A look at the steps you can take to improve fraud management in your business right now, with minimum effort.
As co-founder of an anti-fraud company, I have seen firsthand how our tools can reduce the costs, expenses and headaches due to fraud.
But even I will have to admit that certain businesses don’t necessarily need to deploy an end-to-end solution or a fully-staffed Risk Ops department.
This is why in this post, I wanted to focus on techniques that every business can – and should – take to protect their customers and reduce chargebacks.
Whether you’re a small eCommerce or a SaaS in any vertical, there’s a lot you can do today to save yourself trouble in the long run – especially when it comes to PSD2 regulations, or GDPR and fraud detection fines. Here is my suggested to-do list:
Educate Users About the Value of Their Accounts
Password manager company Dashlane previously found that the average user has up to 90 online accounts. That’s a lot of login info to keep track of!
So it’s no wonder people become careless. They reuse passwords. They save their credit card numbers everywhere. After all, we all want it to be as easy and fast as possible to login, without friction and complicated authentication methods.
Unfortunately, taking this path of least resistance is what makes it so easy for fraudsters to take over accounts, a.k.a ATO attacks.
Essentially it works like this: people find login details for one account (either via brute force, phishing, or from the millions of breached data records available on the dark web). They then log in to an account and try to see if they can extract any valuable information from there. Could be a saved credit card number, extra email addresses, or linked social media accounts.
The problem is therefore evident: one account takeover means all your accounts could be compromised.
So, the first step in preventing ATO is to educate users about personal risk assessment. This is done via regular security notifications, encouraging the use of 2FA authentication, and highlighting the value of their accounts as often as possible.
Another smart option is to use automation. It’s easy enough to grab the API from a site like HaveIBeenPawned.com, which checks if your email address was found in a known data breach. You can then ensure the user doesn’t rely on it to sign up to your service.
Similarly, here’s a tutorial on how to check if passwords were found in a breach for your online customers, using Cloudflare Workers, just like GitHub does to protect its customer accounts.
While it may seem like it places the burden of security on the user, I find that a clear message about potential security risks can be welcomed by everyone. Transparency is generally a good policy in the digital age, and it’s particularly the case here when it comes to security.
- Why it works: helps customers take necessary precautions themselves.
- How it helps: reduces account takeover, which decreases fraudulent transactions and improves brand trust.
Improve Transparency in Your Product and Services Descriptions
Friendly fraud happens for a variety of reasons. Legitimate mistake, dishonest users, or products bought without the credit card owner’s consent. Whatever the case, it will make you go through a lengthy and potentially expensive chargeback process.
And while there’s not much you can do about dishonest buyers, you can improve the satisfaction of legitimate customers who purchase your products or services. All it takes is a bit of elbow grease in the writing department.
That is to say: you must ensure your descriptions don’t create a wrong impression in the buyer’s mind. We’ve all experienced disappointment with something we’ve bought. And as you know, the temptation to “punish the business” with a bad review or a chargeback request can be hard to resist.
Now, of course, it creates a tough balancing act for marketers and copywriters. You want people to be excited about what they’re going to buy, but at the same time, it shouldn’t create a wrong impression.
Still, I do believe it’s one of those cases where honesty is the best policy – especially if you want to reduce chargeback rates.
- Why it works: Your customers are less likely to be disappointed by their purchases.
- How it helps: reduces chargebacks and rates of friendly fraud.
Implement 3DS, AVS and CVV Dynamically
Next in the set of tools anyone should use are those created by banks to secure payments. Chances are you’re already familiar with them from paying online yourself.
- 3DS, or 3D Secure: A security protocol for online credit and debit card transactions. It is designed as an additional password validated by the issuer, which helps transfer liability to the customer in case of fraud.
- AVS, or Address Verification System: used to confirm a transaction by looking at the U.S billing address and home address linked to a credit card. It’s unlikely people without the actual card have access to it.
