Fraud in E-Commerce: “What The Fraud?” Podcast

THOMAS TARANIUK: This is “What The Fraud?”, a podcast by Sumsub, where digital fraudsters meet their match. I’m Thomas Taraniuk, Head of Partnerships at Sumsub, the global verification platform, helping to verify users, businesses and transactions.

Here’s a terrifying statistic to kick off today’s episode. Between now and 2027, it’s expected that cumulative losses due to online payment fraud will exceed 343 billion US dollars globally. E-commerce has rapidly expanded since the COVID pandemic in 2020, and with this expansion has come a massive increase in fraudulent activity in the sector.

Identity theft, chargeback fraud, card testing and promo abuse are all common ways that fraudsters extract as much money as possible from online retailers and customers. Although companies are putting in measures to stop this from taking place, the question we’re asking today is ‘is it enough?’ 

Our guest is Adam Sherlock. Adam is the Fraud and Payments Manager at international footwear brand Fitflop and has previously worked at Leisure Pass Group and Amazon. He is highly experienced in developing internal processes and building effective teams to combat fraud in commercial business. Adam, thank you for joining us on “What The Fraud?”.

ADAM SHERLOCK: Thank you for having me. 

Types of fraud in e-commerce

THOMAS TARANIUK: There are so many unbelievable statistics I could use to illustrate the scale of the problem in e-commerce fraud. Here’s one that I used at the end of the last episode, that the industry loss in 2022 was estimated at 41 billion US dollars, and this amount grew to 48 billion US dollars by the end of 2020. What are the primary types of fraud affecting the e-commerce industry and how do they impact merchants and consumers? 

ADAM SHERLOCK: So there’s three predominant forms of fraud that we see on e-commerce. They are account takeover, ATO, there is card fraud, and there is concessions fraud or refund fraud.

Suggested read: Fraud and Money Laundering in E-commerce: How Proper Identity Verification Can Prevent It (Guide 2024)

1. Now, account takeovers, the predominant action there that the fraudster is trying to do is one of two actions. One, they’re hoping that there’s a payment card on the account, and they will then compromise that account, use that customer’s details, including their payment card, and attempt to place an order. The reason they’re doing that is because they’re trying to circumvent the fraud rules, knowing that fraud screening is looking for brand new accounts, basically. So if an account is established, there’s a greater likelihood the transaction will be avoided by the, the fraud screening process. The second reason for taking over accounts is to get the customer’s information. There’s a lot of valuable information on accounts that people don’t realize that they leave on there. You know, their, their name, their address, their phone numbers. There was quite a famous case from about 10 years ago where a fraudster got access into an Amazon account, saw all the customer’s details, the last four digits of all their credit cards on there, then contacted Apple and using those last four digits and the address details, managed to get the reset into an Apple account, and then remotely wiped a laptop and a phone that belonged to a journalist. And the journalist lost about two years worth of work, which ended up being quite a big story for the journalist, obviously. And that was simply just an account takeover where they’d compromised the information in the account.
2. The second form is card fraud. So the frauds will be using a stolen card with the hopes of getting a transaction out of it. They could be using the card holder’s address or they could be making it up. That’s probably the most predominant sort of fraud that you’ll see on e-commerce. There is a sub shoot of that, which is called triangulation fraud. And with that, the fraudster sets up a selling account, usually on a site like eBay or something along those lines, and will list products at average prices. They won’t go for too good to be true prices, they’ll go for average prices, but they will target products that are in high demand, for example iPhones and products like that. They will get legitimate orders from customers who want to buy off them, but of course the fraudster doesn’t have any stock. So they will go to a third company and use a stolen credit card to place an order to ship to their legitimate customer. And so it ends up being a double bubble, right? Exactly. And so the business ends up losing goods, gets the charge back. The fraudster will deliver the product to the legitimate customer who will often leave them five star feedback saying, great. And the sites like eBay are none the wiser that anything nefarious is going on.
3. And the last form that is definitely growing in Europe and the UK is concessions abuse or refund abuse. And that is where the customer will be placing the order on the knowledge that they are then going to attempt to claim goods never showed up or have received the goods. It’s not the correct item. They’ll send the goods back. They’re looking for a concession or a refund. This fraud can also be outsourced to third party companies. There is a book called Bob’s Refund Guide that tells people step by step on how to go through these refunding processes for a lot of the major companies. And they will also do it on your behalf. If you want to pay a percentage of the transaction value to these fraudsters, they will attempt to do the refund for you. 

