customers use multiple accounts to circumvent paying a monthly subscription.
Policy abuse and friendly fraud are difficult for most merchants to identify without overcorrecting their policies and turning away legitimate and loyal customers. As such, merchants require systems that are able to accurately distinguish legitimate from abusive behaviours, while ensuring business policies are implemented and protected.
3. Resellers/Reshipping is a booming business model. Should merchants be cutting these sellers out entirely? Or are there best practices they can follow to sell safely to them?
This type of activity is entirely dependent on each merchant’s risk appetite and business goals. For some brands resellers are simply augmenting overall sales or getting more of their products into the market.
In other cases, the resellers can dilute the merchant’s brand, undermining their pricing in the process. This involves resellers undercutting pricing, and thereby impacting the level of potential revenue merchants are able to capture.
This is often the case in markets where there are more resellers – merchants often put policy rules in place to stop the resellers, limiting the number of items individuals are able to purchase within certain time frames. For example, no more than three purchases of the same item within one transaction, or within a one-week window, otherwise the order will be cancelled.
However, this can become problematic as, for example, sometimes a sports team or club will want to purchase more than 20 of the same item all on one day. This is a legitimate purchase from a legitimate customer, but restrictive policies will flag it as abusive behaviour.
4. Refund abuse is a notoriously difficult problem for merchants to counter. What are some of the policies?
Merchants are struggling to keep track of abusers as they tend to use multiple accounts and exploit the omnichannel returns option (by mail, in-store, etc.) to escape detection. ‘Item Not Received’ (INR) claims are also a frequent form of refund abuse that greatly impacts merchants. In these cases, abusers file chargebacks with the merchant, claiming the items they have ordered were never received. In faulty cases, the item has indeed been shipped and received, but the abuser aims to reap the reward of both having received the item as well as getting reimbursed by the merchant for the ‘lost’ parcel.
Repeat INR claims or clear abuse can result in significant losses to the merchant. In order to detect this kind of habitual abuse, merchants require a sophisticated fraud prevention platform armed with a rich network of data and known persona behaviours, to distinguish legitimate customer returns from abusers making repeat faulty claims for an easy cash out.
5. Promotions are a huge driver of sales and customer acquisition for merchants. Can you cite the worst case of this type of fraud you’ve ever had to deal with? What lessons can merchants take from it?
Examples of the most serious cases of promotion fraud include consumers oversharing coupon codes, shoppers creating multiple new email addresses to capitalise on new user discounts, and referral abuse where users spam random addresses with codes to try and keep the money for referring to all of their ‘friends.’
Merchants need to strike a balance between offering these beneficial coupons and discounts while being aware of the fact that they can be misused. The only way to safely ensure this type of abusive behaviour does not occur is to deploy a fraud prevention platform that is able to make the right connections between users in order to distinguish between legitimate customer behaviours and fraudulent or abusive ones.
6. You talk about ‘content integrity’. What are some of the trends you’re seeing with scammers and spammers as we start 2020?
Scammers and spammers – or what may be deemed as marketplace abusers – are a growing phenomenon. Likewise, buyer-seller collusion, wherein fraudsters work together to benefit one another in marketplace settings, is increasingly common. The ability to identify this kind of activity requires a sophisticated fraud prevention platform that is able to link identities to uncover connections that indicate collusion.
Fake reviews are also an issue for many businesses. Merchants want to ensure that their brand integrity is preserved. Fake reviewers or abusive content across their sites can lead to poor customer experiences, increased cart abandonment, and diminished brand reputation. Merchants should be looking to partner with fraud and abuse prevention providers that can accurately assess the legitimacy of users on their site and thereby preserve brand and business integrity.
7. Along the same lines, one of the most dangerous threats for merchants is data breaches. What are some of the ways merchants can screen for these threats and eliminate them?
Data breaches are notorious for exposing information on individuals, as we’ve seen recently with high-profile data breaches in the travel and hospitality sectors. These can then be used to create fraudulent accounts, while an individual’s stolen data can also be sold on the Dark Web, enabling fraudsters to sign in to legitimate accounts.
Merchants therefore need to work with a provider that can make decisions at all touch points of the customer journey, including during account sign-up and at login. This will help prevent the creation of fraudulent accounts using compromised identities. Forter’s comprehensive solution can protect 100% of the customer journey.
Ultimately, ensuring that your fraud prevention provider has the market’s highest data security accreditations and is GDPR compliant is an essential component of the selection process for merchants. A company that values data security and makes clear that it is one of their company pillars is the only option when selecting a provider.
8. Strong Customer Authentication (SCA) was supposed to eliminate a lot of the risk around many of the policy abuse scenarios you protect against. What are SCA’s limitations, and how should merchants be thinking about security beyond its requirements?
Merchants ultimately want to deliver a frictionless experience for customers, without opening up the floodgates for fraud. PSD2 has been a major step forward to solve this.
With up to 26% of consumers admitting that they would abandon a purchase if the checkout and payment process is too long, it’s crucial for merchants to get this balance right. This is where merchants need to work alongside a fraud prevention provider that offers Adaptive Authentication, reducing added friction by determining in advance which transactions require stronger levels of authentication.
9. What are some of the trends in AI that you are seeing fraudsters use to continue to get around multi-factor authentication as a fraud prevention method?
Social engineering is definitely on the rise. In these cases, fraudsters are manipulating vulnerable individuals. They pose as IT support or technical help, asking for personal/private information, and then access those accounts or leverage remote desktop control protocols to gain access to their devices and commit fraud within the accounts.
10. If you could give one tip to merchants looking to avoid policy abuse fraud, what would it be?
Merchants need a sophisticated fraud prevention partner that is able to leverage a wealth and depth of data from across industries, merchants, and geographies to distinguish good and legitimate customer behaviours from fraudulent or abusive ones. This is only possible through the analysis of every transaction and customer touch point, instead of those that only appear fraudulent on the surface.
This allows for an increase in the approval of transactions that would otherwise be declined by a rules-based system that looks only for anomalies. This is crucial in ultimately providing a seamless shopping experience for customers, with minimum friction throughout the purchasing process. However, if a merchant’s policy is too restrictive, it will turn away good customers.
Interview conducted with Aaron Begner, GM of EMEA, Forter