As the world pivoted to online shopping, work, and learning last year, the timeline for mobile usage growth jumped ahead by two to three years in the first half of 2020. Many retailers rolled out shopping apps to meet the new demand for e-commerce and be more competitive in the mobile commerce space. Many added digital wallet payment options and encouraged customers to create digital accounts to shop more conveniently on their phones.
All of this was necessary for retailers’ survival and growth, but it also came with some fraud-related challenges. Here’s what we’ve learned about mobile commerce and fraud in 2020 that merchants can use to protect their revenue and their customer data now.
Retail apps need strong security and brand monitoring
For many retailers, adding apps was a must to survive the restrictions on brick-and-mortar shopping. However, in a rush to get apps to market, many were built without security features to prevent fraudsters from copying the apps, altering them, and turning them into phishing apps that impersonate the retailer’s brand. Even retailers with plenty of development resources had gaps in their app security: a September 2020 study of the top 50 retail apps found security flaws in “most” of them.
Fraudsters who did turn retail apps into phishing fakes had plenty of cover. With many new apps flooding the marketplace and more consumers making mobile purchases for the first time, there were plenty of opportunities for shoppers to download fraudulent apps mistakenly and for thieves to steal their data.
How can retailers with mobile apps prevent hacking and impersonation? IT and cybersecurity team members or third-party experts should review the app’s code to identify and fix any vulnerabilities. Brands also need to monitor app stores to spot and report apps that impersonate theirs.
Digital wallet use makes fighting friendly fraud a challenge
Giving mobile customers the option to pay with a digital wallet like Google Pay or PayPal can increase conversions by reducing the amount of data they have to enter at checkout. After a year spent buying more items online than ever before, the digital wallet habit is strong: 64% of millennials used a digital wallet to purchase between December 2020 and February 2021.
The customer convenience and reduction in cart abandonment that digital wallets can provide are good things for merchants, but they come with a catch. So-called “friendly fraud” has increased since the beginning of the pandemic, as individuals faced economic uncertainty and realized how easy it can be to commit this kind of crime. Friendly fraud happens when a consumer orders an item, receives it and then files a chargeback claiming the item never arrived.
Merchants can dispute friendly fraud chargebacks by providing proof of delivery, and about half the time, those chargeback disputes are successful — if the purchase was made with a credit card. As more shoppers use digital wallets, the problem is that it’s harder for merchants to dispute those chargebacks successfully. One study found that only 5% of digital wallet chargebacks were successfully disputed by merchants.
How can merchants get the benefits of digital wallet payments and reduce the risk of friendly fraud? One important step is to add end-to-end order tracking with delivery verification for all purchases of physical goods. If you can prove that the order arrived, you’re more likely to win chargeback disputes for non-delivery.
Another key is to screen all digital wallet orders using your fraud detection processes instead of relying entirely on the digital wallet provider’s security. This can help screen out orders placed by fraudsters who’ve taken over a customer’s digital wallet account.
Account takeover fraud requires retailers to rethink anti-fraud practices
ATO was already a growing problem before the pandemic, responsible for $16.9 billion in e-commerce losses in 2019. Then, phishing attacks surged by 667% in March 2020, as fraudsters saw an opportunity to exploit consumers’ confusion and fear about the new coronavirus.
This surge included an uptick in emails and websites designed to steal victims’ email, Google, or Microsoft login credentials. With that login information, criminals could quickly take over those accounts. They could also use bots to search for other accounts using the same credentials, like digital wallets and credit card accounts, and hijack them, too.
By October 2020, ATO attacks had increased by more than 280% from the same time in 2019. There was also a 300% increase in stolen credentials being fenced by criminals on the dark web, according to ThreatPost, which means the ATO threat is unlikely to decline any time soon.
What can retailers do to fight ATO mobile fraud?
First, retail apps need strong security, and retailers need to monitor app stores, social media, and other digital channels for impostors and phishing attempts.
It’s also essential to require strong passwords for your customer accounts and encourage customers to create a unique password for their account with your store — one that they don’t use for any other accounts.
Next, retailers should monitor fraud attempts, completed fraud, and false declines by channel. Putting all your fraud data in one bucket prevents you from seeing whether one channel, like mobile, deals with more fraud attempts or is hit by more completed fraud than your desktop channel. Monitoring data by channel also lets you quickly spot trends like a spike in mobile-channel fraud attempts so that you can respond fast.
Finally, ATO fraud’s prevalence means it’s not safe to assume that a returning customer is who they say they are. Retailers need to screen all transactions for fraud, using digital tools and human expertise to quickly evaluate customer behavior, device identity, location, and other real-time and historical factors, without adding friction for the customer or generating false positives.
The other mobile fraud prevention lesson from 2021
The pandemic pushed many of us into new habits at work, in businesses, and at home, using new technology to get things done. But the pandemic also showed us that no matter how advanced the technology and processes, at least two aspects of fraud seem never to change. The first is that fraudsters thrive on chaos, like the confusion that erupted at the start of the pandemic. The second is that merchants must always be on guard and always evolving their fraud prevention practices, as fraudsters try new scams and new twists on old ones.