Security and Risk Online: Get ahead of online fraud this holiday season



Holiday shopping has changed a lot in the last few years with major online shopping events from around the world gaining popularity in Australia. This year’s Black Friday and Cyber Monday sales were one of the biggest online shopping days in Australia, kicking off the pre-Christmas rush. Cyber Monday broke records in the US hitting US$3.45 billion in online sales, up 12 per cent from last year with Australia and the rest of the world following suit.

But with the increase in online holiday shopping comes a commensurate increase in the instances of fraud. Australian internet businesses suffer dramatically more card fraud than the global average, with online fraud rising by 38% between 2014 — 2015, compared to the global average of 13%.

It’s a lesser-known quirk of the financial industry that, unlike their brick-and-mortar counterparts, online businesses are responsible for not only detecting fraud, but also paying the associated costs. On average, every $1 of fraudulent orders costs an online business an additional $2.69. A couple of weeks ago a foreign syndicate was busted by the Australian Federal Police for the theft of more than 30,000 Australian credit cards, spending more than $30 million. A hefty sum, for sure, but nothing close to the US$32 billion that online retailers spent preventing and remediating hacks in 2015. Online businesses are also susceptible to a wider range of fraud schemes, including credit card fraud, payout scams and faux refunds.

So as the holiday sales kick off, what can online businesses do about it?

The basics: getting started with fraud prevention

To begin, businesses should examine the address verification code (a postcode that matches what’s on file with the cardholder’s bank), require a card verification code (the 3- or 4-digit code on their card), and delay shipping. The latter step is especially helpful for expensive items, as it provides a safety window when the actual cardholder might flag a large fraudulent purchase.

However, these checks aren’t foolproof: Legitimate customers can easily enter a typo in their street address or move and forget to update their billing zip code, resulting in false positives, and fraudsters are often able to buy stolen credit card numbers together with their card verification codes.

The next step is manual reviews: Many business rely on employees to audit transactions and create complex, custom rules (such as, “temporarily block all orders over $500 until reviewed and approved”). All of this sound pretty complicated and manual. The answer? Machine learning.

Let machines do the heavy-lifting

Thanks to recent advances in machine learning and AI, businesses today can analyse millions of online transactions and identify buying patterns across large numbers of retailers, spotting outliers in real-time and flagging odd charges long before a human analyst would spot a problem.

Sift Science offers machine-learning-based fraud detection trained on a business’s data; other tools like Riskified and Signifyd offer chargeback insurance, screening every charge for a fee, blocking suspicious purchase, and compensating their customers when they failed to block fraud.

Stripe’s fraud tool, Radar, constantly learns from the hundreds of thousands of businesses taking payments through Stripe around the world. This new approach enabled Watsi, a global funding platform for medical treatments, to block more than $40 million in attempted fraud over a two-month span, all with limited to no human involvement.

Don’t leave money on the table

Of course, the difficulty with fraud is that pre-emptively blocking too many transactions means foregoing legitimate purchases too. In theory, you could prevent fraud from Southeast Asia by blocking all transactions from Southeast Asia; but that approach means you’d also be foregoing legitimate transactions from one of the world’s most populous regions.

So even once you’ve implemented tools for preventing fraud, it’s important to remember that your ultimate goal isn’t blocking fraud — it’s maximizing revenue. This means you should:

1. Consider multiple metrics: Don’t just focus on one metric like false positive rate (legitimate transactions that you’re blocking) or dispute rate. After all, you can easily make the former zero by not trying to catch any fraud (and the latter zero by not accepting any payments). Your overall fraud protection approach will offer a trade-off between false positives and false negatives, and you should understand what that trade-off is and what is optimal for your business. This break-even calculator can give you an example of the kind of calculations it can be helpful to do.

2. Find your “healthy” dispute rate: Unsurprisingly, fraud varies by sector. For example, the median fraud rate for retail is 0.02 per cent, while for nonprofits it’s 0.1%. Once you know your industry’s rate, compare it to your business’ unique situation and data to identify a “healthy” fraud benchmark. Trying to drive your dispute rate far below what is natural for your sector can be more effort than it’s worth.

3. Always be measuring: No matter what solution you choose, be rigorous in assessing efficacy. For example, if you’re manually customising rules, you can evaluate their performance by backtesting them or by running A/B tests in real-time. Don’t rely on intuition that tells you all payments from a certain region, or at a certain time of day, are fraudulent. Formulate your hypothesis and validate it with data!

On the internet, the only constant is change itself. As consumer behaviour and fraud schemes continue to evolve, businesses that want to maximise their revenue this holiday season — and year round — should be using modern fraud defences that can adapt and help them stay a step ahead of fraudsters.