The 3 Fraud Trends Up Ahead: Protecting Online Business in 2021
2020 was a year like no other - and like no one had anticipated. The consequences will be echoing for years to come, but at least where fraud prevention is concerned, there are some clear trends that will shape 2021. For many fraud fighting teams, this will mean changing or adding to priorities, altering strategy and adapting to new norms.
Here are 3 trends we see coming in the year ahead that many fraud prevention teams aren’t yet ready to address. None of them are entirely new, but the scale at which they’re now operating is a whole new thing. If you want to protect your online business in 2021, we suggest you take these dangers into account.
Trend 1 - BOPIS Carves Out New Vulnerability
Buy-online-pick-up-in-store has been popular for years, but as with other forms of digital transformation, 2020 saw this shift from an option to a must-have.
Businesses who offer BOPIS, benefit. During the 2020 Thanksgiving weekend, Adobe found that retailers offering curbside pickup had a 31% higher conversion rate of traffic to their sites. Sales through Target's same-day services, including Drive Up and Order Pick Up, grew by more than 270% in a single quarter.
Given the substantial advantage, many businesses have adapted to be able to provide curbside pickup. That kind of convenience is the sort of thing consumers get used to quickly. By the time shopping in stores feels safe again, it’s likely BOPIS will be firmly established.
That means fraud teams need to be ready for it. Unfortunately, the option that’s easy for customers is easy for fraudsters, too. Working out how to get around the shipping address challenge has always been one of the hardest parts of physical goods fraud, for the criminal. With BOPIS, that suddenly disappears. It’s almost like turning physical goods into digital ones. And that sends the risk level shooting right now.
Gig Economy Fraud Drives BOPIS Risk Up
In the past, one of the in-built protections against this type of fraud was the limitation of location. The fraudster has to physically turn up to pick up the package, so they’re restricted to an area they can reach. That’s no longer a difficulty for fraudsters.
One of the effects of the pandemic is that criminals suddenly have access to a huge pool of people who are looking for work which can be done from home, flexible hours preferred. And many of these people are desperate. They’re not likely to raise suspicions or investigate possible ethical issues, as they might do in more normal times.
All this has resulted in a kind of dark gig economy for fraud. It’s never been easier for a fraudster to find someone to do their reshipping for them - or to pick up goods in store.
The scale of this ecosystem is completely new. Fraudsters can now find people to act in this support/logistical capacity almost anywhere in the world. The location limitation of BOPIS isn’t a limitation anymore. It’s just a question of having a network of mules willing to do the pickup work (and subsequent reshipping) for you. And that’s no problem.
Trend 2 - Raging Refund Fraud
If friendly fraud entered the fraud fighter’s lexicon during the 2008-9 financial crisis, refund fraud is the hot trend in 2021.
Times of economic uncertainty drive consumers to be less careful than they might be if things are going better. They’re under stress, have less money than they’d expected, feel betrayed by a system that seems constructed to do them down - and they still want the things they would have bought in better times. If they’re stuck indoors, they want them even more than usual.
Refund fraud is an easy path for a customer to take if they want to have their cake and eat it too (or, have their watch/shoes/game/etc. and keep the money too). They can simply claim that the parcel never arrived (porch pirates are a scourge these days) or that it was broken on arrival. Retailers who aren’t accommodating about refunds tend to receive chargebacks. In either case, it’s a problem for the fraud team.
Refund Fraud at Scale
The reason that refund fraud has taken off like a rocket recently - to the extent that few businesses have really caught up yet with quite how much money they’re losing - is that this has become a winning business model for fraudsters.
Criminals now offer refund fraud services. All the customer has to do is place the order, and the fraudster will take care of the rest. The customer will get to keep their order for free, paying the fraudster a small percentage of the cost of the item. The retailer bears the cost.
From the customer perspective, it couldn’t be easier. Fraudsters who specialize in this area have a smooth ride, too; they get to know all the returns policies on the sites of the retailers they defraud, and familiarize themselves with the customer service norms, scripts and even individual representatives.
If they do need to return the item to get the refund, there are lots of ways of dealing with that:
- Return a box stuffed with heavy cheap items (rocks, potatoes) so the weight on the label matches the weight of the original item.
- Send the return label in an envelope, so it’s processed but not sent to the package reclaim department.
- Most ingeniously, pop some dry ice into the box. The weight will look correct on the label, but the box will be empty by the time it arrives. The item must have been pilfered en route!
The fraudsters will match their trick to the policies and standard processes of the retailer, using whatever will slip under the radar.
One way and another, this has gone far beyond the normal risk of friendly fraud. Refund fraud is suddenly a big business, operating internationally and at huge scale.
