An Overview of Payment Fraud and Prevention in eCommerce

The future of the online payments industry is looking very promising for consumers and merchants alike, but the always-looming specter of fraud continues to be a material concern.

Naturally, the onset of COVID-19 and its disruption to the marketplace added another layer of complication; with online transactions soaring due to brick-and-mortar closings, fraud is more of a concern than ever in the eCommerce landscape.

I recently hosted a 2Checkout webinar featuring Una Dillon, Managing Director for the Merchant Risk Council (MRC), an international non-profit member organization connecting thousands of individuals and businesses who work in the fraud and payments industry.

During her presentation, “Payment Fraud Prevention: An eCommerce Industry-Wide Perspective,” Una spoke in depth about:

• The importance of collaborating and engaging with peers within your specific industry, as well as through a community like the MRC, to learn more about fraud prevention
• Strong Customer Authentication (SCA)—how it is helping to prevent fraud, and what’s next on the horizon
• The MRC Annual Fraud Survey results, and trends to watch for.

Networking Key to Preventing Fraud

Collaboration within the eCommerce community is hugely important, Una pointed out, and the MRC provides a number of services to facilitate this, including networking opportunities (during the current COVID pandemic these are predominantly virtual), conferences, programs such as an online discussion forums, and other resources including webinars and a member portal with a library of available information.

Una pointed out that 85% of the major global eCommerce brands are members of the MRC. MRC members are mostly merchants (72%), Una shared, followed by solutions providers such as 2Checkout (17%), as well as law enforcement (8%), with 2% from ancillary services and 1% from credit card agencies.

The top business verticals of MRC members are digital goods; travel and tourism; apparel, clothing, and accessories; mass merchant/marketplace; specialty goods; and health and beauty.

SCA: Background, Requirements, and Upcoming Deadlines

Fraud prevention, in eCommerce, and, in particular, within the payments industry, has evolved over time, Una explained. An important piece of PSD, and now PSD2, is Strong Consumer Authentication (SCA), with which compliance is required by the end of December, 2020.

SCA consists of three things to authenticate payments:

• Something you, the cardholder, HAS—a phone, for example
• Something you KNOW—a pin or password
• Something you ARE—a fingerprint or something else that is unique to you

As a merchant, you are required to confirm that your customer is a legitimate buyer, and merchants have been working hard to become compliant with the SCA requirements. Of course, the COVID pandemic has complicated their efforts.

There have been SCA exemptions established by the EBA, Una pointed out, as it became clear, over time, that using SCA was not as critical in certain payment situations:

• Low-value transactions
• Recurring transactions, like Netflix; where only the first transaction must be verified with SCA
• Trusted beneficiaries; a cardholder can white-list a merchant they use all the time
• Secure corporate exemptions, corporate card transactions like travel or hotel
• Transactions that have undergone risk analysis.

Fraud Insights from the Market

In 2019, the MRC, in conjunction with CyberSource, conducted its biennial Global Fraud Survey to provide MRC members with insights on how merchants around the world mitigate online fraud and risk.

Una discussed three key areas of the survey results: the three most pervasive types of fraud attacks; the most popular fraud detection tools in use; and the top challenges merchants face today in fraud prevention.

Three Most Common Types of Fraud Attack

1. Clean fraud, the survey results showed, is the most common, topping the list with 28% of respondents. Una explained that clean fraud is the type where a criminal has jumped through all the hoops to make it look like a legitimate transaction, with a significant amount of information leading the merchant to believe so. 3D Secure and SCA can help eliminate clean fraud, Una said.
2. Phishing/Pharming/Whaling were also among the top attacks, according to the survey results. Criminals sending clever emails with a link—known as phishing—is still widely used and unfortunately a successful ploy with many consumers. With pharming, fraudsters redirect consumers from a site they are viewing to a fake website that looks like a legitimate retail site. Whaling is fraud at the highest level of a corporation, where criminals target a CEO, for example, with an email that might look like it comes directly from the corporation’s own security team.
3. Money laundering was reported by the survey results as the third most common type of attack, Una pointed out. Money launderingis the illegal process of making large amounts of money generated by a criminal activity appear to have come from a legitimate source.

Other types of fraud attacks reported by the MRC survey respondents, in lower numbers, included account takeover, identity theft, coupon/discount/refund abuse, and triangulation schemes.

Fraud Detection Tools in Use

The most common types of detection tools being used by respondents fell into four categories:

1. Validation services—CVN, AVS, telephone number confirmation, etc.
2. Proprietary data/negative customer lists
3. Multi-merchant data/purchase history—shared negative lists, for example
4. Purchase “device tracking,” like device fingerprinting

Una emphasized that merchants who employ a wide variety of tools are generally more successful, and although fraud security can be outsourced, it can be more effective to train an in-house team to do security.

Top Challenges Merchants Face

1. Lack of sufficient internal resources. Cross-training of employees is key, Una said, and ensuring that your fraud tool functionality is strong—“missing certain tools can mean that fraud is leaking through.”
2. Identifying and responding to emerging fraud, which requires time and resources. With international expansion, there are new types of fraud activity to watch out for; additionally, there can be a gap between the fraud and sales teams. The survey report also cited lack of internal expertise in fraud, and not properly updating fraud risk models, as challenges.
3. Increased risks during the COVID pandemic. Criminals are taking advantage of the disruption of the workplace—remote work, employees out sick, reduced capacity—with friendly fraud and account takeovers.

To view the entire webinar and the other insights Una and I shared, please visit our hosted presentation here.