Customising the user experience – for fraudsters

Many previously retail-only merchants installed ecommerce options quickly in early 2020 and experienced fraud losses. Then, after remediation, they felt like that problem was solved. But are they ready for the next wave of fraud against ecommerce environments?

To properly identify and prevent subsequent attacks, merchants should expand their abilities to include identifying consumer intent, locating sleeper accounts, and blocking impossible customers. 

Identifying consumer intent

Most merchants identify their ideal customers and build purchase experiences accordingly. Merchants may have entire departments that define purchaser personas and optimise all systems for these buyers. The gap in this approach is that fraudsters can mimic any persona and align with these purchase paths. To address this issue, merchants should build personas for fraudsters and define specific checkout approaches for these avid shoppers. But first, fraudsters need to be found.

It is difficult to know what is in a shopper’s mind, but retail environments have the extra benefit of watching the behaviours of their shoppers – actually seeing them acting ‘sketchy’. Online merchants also have this ability, but they rarely identify the opportunity to ‘watch’ how their shoppers act.

Behaviour for online shoppers can be determined through monitoring the mouse or clicks from various perspectives. Some approaches may require a vendor, while others can be executed directly by the merchant.

These are not perfectly analogous to intent or action, but they can allow merchants to apply frictions, security protections, or other actions, which can drive a deeper understanding of shoppers’ intent. The message here is that people are not perfect. Support the imperfect shopper and be wary of the perfect one.

Locating sleeper accounts

Some fraud trends require the use of trusted consumer accounts already in place on the merchant’s system. While some thieves focus on account takeover (ATO), others are loading ‘sleeper’ accounts to be used in the future. Merchants should be on the lookout for both approaches but the path that seems to take more merchants by surprise is the ‘sleeper’ approach. 

Fraudsters are creating accounts on merchant sites where no transactions are being executed immediately so the merchants who use ‘Customer Since’ dates to trust purchases can view any future actions positively. For these types of accounts, created months earlier, the same actions taken to protect from ATO attacks are warranted. 

The length of inactivity, profile changes taken upon reactivation, and lack of ‘shopping’ but speedy ‘buying’ should all be triggers to merchants. These actions should tell merchants to apply the same scrutiny to reactivated accounts that they would use for new suspect accounts. Furthermore, device identity and proxy-pierced IP information can be used to tie multiple synthetic identities together to create a comprehensive picture of these accounts and their creators.

Blocking impossible customers

For many merchants, there is little review of ‘impossible customers’ and this opens a window for potential fraud. Some merchants have installed an ecommerce velocity prevention scheme, but rarely define the personas who are being blocked by these volumes, or block these behaviours only during purchase, but not during account updates.

The definition of ‘impossible’ will vary by merchant/product type, but some items can be documented. First, is the purchase commonly made away from home? If not, watching the distance between the device and the claimed consumer address can locate a potentially invalid purchase. 

Next, how many cards does the customer truly have? Customers with multiple cards may be persistent but too many cards can reflect a fraudster. But dive deeper. How many cards does a true customer have from the same issuer? When a customer gets a new card from the same bank, that issuer commonly replaces the first card with the second card – they do not issue a second card to the same cardholder – and certainly not a third or more. Velocity checks will stop some attempts but miss a few from the same BIN.

Furthermore, some purchases are made with address information in invalid checkout fields or in all checkout fields. If Address Line 1 also contains City, Region, Postal Code, and Country, is this really what a person would enter? If Address Line 2 is not null and perfectly matches Address Line 1, wouldn’t a true customer repair this entry? 

For any of these, or other potentially fraudulent purchase attempts, build a unique checkout experience for the ardent ‘shoppers’. Change tab order, add ‘human verification’ steps, create perpetual checkout loops, or any other behaviour that irritates fraudsters. Create personas and experiences for buyers you want to frustrate as well as buyers you want to court – they are equally important.

Merchants may be shifting focus again, but they cannot afford to stop looking at all portals. Every avenue for sale is also a path for loss so don’t divert your attention. Watch the portals you manage because fraudsters certainly are!

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.

About Sally Baptiste

Sally Baptiste co-founded Payment Operations Group. Having run merchant payments for 16 years and worked for an acquirer for 13 years, she is able to leverage multiple perspectives to deliver comprehensive approaches to payment processing for audiences around the world.

About Payment Operations Group

Payment Operations Group is a consultancy of payment professionals with over 40 years’ combined experience in the payments industry – from acquiring and ISOs to merchant perspectives. Our focus is on educating our clients with our end-to-end approach to payment processing, helping them navigate the complex ecosystem and strengthening their position in their chosen processes.