Many consumers and small business owners see fraud as an isolated or random problem, but the fact is that ecommerce fraud is an organized global industry that takes many forms.
In the wake of multiple major breaches of consumer data, there's a robust underground market in stolen identities and card numbers. These are the raw materials fraudsters use to commit crimes ranging from simple online payment fraud to more complex schemes that can combine bots, stolen data, online purchases, account hijacking, and in-store fraud. Fighting criminals who are organized, widespread, and armed with millions of data files requires more than just consumer and merchant awareness. Every player in the ecommerce ecosystem has a role to perform in the fight against fraud, and those roles interlock to make a more resilient, fraud-resistant environment.
Consumers are at the heart of the ecommerce ecosystem, making purchases and driving demand for particular products. They're also at the heart of online fraudsters' business, because stolen data on creditworthy consumers can fuel lucrative schemes. Personal finance experts encourage consumers to monitor their accounts, beware of scams, shop only on secure sites, and report stolen cards and suspicious transactions. But the federal government's page on reporting consumer fraud shows why it's so hard for consumers to fully protect themselves: the list of fraud tactics is very long.
Ecommerce merchants are constantly fighting fraud. During peak sales seasons, up to 43% of the orders they get may be fraudulent, according to LexisNexis' 2017 True Cost of Fraud Survey. Blocking those orders requires multiple layers of security measures provided by internal teams, third-party consumer information providers and screening services, and machine learning tools. Merchants also have to guard their clients' data with good internal security practices and careful selection of secure vendors to prevent breaches. When breaches are detected, merchants are responsible for reporting them to law enforcement and affected customers.
The third-party services many merchants rely on to screen orders for fraud or authenticate customers' identities must make sure the data they use to build algorithms and check identities is correct, complete, and continuously updated with client feedback. Like ecommerce merchants, these service providers must maintain networks that shield their clients' data from would-be intruders.
Banks that serve merchants have to fight fraud on more than one front, just as their customers do. Banks reward merchants who keep their chargeback fraud rates down by charging lower processing fees, and they penalize merchants who don't control fraud by charging penalties, raising fees, and in some cases, closing those merchants' accounts. Banks also have to watch out for fraudsters who want to open accounts with false credentials or hijack existing customers' accounts. To reduce their risk, proactive banks carefully validate customer data, implement identity security measures for their customers, and get to know their customers and their banking habits.
Banks work with card companies, who also impose penalties on merchants with excessive fraud. Card companies also deal with reports of card loss, theft, and fraud from consumers and flag suspicious transactions for their customers to review. Brands like Visa and MasterCard publish a tremendous amount of information for businesses on best practices to prevent, detect, and combat fraud. They also report information to credit bureaus.
Credit bureaus and credit monitoring services are a nexus in the ecosystem where information from consumers, merchants, banks, and card issuers comes together. Besides collecting information that lenders can use to evaluate applicants, credit bureaus also work with individuals to freeze credit files on request, correct errors in credit reports, and help with identity theft recovery. Because credit bureaus handle so much prized consumer data, they are also a target for data thieves and fraudsters, as the 2017 Equifax data breach showed. That means they, like merchants, banks, and other service providers in the ecosystem, have a duty to keep their systems up to date and fully secured.
Tech companies are part of the ecosystem too, because fraudsters often try to use their email services and social media platforms to take over accounts, scam users, and commit other crimes. NPR recently reported on the rising number of tech firms that are staffing their fraud-investigation teams with former law enforcement agents, from local police departments to the Secret Service. These experts ferret out fraud and alert law enforcement when there's evidence of a crime, which protects the tech companies and individual users.
Law enforcement may not get much press in discussions of ecommerce fraud and identity theft, but in the US, filing a local police report is always the recommended first step for consumers who've been the victims of credit card or identity theft. And although fraudsters are hard to catch, international agencies do coordinate major roundups of fraud suspects, with support from other ecosystem players including banks and merchants.
Prosecutors and the courts are another little-discussed part of the fraud-prevention ecosystem. Even fraudsters who serve prison time may revert to their previous habits, which is why agents will sometimes work with convicted fraudsters to help them "switch sides" and help agencies and private companies fight fraud instead.
The fact that so many agencies, businesses, and individuals have to work together shows how valuable consumer data is to criminals, and how persistent criminals are in pursuing and exploiting that data. To fight fraudsters effectively, each player in the ecommerce fraud prevention network needs to monitor their own information and share data only with trusted partners. Most importantly, they need to keep communication open with others in the ecosystem, because the more information fraud-fighters have, the safer everyone's data will be.
About the Author: Rafael Lourenco is Executive Vice President at ClearSale, a Card-Not-Present fraud prevention operation that protects ecommerce merchants against chargebacks. The company's flagship product, Total Guaranteed Protection, is an end-to-end outsourced fraud detection solution for online retailers.