There's an old saying that sunlight is the best disinfectant. Shedding some light on just what the bad guys want — and why and how they are angling to get it — means that the financial services ecosystem can effectively head them off at the pass.
Mari Anne Bayliss, senior director of solution management at CyberSource, told Karen Webster that simply relying on machine learning as a weapon against fraud is not enough — not in an age where managing fraud risk during the great digital shift (and unprecedented transaction volumes) is so challenging.
Merchants “have had to pivot, quickly, to an online presence," noted Bayliss. "Some did it really well, and some have struggled a bit.” Among the biggest challenges has been compliance, as so many organizations have had to have call centers, back-end operations and fraud teams work from home.
The challenge has been magnified by broad swaths of consumers who had never before shopped online now embracing online commerce. And for some retailers, it can seem as if every day is Black Friday — not just for larger, well-established players, but also for small to medium-sized businesses (SMBs).
“There is lots of fraudulent activity as well, because the attacks and the fraudsters have been following the money,” said Bayliss.
Among the schemes du jour during the pandemic: phishing attacks, of course. Bayliss noted that well-organized, coordinated phishing attacks could be bewildering to consumers as fraudsters look to gather data and take over accounts — targeting passwords, for instance. In just a few examples, emails and sites have lured victims by claiming to be from the World Health Organization (WHO) or promising to help with stimulus payments.
“It becomes really hard for consumers to differentiate between what’s genuine or not,” she told Webster. “And it becomes hard for merchants to spot this because fraudsters have been taking over good customers’ accounts.”
Lying In Wait
And, of course, the malevolent lie in wait. They don’t strike quickly, or with full force. They may test cards, or not. They may wait six months, 12 months or 18 months. (Remember, the fraudsters are on lockdown themselves.)
But when fraud does occur, victims may blame the banks or the merchants, which Bayliss said can have a “massive” reputational impact.
“What COVID has done is driven up the activity, but [also] has exposed it to merchants who perhaps wouldn’t normally be exposed because transactions would traditionally be in-store. It’s almost like a perfect storm,” Bayliss said. “We’re all strapped to our desktops more than we ever have been.”
That can create vulnerabilities for, say, restaurants that have moved to online ordering and (doorstep) delivery models with customers they’ve never encountered during card-not-present transactions.
“Merchants need to understand who’s shopping online,” said Bayliss. To gain that insight, she said it’s important to partner with firms to outsource at least some fraud prevention efforts. After all, an outsourced relationship can compensate for the fact that most firms, especially smaller ones, do not have fraud experts in-house — and platforms have the benefit of viewing data holistically.
“There’s no silver bullet,” said Bayliss, but successful defenses require a mixture of big data analytics, machine learning and — in these unprecedented times — the acknowledgment that historical data may be of limited use.
“You do still need that human touch,” said Bayliss of this layered approach, looking at and reacting to fraud trends on almost a merchant-by-merchant basis. “As the models look at these different behaviors or start to incorporate these different patterns of behavior, we will be better able to spot pattern changes.”
To get that balance between human- and machine-led efforts to pinpoint fraud, merchants have to let the fraudsters in just a bit to pinpoint anomalous activity and stop it before any transactions get through. As a rule of thumb: You can’t learn about fraud unless you see it.
“If your goal is 100 percent fraud-free, your guest customer decline rate will be huge,” warned Bayliss. “If you’ve got the balance, you’re actually driving revenue.”
After all, Bayliss herself once worked in retail and said her bosses didn’t measure her performance “on how much fraud I prevented, [but] on how many good customers I didn’t decline and the revenue that I drove. … My least important KPI was actually fraud. Of course, I was measured on it, but if I got the others right, fraud took care of itself.”