As more consumers shop online, the ecommerce sector is catching the sharp eyes of the world’s fraudsters. A study by Juniper Research estimated the industry loses nearly $50 billion to payments fraud each year, with the figure continuing to rise. And with developments in artificial intelligence (AI) accelerating both innovation and risk, merchants are grappling with increasingly sophisticated attacks – from refund scams and fake ID verification to cyber assaults from insidious organised crime networks.
How can they strike back against the bad actors? Collaboration plays a crucial role – both across the industry and with adjacent sectors, such as social media platforms. It can help merchants find the right strategic mix of customer experience, compliance, and fraud prevention.
Fraud at an industrial scale
“There’s constant attacks from all over the world,” said Julie Fergerson, CEO and Co-Founder of the Merchant Risk Council (MRC). “One scary statistic I’ve heard is that 37% of all internet traffic is malicious bots, so there’s a whole lot of activity that’s trying to commit fraud.”
Fergerson explained how there are a number of facilities now located across the globe that are home to hundreds of thousands of people dedicated to carrying out scams.
“They’re incredibly well organised,” she said. “They have quotas and use all kinds of tools: there’s developers, there’s technology, and there’s people who have been trafficked and can’t leave.”
“These facilities exist in outlying countries, like Myanmar. I love a Star Wars analogy and would liken them to the Death Star. They’re in a growing phase and it’s a tough problem for merchants and banks to solve. If we cut off their communications channels, they will find another way to connect. And if we liberate these people, we’ve freed half a million people who know how to commit fraud and don’t have an economic path to success other than continuing to do what they’re doing.”
The first step for merchants is to map out potential vectors of attack and then bake controls into their business models as they scale.
“I’ve spent a lot of time in the payments industry, and so have brought a structured way to think about fraud and risk,” said Ismael Ghozael, Vice President of Products & Platforms, Decathlon, which has 1,800 stores in 79 countries and a rapidly growing digital footprint.
“I tend to put them into three different categories. These are customer account takeover fraud, financial instrument fraud – such as unauthorised card transactions, and then seller/reseller fraud, which is one to watch closely when you operate as a marketplace. We have different strategies for each, and these will continue to evolve as we grow.”
Exploiting the rapid pace of change
Fraud is further fueled by the relentless speed of market development and the ability of criminals to then exploit any gaps that appear.
“The AI era is moving at an incredibly fast pace – even faster than the growth of the internet,” explained Fergerson. “This opens up loopholes and other ways for fraudsters to get in as all the traditional patterns of traffic go out the window. Marketing and product teams are keen to implement the new technology, but they need to make sure that legal and compliance are part of the conversation from the start.”
Many merchants report that reseller fraud is becoming a huge issue because AI tools allow fraudsters to replicate a website from just a screen capture. Refund fraud is also a growing threat, with people buying two identical products at the exact same time and then claiming they’ve got a duplicate charge on their card – even though in reality they are two legitimate orders.
“Fraudsters are figuring out these vulnerabilities because they can test them and brainstorm very quickly with AI tools,” Fergerson added.
AI can be considered a sword with two edges. “With one, we can unlock new efficiencies,” said Felix Efren, a Senior Fraud Analyst at Bolt, the ride-hailing and food delivery giant. “But fraudsters use the other to commit refund fraud and other crimes. For example, it’s becoming easier to get fake IDs verified within a platform by using ChatGPT. And it’s difficult to combat these threats because the naked human eye will never know the difference.”
Collaboration will be central to crafting an effective industry response. “We’re working with local authorities via integrations that can actually verify an ID matches the information in their databases,” added Efren. “As fraudsters become more advanced, so must we, combatting the threat with more advanced tools and integrations.”
Often, once a loophole is found within a certain country, the fraudster will be quick to share the tip over social media, and it can become viral.
In such scenarios, social media platforms also have a responsibility to try to reduce and limit fraud. “We have free speech, so you can’t censor conversations per se,” said Fergerson. “That said, I would say most social media companies are good citizens, so if you highlight a scam, they will act to take it down. Cooperation and communication are essential, and that also applies internally between a company’s teams.”
Keeping localisation front of mind
Fraud varies by market, with each region experiencing different local activities.
“Latin America is very different to Europe, which is in turn different to Oceania and Asia,” said Efren. “As companies grow bigger, they will often attract organised crime groups, who will try their luck within their platforms.”
As companies expand across borders, it’s important they fully understand the local payment methods they are integrating at their checkouts. “Sometimes we enter a new country with a new payment method that we’re not used to doing business with, and sometimes fraudsters can exploit those vulnerabilities,” explained Efren.
“Fraud in essence is more local,” agreed Ghozael. “We have a centralised payments engine that represents perhaps 80% of our investment in payments capabilities, but then you also have to ensure you can become relevant for your customers by adopting local payment methods safely. So the other 20% is targeted at customizing risk rules and adapting to local trends.”
“Decathlon is part of a family of brands so we have the advantage of being able to pool resources and invest in a concerted manner. That’s true for payments innovation but also for fighting fraud at a larger scale. By pooling data to understand our customers and their behaviour, we can separate the bad transactions from the good ones while enhancing the user journey.”
Ultimately, the battle against fraud can be likened to a never ending race against the fraudsters, who will continue to evolve and iterate their tactics.
“It will never end because where there is value, there will be people trying to steal it,” concluded Efren. “This has been an issue for 5,000 years. Fraudsters are always innovating – they have the time to sit down and explore the vulnerabilities in your system to turn it into a monetary gain. We therefore have to continue to focus on customer experience while proactively addressing problems as they emerge.”
Check out our recent Pay it forward podcast episode to unpack the latest fraud trends and find out more about how businesses can innovate without compromise.