Suggested read: New Account Fraud—How to Protect Your Business

THOMAS TARANIUK: That makes sense. And that’s not a push to the audience to go look up this guide as well and commit fraud on their side. But it sounds, from the perspective of the second type that you mentioned there, the consumer doesn’t lose out as much as the business itself loses out.

And if we’re speaking about eBay and these concession frauds, they’ll have it in place where it’s part of their loss in terms of their book, in terms of making these refunds to keep the customer happy and keeping these fraudsters out and actually creating these accounts on Amazon, on eBay. It must be a top priority, right?

ADAM SHERLOCK: It is very hard to detect, though. How do you detect between a fraudster that’s setting up a fraudulent account and a new customer that simply has an unwanted Christmas present that they want to sell? There is KYC screening and checks that you can do. But again, these are not infallible processes. They can be circumvented quite easily.

In a global context, North America has, from what we’ve seen as well, the highest fraudulent transaction value globally, counting for over 42 percent of e-commerce fraud worldwide. But on the other side of the Atlantic, we’ve got Europe, where statistics suggest that Germany and France are the countries that are impacted the most by this type of fraud as well.

THOMAS TARANIUK: So from your experience, Adam, do the above statistics ring true for you? 

Statistics and trends

ADAM SHERLOCK: Definitely. Interestingly, after the introduction of 3D Secure in the UK, we saw fraud rates. We did see that migration of trends to the US, where it is far easier to get transactions through for the fraudsters. The number of credit cards that are circulating in the US is huge, and the geographical area size is just, it makes it very easy for the fraudsters to hide there. 

THOMAS TARANIUK: If we talk about contributing factors for each one of these regions as well, why do you think fraud is more likely to happen in one place compared to another? 

ADAM SHERLOCK: Well, the anonymity of the internet is the greatest advantage to the fraudster.

They will then tie that in with living in a high density urban area. And the reason for that is they can hide their activities far easier. If you’re living in a rural location where there is only one courier that comes there and you’re getting a hundred packages a day delivered to that address, the courier is going to remember you and understand, you know, something’s not right here.

Whereas into a high rise apartment building, there’ll be multiple couriers coming day after day, and it’s easier to hide their behavior. Plus they will have access to buyers. Most of these fraudsters don’t want the goods when they do e-commerce fraud, they want cash. And so they want to convert that product into cash.

And by living in an urban area, there will be buyers. They can go down the local pub and, Hey, I’ve got this. Anybody want to buy that? And there’ll be buyers for that sort of. Yeah. 

THOMAS TARANIUK: And it’s not like, um, high ticket items. We’re not talking about watches or anything else. We’re talking about things which you could just sort of pass off in terms of every day, a secondhand iPhone, a couple of hundred dollars, pounds, whatever.

I remember the days when Deliveroo and Uber didn’t have the code, and because of that, obviously, previously, people would just be taking the order, and they wouldn’t be taking pictures of the courier, and they’d just say, my order never arrived. These high rises, right? Surely amountable losses that these companies have faced.

They’ve had to put checks and balances in place to make sure that the couriers are delivering the food, but the people which are generally sort of good people just ordering food aren’t taking advantage of the system. I would love to drill down a little bit on Fitflop, which you’ve worked at as well.

The main ways to combat fraud

So what are the main ways that you and your company, let’s say, combat fraud from your angle? And what does fraud prevention look like for you on a day to day basis? 

ADAM SHERLOCK: So the main way of combating fraud is we use a third party tool. Um, so he’s a third party tool that we have a rule-based system. We write all our own rules in house. 

THOMAS TARANIUK: Fantastic. 

ADAM SHERLOCK: We will then analyze trends of what’s happened. We will look at the chargebacks, what has caused these chargebacks, how they got through our systems, and then we’ll create rules to plug those gaps. 

Yeah, we will also get feedback from different teams like customer service who are seeing issues and they will raise it to us and then we’ll look at our processes and patch where we need to.

Identity verification for online marketplaces

THOMAS TARANIUK: What are the current approaches to verify users for these online marketplaces and how do you think fraudsters actually bypass these systems? 

