The world is living through troubled times as it battles COVID-19. We sat down with Rafael Lourenco, EVP at Clearsale, to talk about how merchants can protect themselves from fraudsters who seek to take advantage of the pain and suffering of others during the pandemic.
Rafael was incredibly generous with his time, providing extremely in-depth answers to questions about how to minimize false positives, the most common fraudster scam being perpetrated right now, what industry is currently seeing the biggest spike in fraud, and more.
In general, how should merchants’ fraud departments be responding to the COVID-19 crisis?
Fraud departments are on high alert, and rightfully so, due to the extreme changes that the pandemic has caused in our e-commerce ecosystem. These are unprecedented times, so it’s difficult to draw from history to inform how we should be protecting ourselves. Instead, we are writing our own playbooks for how to adapt to this new world, which will require a lot of awareness and collaboration. Below are some of the main abnormalities we are seeing in the space, and how fraud professionals need to adjust to them:
Variation in volumes – merchants are seeing spikes of more sales on some items and sales on other goods are taking a sharp dive. These variations affect fraud rates, as generally speaking, when the number of good orders moves up or down, the fraud rate moves in the opposite direction (higher good orders = lower fraud rate, lower good orders = higher fraud rate).
Changes in buyer profiles – Brick and mortar stores are closed, which is bringing in shoppers who have never made a purchase online before. This increases the number of first time buyers which raises the risks, as we don’t have a purchase history for these shoppers. That said, due to the influx of these types of new shoppers, the risk level for first-time buyers is actually lowering and that needs to be accounted for.
Shipping to alternate addresses – many are spending the quarantine in locations other than their known permanent addresses. Some are staying with family or choosing to spend it in a vacation home. New addresses raise red flags, but we need to be mindful of this new world, and look at the recent purchase history that may give you the new address for the buyer. This can be tricky, as it is a common practice for fraudsters to use a new address, and if it works, to use it again. But again, this is a new atmosphere we are in, so careful scrutinization is important.
Recurrency and changes in velocity rules – people are buying online the same goods at a far more frequent pace than before. Algorithms may be flagging orders with these velocity checks, but we have to adjust to the new velocity of buyers to ensure that we aren’t rejecting these orders.
It is important to adapt our understanding– and in a lot of cases — adjust our algorithms, to this “new normal” of buying habits. This is how COVID-19 is affecting fraud KPIs, so fraud teams need to make sure they are aware of the changes and adapting their review process to ensure that it isn’t overly conservative and running the risk of rejecting good orders.
2. Is there any merit in merchants in using the lessons they’ve learned from the holiday season crush right now (increased order volume and fraudster activity)? Or do they have to just learn as they go?
The answer is yes and no. I’ll explain:
On the one hand, sales peaks do give us a taste of some of the adjustments to make when there is a sharp increase in volume, and the possibility of an increase in first time buyers due to sales and promotions. Also, our experience working with merchants during peak sales dates (like the holiday season and Mother’s Day) tells us that customers are fairly understanding and can adjust their expectations during times like these, as long as merchants are transparent and proactive. This means updating your website to reflect new shipping times, being accessible to customers, and creating limits on essential items to ensure that as many customers as possible can purchase them.
On the flip side of the coin, this is a situation we have never seen at this scale before, and it has completely changed the profile of the buyer, so we can’t rely on the same set of standards. Changes in velocity, volume and profiles have totally upended what we used to know about how to flag for fraud. It is more important than ever to make sure that your fraud protection system is agile and equipped for this kind of novel ecosystem, because relying on what we know about the holidays is just not enough to combat these discrepancies and will leave you declining a lot of good orders.
It’s important to remember that this time is highly stressful for a lot of individuals, so having an empathetic and positive stance for your brand is vital. Be transparent about your situation, and make sure you are communicating any delays or supply issues clearly. Make sure that customer service is ready and prepared to be understanding of complaints and do everything they can to meet the customer’s needs. While this is a difficult time, and you may see some losses in trying to appease upset customers, in the end, you may have gained a set of brand loyalists and evangelists who will be dedicated and worthwhile shoppers.
