Dive into the World of Fraud with the "What The Fraud?" Podcast! 🚀 In this episode, we discuss the different ways that fraud is perpetrated in the e-commerce industry, how synthetic learning technology can be used to help fight against fraud, and also share top three tips to help companies better protect themselves.
THOMAS TARANIUK: This is “What The Fraud?”, a podcast by Sumsub, where digital fraudsters meet their match. I’m Thomas Taraniuk, Head of Partnerships at Sumsub, the global verification platform, helping to verify users, businesses and transactions.
Here’s a terrifying statistic to kick off today’s episode. Between now and 2027, it’s expected that cumulative losses due to online payment fraud will exceed 343 billion US dollars globally. E-commerce has rapidly expanded since the COVID pandemic in 2020, and with this expansion has come a massive increase in fraudulent activity in the sector.
Identity theft, chargeback fraud, card testing and promo abuse are all common ways that fraudsters extract as much money as possible from online retailers and customers. Although companies are putting in measures to stop this from taking place, the question we’re asking today is ‘is it enough?’
Our guest is Adam Sherlock. Adam is the Fraud and Payments Manager at international footwear brand Fitflop and has previously worked at Leisure Pass Group and Amazon. He is highly experienced in developing internal processes and building effective teams to combat fraud in commercial business. Adam, thank you for joining us on “What The Fraud?”.
ADAM SHERLOCK: Thank you for having me.
THOMAS TARANIUK: There are so many unbelievable statistics I could use to illustrate the scale of the problem in e-commerce fraud. Here’s one that I used at the end of the last episode, that the industry loss in 2022 was estimated at 41 billion US dollars, and this amount grew to 48 billion US dollars by the end of 2020. What are the primary types of fraud affecting the e-commerce industry and how do they impact merchants and consumers?
ADAM SHERLOCK: So there’s three predominant forms of fraud that we see on e-commerce. They are account takeover, ATO, there is card fraud, and there is concessions fraud or refund fraud.
Suggested read: Fraud and Money Laundering in E-commerce: How Proper Identity Verification Can Prevent It (Guide 2024)
Suggested read: New Account Fraud—How to Protect Your Business
THOMAS TARANIUK: That makes sense. And that’s not a push to the audience to go look up this guide as well and commit fraud on their side. But it sounds, from the perspective of the second type that you mentioned there, the consumer doesn’t lose out as much as the business itself loses out.
And if we’re speaking about eBay and these concession frauds, they’ll have it in place where it’s part of their loss in terms of their book, in terms of making these refunds to keep the customer happy and keeping these fraudsters out and actually creating these accounts on Amazon, on eBay. It must be a top priority, right?
ADAM SHERLOCK: It is very hard to detect, though. How do you detect between a fraudster that’s setting up a fraudulent account and a new customer that simply has an unwanted Christmas present that they want to sell? There is KYC screening and checks that you can do. But again, these are not infallible processes. They can be circumvented quite easily.
In a global context, North America has, from what we’ve seen as well, the highest fraudulent transaction value globally, counting for over 42 percent of e-commerce fraud worldwide. But on the other side of the Atlantic, we’ve got Europe, where statistics suggest that Germany and France are the countries that are impacted the most by this type of fraud as well.
THOMAS TARANIUK: So from your experience, Adam, do the above statistics ring true for you?
ADAM SHERLOCK: Definitely. Interestingly, after the introduction of 3D Secure in the UK, we saw fraud rates. We did see that migration of trends to the US, where it is far easier to get transactions through for the fraudsters. The number of credit cards that are circulating in the US is huge, and the geographical area size is just, it makes it very easy for the fraudsters to hide there.
THOMAS TARANIUK: If we talk about contributing factors for each one of these regions as well, why do you think fraud is more likely to happen in one place compared to another?
ADAM SHERLOCK: Well, the anonymity of the internet is the greatest advantage to the fraudster.
They will then tie that in with living in a high density urban area. And the reason for that is they can hide their activities far easier. If you’re living in a rural location where there is only one courier that comes there and you’re getting a hundred packages a day delivered to that address, the courier is going to remember you and understand, you know, something’s not right here.
Whereas into a high rise apartment building, there’ll be multiple couriers coming day after day, and it’s easier to hide their behavior. Plus they will have access to buyers. Most of these fraudsters don’t want the goods when they do e-commerce fraud, they want cash. And so they want to convert that product into cash.
