There’s a lot to be vigilant about between now and the year 2020. Online payment fraud just won’t stop growing. And gift card scams aren’t going away either (but at least here’s a free white paper on how to avoid that problem). Card-not-present (CNP) transactions account for 60% to 70% of all card fraud in many developed countries, according to Juniper Research. And it’s increasing.
Research from Worldpay also provides a grim view of the current online fraud landscape. As we looked through both Juniper Research’s Online Payment Fraud Whitepaper and Worldpay’s Fraud Trends 2016: Latest perspectives on international ecommerce fraud, we thought it will be great to synthesize both reports into one breathtaking article (mostly because we’re still catching our breath from this task). So, let’s take a look at online payment fraud from causation, merchant losses and approaches, all the way to the state of fraud in 2020.
Lil’ Anecdote on Both Reports
Juniper Research’s report delves into the market of ecommerce fraud, methods for overcoming challenges, and a vendor assessment. Worldpay’s report provides quantitative and qualitative research from ecommerce merchants regarding payment fraud.
Here's Something You'll Like
I. Current State of Online Fraud
Merchants in the United States are overwhelmingly targeted by fraudsters. In September 2014, the US experienced 52% of total attack volume, with the United Kingdom, China, and the Netherlands experiencing 9%, 8%, and 6% of attack volume, respectively.
Among ecommerce merchants, airlines are statistically most affected by fraudulent transactions. Nearly half, 46%, of fraudulent transactions come from airline merchants. Money transfer companies are a distant second, representing 16% of fraudulent transactions.
From the retailer perspective, general retail and clothing retail experience 14% of total fraudulent transactions. Online computer and electronics merchants experience 13% of overall ecommerce payment fraud.
II. Potential Causes for Growing Online Fraud
Payment fraud affects both card-present and card not present merchants, but it’s astoundingly more prevalent in CNP transactions. Revenue lost to disputes for card-present merchants are 3 bps, while card not present merchants see losses exceeding 38 bps.
What’s behind the astounding CNP payment fraud rate? Juniper points to five main driving forces: ecommerce growth, increasing money flows, use of mobile payments, frequent data breaches, and the post-EMV CNP fraud influx.
The aforementioned driving forces make sense for growing rates true fraud, but have little relevance when it comes to the types of fraud responsible for over 70% of fraud losses. Research from LexisNexis as well as our own internal data continuously shows that the misuse of chargeback rights is the leading cause of fraud losses, while actual payment fraud committed by identity thieves and other criminals results in less than 30% of a merchant’s overall losses to fraud.
Which then begs the question, why are consumers misusing their chargeback rights more frequently, resulting in increasing rates of online fraud? There are several factors contributing to the rise of chargeback fraud and friendly fraud, including the increased ease with which cardholders can dispute purchases, consumer fear of falling victim to fraud, increased consumer awareness of their chargeback rights, and the exponential increase in difficulty for merchants to identify, aggregate, and submit compelling chargeback responses.
Ease of Initiating a Dispute
In order for a customer to dispute a transaction, they first must contact their issuing bank. Accomplishing this in a time before online banking would involve calling, mailing, or faxing your issuing bank. All of these options were time-consuming and arduous for a cardholder to perform unless they were fairly certain a transaction might be fraudulent.
Furthermore, online banking has also transformed how consumer interact with their bank statements and account activity. Credit card statements are no longer only a monthly occurrence warranting occasional review. Cardholders view their payment card activity in real-time and know the moment a pending charge hits their account.
A customer’s purchase history is often neatly displayed in their issuing bank’s online portal. Every line contains a merchant descriptor, and issuing banks like Capital One include additional relevant information for consumers regarding a specific transaction. With that added contextual information comes the ability to dispute a specific transaction with a click of a button.
A cardholder clicks on “File a Dispute”, answer a handful of questions, and the issuing bank is sent all the information it needs to review the dispute to determine if a chargeback is warranted.