3. Is there anything that merchants consider as a ‘standard best practice’ that COVID-19 has actually turned into a vulnerability?
I would say that the biggest vulnerability right now is information security. Fraud prevention departments are generally in-office jobs. This is important due to the amount of personal data that fraud professionals work with daily. Now that we are all working from home, information leaks of customer information is something that needs to be front of mind for any merchant. It is vital to set up VPNs and work with reputable telework partners to make sure that you are protected from hacking and phishing attempts, and that you are constantly monitoring for internal fraud.
4. What are some best practices for limiting false positive declines during the COVID-19 inspired surge in order volume?
Order volumes have a direct impact on rules and algorithms and some retailers have had huge spikes in order volumes. Velocity checks help merchants monitor repeated patterns occurring during a specific time frame and typically velocity filters can help prevent fraudsters that are testing stolen credit card numbers. Given the lockdowns, many people who have never or rarely made online purchases are moving online and the reality is that some of those rules and variables are being misled and concluding some orders as risky when they are not. For instance, we’ve seen customers stock up on toilet paper, often making multiple purchases in a short time frame. Before, we would have thought of these purchasing patterns to be strange, but it is the new norm. Volume increases behave similar to other sales peaks, whereas before you might have had 2% in fraud attempts in a day, now you might have 1%. A decrease in average risk affects how rules and thresholds behave in fraud prevention systems.
It’s important, then, to combine automated fraud detection with careful consideration – looking at a transaction that seems odd to the technology and making a determination on the validity of the purchase during these unusual times. It can still be a tough decision and a tough call, but it will reduce false positives.
False declines can have a compounding effect on a business. More than 60% of customers say that if they are declined on an online channel, they will no longer shop on the site or at least reduce the frequency at which they shop with the online store. In order to avoid this fate, here are some tips that merchants can look into implementing:
- Understand Why Declines Occur – Many systems will prevent certain purchases automatically, such as first-time visitors making exceptionally large orders or orders that originate in certain countries. Knowing what we know about the current environment, you have to look at each transaction and figure out if it is really suspicious. If not, optimize your system to increase the success rate of future transactions.
- Reject Transactions Based on Data, Not Assumptions – Wholesale generalizations (“all orders from China are frauds,” “customers will never want to ship to multiple addresses”) are rarely based in fact. Make sure you’re making decisions based on data, not instinct. If you feel you don’t understand the data, a fraud protection partner can help.
- Contact Customers Directly – A questionable transaction may be an opportunity to forge a lasting relationship with a customer. Most people appreciate the chance to explain themselves rather than being rejected outright. Before flagging a transaction, contact your customer immediately to verify the transaction details. Your customer will appreciate that you’re looking out for them.
- Don’t Rely Solely on Technology / Review Risky Transactions Manually – There’s no denying that our fraud systems, built on machine learning and AI algorithms, are incredibly advanced. But, these are very different times, and there just isn’t enough data that will help our algorithms understand this ecosystem and the changes in behavior. Therefore, it is more vital than ever that you review your transactions manually and put in your due diligence to ensure you aren’t letting your rules decline good orders.
5. What is the role of the human fraud analyst in spotting new fraudster patterns right now? Should merchants be more willing to ‘go with their gut’ than usual?
The unfortunate truth of this situation is that we just don’t have enough data yet from this pandemic to make the necessary adjustments to all of the rules and ML algorithms that will help us allocate and be proactive for this kind of crisis. Because it has only been a couple of months that we have been under stay home orders, and all of the chargebacks haven’t come through as off yet to give us a good data set, so the data just isn’t there.
If you think about the fact that transactions are declined and you know that no system is perfect, then you know you are very likely declining some valid orders – the false declines we’ve talked about. That amount can be as much as 5-6% of your sales volume. To a lot of fraud filters, some situations that may be common during this crisis will trigger those systems – shipping items to a different address or to someone with a different last name. For example, if you purchased something for your parents who live in another state, but your married name is different from their last name, that could get flagged as a fraudulent transaction. The machines only learn what we teach them and a fraud filter that is too basic blocks good orders.
