The Equifax breach threatens to boost holiday season payment fraud


The holiday shopping season is always a big gift to fraudsters. Meanwhile, retailers rarely get what's on their lists: more revenue, fewer chargebacks, and stronger customer relationships.

Unfortunately, the holiday-season fraud problem is growing year over year. There was a huge spike in e-commerce fraud between 2015 and last year, reaching 33%, according to Experian. The problem could be even worse this year, thanks to a new round of consumer data breaches, including the huge Equifax breach that exposed protected data on more than 145 million Americans. To make the holiday season safer, there are steps you can take now to review and reinforce your store's fraud-prevention practices.

Account takeover fraud, in which criminals hack into store customers' accounts to make their own purchases, was already on the rise before thieves gained access to Equifax data. Now, fraudsters have much more data they can use to identify vulnerable accounts, access them, change the email address and password, and go shopping on the customer's cards. This can lead to major chargeback losses for merchants as well as damaged relationships with customers.

To detect account takeover fraud, you will need to use multiple factors to verify the customer's identity each time they shop with you. Logins from new devices, larger than usual orders, dramatic location changes, and multiple attempts to log in are some of the indicators that the order needs manual verification. You can also configure your site to lock customer accounts after several failed login attempts and send an alert to their email or smartphone.
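The indicators listed above, sketched as an added example (not code from the article or from any fraud-screening product). The thresholds, field names and decision labels are assumptions chosen for illustration; flagged orders are routed to manual review rather than declined.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Illustrative thresholds (assumptions, not values from the article).
LOCK_AFTER_FAILURES = 5      # lock the account and alert the customer
FLAG_AFTER_FAILURES = 2      # repeated failures before a successful login
LARGE_ORDER_FACTOR = 3.0     # order is this many times the customer's average
LOCATION_JUMP_KM = 1000      # distance from the last known order location

@dataclass
class Account:
    known_devices: set
    avg_order: float
    last_location: tuple     # (latitude, longitude) of the previous order
    failed_logins: int = 0   # a real site would reset this after a verified login
    locked: bool = False

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def record_failed_login(acct):
    """Count a failed login; lock the account once the limit is reached."""
    acct.failed_logins += 1
    if acct.failed_logins >= LOCK_AFTER_FAILURES:
        acct.locked = True
        return "lock_and_alert"   # caller sends the email/SMS alert
    return "retry_allowed"

def review_order(acct, device_id, amount, location):
    """Return (decision, flags). Flags trigger manual review, not a decline."""
    if acct.locked:
        return "blocked", ["account_locked"]
    flags = []
    if device_id not in acct.known_devices:
        flags.append("new_device")
    if amount > LARGE_ORDER_FACTOR * acct.avg_order:
        flags.append("large_order")
    if km_between(acct.last_location, location) > LOCATION_JUMP_KM:
        flags.append("location_change")
    if acct.failed_logins >= FLAG_AFTER_FAILURES:
        flags.append("repeated_login_failures")
    return ("manual_review" if flags else "approve"), flags

if __name__ == "__main__":
    # Constructed sample account and orders.
    acct = Account({"dev-a"}, 80.0, (40.71, -74.01))
    print(review_order(acct, "dev-a", 95.0, (40.73, -73.99)))
    print(review_order(acct, "dev-x", 900.0, (34.05, -118.24)))
```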

Fraudsters are always on the move and changing tactics, so static fraud-detection data that was accurate last holiday season may be nearly useless this year. For example, Experian found that of the 100 US zip codes with the highest risk for fraud in 2017, 70 of them were not on the 2016 list. And location alone is not a reliable measure of fraud, because many good customers—especially those with high net worth and disposable income—shop on the go as they travel. Declining one of their orders can cause problems that go beyond lost sales. Many customers will never shop at a store again after a false decline. Some will take their rejection to social media, eroding trust with your target market.

Express or overnight shipping is another example of a factor that could indicate fraud—most fraudsters prefer to get items for resale fast, before their scam is discovered—or could indicate a valid customer who's counting on your business to get a gift to someone on time. Canceling the order based on automated shipping-method flags is going to create ill will with these shoppers. To avoid that, ensure that analysis of orders draws on real-time data and customer behavior, which might require some human touch.

When an order raises red flags for fraud, it's best to have it manually reviewed. Having a person reach out to the customer on each flagged order can be a logistical and staffing challenge during holiday sales peaks, but meeting the challenge can pay off over the long term. When someone from your business reaches out to the customer, it greatly reduces the likelihood of a false decline, because humans understand context and nuances that machines cannot.

That outreach protects your store's revenue and reputation going forward. It also increases the customer's trust in your store, because he or she knows you're watching out for them. That trust can boost the lifetime value of the customer to your business and help you gain word of mouth referrals. The only potential downside to adding human outreach to order analysis is the time involved. For businesses without the staff or training resources to devote to this, it may make more sense to contract out the customer outreach portion of order analysis.

One other element that could contribute to a spike in account takeover fraud this holiday season is phishing. Experts predicted a phishing frenzy after the Equifax breach. Indeed, Equifax itself got ensnared in a phishing scam when it accidentally directed consumers to a post-breach help page that spoofed its own, which shows just how pervasive the problem is.

Armed with this trove of new data, thieves are already posing as major banks to try to trick consumers into sharing missing pieces of data needed to steal their payment information and identities. Criminals could easily take the same approach by spoofing retailers to steal more data from their customer accountholders. Now is a good time to create a campaign to remind your customers that your company will never ask for their passwords via email, phone, or text.

By reviewing all of these security elements now, before the holiday shopping season kicks into high gear, you can protect your revenue, reduce your chargeback costs, and keep your real customers happy, all things that are at the top of online retailers' holiday wish lists.