It’s never been easier for customers to dispute a purchase. As a result, it’s likely that more consumers are doing so due to its convenience. If it’s easier to dispute the purchase than it is to contact the merchant for information, then consumers will most often choose the path of least resistance.
Consumer Fear of Falling Victim to True Fraud
It’s not just merchants who understand that fraud is a growing threat. In 2014, identity theft was the number one concern expressed in the Consumer Sentinel Network, which is a Federal Trade Commission database of consumer complaints. Among these identity theft complaint cases, 17% represented situations where thieves tried to use stolen personal data to commit credit card fraud.
Making matters worse, consumers in the United States have very little faith in the issuing banks’ ability to protect sensitive information. A 2014 survey revealed that just 9% of Americans were “very confident” that their credit card issuer would keep their data secure. At the same time, 29% of respondents said they were “somewhat confident”.
Clearly, consumers are fearful of falling victim to credit card fraud. Due to this fear, cardholders act swiftly to identify and report any and all transactions that appear mildly suspicious. Thereby resulting in more instances of disputes initiated for transactions that were actually authorized by the cardholder or a member of the cardholder’s family.
Increased Awareness of Chargeback Rights
It can be argued that the ongoing meteoric rise of ecommerce would not happen without chargeback rights. Chargeback rights provide cardholders with the necessary foundation of trust and faith so they may use their payment cards without fear of liability. These rights were first guaranteed by federal law aimed at protecting consumers, and are now expound upon by each major credit card company.
Once again, in a time before the abundance of information available on the internet, a cardholder would most likely have to sift through hundreds of pages of terms and agreements documents to learn about the scope of these rights. But in today’s world, card networks utilize their own zero liability guarantees as product differentiators in advertising and marketing messages to consumers. As such, consumers on the whole are more aware of their rights when they make a purchase using their credit card.
We recently surveyed customers actively participating in a returns process, and found that the majority of respondents knew what disputing a charge on their credit card meant. We found that 21% of respondents were unsure if they had ever disputed a charge, likely indicating they were unsure or unaware of the existence of their chargeback rights.
Merchants are at a disadvantage regarding customer disputes. This alone could contribute heartily to the rise of successful chargeback fraud and friendly fraud.
III. Types of Fraud Ecommerce Experiences
The Juniper Research study outlined numerous different attack methods used targeting ecommerce. All but one of the described methods were potential causes of true fraud, even though those losses represent just 29% of what a merchant losses to fraud in total.
Methods Resulting in True Fraud
The most popular ecommerce attack methods are, in order of prevalence: clean fraud, account takeover, identity fraud, affiliate fraud, and reshipping.
- Clean Fraud – Clean fraud is used to represent a transaction where the fraudster has managed to steal every piece of data required to carry out a purchase that passes a merchant’s typical preventative solutions.
- Account Takeover – A fraudster gains access to a cardholder’s funds by adding their information to the account or changing information like address and email.
- Identity Fraud – The fraudulent acquisition and use of sensitive personal information to conduct numerous crimes, including payment fraud.
- Affiliate Fraud – The fraudulent use of a company’s lead or referral programs to make a profit.
- Reshipping – A fraudster uses an unknowing participant (or “mule”) to package and reship merchandise purchased with stolen credit cards.
In order for fraudsters to apprehend the information needed to carry out clean fraud, account takeover, or identity fraud, they deploy several methods to get their hands on sensitive information. Juniper’s study provided botnets, phishing, whaling, pharming, and triangulation as the most commonly used methods of apprehension.
Methods Resulting in Chargeback Fraud or Friendly Fraud
The only method provided by Juniper as a the root of over 70% of fraud losses was friendly fraud. While that is correct, it’s only half of the story. The misuse of chargeback rights, either friendly fraud or chargeback fraud, are the methods by which the majority of fraud losses are surrendered.
In both chargeback fraud and friendly fraud, the merchant receives a chargeback because the cardholder denies making the purchase or receiving the order, yet the goods or services were actually received.