- CVV, or Credit Verification Values: you might have noticed you have to enter them every time you make an online purchase. It’s because merchants aren’t allowed to store them. This improves the chances that the buyer is actually holding the card at the time of the transaction.
Now an interesting point is that being familiar with these tools could be the reason you’re hesitant to implement them on your site.
What I mean is that extra payment verification tools can be a pain for users. And we all know that businesses want to reduce friction as much as possible to increase conversions. For instance, Amazon doesn’t ask for CVV numbers by default to speed up the transaction process.
So it’s another balancing act. You want payments to be easy and seamless. But here again, I truly believe it’s not worth keeping the door wide open, which could hurt your fraud rates.
However, at this point, I should point out that a good solution exists: dynamic verification.
It is an automated system which allows you to trigger extra verification steps based on the analysis of a user’s digital footprint. It does require a dedicated tool, so I’ll leave a link here that shows how it can be done with online gambling users, for instance.
- Why it works: you are adding security layers that make it harder for fraudsters to complete a transaction with a stolen credit card number.
- How it helps: reduces transaction fraud, chargebacks, mail fraud…
Get Your Business Audited By White Hat Hackers
White hat hackers, also known as ethical hackers, are the good guys in the fight for online security and cyber-justice. Their job is to find security flaws and vulnerabilities in your system so you can fix them.
And you’ve guessed it, they are available for hire as consultants. Before you jump the gun, just make sure they are certified (Certification is obtained through the EC-Council, as a CEH, or Certified Ethical Hacker), and try to gain an idea of how long the process would take.
This step may seem over the top for small businesses, essentially seeing how white hacking is a high-paying, fast-growing job.
In fact, big companies usually work with hacking bounties, such as the one Facebook has in place, offering independent researchers up to $40,000 for finding vulnerabilities that could result in an account takeover. But it could be more affordable than you think!
- Why it works: find out what security flaws exist with your business so you can fix them.
- How it helps: usually more of a cybersecurity issue, but can also help reduce phishing attempts, which in turn decreases account takeover, multi-accounting or transaction fraud.
Enrich User Data Manually At Signup
One of the questions I get asked often is: where’s the best place to catch suspicious users. And my answer is always the same: the earliest point possible.
For most online businesses, that’s the signup or onboarding stage. But this immediately begs another question: how do you gain more intelligence with very little available data?
It is precisely to answer that question that we created a Chrome Extension that allows anyone to enrich data based on an email address, phone number, IP or location.
That single data point is cross-referenced with a number of open-source, third-party databases that help gain additional information.
It may sound surprising, but it can be a tremendously powerful weapon for protecting your business.
As for how risky users are based on that info, it should be pretty self-explanatory. You can see if the login details look suspicious, if they are obviously created multiple times by the same user, or if they use the stolen ID from someone else.
This is why you won’t need a whole risk management team to perform manual reviews. Simply ask yourself if there’s too much fishy data in the lot, and accept or reject new users as needed.
- Why it works: you can learn a lot about someone’s digital identity based on enriched data.
- How it helps: reduce multi-accounting, transaction fraud, win chargeback disputes…
Key Takeaway: Education is Prevention
The fight to protect your business is a constant game of cat and mouse. Anytime a new security measure pops up, fraudsters find a workaround. Anytime the bad guys discover a new attack vector, we build a tool to stop them.
But the good news is that you’ve got allies on all sides in this fight: fraud-prevention companies, of course, but also banks, payment gateway fraud tools, and even your own users – if you can educate them about the problem of fraud.
And while nothing will ever beat the success rates and efficiency of SEON, our full, dedicated fraud management solution, I believe it’s also our job to educate businesses and train fraud managers about simple, or multi layered fraud prevention measures. So I hope this is what you got from this post today!
See a live demo of our product
Bence is the co-founder and COO of SEON whose vision is to create a safer online environment for merchants in high risk verticals.