Holiday shopping has changed a lot in the last few years with major online shopping
events from around the world gaining popularity in Australia. This year’s Black
Friday and Cyber Monday sales were among the biggest online shopping days in
Australia, kicking off the pre-Christmas rush. Cyber Monday broke records in
the US hitting US$3.45 billion in online sales, up 12 per cent from last year
with Australia and the rest of the world following suit.
But with the increase in online holiday shopping comes a commensurate increase in
instances of fraud. Australian internet businesses suffer dramatically more card
fraud than the global average, with online fraud rising by 38% between 2014 and
2015, compared to the global average of 13%.
It’s a lesser-known quirk of the financial industry that, unlike their
brick-and-mortar counterparts, online businesses are responsible for not only
detecting fraud, but also paying the associated costs. On average, every $1 of
fraudulent orders costs an online business an additional $2.69. A couple of
weeks ago a foreign syndicate was busted by the Australian Federal Police for
the theft of more than 30,000 Australian credit cards, spending more than $30
million. A hefty sum, for sure, but nothing close to the US$32 billion that
online retailers spent preventing and remediating hacks in 2015. Online
businesses are also susceptible to a wider range of fraud schemes, including
credit card fraud, payout scams and faux refunds.
So as the holiday sales kick off, what can online businesses do about it?
The basics: getting started with fraud prevention
To begin, businesses should examine
the address verification code (a postcode that matches what’s on file with the
cardholder’s bank), require a card verification code (the 3- or 4-digit code on
their card), and delay shipping. The latter step is especially helpful for
expensive items, as it provides a safety window when the actual cardholder
might flag a large fraudulent purchase.
However, these checks aren’t foolproof: legitimate customers can easily enter a typo in
their street address or move and forget to update their billing zip code,
resulting in false positives, and fraudsters are often able to buy stolen
credit card numbers together with their card verification codes.
The next step is manual reviews: many businesses rely on employees to audit
transactions and create complex, custom rules (such as, “temporarily block all
orders over $500 until reviewed and approved”). All of this sounds pretty
complicated and manual. The answer? Machine learning.
Let machines do the heavy lifting
Thanks to recent advances in machine learning and AI, businesses today can analyse
millions of online transactions and identify buying patterns across large
numbers of retailers, spotting outliers in real-time and flagging odd charges
long before a human analyst would spot a problem.
Sift Science offers machine-learning-based fraud detection trained on a business’s
data; other tools like Riskified and Signifyd offer chargeback insurance,
screening every charge for a fee, blocking suspicious purchases, and
compensating their customers when they fail to block fraud.
Stripe’s fraud tool, Radar, constantly learns from the hundreds of thousands of
businesses taking payments through Stripe around the world. This new approach
enabled Watsi, a global funding platform for medical treatments, to block more
than $40 million in attempted fraud over a two-month span, all with limited to
no human involvement.
Don’t leave money on the table
Of course, the difficulty with fraud is that pre-emptively blocking too many
transactions means forgoing legitimate purchases too. In theory, you could
prevent fraud from Southeast Asia by blocking all transactions from Southeast
Asia; but that approach means you’d also be forgoing legitimate transactions
from one of the world’s most populous regions.
So even once you’ve implemented tools for preventing fraud, it’s important to
remember that your ultimate goal isn’t blocking fraud — it’s maximizing
revenue. This means you should:
1. Consider multiple metrics: Don’t just focus on one metric like false positive
rate (legitimate transactions that you’re blocking) or dispute rate. After all,
you can easily make the former zero by not trying to catch any fraud (and the
latter zero by not accepting any payments). Your overall fraud protection
approach will offer a trade-off between false positives and false negatives,
and you should understand what that trade-off is and what is optimal for your
business. This break-even calculator can give you an example of the kind of
calculations it can be helpful to do.
2. Find your “healthy” dispute rate: Unsurprisingly, fraud varies by sector. For
example, the median fraud rate for retail is 0.02 per cent, while for
nonprofits it’s 0.1%. Once you know your industry’s rate, compare it to your
business’ unique situation and data to identify a “healthy” fraud benchmark.
Trying to drive your dispute rate far below what is natural for your sector can
be more effort than it’s worth.
3. Always be measuring: No matter what solution you choose, be rigorous in
assessing efficacy. For example, if you’re manually customising rules, you can
evaluate their performance by backtesting them or by running A/B tests in
real-time. Don’t rely on intuition that tells you all payments from a certain
region, or at a certain time of day, are fraudulent. Formulate your hypothesis
and validate it with data!
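The backtest described in the list above, as an added example that is not from the original article: it replays the article's "block orders over $500" rule, and the two degenerate policies from point 1, over labelled historical transactions and reports false positive rate, dispute rate and net revenue. Assumptions: the transaction history is constructed, the 30% margin is hypothetical, a blocked order counts as a lost sale, and a missed fraudulent order costs its amount plus the article's additional $2.69 per $1.

```python
from dataclasses import dataclass

FRAUD_EXTRA_COST = 2.69   # article's figure: extra cost per $1 of fraudulent orders
ASSUMED_MARGIN = 0.30     # assumption: profit margin on a legitimate order

@dataclass(frozen=True)
class Txn:
    amount: int
    fraud: bool           # label known in hindsight, e.g. the charge was disputed

# Constructed history, not real data: 315 legitimate orders and 3 fraudulent ones.
HISTORY = (
    [Txn(40, False)] * 200 + [Txn(120, False)] * 100
    + [Txn(520, False)] * 10 + [Txn(700, False)] * 5
    + [Txn(90, True), Txn(550, True), Txn(900, True)]
)

def backtest(rule, history, margin=ASSUMED_MARGIN):
    """Replay history through rule(txn), which returns True if the order is blocked."""
    allowed = [t for t in history if not rule(t)]
    legit_total = sum(1 for t in history if not t.fraud)
    legit_blocked = sum(1 for t in history if rule(t) and not t.fraud)
    missed = [t for t in allowed if t.fraud]
    profit = margin * sum(t.amount for t in allowed if not t.fraud)
    # Assumption: a missed fraudulent order costs its amount plus the extra cost.
    loss = (1 + FRAUD_EXTRA_COST) * sum(t.amount for t in missed)
    return {
        "false_positive_rate": legit_blocked / legit_total if legit_total else 0.0,
        "dispute_rate": len(missed) / len(allowed) if allowed else 0.0,
        "net": round(profit - loss, 2),
    }

RULES = {
    "allow everything": lambda t: False,          # zero false positives
    "block orders over $500": lambda t: t.amount > 500,
    "block everything": lambda t: True,           # zero disputes, zero revenue
}

def compare(history=HISTORY):
    """Backtest every rule on the same history so the results are comparable."""
    return {name: backtest(rule, history) for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} {result}")
```

On this constructed data the $500 rule gives up 15 legitimate orders yet still nets more than either extreme, which is the trade-off point 1 describes; with a different margin or fraud mix the ranking can change, so rerun it on your own history.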
On the internet, the only constant is change itself. As consumer behaviour and
fraud schemes continue to evolve, businesses that want to maximise their
revenue this holiday season — and year round — should be using modern fraud
defences that can adapt and help them stay a step ahead of fraudsters.