In instances of friendly fraud, the order might have been placed by a family member who is indeed authorized to use the credit card. Or, the cardholder could fail to recognize the merchant descriptor or simply forget the purchase was made. Ultimately, in friendly fraud there is no willful misuse of chargeback rights, just a misunderstanding.
Conversely, in cases of chargeback fraud, the cardholder is willingly and intentionally taking advantage of their right to dispute a transaction in order to retain the goods or services rendered as well as the monetary value associated with them. Chargeback fraud is essentially online shoplifting.
IV. Actual Costs Associated with Fraud
Merchants are losing much more than the replacement cost of goods lost to fraud. They’re also losing revenue to the shipping and insurance costs associated with the fraudulent transaction. Unfortunately, it doesn’t stop there. Merchants surrender even more revenue to the investment and operational costs of fraud-prevention solution, manual reviews, false positives and chargebacks.
Cost of Fraud Prevention Solutions
Fraud losses aren’t increasing due to a lack of fraud prevention. LexisNexis’ True Cost of Fraud 2016 study displayed clearly that fraud losses are increasing despite companies investing more in fraud prevention. Ecommerce merchants lost 1.39% of revenue to fraud, on average, in 2015, even though approximately $115,000 was spent annually on fraud mitigation.
Cost of Manual Reviews
Juniper found that manual reviews are still widely used by ecommerce merchants even though hundreds of thousands of dollars is spent annually on sophisticated fraud prevention solutions. Large merchants manually review around 7% of all orders. While small merchants review around 42% of all orders. Overall, the average manual review rate is 27% and 2.3% of those orders are rejected.
Cost of False Positives
False positives are a huge contributing factor in fraud losses — even larger than true fraud losses themselves. False positives, or legitimate transactions that are declined, run rampant in ecommerce. Financial institutions authorize over 96% of card present transactions, while less than 80% of card not present transactions are authorized.
In 2014, $118 billion in revenue was lost to false positives and $9 billion was lost to actual payment card fraud. Furthermore, the false positive decline rate is over 3 times the rate of existing card fraud.
Cost of Chargebacks
Payment processors and acquiring banks tack on chargeback fees. This results in more losses than the initial transaction amount for the merchant. The acquiring bank will settle the funds collected less their processing fees, network fees, and interchange fees. Individual chargeback fees range from $5 to $30 per chargeback. However, if disputes escalate to arbitration, merchants can incur fees in upwards of $500.
But it’s not just the fees associated with the chargeback for which merchants are responsible. They’re also losing the hours spent crafting chargeback responses and communicating with their payment processors and/or acquirers about the disputed purchase. How much revenue is your time worth? Furthermore, what opportunity costs are you incurring by not spending your time elsewhere?
V. How Merchants Approach Fraud
Worldpay’s study revealed that there is a general consensus among merchants that the more data, the better. Data points like Device ID are essential because they’re rich sources of insights and collected without creating friction in the customer experience.
More data translates into better transaction risk assessment and external data sources are even more valuable. Unfortunately, these external data sources such as device and behavioral information are not readily available within a business.
Data: An Aspirational Fraud Combatant
However, merchant’s also admitted the plethora of data available isn’t being fed into their fraud system. Furthermore, despite the fact that many businesses deploy real-time risk assessment, they feel that there is always more data that could be used to fight fraud.
Worldpay found that 58% of respondents know there’s lots of useful customer information within their business that’s not being used to fight fraud. In addition, respondents felt strongly that they could do more by creating fraud feedback loops with data they already have available. One of the respondents in Worldpay’s survey said, “[Often] the information is all there, and I could have told you it would result in a chargeback, but we did not have the data points.”
When it comes to the specificities of how merchants are looking to approach data as a fraud combatant, social media is a valuable external source and machine learning could hold the key in putting the hoards of data to use.