And by living in an urban area, there will be buyers. They can go down the local pub and, Hey, I’ve got this. Anybody want to buy that? And there’ll be buyers for that sort of. Yeah.
THOMAS TARANIUK: And it’s not like, um, high ticket items. We’re not talking about watches or anything else. We’re talking about things which you could just sort of pass off in terms of every day, a secondhand iPhone, a couple of hundred dollars, pounds, whatever.
I remember the days when Deliveroo and Uber didn’t have the code, and because of that, obviously, previously, people would just be taking the order, and they wouldn’t be taking pictures of the courier, and they’d just say, my order never arrived. These high rises, right? Surely amountable losses that these companies have faced.
They’ve had to put checks and balances in place to make sure that the couriers are delivering the food, but the people which are generally sort of good people just ordering food aren’t taking advantage of the system. I would love to drill down a little bit on Fitflop, which you’ve worked at as well.
So what are the main ways that you and your company, let’s say, combat fraud from your angle? And what does fraud prevention look like for you on a day to day basis?
ADAM SHERLOCK: So the main way of combating fraud is we use a third party tool. Um, so he’s a third party tool that we have a rule-based system. We write all our own rules in house.
THOMAS TARANIUK: Fantastic.
ADAM SHERLOCK: We will then analyze trends of what’s happened. We will look at the chargebacks, what has caused these chargebacks, how they got through our systems, and then we’ll create rules to plug those gaps.
Yeah, we will also get feedback from different teams like customer service who are seeing issues and they will raise it to us and then we’ll look at our processes and patch where we need to.
THOMAS TARANIUK: What are the current approaches to verify users for these online marketplaces and how do you think fraudsters actually bypass these systems?
ADAM SHERLOCK: The KYC is the basic check that they do on the seller side where they will ask for identification documents. But again, that’s a very laborious manual process. So a lot of the decision making is automated.
If you know the process, it’s actually quite easy to tick all the boxes on an automatic process and get through the system. Again, if you’re supplying copies of identification cards and passports, all this stuff is quite easy to, to get fakes of, to get through these checks. So, the KYC checks, while they are good as a deterrent, that they’re not foolproof, calling, telephoning sometimes can be an indicator.
We’ve done that in the past with previous company that I’ve worked with where we’ve telephoned and tried to verify, but our success rates at connecting with people wasn’t very high. Now that’s not an indicator of fraud on its own. People are busy, they don’t answer their phones. All these sort of behaviors go on.
Language barriers, especially in Europe here is another challenge that we face. Best way of doing it, I think it’s a combination of you do your basic KYC checks, anything that is suspicious, sideline it, get an experienced investigator to look at it, pick up the telephone.
THOMAS TARANIUK: Definitely, I like to call it multi-layered as well protection because it’s not just at KYC. You can do the biometrics, you can do the IDV, voice recognition and other angles as well. But that’s at the point of entry, I think for a lot of these marketplaces also understanding the behavioral, let’s say, patterns of different users and maybe not so much on the transaction side that we’re looking at banking, but in other other instances.
So what I’d like to touch on now, Adam, is that friendly fraud, otherwise known as chargeback fraud. It seems to be the most common type as we’ve discussed in the e-commerce sector. So could you explain to us again what chargeback fraud is and how prevalent it is for certain platforms?
ADAM SHERLOCK: So chargeback fraud is where a cardholder will go to the bank and dispute a transaction stating that it’s unknown.
Well, they can fall into two categories:
Suggested read: 4 Ways to Protect Your Business from Chargeback Claims
Yeah, with card chargebacks, it has become a lot harder, as we were saying before, in Europe with 3d secure. It’s far more difficult now for customers to say, I did not authorize that transaction when there’s been push notifications come through. Push notifications aren’t infallible though.
We have seen certain situations where unauthorized transactions have been authorized, whether that’s simply bombarding the legitimate. Account holder with lots of requests and they get sick and they end up clicking on just, okay, yes, I’ve authorized this. Or if there’s some social engineering that’s going on in the back end that we’re not aware of that they’re manipulating the legitimate cardholder to accept the transaction.
Yeah. But that’s a lot of work for a fraudster to go through. So we do see that, but it’s not very often. And usually it’s on high ticket orders.
