As retailers have enhanced their technical and business operations to better serve consumers across several channels, there has been a gap in dealing with fraudsters who are also adopting a cross channel approach. In this respect, it is interesting to see all the exceptions to a standard ‘purchase’ transaction, particularly returned goods, which has been a specific area where different customer points of interaction did not properly communicate with each other. This means that fraudsters are targeting the loopholes that have appeared due to the lack of connectivity across channels.
Edgar, Dunn & Company (EDC) has found that many retailers do not treat different customer points of interaction individually, instead they take into account consumer behaviour and location to build a fraud strategy for each point of interaction – whether it is call centre, in-store customer service desk, a click and collect service desk, online, or at the point-of-sale. Retailers are aiming to ensure a seamless customer experience across channels and they should equally tackle fraud across all channels. They need a cross-channel view of their customer’s purchasing history, browsing history and preferred channel history – in-store, on a smartphone, on a tablet, on a laptop, on a desktop, via an in-store kiosk – to ensure that a customer is a good customer and not deviating from their normal channel behaviour. Transacting with retailers is now omni-channel.
Declining a customer that is a good customer can lead to dramatic and detrimental customer behaviours. This is commonly the case where a customer could be known to be ‘good’ on a certain device but then uses a different device and he is declined when engaging with the retailer simply because the fraud detection rules are not updated for the new device.
As merchants aim to serve customers across channels, fraudsters are also using the lack of joined up thinking by impersonating a service centre. They will cold call a customer, for example, claiming that their credit card or bank account has been subject to fraud during the transaction with the retailer. This will determine the customer to reveal information about the transaction and fraudsters will be able to change the arrangements for collection of the goods. The call will seem genuine and fraudsters will often quote titbits of the individual’s confidential transaction history information, such as their full name, address, account numbers, etc. – all information that the fraudster gleaned from an earlier hack of a retailer or financial institution. The ability to create a profile of a target customer is progressively easier to achieve by organised criminals operating at a distance.
Usually, the fraudster will spoof the collection arrangements and change the location to a store more convenient from him to pick-up the goods. This information is meant to make the conversation more credible, luring the customer into revealing additional information that can be used to arrange the collection of their new purchased items. These products can afterwards be quickly sold on auction websites.
Another example would be fraudsters who send targeted phishing emails on behalf of the retailer or the bank in order to capture information about the customer.
Fraud protection vendors are most concerned about evolving methods of phone fraud, especially because it is the least protected area when it comes to card-not-protected (CNP) transactions, and therefore, the most vulnerable means of attack in a multi-channel environments, as found in large modern retailers.
Alternative forms of payment
A lot of retailers and fraud prevention vendors commonly collect fraud statistics for legacy products such as debit and credit cards. The more innovative retailers are issuing and accepting mobile wallets, carrier billing, prepaid payment products, loyalty and reward products, gift cards, social and peer-to-peer payment products. Multichannel retailers are even starting to accept bank transfers such as Barclay’s Pingit. As consumers become more familiar with Apple Pay and in-app purchases they are expected to gradually become more adventurous in the selection of different methods of payment in different points of interaction with the retailer. If the store is closed, Pingit app can be used by scanning a QR code on the shop window next to the goods on sale. However, the point of interaction could most likely be on an advertisement at a bus stop or at the back of a taxi, not necessarily in the store.
Fraudsters are able to program a smartphone to act as a false POS terminal, deface a QR code to redirect funds to another account, or even make a smartphone to act as a false payment card. An attack that used to require insightful hardware engineering at the POS to by-pass EMV technology is now just a software app. The emergence of new sales channels (and the integration between these channels) unfortunately enables fraudsters to ‘play one channel against another’, or identify potential cracks in omni-channel processes.
Fraud is an ever-evolving art and fraudsters are very creative in leveraging the retailer’s lack of fully integrated multi-channel solutions. They are already preparing for a new wave of alternative payment methods in order to trick consumers at a wide variety of retailer interactions.