ADAM SHERLOCK: The KYC is the basic check that they do on the seller side where they will ask for identification documents. But again, that’s a very laborious manual process. So a lot of the decision making is automated.

If you know the process, it’s actually quite easy to tick all the boxes on an automatic process and get through the system. Again, if you’re supplying copies of identification cards and passports, all this stuff is quite easy to, to get fakes of, to get through these checks. So, the KYC checks, while they are good as a deterrent, that they’re not foolproof, calling, telephoning sometimes can be an indicator.

We’ve done that in the past with previous company that I’ve worked with where we’ve telephoned and tried to verify, but our success rates at connecting with people wasn’t very high. Now that’s not an indicator of fraud on its own. People are busy, they don’t answer their phones. All these sort of behaviors go on.

Language barriers, especially in Europe here is another challenge that we face. Best way of doing it, I think it’s a combination of you do your basic KYC checks, anything that is suspicious, sideline it, get an experienced investigator to look at it, pick up the telephone. 

THOMAS TARANIUK: Definitely, I like to call it multi-layered as well protection because it’s not just at KYC. You can do the biometrics, you can do the IDV, voice recognition and other angles as well. But that’s at the point of entry, I think for a lot of these marketplaces also understanding the behavioral, let’s say, patterns of different users and maybe not so much on the transaction side that we’re looking at banking, but in other other instances.

Friendly fraud aka chargeback fraud

So what I’d like to touch on now, Adam, is that friendly fraud, otherwise known as chargeback fraud. It seems to be the most common type as we’ve discussed in the e-commerce sector. So could you explain to us again what chargeback fraud is and how prevalent it is for certain platforms?

ADAM SHERLOCK: So chargeback fraud is where a cardholder will go to the bank and dispute a transaction stating that it’s unknown.

Well, they can fall into two categories:

1. So you either have fraudulent chargebacks, which is, I’m the cardholder, I did not make this transaction.
2. Or you have a service chargeback, which is, I made the transaction, but I’m not happy with the outcome. Maybe the product didn’t arrive. Maybe it wasn’t happy with the delivery. Maybe you charged me twice.

Suggested read: 4 Ways to Protect Your Business from Chargeback Claims

Yeah, with card chargebacks, it has become a lot harder, as we were saying before, in Europe with 3d secure. It’s far more difficult now for customers to say, I did not authorize that transaction when there’s been push notifications come through. Push notifications aren’t infallible though.

We have seen certain situations where unauthorized transactions have been authorized, whether that’s simply bombarding the legitimate. Account holder with lots of requests and they get sick and they end up clicking on just, okay, yes, I’ve authorized this. Or if there’s some social engineering that’s going on in the back end that we’re not aware of that they’re manipulating the legitimate cardholder to accept the transaction.

Yeah. But that’s a lot of work for a fraudster to go through. So we do see that, but it’s not very often. And usually it’s on high ticket orders.

Promo abuse in e-commerce and ways to combat it

THOMAS TARANIUK: Another fraud type that we see on e-commerce platforms is promo abuse, where fraudsters take advantage of online promotional offers. This is often overlooked as an issue and can actually cause a great deal of financial loss for a company. In fact, PayPal claimed to have shut down over 4.5 million accounts recently, which they said were run by criminals who were taking advantage of their reward scheme.

What are the ways that an e-commerce platform can protect itself from promo abuse? 

ADAM SHERLOCK: Definitely have a tight control over how promo codes are generated. I’ve seen a lot of opportunities within companies where anybody with access to tools within the company can generate promotional codes and there is no oversight on that.

Who’s generating them, what they’ve been used on or redeemed on, just simply ends up being put into a basket of promotions used. So you do need to keep tight controls over who can generate promo codes, because there is always that insider threat that you’ve got to be aware of. You’ve also got to link up accounts that are using high value, promotions and ideally your fraud tool will have some sort of functionality in there that will allow you to then see these accounts that are using promotions and use a related customer section to map out how these accounts are related and what levels of promotions are using.

Refer a friend is a very open field for abuse. That is one that many companies seek additional customers at pretty much any cost, which is quite detrimental because it’s an easy avenue for forces to then generate large amounts of discounts for themselves, especially if they are reselling the goods.

