By Nick Mothershaw, Director of Fraud and Identity Solutions, Experian
Retailers are so concerned about fraudulent online purchases they are rejecting legitimate transactions from fear they may not be genuine, according to the latest research. It’s a tricky time for retailers. Last year cyber crime and fraud was added to the official national crime survey for England Wales for the first time, and a survey by the Office for National Statistics found fraud was the most common crime in England and Wales.
This year, fraud promises to loom large once again. As we reflect on Safer Internet Day, which took place on February 6, businesses should take a look at the scale of fraud affecting all types of commerce, but especially ecommerce where stolen identities, hijacked accounts and cards, and all kinds of malware can interfere.
Business must contend with criminals who are both organised and creative in their impersonation of honest customers. The best way to counter this is to make use of technologies to better identify the legitimate customers. Yet creating a layered security approach that protects customers without making their interactions and transactions feel less than smooth is no easy task.
Experian’s 2018 Global Fraud and Identity Report found that nearly two-thirds (66%) of consumers surveyed actually appreciate security protocols when transacting online, because it makes them feel protected. In some ways, consumers tolerate the nuisance of common barriers to accessing their accounts (e.g., forgetting their password or having to re-enter other security controls like CAPTCHA or PIN code) because they do understand that these higher frictions are creating better security.
Hearteningly, a lack of visible security was the number one reason why customers abandoned a transaction, by 27% of the consumers surveyed. Nonetheless, when it comes to online engagement, three-quarters (75%) of businesses are still interested in more advanced security measures and authentication processes that have little or no impact on the customer. Building trust through technology without disruption is increasingly the goal, but also the responsibility of businesses with online channels.
So for businesses, there is a delicate balance to achieve. They need to deliver an online experience that instils confidence, with security protocols that make customers feel safe and protected, but they need to allow for easy and convenient access so as not to annoy their customers, too.
It is a great irony that our biggest weapon against online fraud is also the source of our biggest vulnerability, too. The existing account setup process requires consumers to provide extensive personal information, answers to secret questions and passwords – but data breaches have exposed this information to fraudsters. Once stolen, this information can be used to facilitate fraudulent activity, giving personal information genuine value in illicit markets. As the potential windfall from digital fraud grows, so does the cybercriminal’s motivation to stay ahead of the latest detection strategies and technologies.
Cybercriminals are forever advancing the sophistication of their methods. Fraud is now moving between channels — such as web, call center, mobile, etc. — and new schemes, such as synthetic fraud (where criminals combine real and fake information to create a totally new identity), are constantly evolving.
Sadly, business executives aren’t very confident about their ability to protect their organisation and their customers from fraud: 54% of businesses are only ‘somewhat confident’ in their ability to detect fraudulent activity compared to only 40% who are ‘very confident’.
They admit that any existing measures were the product of reactive rather than proactive initiatives. Legacy technology challenges (integrating new and old solutions) also present barriers.
As businesses make strides in introducing innovative ways for customers to open accounts and/or transact online, they are still faced with challenges to overcome. Traditional solutions relied on behaviour patterns that helped businesses detect fraud. New solutions mean new online behaviour patterns, and the old benchmarks used in detecting anomalous activity that might signal fraud are no longer reliable. Consequently, as businesses innovate the digital experience, they feel increasingly vulnerable and not very confident in their ability to spot fraud.
Not surprisingly, pragmatic business executives focus on what they can control. In a climate where businesses aren’t very confident in their ability to address the ever-moving target of fraud detection, they choose instead to focus on happy customers as simply a cost of doing business. In other words, many businesses prioritise convenience over security and have come to terms with acceptable levels of losses.
Businesses are forever grappling with the tension between managing fraud and maintaining a positive customer experience. In most cases, the latter wins out, as evidenced by their willingness to accept higher fraud losses from authentication protocols that they concede might be deficient, but do not disrupt the user experience.
Whether it’s opening a new account, logging into an existing account or making a transaction, more than 50% of businesses say they still rely on passwords as their top form of authentication. Passwords win out among business leaders as their top form of authentication mainly because they are well-understood and customers have grown accustomed to them.
And on the other side of the fence, it’s not as if businesses are resigning themselves to fraud. Quite the contrary, their approach to fraud prevention errs on the side of suspicion and detection (71%) versus permission and trust (29%). They are clearly sensitive to the costs associated with fraud in dollar terms.
More than 67% say that a ‘fraudulent transaction not declined’ is costlier to the business than a ‘legitimate transaction that is declined’ perhaps not taking into account the cost of a negative experience. However, 69% are also concerned with the number of incorrectly declined customer transactions from overzealous fraud detection. That concern likely stems from the possibility of lost revenue, lost potential new customers and a compromised experience for existing customers.
What’s to be done? The more certain you are about a customer’s identity, the easier it will be to spot fraud. Simply put, if as a business you can recognise your customer, you can recognise fraud. When it comes to managing fraud risk, there is not a global one-size-fits-all solution. But there is a promising way forward. As we see it, customer recognition delivered through advanced, multi-layered solutions tailored to the customer experience, is the future of fraud prevention.