
Shape-shifting fraudsters will always be on the lookout for new weaknesses to exploit, despite SCA

Shagun Varshney, Senior Product Manager, Payment Solutions at Signifyd 

When new technology paves the way for ecommerce retailers to clamp down on one form of fraud, you can count on fraudsters to find a new scheme just as quickly. Ultimately, fraudsters are entrepreneurs, constantly testing and searching for new and better ways to take advantage of brands and merchants online. And no matter how quickly merchants try to fight back, battling to protect themselves from fraud whilst maintaining a safe and seamless customer experience, the fraudsters will frequently be one step ahead.

So with a new barrier in the form of SCA, or strong customer authentication (the new payment regulation in place in much of Europe and coming in the near future to the UK), fraudsters are already looking for more complex ways to attack that go beyond the payment process, blending seamlessly into the wider customer journey.

The conversation around shape-shifting fraud rings is increasing among fraud experts, which means the talk among fraudsters themselves has been going on for some time now.

“Bad actors are broadening their focus beyond payments, targeting touchpoints across the customer journey,” according to a recent report by consultancy 451. “While areas such as login, promotions and returns have traditionally fallen outside of the remit of most fraud teams, the proliferation of fraud across the customer journey will increasingly require enterprises to take a holistic view of fraud management.”

SCA will secure the checkout process but don’t overlook the impact on the rest of the journey

The SCA requirement, part of the payment regulation known as PSD2, will undoubtedly make online transactions more secure at checkout. It requires that online buyers use two out of three methods to identify themselves. In short, buyers must be identified by two of the following:

  • Something they know (such as a one-time passcode sent via text).
  • Something they own (such as a mobile phone identified by digital fingerprint).
  • Something they are (such as an actual fingerprint identified through a biometric reader).

The enforcement of SCA is meant to protect consumers and the online merchants and brands they shop with by adding extra assurance that the buyer using a credit or debit card on a merchant’s site really is the rightful owner of the plastic. 

There are exceptions, cases in which SCA is not required, but fraudsters will seep into those transactions, which make for easier targets.

Fraud rings will broaden their horizons and look beyond traditional payments fraud. Policy and return abuse will become a rich new field of foul play for criminals, who will settle into new schemes to score free products and refunds that aren’t actually deserved.

Some experts have predicted that such attacks, sometimes called “friendly fraud” or “consumer abuse,” will actually grow faster than payments fraud in the coming months and years. Fraudsters will shift to abuse because that’s where the vulnerability is. 

Consumer abuse, including return abuse, has already been on the rise as unscrupulous consumers and professional fraud rings realise the profit potential of cheating brands and merchants. More than 30% of UK consumers admitted they had falsely claimed that an online order never arrived or that a satisfactory order was unsatisfactory when it did arrive. Another 36% said they’d falsely claimed that they never charged an item that they actually had. And 32% admitted to breaking discount or promotion rules by falsely claiming to be a first-time customer or by using a one-time-only discount more than once.

Professional fraudsters are sharing tips and tricks to profit from policy abuse

There is further evidence in the data that abuse is spreading beyond consumers who see an opportunity to score free goods. Signifyd’s global Consumer Abuse Index saw a dramatic rise in nefarious activity that coincided with the start of the pandemic and has not let up. The index finished 2020 five times higher than it was at the beginning of the pandemic. And it remained elevated, sitting during the first quarter of 2021 nearly 200% higher than it was in early 2020. 

Return fraud is also a growing problem, with an estimate that return fraud cost brands and retailers $43 billion last year, when you factor in the cost of return shipping, inspection, restocking or otherwise disposing of returned goods. 

And now criminal rings have built return fraud from a cottage industry into something larger. Return fraud rings swap tips and advertise their returns skill on common internet sites and the dark web. These underground outfits take a cut, say 15% to 40%, of the refund. In return they do the talking with the retailer, fabricating some complaint or customer service flaw that produces the ill-gotten refund. Sometimes retailers tell the underground return agency to simply keep the product. Other times, after promising the retailer they’ll send a product back, the return firms take a different approach. Instead of shipping back those expensive jeans or that smartphone, they ship back a knock-off of the product, a broken version from around the house, or an empty box.

A modern approach to commerce protection needs to consider the entire buying journey.

Although SCA makes ecommerce transactions more secure, it provides protection in only one major area of fraud. We know that fraud is quickly expanding beyond the transaction stage and therefore requires more vigilance across the entire customer journey. When it comes to online fraud and abuse, merchants cannot be too well-protected from the ever-evolving professional fraudsters.

The new era of ecommerce calls for risk management and fraud protection that anticipates an agile adversary and a whole range of different order types — some requiring SCA, some exempt, some that require SCA under certain circumstances, but not under other circumstances. In short, protection that has expanded holistically to protect ecommerce retailers beyond payments fraud.