Suggested read: Promo Abuse Fraud—How to Avoid It

Yeah, there was an interesting one that we saw where a person simply take advantage of our systems. They put a discount code in, continued to the next stage of the checkout, took the URL, put it into a different browser, which would then not read that the discounts would have been applied and they would add another code.

And they would do this through several different browsers and eventually get the cost of the order down to almost zero. So we saw that at one stage, and that was quite an easy technical fix that we could remedy. 

Money laundering in e-commerce

THOMAS TARANIUK: What I’d love to touch on now is another major issue on the topic of fraud in the e-commerce sector and that’s used by criminals to, let’s say, launder money.

So it’s clearly important to verify not only the customers but the vendors, of course, as well. So how else can bad faith actors use e-commerce platforms to launder their money? 

ADAM SHERLOCK: So the ways that would come to mind immediately would be prepaid cards. They can then buy. Prepaid cards, especially if they’ve set up a seller account themselves and they’re buying off themselves, they can then launder the money that way.

No goods are actually being shipped, but for the platform, it looks like a legitimate transaction is being done, especially if the seller account is small enough, they’re not coming in and trying to say, I’ve got 10, 000 iPads to sell. That’s going to raise questions at eBay’s level. But if they come in and say, and I’ve got a couple of secondhand phones or items that are high value.

But not high risk. For example, a kitchen unit, it could be 5,000 there for a kitchen unit. And they can do transactions that way to, to launder money. We did see a lot of electronic gift cards being used often as payments. 

THOMAS TARANIUK: So the sort of PlayStation, Xbox, those sort of ones. So are we talking about electronic gift cards as the ones that you get on a rack at one of the like 

ADAM SHERLOCK: You can get those as well, because again, you’ll be paying for cash for those.

Yeah. But when I was working at Amazon, we would see a lot of gift certificates that would be 27 pounds and 18 pence. So it’s a really unusual number. Normally, when you buy a gift card, you have a round number, 20 pounds, 30 pounds, and these unusual amounts were actually being used to pay for services to people that were then trying to avoid paying tax.

Basically, we saw a lot of activity that now would be called only fans activity. There’s a lot of gift card transactions that were paid that way. And usually when we do see these. Odd amount gift certificates. They’re not a legitimate purchase. They are being done for some nefarious reason.

There can be companies that will have collections for somebody leaving the company and the gift certificate will be the funds that they’ve gained on that. Learned that the hard way by cancelling an order and then having a very angry customer ring up saying, we’re about to do the leaving presentation.

We were going to give them a certificate as they’re leaving pay, where is it?

Preventing money laundering in e-commerce

THOMAS TARANIUK: Money laundering as well is notoriously difficult to protect a company against, I think, in this sector. So what can be done to try and prevent it in the future from happening? 

ADAM SHERLOCK: Depending on the items you’re selling, for example, we saw previous cases of people buying gold and silver bullion, and they were then trying to use that to move to different jurisdictions because it’s easier to transport precious metals like that rather than bags full of cash.

THOMAS TARANIUK: Yeah, wads of cash wouldn’t work. Wolf of Wall Street, that sort of thing. 

ADAM SHERLOCK: Yeah, but it’s easier to carry, you know, a few bars of gold or something along those lines in your bag going on a plane somewhere and then launder it in a different country. So you, depending on the products that you’re selling, you need to be aware of monitoring these carefully.

If there’s any unusual purchases or purchase patterns, they’ve got to be investigated. And the merchant really has a responsibility to cancel these transactions. They see them and they believe it’s suspicious. Not to assume that it’s just an easy sale for us, they, they need to sit back and actually have a look at the wider picture and say, something’s not right here.

THOMAS TARANIUK: So behavioral pattern recognition on the back end is important in terms of understanding exactly consumer behavior, not one time purchases, but they’ll keep for an easy source. I can imagine in e-commerce, they’ll, they’ll pick a merchant and they’ll say, okay, we’ve managed to funnel or launder or wash money through them quite a few times.

Why can’t we just keep doing it? Right? Criminals return to their source, their oasis. So I’ve just talked about the behavioral side here, but you can also do behavioral transaction monitoring.

Signs of transaction fraud

So transaction fraud is another area of concern for online marketplace companies. What are the most common signs of transaction fraud that companies should be aware of?

