Beyond Just Technology: Building an Anti-Fraud “Ecosystem”
Every year, despite the availability of advanced fraud prevention technology solution
Clearly, technology on its own isn’t enough to completely stop organized fraudsters who are constantly developing new tactics for evading detection. Today’s anti-fraud solutions are impressive and unquestionably stop large amounts of attempted fraud, but they’re not a silver bullet. They’re most effective as part of an ongoing strategy that creates a diverse security ecosystem with many elements for resilience and adaptability.
A top-down commitment to a company culture of security
Every company should include a focus on security in its culture, and that should flow from the top down. The most effective security cultures go beyond simply aiming to reduce fraud losses–although this is certainly a good goal. They also view security not as a cost center but as something that adds value to the entire organization.
That value includes cultivating a stronger brand reputation and better customer loyalty by reducing fraud and false declines. In a 2021 Consumer Attitudes on Ecommerce, Fraud & CX Survey of 5,000 online shoppers in five countries, 83% said they would boycott an online retailer after a fraud experience involving their website. Among the same group, 41% would also boycott after a false decline, and 32% would complain about the retailer on social media.
Of course, it’s one thing to say a company has a commitment to security and another to practice that commitment over the long term in a way that affects employee attitudes and behaviors. To be effective, this commitment requires ongoing conversations about security and regular awareness training on specific threats such as shipping fraud and return fraud that target customer service teams. There should also be clear communication pathways for employees to follow if they have security questions or concerns to report, and positive recognition for employees who help make the company more secure.
The need for balanced and diversified layers of security
Any security program that relies heavily (or exclusively) on one or a few modes of protection is more vulnerable than one with multiple layers of defense (aka defense-in-depth). A basic example is a checkout fraud-screening process that only looks for Address Verification Service (AVS) and Card Verification Value (CVV) mismatches. These layers can catch simple fraud attempts made with stolen cards and shipping to the fraudster’s address. But these layers are also likely to miss some forms of account takeover (ATO) fraud, which affected 27% of online sellers in 2022, and they may generate false positives if a real customer ships to a new address.
Additional layers of AI-driven analytics can add the capacity to detect ATO as well as synthetic identity fraud and reduce the risk of false declines, while expert review for questionable orders can resolve the edge cases. In its 2022 Global Payments and Fraud Survey, the Merchant Resource Council found that on average, retailers use 4 different fraud detection tools, while those who used twice as many tools reported lower rates of fraud. The challenge in adding anti-fraud layers at checkout is finding the right balance of fraud and false decline prevention while maintaining a low-friction experience for customers.
Retailers can also use the defense-in-depth approach to minimize friendly fraud, which occurs after the order is complete. In 2022, 32% of businesses operating online reported friendly fraud, in which an otherwise good customer places an order, receives it, and then files a chargeback claiming that the item never arrived. Sometimes these friendly frauds are accidental, because the customer doesn’t recognize the charge on their statement. But they can quickly become a habit among some shoppers – one chargeback mitigation firm found that after a consumer has filed one chargeback, they’re 9 times more likely to file another than someone who’s never charged back a purchase.
To avoid being targeted by serial friendly fraudsters, your organization may need to add layers such as package tracking with delivery confirmation and order-screening rules that flag orders from customers with previous chargebacks. It’s also wise to periodically review your company’s fraud, false decline, and approval-rate KPIs to see what’s working, what kinds of attacks are getting through, and what additional layers may be necessary to fully protect against fraud as attack methods evolve.
A better-connected security community
An internal company mindset can serve as a fortification against fraudsters, but it can also act as a silo unless the company also receives timely information from outside the organization about emerging fraud threats and attacks. Fraud doesn’t happen in a vacuum, and fraudsters attacking your business are almost certainly attacking others in your industry. Sharing information can help protect your entire industry or sector from fraud and other threats.
Participating in trade groups, such as the Merchant Resource Council, that share security best practices and updates is another way to start building a wider security community and to get access to resources you can use for your internal security awareness programs. Regular information sharing with your fraud-prevention and cybersecurity partners can help you identify, understand, and adapt to fight emerging threats.
Joining your sector’s Information Sharing and Analysis Center (ISAC) will give you access to information on specific security threats against your industry, risk-mitigation resources, and allow you to share your own findings. There are ISACs for 27 sectors in the U.S., including IT, retail and hospitality, financial services, health care, and media and entertainment.
Creating a climate where fraud can’t thrive
Each of the elements we’ve discussed here—a security culture, deeper layers of security technology, and connection to an active security community–can make it more difficult for fraudsters to succeed. When all the elements are implemented and work together, companies have the best possible posture for reducing fraud, controlling fraud-related costs, and protecting customer relationships.
Original article at: https://www.merchantfraudjournal.com/building-an-anti-fraud-ecosystem/