Over half of respondents, 52%, in Worldpay’s survey indicated they would like to make better use of social media data. Almost 60% of respondents are already using social media in their fraud review processes.
However, it’s inclusion is often limited to the manual review process, thus is viewed as time-consuming and largely subjective. Those performing the manual review typically make an assessment on validity of identity through factors including quantity of photos, conversations, and posts.
Another way merchants are using social media data is through social logins. The majority of merchants, 56%, reported that they would place greater trust in a customer who used social logins. But only if the profile is valid – which is difficult to ascertain without robust, automated means to determine profile validity.
Worldpay concluded that usage of social media data in fraud mitigation is still informal. Yet it is extremely useful when merchants have formalized, consistent, and time-efficient processes to harness it.
Hackers brag; friendly fraudsters openly confess. There is just so much user-generated data out there that you can use to challenge a chargeback. This article explains how to use this data promptly and effectively, so that the issuing bank takes your side in a case. Read more here.
Merchants largely agree that automating data analysis is useful for uncovering underlying trends that indicate fraudulent behaviour. Machine learning, when used a fraud prevention solution, seeks out customers behaving ‘unusually’ and provides suspicion scores, rules, or visual anomalies.
Whatever the output might be, it’s meant to be used as an indication of the likelihood of fraud. Merchants understand this fact, Worldpay reported that most business were aware that correlation does not equal causation. Yet merchants find considerable value in what’s uncovered, with one respondent saying, “We get things popping up in big data that no one would have thought to ask.”
However, there is a significant cost-benefit challenge for small and medium sized merchants seeking to incorporate machine learning into their business’ fraud prevention stack. “If your business experiences $1,000 in fraud losses each year and it would cost $3,000 per year to purchase fraud detection software,” writes Armando Roggio of Practical Ecommerce, “It might make more financial sense to suffer the fraud losses and move on.”
AI is here to stay and grow. So you might as well use it to your advantage for fraud prevention, dispute resolution and more responsibilities related to chargeback management. Here’s our take on how AI will shape these responsibilities. Let us know what you think. Read more here.
VI. Fraud in 2020
What does the future hold for online payment fraud? We already know that by 2020, ecommerce is expected to lose $31 billion to chargebacks. As such, 93% of fraud and payment experts responded to Worldpay’s survey indicating that they’re constantly planning ahead and are very interested in new technologies.
On the Business Level
Despite the future-focused outlook, just 63% of respondents felt completely in control of how fraud might impact their business in the future. They know that even though ecommerce companies are deploying better fraud detection solutions, fraudsters are cooking up ways to bypass those safeguards.
Moving forward, businesses understand the need for a portfolio of techniques to identify fraud. Items like Device ID are increasingly being paired with other aspects of user identity and the online journey. One respondent in Worldpay’s survey remarked. “The future will be much more data-driven — the decision has to be a yes or no and move on.”
However, the strides towards collecting large volumes of data and increasing automation does not mean an end to manual reviews. There is still an importance placed on manual reviews for high-risk transactions, where human interpretive and analytical skills are paramount. Worldpay concluded that effective fraud prevention strategies use machine learning not only to automatically approve or decline overtly legitimate or illegitimate transactions, but to also focus human resources on only high-priority cases.
Fraud’s Macro View
The Juniper Research study provided a more macro look at fraud in the future. Every party impacted by fraud (merchants, issuers, acquirers, processors, and service providers) understands the need for a collaborative approach to handling ecommerce fraud.
Unfortunately, existing legislation does not foster a collaborative approach. Instead each party is trying to pass the fraud liability to a different party downstream.Merchants, issuers, acquirers, processors, and service providers need to take a shared approach and commitment to combatting fraud on an enterprise and industry level.
The rising tide of ecommerce sales is also lifting the ships of fraudsters. Your company needs to be prepared from the beginning to the end of the transaction process — and we’re here to help. Schedule a free solution analysis today to see where your company stands now and what steps it needs to be protected from fraud losses in the future.