We have to rely more on manual review. AI algorithms, while they can adapt fast when they have a response, but things are too new for those algorithms to find the pattern. Humans are able to comprehend the situation at hand and make adjustments to decisions based on necessary adaptations.
Where a human analyst comes in is in the ability to look at the current situation, to look at a transaction that has been automatically flagged for fraud, and do a multifactor verification. By looking at all of the data points available – has this phone number been used with this email address before, are the address and name correct but the IP address is coming from a foreign location, etc. – these data points taken together and viewed by an experienced human fraud analyst can provide a better determination between a false positive and a truly fraudulent purchase.
6. What kinds of strategies are you seeing fraudsters use to try and take advantage of the uptick in orders from COVID-19?
We are seeing a lot of fraud attempts for the resell of the most desirable products right now. Gift cards, cameras, hand sanitizers, toilet paper, etc. are easy to resell on marketplaces, so these are being targeted by fraudsters.
If merchants have relaxed their velocity checks too much, they may see fraudsters purchasing huge volumes of these desirable items with stolen card info and then reselling them. So while it’s important to be understanding of the changes in buying habits, you don’t want to loosen your rules so much that you end up being taken advantage of.
7. What is the most common fraudster scam you are seeing right now that merchants need to look out for? How can they protect themselves?
Other than the scam mentioned above, Criminals are using public interest in coronavirus to build more phishing and malware sites than ever. Google’s Safe Browsing detected a radical peak in malware and phishing websites from February 2 through February 23, 2020. Phishing websites and malwares are acquiring personal data (including, but not limited to, credit card information) that are used in “identity theft” crimes, CNP fraud included.
These sites are gathering whatever information they can during the confusion of the pandemic and will be using that to make purchases through account takeover fraud (ATO). The more data a fraudster has on you, the more likely the transaction will look legitimate.
This is also a place where we can learn a bit from our past. The major data breaches that we have experienced in the recent years have taught us about phishing attempts and how we can become vulnerable to fraudsters.
8. What industries are currently seeing the biggest surges in fraudulent activity, and why?
We are seeing an anomalous super peak in sales and fraud attempts in the pharmacy realm. This is highly unique. The fraud attempts seem to be centered around drugs related to respiratory illnesses. Fraudsters are taking advantage of those most in need and at risk in this pandemic by fraudulently purchasing these items and reselling them.
There is a similar peak in sales and fraud attempts in home furnishings. We can only presume that this is due to the influx of need for home office supplies and furniture, so this is a key target for fraudulent purchases.
9. Do you think there will be a new fraud reality when the immediate shock of COVID-19 passes, and then there is ultimately (we hope) a vaccine? Or will things just go back to normal?
I think, in the long run, there will be a bright future for e-commerce. We’re likely to face an economic recession, of course, but on the backside of that more companies and more consumers will be ready to conduct business online. The quarantine has essentially driven consumers that hadn’t yet used technology for activities like communications, food delivery and online shopping into that space, and we believe that this will result in more customers overall, as once they see the ease-of-use and benefits of these programs, they will stay online to participate in this ecosystem.
However, that also means that businesses must be ready for the inevitable increase in CNP fraud and make their preparations early. Novice online users means there are a lot of vulnerabilities to look out for.
10. We are seeing globally disruptive events happening with increasing frequency. Can merchants do anything to prepare for the next huge disruption for fraudster patterns in advance of the next crisis?
The best thing that merchants can do is to find a partner that specializes in preventing fraud and outsource that function. Merchants didn’t get into their business to find bad actors, and it’s not their area of expertise. Share the stress and liability with a professional who has invested their reputation on knowing how to reduce the risk overall. Having a trusted partner at your side will result in your business being better prepared for the changes that will be coming in the online shopping arena after this crisis is over. Don’t spend your time trying to keep up with what is happening in the world of fraud. Let the experts who live and breathe this help you.