ADAM SHERLOCK: The first and foremost is brand new email addresses. If you have a service that allows you to see the age of an email address and you’re seeing a high value transaction come in or a suspicious transaction, That’s got a brand new email address. That’s immediately a big red flag, especially if it’s a Gmail or Hotmail or something along those lines that you can, an email address you can create straight away, disposable or temporary email domains, big red flag.

You actually get off just the. Block all those straight away. We put in a rule and we’ve got two and a half thousand email domains. 

THOMAS TARANIUK: So no, no, proton mails. Nothing like that. 

ADAM SHERLOCK: There are legitimate customers that will try to use those. And we just have to tell them, sorry, you need to try a different email address because we will not accept a transaction from those.

If there is community data from your fraud tool. And when I mean community data, it’ll be other merchants. Sometimes we’ll feed into the fraud tool. Information, for example, they put an email address into the negative list that can sometimes be shared with other merchants anonymized. Of course, you don’t know what merchants put information in there, but you will see an indicator saying another merchant is considered this fraudulent.

So it is really important to take not a hundred percent. As Bible, don’t, don’t take it as a hundred percent truth, but it is important to heed those and then build that into your model and say, this is a higher risk email address. Distance from the IP address to the billing address, distance between the billing and shipping addresses, phone numbers. High value items, multiplicity of items. Then related customers obviously is a big part. 

Importance of transaction monitoring

THOMAS TARANIUK: On the transaction monitoring side as well, it’s become more and more necessary to help companies stay protected from fraud, right?

Because in our last episode we discussed that transaction monitoring is an absolute must for the fintech industry. Is it the same for the e-commerce industry? 

ADAM SHERLOCK: Most definitely. Too many companies look at a fraud department as a loss department. Whereas we should be viewed as a revenue protecting department.

Uh, objective there is obviously to pass as many legitimate orders through as possible while keeping up the bad guys. That is definitely a challenge sometimes, especially with some customers behaviors and those customers that have a tendency to want to really protect their privacy. But I’ve seen before too quickly what happens when a company is not monitoring for fraud, that the fraudsters will chat in these forums and boast about their achievements and you will then start being targeted by multiple businesses.

And of course you run the risk then of having high chargeback rates, which means your merchant IDs could be either find restricted or actually terminated, which pretty much be the end of your online business. If that was the case, once you’re on to one of the card monitoring schemes for having high levels of chargebacks, there is excessive penalties that come with that.

And plus, you have to take lots of mitigating steps to rectify the situation. You’ve got to become quite draconian to bring your chargeback rate down, which will then kill your conversion rate as well, because all those customers that were on the cusp of maybe it’s legitimate, maybe it’s not, you will just block all those because you’re trying to drive down your fraud.

Technology to prevent transaction fraud

THOMAS TARANIUK: Completely. I like you touching on the point that it is protecting revenue at the end of the day. And it’s also protecting business practice and continuation of the business as well. So from the standpoint of anyone else in the audience who now is as part of the fraud team at an e-commerce company or otherwise a marketplace, how can they best utilize, let’s say, technology to prevent transaction fraud?

ADAM SHERLOCK: If the fraud tool does not provide it already, there are several companies out there that will provide information on customers that can help you verify the legitimacy of these customers. Google is always a great one as well. Googling your customer. It used to be quite easy to find people’s social media profiles pre Cambridge Analytica.

Once they were discovered of what the behavior was, and it became common knowledge that your social media posts, your friends lists, and your photos are quite accessible. There was a change in the social media companies and those accounts got locked down, which makes it a little bit more difficult for fraud prevention specialists to verify these customers, because that’s what you’re trying to do at the end of the day.

You’re trying to prove does that customer actually exist? And do they live? Where they say they’re living and by being able to identify those points quickly and cleanly and say, yes, this customer does live here. I have a high percentage likelihood that this is a legitimate customer. We’ll let the transaction go through.

Whereas somebody that you can’t find anything on, there’s no information in phone books or there’s no social media posts. You don’t find a LinkedIn profile, all this sort of behavior starts leading you as an Analysts, the question, does this person even exist? Is this a legitimate transaction now? 

Machine learning and artificial intelligence in e-commerce

THOMAS TARANIUK: It’s a given now because we will never be without a reasonable doubt that we can actually find someone, right?

