Fraud and the changing threats facing retailers

Find out how you can protect yourself and your customers from the growing risk of online fraud

This September, Opayo ran a live virtual roundtable for its merchant customers: Fraud & Changing Threats to Retailers. Hosted by investigative journalist and tech specialist Geoff White, a panel of top fraud and cybersecurity experts shared key advice about how the UK’s businesses can stay safe online.

To watch the conversation in full – finding out how online fraud is evolving, and how to counter it whilst optimising your ecommerce opportunities – just click here. Or, for an overview of what was discussed, keep reading.

What is fraud – and what is it costing UK merchants? 

Fraud is cheating – finding ways to gain either money or goods illegally. As Tali Scott, Head of the Ecommerce Product at Opayo, explains, the online fraudsters hitting the UK’s businesses tend to attack in one of three ways:

1. Processing transactions with stolen payment details. 

2. Card testing. Using botnets (networks of private computers that release malicious software) to test batches of stolen card details. The botnets target merchants, attempting low-level transactions to see if any of the stolen card details are still valid. If they are, the fraudsters go on to use those cards to make high-value purchases. At both stages of this fraud process, any transactions that are validated by the merchant result in chargebacks and authorisation fees. This can lead to massive losses. 

3. First-party fraud. This is where a genuine card holder claims a transaction is fraudulent even when they undertook it. There is no single simple solution to first-party fraud, but as a rule of thumb the better the authentication deployed the less opportunity there is for a customer to successfully challenge a transaction. 
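
The card-testing pattern in item 2 leaves a recognisable trace in a payment log: one source trying many different cards at low value, mostly declined, followed later by a high-value purchase on a card that passed. The sketch below is an added example, not Opayo's or ACI's code; the log layout, card tokens, IP addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): time, source IP, card token, amount GBP, authorised
SAMPLE_LOG = [
    ("2021-09-01T10:00:00", "203.0.113.7", "tok_a", 1.00, False),
    ("2021-09-01T10:00:40", "203.0.113.7", "tok_b", 1.00, False),
    ("2021-09-01T10:01:15", "203.0.113.7", "tok_c", 1.00, False),
    ("2021-09-01T10:02:05", "203.0.113.7", "tok_d", 1.00, True),
    ("2021-09-01T10:02:50", "203.0.113.7", "tok_e", 1.00, False),
    ("2021-09-01T10:03:30", "203.0.113.7", "tok_f", 1.00, False),
    ("2021-09-01T10:05:00", "198.51.100.20", "tok_x", 3.50, True),   # genuine small order
    ("2021-09-01T10:06:00", "198.51.100.33", "tok_y", 2.00, False),  # customer mistyped CV2
    ("2021-09-01T10:06:30", "198.51.100.33", "tok_y", 2.00, True),   # same card, retry succeeds
    ("2021-09-01T14:20:00", "192.0.2.99", "tok_d", 899.00, True),    # validated card reused
]

def detect_card_testing(log, window=timedelta(minutes=10), max_amount=5.0,
                        min_cards=5, min_decline_ratio=0.6):
    """Return {ip: summary} for IPs trying many distinct cards at low value."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount, ok in log:
        if amount <= max_amount:  # only low-value attempts count as probes
            by_ip[ip].append((datetime.fromisoformat(ts), card, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the time window forward
            burst = events[start:end + 1]
            cards = {card for _, card, _ in burst}
            declined = sum(1 for _, _, ok in burst if not ok)
            if (len(cards) >= min_cards and declined / len(burst) >= min_decline_ratio
                    and len(burst) > alerts.get(ip, {}).get("attempts", 0)):
                # keep the largest qualifying burst seen for this IP
                alerts[ip] = {"attempts": len(burst), "distinct_cards": len(cards),
                              "validated": sorted(c for _, c, ok in burst if ok)}
    return alerts

def follow_up_purchases(log, alerts, high_value=100.0):
    """Authorised high-value payments on cards validated during a flagged burst."""
    validated = {c for a in alerts.values() for c in a["validated"]}
    return [t for t in log if t[2] in validated and t[3] >= high_value and t[4]]

if __name__ == "__main__":
    found = detect_card_testing(SAMPLE_LOG)
    print(found)
    print(follow_up_purchases(SAMPLE_LOG, found))
```

Counting distinct cards rather than raw attempts is what keeps the customer who retries one card after a typo out of the alerts.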

Amanda Mickleburgh is Director of Product Merchant Fraud for global payments software company, ACI Worldwide. Her focus is on ecommerce fraud prevention. Like Tali, she highlights the rise in botnet attacks and account takeover, warning that the boom in mobile payments means that we’re likely to see a corresponding uptick in mobile fraud. 

The cost to UK merchants? It’s eye-watering. Candice Pressinger, Director of Customer Data Security at payments giant Elavon, cites the World Bank 2020 Report, which states that, globally, cybercrime damage could reach a staggering six trillion dollars over the course of 2021.

For the UK, the cost of fraud in 2021 amounts to £137 billion. This means that cybercrime is costing us a jaw-dropping five million pounds every day. Yet, in a recent Opayo survey, we found that 46% of merchants don’t feel they have the right measures in place to cope with fraud attacks.

And scammers aren’t standing still. Criminals are continually evolving new ways to exploit vulnerabilities in the system. Here’s how the experts think the landscape will change as we adapt to the new, post-pandemic world...

The changing landscape of online payments fraud

Key things merchants need to look out for are new types of fraud, fraud that targets specific industries, and fraud when entering new markets. 

One practice that’s on the rise is automatic push claims. These are requests – purportedly from a trusted source – for large sums of money to be moved into a supposedly secure account, which in fact belongs to a scammer. Typical push payment scams include:

  • Sending fake invoices that look genuine (i.e. from a trusted supplier)

  • Convincing people to transfer money to someone official, such as a solicitor

  • Conning people into transferring cash into fraudulent bank accounts

  • Sending emails pretending to be someone you know asking for money.

A report from UK Finance, which came out in September, said that there was a 71% rise in these automated push payment scams during the first half of the year. They’ve now overtaken card fraud for the first time. 

Another activity that merchants can expect to see more of is synthetic identity fraud. Candice says that this is when criminals use a mixture of real and made-up data to create an imaginary person – for whom they open bank accounts, and build up credit, before cashing in by making high-value purchases for which they never pay. 

She also calls attention to potential weaknesses in particular industries, following the upheavals of the pandemic. The hospitality and the travel sectors have both lost significant numbers of people. This makes them targets for criminals, as it takes experienced people and tools to monitor behaviour and spot the signs of potential fraud. 

Deepak Anand, the Senior Director of Strategic Partnerships at BigCommerce, the leading cloud ecommerce platform for established and rapidly growing businesses, has a final word of caution. It’s key for merchants to think about the potential risks of entering new markets. What is the potential for fraud? For example, how would the returns process work with chargebacks? 

Now it’s time for the good news. However cunning the criminals, there are tools and tactics to reduce the impact of fraud to your business. Here’s what you need to consider...

How can the UK’s businesses protect themselves from online fraud? 

Step 1. Look for weaknesses in your systems

The thing to do, first and foremost, is to understand where there are problems in your system that may need to be fixed. The simple truth is that any weaknesses in your system can make you vulnerable to fraud.

Step 2. Reassess your appetite for risk 

Merchants who configured their fraud rules and settings pre-pandemic should revisit them to see if they’re still right for their business. 

As an example of services that help to protect you, think about your address verification services. These check whether a customer’s shipping address is the same as their billing address. 

This helps you when you’re selling goods or services – for example, white goods – that you would expect to be bought by a customer and delivered to their home. So, if the addresses match, it’s a good sign of a trustworthy transaction. 

However, if you encounter a new customer asking for a delivery to be made to a different shipping address, this is a transaction to watch. In this instance, you may want to look at your fulfilment options and choose to only offer a ‘signed for’ fulfilment option. 

If you get a number of repeat orders from the same customer and the transactions go through without a problem, you could then choose to start releasing more fulfilment options to them. Your payment gateway will give you default settings that you can configure and test to see which combination stops good transactions from being lost while preventing fraudulent transactions from getting through.


Step 3. Authenticate your users

With hybrid working becoming the new normal for many businesses, it’s vital to ensure that your virtual private networks are secure. VPN tokens are a useful security mechanism for authenticating a user or a device before allowing access to your system. 

This is about staying alert. If you think something looks a bit dodgy, get a second opinion before granting access. 

Step 4. Ensure someone at your business has responsibility for monitoring fraud 

Our recent Opayo survey found that for 35% of the UK’s SMEs, no one had responsibility for monitoring fraud. That could be a very costly oversight. Having ownership of fraud monitoring – and clear key performance indicators for fraud reduction – helps to drive improvements in your processes and awareness. The benefits of having at least one person trained up to monitor for signs of fraudulent activity far outweigh the costs of the damage that fraud can cause.

But it’s also important not to rely on human monitoring alone. Many scams can only be picked up by automated tools. So, alongside appointing a fraud or security manager, invest in smart web security tools and technology that fit with your risk appetite and user experiences. 

Real-time fraud screening tools usually come as standard via ecommerce payment providers to help you monitor your ecommerce payments activity. Common fraud prevention checks include address and postcode verification (AVS), card security code (CV2) and IP address checks, alongside two-factor authentication from 3D Secure. The benefit of this fraud screening information is that you can identify whether a transaction is legitimate or fraudulent before you approve dispatch of your goods, and you can set up rules on your account for added protection.

Opayo customers get access to the Opayo Solution or ACI Fraud Management as standard.
 
Step 5. Activate SCA and EMV 3DS

To decode those acronyms – SCA is Secure Customer Authentication and EMV 3DS is a messaging protocol for frictionless consumer authentication when a card-not-present transaction is being made. Along with point-to-point encryption, these improve online security and should be activated as soon as possible. 

The importance of SCA should not be underestimated. Our Opayo survey found that only 10% of merchants viewed SCA compliance as a top priority for their business. But while SCA processes aren’t new, they are now being tightened. Increased security is being introduced around authenticating the identities of both the merchants and the customers. 

There are three different types of authentications: face ID confirmation, push authorisation with a code, or confirmation of a purchase via a banking app. Going forward, two of those three will have to be used for every transaction. And these new, stricter regulations mean merchants now have to authenticate transactions. If you authenticate, you’re protected. 

However, if your volume of transactions means you don’t want to authenticate, you can ask your acquirer for an exemption pass. Whether you get that depends on your acquirer’s policies and on your fraud rate. The lower your fraud rate, the more confidence your acquirer will have in granting an exemption. 

Step 6. Stay alert to the balance between fraud and friction
 
As well as protecting themselves against criminals, merchants also have to consider whether their fraud-prevention tactics are stifling genuine transactions. As a business you suffer reputational damage if fraud happens and a customer is affected. But you also suffer reputational damage if your fraud-prevention techniques mean that your customers can’t complete genuine transactions. 

This is a tricky balancing act. The key is to keep looking retrospectively at transactions. That way you gain a full understanding of what’s being written off and how much is fraudulent, and you can question how much could have been converted to successful sales – and how to adjust what you’re doing in the light of that.

Want to know more? Get in touch! 

If you missed our Fraud & Changing Threats to Retailers, or you’d like to watch it again, just click here to see our catch-up video. 

If you have further questions about online fraud prevention, or want to know how we can support you, or need specialist advice and guidance on fraud prevention, call us on 0191 313 0300, email support@opayo.io or visit our hub opayo.co.uk/sca