Top 5 learnings from 2020's exceptional peak season

Monday 1 February 2021 09:58 CET | Editor: Simona Negru | Voice of the industry

Mark Strachan, EMEA Managed Risk Principal at Cybersource, discusses the top 5 learnings from 2020's exceptional peak season, and considers what to look out for as we head into 2021

Last year's peak season capped an extraordinary year for merchants, who had to adapt rapidly to pandemic-driven changes in customer and fraudster behaviour. We've identified five key learnings from the 2020 peak season, plus three priorities for 2021.

1.  Frictionless customer experience

We observed a drive to take friction away from the customer experience with capabilities like mobile POS, contactless delivery and pickup, and voice-based purchasing. However, although consumers love the safety and convenience of frictionless shopping, removing traditional barriers can make things easier for fraudsters. 

To keep shopping channels open and protect genuine customers, merchants must understand the potential pitfalls of low-friction experiences, and adapt their fraud strategies accordingly.

2.  Consumer data privacy

Consumers' data is protected by a raft of regulations, but some individuals want more control over their own data privacy. We saw increased take-up of tokenized email addresses, virtual cards, and numberless credit cards. All can pose challenges for fraud screening tools by limiting the usefulness of scoring systems, negative lists, velocity checks, and other verification techniques, which makes them popular with fraudsters, too.

Merchants should adjust fraud screening tools to pass all related transactions to their review teams, who should be trained to distinguish genuine from fraudulent use. 

3.  Hacking and data breaches

There's nothing new about hacking, but last year saw a marked increase in news articles related to ransomware attacks. Beyond taking a merchant's ecommerce channels offline — leading to lost business — ransomware puts merchants in a Catch-22 situation: pay the fraudster to get the data back, or pay the fine for what is effectively a data breach? 

Data breaches in general increased as the pandemic-driven shift to home-working led to fraudsters posing as managers to acquire passwords or data from unsuspecting employees, for use in subsequent cyberattacks.

So that sensitive payment data isn't vulnerable in the event of a breach, merchants should consider removing it from their own networks using a tokenization service.

4.  New fraud technologies

In their efforts to circumvent ecommerce website controls, fraudsters continued to innovate. We saw, for example, automated AI-driven bots able to bypass CAPTCHAs and deceive behavioural analytics solutions by mimicking human activity on checkout pages. 

Fraudsters also developed new technologies to scam consumers. Among them are fake chatbots that harvest card data and other personal information, and rogue mobile apps containing malware that compromises devices.

5.  Evolving fraud methodologies

The shift to ecommerce led to the appearance of a wave of professional refunders, who carry out a type of friendly fraud in return for a share of the refund amount. Merchants should ensure their contact centres understand the trend and that calls are recorded. Additionally, they should flag customers with excessive refunds in their fraud management tool. 

Increased implementation of two-factor authentication (2FA) led to a rise in SIM swaps, which enable fraudsters to receive the one-time passwords designed to protect purchases. Flagging device fingerprint inconsistencies and verifying GPS locations can help counter the problem.

Fraudsters also started activating sleeper accounts created earlier in 2020 with data harvested from phishing attacks. Merchants should compare the number of previous purchases with the age of the account, and consider creating rules around typical account anniversary dates, such as 365 days.
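The three checks described in this section (excessive refunds, device fingerprint inconsistencies, and purchase count versus account age around the 365-day anniversary) can be sketched as review rules. This is an added example, not Cybersource's code or rule syntax; the field names, rule names, and every threshold except the 365-day anniversary are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are illustrative assumptions; only the 365-day anniversary is from the article.
ANNIVERSARY_DAYS, ANNIVERSARY_WINDOW = 365, 14
DORMANT_MIN_DAYS, MAX_SLEEPER_PURCHASES = 180, 1
MIN_PURCHASES_FOR_RATIO, MAX_REFUND_RATIO = 4, 0.5

@dataclass(frozen=True)
class Order:
    account_id: str
    order_date: date
    account_created: date
    prior_purchases: int
    prior_refunds: int
    device_id: str
    known_devices: frozenset = frozenset()

def review_reasons(o: Order) -> list:
    """Return the rule names that send this order to manual review."""
    reasons = []
    age = (o.order_date - o.account_created).days
    # Sleeper account: old enough to be dormant, yet almost no purchase history.
    if age >= DORMANT_MIN_DAYS and o.prior_purchases <= MAX_SLEEPER_PURCHASES:
        reasons.append("sleeper_account")
        offset = age % ANNIVERSARY_DAYS
        if min(offset, ANNIVERSARY_DAYS - offset) <= ANNIVERSARY_WINDOW:
            reasons.append("near_account_anniversary")
    # Professional refunders: refunds out of proportion to purchases.
    if (o.prior_purchases >= MIN_PURCHASES_FOR_RATIO
            and o.prior_refunds / o.prior_purchases > MAX_REFUND_RATIO):
        reasons.append("excessive_refunds")
    # SIM swap / takeover signal: device never seen on an account with history.
    if o.known_devices and o.device_id not in o.known_devices:
        reasons.append("device_fingerprint_mismatch")
    return reasons

def triage(orders) -> dict:
    """Map account_id -> reasons, for flagged orders only."""
    flagged = {o.account_id: review_reasons(o) for o in orders}
    return {acct: r for acct, r in flagged.items() if r}

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A", date(2021, 2, 8), date(2020, 2, 10), 0, 0, "d1"),
    Order("B", date(2021, 1, 15), date(2019, 6, 1), 10, 7, "d2", frozenset({"d2"})),
    Order("C", date(2021, 1, 20), date(2020, 11, 1), 3, 0, "d3", frozenset({"d3"})),
    Order("D", date(2021, 1, 22), date(2018, 3, 5), 6, 1, "d9", frozenset({"d7"})),
]

if __name__ == "__main__":
    for account, reasons in triage(SAMPLE_ORDERS).items():
        print(account, reasons)
```

Rules like these route orders to a review queue rather than rejecting them outright, so the thresholds should be tuned against a merchant's own false-positive rate.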

Three things to look out for in 2021

SCA – With the advent of PSD2 Strong Customer Authentication (SCA), we expect SIM swaps will continue; and that fraud could migrate to the MOTO channel as fraudsters attempt to avoid 2FA altogether. Similarly, one-leg-out (OLO) transactions being out of scope for SCA could lead to a rise in fraudulent use of non-EEA cards. As well as monitoring MOTO and OLO transactions, merchants should watch out for account takeover attacks, as fraudsters will aim to exploit exemptions available with account-holders' merchant whitelists.

Brexit – In affected countries, an increase in friendly fraud may be on the cards, as longer shipping windows delay goods arriving. Cross-border fraud may drop, while domestic fraud may rise — this means that merchants will need to keep an eye on ratios and adjust resourcing accordingly. Sharing fraud information across borders may become a slower or more complex process. And as with any new situation, fraudsters will look to take advantage, so we may see a surge in Brexit-themed phishing attacks.

COVID-19 – During 2021, fraudsters will doubtless continue to refine their pandemic-related fraud playbooks, tools, and techniques. So merchants must avoid letting their guard down and should continue to adapt their approaches in line with fraud and fraudster evolution.

Recent experience teaches us that fraud strategies must be agile enough to help a business react quickly to new challenges and opportunities. To learn more, download our guide to building more flexible fraud strategies.

These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. Recommended marketing materials should be independently evaluated in light of your specific business needs and any applicable laws and regulations. Visa is not responsible for your use of the marketing materials, best practice recommendations, or other information, including errors of any kind, contained in this document.

About Mark Strachan

Mark is the business owner for the EMEA Managed Risk portfolio at Cybersource and a fraud risk professional with over 12 years' experience in the card payment and banking industry. His current role as EMEA Managed Risk Principal at Cybersource allows him to work closely with enterprise clients on strategies to reduce risk associated with fraudulent activity and optimise revenue.


About Cybersource

Cybersource helped kick start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life – experiences that delight customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all payment types, fraud strategies, and more. Knowing we are part of Visa and their security obsessed standards, you can trust that business is well taken care of – wherever it may go.

