When it comes to fraud prevention strategies, we usually identify two approaches:
The risk-oriented approach, where the goal is to stop fraud as early as possible. It's better to decline a few legitimate transactions, which might slightly lower conversion rates than to suffer the grim consequences of fraud.
The growth-oriented approach, where the goal is to accept as many transactions as possible to create a frictionless customer experience while acknowledging that fraud risks might occasionally occur. This approach can improve the checkout experience and increase sales for a while, but it's a bet that could lead to fraud issues that can escalate with alarming speed over time.
The impact on the customer journey is at the foundation of both strategies, which must strive to be frictionless and secure. However, besides streamlining CX, equally crucial is unmasking and mitigating that part of fraud that might be overlooked, causing both revenue and trust issues.
To identify the ‘danger zones’ across the customer journey where fraud can slip through and affect the CX, we’ll be looking at three perspectives: the buyer’s journey, the seller’s journey, and let’s not forget about the fraudster’s journey.
Platforms, like any other online business, are keen to grow not only their customer base but also their customers' loyalty and retention. A strategic approach to achieving this involves building a community where users sign up, log in, purchase, enjoy discout codes, gain loyalty points or other incentives, and come back for more. This account-based approach is great for encouraging growth and loyalty. However, it comes with its own set of risks that require careful management, such as those below.
Abuse. One such risk is multi-accounting, where individuals create several accounts to exploit the system or unfairly benefit from new member deals. This compromises the platform's integrity and can mess up data analysis and the overall UX.
Trust. Platforms need to make sure that returning members are who they claim to be. Authentication measures need to be strong enough to prevent unauthorized access while being user-friendly so as not to discourage legitimate users from re-engaging with the ecosystem.
Account Takeover. This risk involves unauthorized access to someone else's account, leading to a breach of privacy and potential financial losses. When fraudsters gain access to an account, they can exploit stored data, including credit card information and personal details.
Financial losses: CNP Transactions, which are common in online ecosystems, increase the risk of credit card and payment fraud. Fraudulent activities can cause businesses direct financial losses and operational costs.
If we consider the buyers’ journey on an online platform, here are the stages that the users go through:
Sign-up: This is where the journey begins with the user creating an account by filling out details such as name, surname, email address, and other identifying information.
Login. Once an account is set up, the user logs in by entering their username and password to gain access.
Account settings. After gaining access, the user may interact with various account settings. Security risks may arise if the user tries to change essential identifiers such as email or phone number without a clear reason.
User flows and policies. This involves interactions with internal website policies, linking accounts, and adding new payment means.
Checkout stage. This is where users find items, add them to their cart, and proceed to checkout by entering payment details. Given that there is no physical verification, the threat of CNP fraud is particularly high here.
Post-transaction and returns: After completing a purchase, the post-transaction phase involves abuse of post-sales capabilities such as return policies that could be exploited by fraudsters, or false claims of INR - Items Not Received - which trigger automated compensations or sending new items to the user.
Fraudsters go through the same steps, introducing risks at each step as depicted below.
Multi-factor authentication is often seen as a solution against such threats. Yet fraudsters are creative enough to fool the system. Sensitive data can be easily acquired on the dark web, enabling fraudsters to mimic the actions of legitimate users, insert legit information and credentials, and ultimately bypass authentication measures. To make the worst of both worlds, online businesses might end up with increased friction for their users and with fraud too.
Fraudsters are known to purchase credentials from the dark web to gain access into user accounts. They deploy malware, which is often available as a service, to get user credentials through phishing campaigns or malicious advertisements. They also acquire device fingerprints and use residential proxies to hide their true identity and location.
What’s more, cybercriminals frequently use bots, especially on messaging platforms, to capture or acquire one-time passwords from their targets. These bots are readily available through services tailored for fraudulent activities, eliminating the need to have technical proficiency in coding or bot creation.
Fraudsters aiming to exploit platform websites initially seek to acquire a stolen account, often purchased from the dark web. To avoid raising suspicions with unusual activity, they evaluate the account's shopping history and mimic the legitimate owner's behavior, gradually warming up the account by browsing products and making small purchases, including sending items to the account owner's address.
They engage in activities to appear as legitimate users, such as contacting customer service to build rapport and using tools to automate browsing. Their tactics involve social engineering and a lot of patience to deceive anti-fraud systems. Fraudsters continuously adapt, employing a trial-and-error approach to refine their methods, which means any machine learning models that platforms train must also continuously adapt and evolve as well. These models should integrate regular updates and retraining to recognize new fraudulent patterns and tactics as they emerge.
When sellers sign up, log in, or update important details like their bank information, platforms should employ strong security measures. This is because fraudsters often target these processes in attempts to steal funds by changing bank account details. The key point to watch for fraud is when sellers move money from their marketplace account to a bank account.
KYC checks involve the collection of sensitive documents like IDs and passports. It's important to check this information against official records to make sure it's correct. Often, platforms rely on other companies that specialize in verifying users' identities, but this approach can have gaps in coverage and isn't always reliable.
While rigorous KYC can prevent fraud, it can't catch everything. On the dark web, individuals can buy fake IDs, utility bills, and other documents to bypass KYC checks. Nowadays, advanced generative AI can create very realistic-looking fake documents quickly, making fraud even easier.
Fraud is a combination of resources like privacy extensions, antidetects, credentials, behavioral biometrics, and tactics like network anonymization, spoofers, malware and more. However, every fraud method has its weaknesses.
By sharing new modus operandi within the community, we neutralize these fraud methods. It's not just about relying on AI, despite all the hype around it. Understanding the problem comes first. We need to gather detailed insights before we can teach AI models to spot fraud.
The quicker we learn and apply this knowledge, the fewer chances fraudsters will have to steal money.
Do you have a fraud challenge you need to get to the bottom of? We’re happy to look into it and find the right solution for you. Contact us here.