Trend 3 - Take a Good Hard Look at Your Accounts
The integrity of your accounts ecosystem is crucial for understanding the position of your business. In 2021, you’ll need extra scrutiny to ensure that 1) your accounts are what you think they are and b) they’re safe from being taken over.
Fake Accounts Like Never Before
Lots of new folks came online in 2020, or started using online services such as shopping, gaming and banking more than they’d ever done before. That provides the perfect cover for fraudsters, who can hide among the crowds, setting up accounts with fake, stolen or synthetic data.
Fraudsters can afford to take their time with these fake accounts. Remember the gig economy issue? It’s a problem here, too. Fraudsters can find people from different (safe looking) IPs to set up the accounts for them, and even visit them periodically to search for products and add details like shipping or payment info, making the accounts look legitimate. By the time they come to purchase, the account might be months old and perfectly respectable in appearance.
The impact of fake goes well beyond transaction loss. These accounts also confuse your perspective of your accounts ecosystem, which could lead the business to make mistaken decisions based on inaccurate information. Moreover, fake product reviews and marketplace collusion are on the cards if you leave this risk untended.
ATO at Scale
Back at the start of the pandemic, phishing attacks rose by a whopping 667%, and this has continued to be a major attack vector ever since. Add that to the many data breaches of the last few years (or even just 2020) and you have a truly enormous wealth of stolen data out there.
Bear in mind that the most popular password is still 123456, and you start to see the scale of the problem here.
The result won’t be a surprise to any fraud prevention professional: According to Javelin, by late 2020 ATOs were trending at the highest loss rate so far, up a staggering 72% over the prior year.
Fraudsters have been particularly willing to take their time with some ATOs recently as well. While they attempt to monetize some right away, others have been saved for a more gradual approach, with fraudsters visiting the account regularly to establish their IP, scope out loyalty points and learn about buying history from past purchases (so that they can match new orders to look legit).
The gig economy comes into play here as well, since fraudsters have more scope with shipping addresses than before. A new address can look plausible, if it’s chosen with care. And it might not be that new - if the fraudster is taking their time about it.
3 Problems with 1 Solution: Collaboration
What’s interesting - and frightening - about these 3 trends is that they’re not amenable to many of the kinds of detection and mitigation techniques that fraud prevention teams usually rely on.
The gig economy growth throws a spanner into traditional IP analysis and address protections. BOPIS, now possible at scale, makes physical goods much riskier than they used to be. There’s a huge amount of stolen data available, making passwords even less useful than they used to be.
All this in the context of a world where consumers are more online than ever - giving fraudsters plenty of cover - and with higher expectations than ever: 60% of consumers have higher expectations of their digital experience than before Covid-19. Plus, it’s harder for teams who are working remotely to compare trends they’re seeing.
And typical fraud prevention tools won’t work against refund fraud, which is carried out by the person who really does own that identity, address, credit card and account - you can’t see that they’re being helped in the background by a professional fraudster who could be anywhere in the world.
The solution that does work is one that seems almost too obvious to be seen. Retailers, marketplaces and financial institutions have to start working together, directly. They need to pool knowledge about users, both good and bad.
Once you know that a customer has a string of refunds under their belt from the last 3 months, you can make an informed decision about what you want to do with their new order. When you know that a particular IP and name have never been seen together before, you can add friction as necessary. When you discover that a particular email, IP and device have never been seen together before, you can draw your own conclusions.
Final Prediction: Privacy Enhancing Computation Saves the Day
This is our final prediction for 2021. Gartner has predicted that Privacy Enhancing Computation will be a top tech trend of 2021. We think it’ll be game-changing in fraud prevention, too. (Why should tech get all the best stuff?)
What Privacy Enhancing Computation means, in the context of fraud fighting, is that companies can collaborate to share knowledge in the way we just described - without ever sharing any personal customer information. No PII. Nothing. Nada. Zip.
They don’t need to share with other companies, or with the network that connects them. We know, because we are that kind of network. You don’t need to share personal information anymore. It’s that simple (No, it’s not magic, it’s math - you can read about it in this ebook, if you’re interested.)
You can get more out of it if you don’t share it - because you can validate things like credit card numbers, which you probably don’t want to share even with fraud prevention solutions or data enrichment tools.
This kind of collaboration isn’t vulnerable to the weaknesses that more traditional methods show when compared to the problems coming this way during 2021. It’s based in the consensus of many companies, who have tremendous experience of users and their identities, and who are willing to pool the trust in those identities that they’ve built up over the years.
That’s too bad for fraudsters, of course. But with a year ahead like this one looks to be, there’s no sympathy to spare for the criminal fraternity. Even if they are being clever.