But AI is now a huge topic. I touched on it in my last episode and the episode before that as well. And it crops up all the time when we’re talking about fraud in any industry, including e-commerce as well. So, how do the advancements of artificial intelligence, machine learning, AI contribute to the effectiveness of fraud prevention measures and the e-commerce industry and for these big players?

ADAM SHERLOCK: As an individual, you can’t analyze huge sets of data 24 seven.

Having the AI machine do that for you and either generate rules or produce rule recommendations as invaluable. The same as me having a hundred analysts working full time when we’ve got one machine that can do it for us without human error, of course, without human error, exactly without human bias and all these sort of attributes that go into it.

Suggested read: Machine Learning and Artificial Intelligence in Fraud Detection and Anti-Money Laundering Compliance

The advantage of the machine learning that we’re finding is that while we pick up the major behaviors, machine learning is very good at picking up these little nuanced cases that we would probably overlook as, as humans looking at a large set of data and they will flag this up as, as an anomaly and allow you then to take action to prevent that gap.

Machine learning also provides great scores of risk assessments. We were able to use it quite successfully in my current company where we’ve then put on rules that will. Automatically reject orders that go over a certain risk threshold, purely because it’s, it’s just too risky for us.

3 top tips for marketplace security

THOMAS TARANIUK: So my last question for you today, Adam, what are your three top tips for e-commerce platforms and online marketplace companies who want to protect themselves from fraud? 

ADAM SHERLOCK:

1. First and foremost is 99 percent of your customers are legitimate. Don’t put too much friction in place for them just because you’re trying to stop that 1%. It’s quite easy as a fraud professional to put in draconian rules that end up actually killing your conversion. You’ll eliminate all your fraud, but you eliminate most of your legitimate customers as well. So it’s very easy to become overbearing on your, on your fraud rule. So you just always keep in the back of your mind that 99 percent of your customers are legitimate. And you want them to have a frictionalist process to go through your payment, check out, get the goods just as they ordered, because that builds, you know, brand trust and that’s once you lose that trust, that’s, it’s almost impossible to get back.
2. The second thing is the positioning of your fraud tool. A lot of historic companies have the fraud tool sitting after the payments, but fraud tool should really be sitting pre authorization. So all transactions should be screened and then it goes through to the payment processing side of it. A lot of historic companies have it the other way around. So they take the payment first. The fraud screening doesn’t like it. Then you’ve got to refund the payments. It’s, it’s a messy process and you’re capturing the whole ecosystem of all the behavior that’s making attempts on your website.
3. The last one is, as a fraud professional, you’ve got to regularly analyze all your data. If you’ve got graphs that are generated through your fraud tool, regularly check them, see what’s going on, keep your finger on the pulse of the transactions that are coming in so you can understand what is happening. Because there might be situations there that either your fraud tool or your analysts or yourself haven’t picked up. And by regularly monitoring that traffic that’s coming in, you can capture situations a lot faster rather than just waiting for the chargebacks to come in, which is usually 30 days later.

THOMAS TARANIUK: And iterate, which is super important in terms of what new rules you should put in place. 

ADAM SHERLOCK: Exactly. 

THOMAS TARANIUK: Adam, thank you for joining us on “What The Fraud?”. It’s been great having you. 

ADAM SHERLOCK: Thank you very much for having me.

THOMAS TARANIUK: Thank you for joining us again on another episode of “What The Fraud?”. In the next episode, we’ll be investigating fraud in the crypto industry. With the recent explosion of cryptocurrencies into the mainstream, investment scams in crypto have risen exponentially. Time and time again, on the news and social media, we’ve seen stories of celebrities, either knowingly or sometimes unknowingly, promoting crypto investment schemes that turn out to be slick criminal enterprises.

We will examine how and why these types of fraud take place. What are the signs to look out for and how we can try and stop them? What an episode this has been. I’ve learned so much and I think it will be incredibly valuable for companies and customers when protecting themselves against fraudsters and criminals.

And as always please like, comment, follow and subscribe wherever you’re listening to us now. Any feedback you give us is incredibly helpful and also makes it easier for other people to find us. And if you want to hear more about what we do at Sumsub and how your business can benefit from our verification services, definitely check out our website at sumsub.com and subscribe to our socials.