THOMAS TARANIUK: Another fraud type that we see on e-commerce platforms is promo abuse, where fraudsters take advantage of online promotional offers. This is often overlooked as an issue and can actually cause a great deal of financial loss for a company. In fact, PayPal claimed to have shut down over 4.5 million accounts recently, which they said were run by criminals who were taking advantage of their reward scheme.
What are the ways that an e-commerce platform can protect itself from promo abuse?
ADAM SHERLOCK: Definitely have a tight control over how promo codes are generated. I’ve seen a lot of opportunities within companies where anybody with access to tools within the company can generate promotional codes and there is no oversight on that.
Who’s generating them, what they’ve been used on or redeemed on, just simply ends up being put into a basket of promotions used. So you do need to keep tight controls over who can generate promo codes, because there is always that insider threat that you’ve got to be aware of. You’ve also got to link up accounts that are using high value, promotions and ideally your fraud tool will have some sort of functionality in there that will allow you to then see these accounts that are using promotions and use a related customer section to map out how these accounts are related and what levels of promotions are using.
Refer a friend is a very open field for abuse. That is one that many companies seek additional customers at pretty much any cost, which is quite detrimental because it’s an easy avenue for forces to then generate large amounts of discounts for themselves, especially if they are reselling the goods.
Suggested read: Promo Abuse Fraud—How to Avoid It
Yeah, there was an interesting one that we saw where a person simply take advantage of our systems. They put a discount code in, continued to the next stage of the checkout, took the URL, put it into a different browser, which would then not read that the discounts would have been applied and they would add another code.
And they would do this through several different browsers and eventually get the cost of the order down to almost zero. So we saw that at one stage, and that was quite an easy technical fix that we could remedy.
THOMAS TARANIUK: What I’d love to touch on now is another major issue on the topic of fraud in the e-commerce sector and that’s used by criminals to, let’s say, launder money.
So it’s clearly important to verify not only the customers but the vendors, of course, as well. So how else can bad faith actors use e-commerce platforms to launder their money?
ADAM SHERLOCK: So the ways that would come to mind immediately would be prepaid cards. They can then buy. Prepaid cards, especially if they’ve set up a seller account themselves and they’re buying off themselves, they can then launder the money that way.
No goods are actually being shipped, but for the platform, it looks like a legitimate transaction is being done, especially if the seller account is small enough, they’re not coming in and trying to say, I’ve got 10, 000 iPads to sell. That’s going to raise questions at eBay’s level. But if they come in and say, and I’ve got a couple of secondhand phones or items that are high value.
But not high risk. For example, a kitchen unit, it could be 5,000 there for a kitchen unit. And they can do transactions that way to, to launder money. We did see a lot of electronic gift cards being used often as payments.
THOMAS TARANIUK: So the sort of PlayStation, Xbox, those sort of ones. So are we talking about electronic gift cards as the ones that you get on a rack at one of the like
ADAM SHERLOCK: You can get those as well, because again, you’ll be paying for cash for those.
Yeah. But when I was working at Amazon, we would see a lot of gift certificates that would be 27 pounds and 18 pence. So it’s a really unusual number. Normally, when you buy a gift card, you have a round number, 20 pounds, 30 pounds, and these unusual amounts were actually being used to pay for services to people that were then trying to avoid paying tax.
Basically, we saw a lot of activity that now would be called only fans activity. There’s a lot of gift card transactions that were paid that way. And usually when we do see these. Odd amount gift certificates. They’re not a legitimate purchase. They are being done for some nefarious reason.
There can be companies that will have collections for somebody leaving the company and the gift certificate will be the funds that they’ve gained on that. Learned that the hard way by cancelling an order and then having a very angry customer ring up saying, we’re about to do the leaving presentation.
We were going to give them a certificate as they’re leaving pay, where is it?
THOMAS TARANIUK: Money laundering as well is notoriously difficult to protect a company against, I think, in this sector. So what can be done to try and prevent it in the future from happening?
ADAM SHERLOCK: Depending on the items you’re selling, for example, we saw previous cases of people buying gold and silver bullion, and they were then trying to use that to move to different jurisdictions because it’s easier to transport precious metals like that rather than bags full of cash.
THOMAS TARANIUK: Yeah, wads of cash wouldn’t work. Wolf of Wall Street, that sort of thing.
ADAM SHERLOCK: Yeah, but it’s easier to carry, you know, a few bars of gold or something along those lines in your bag going on a plane somewhere and then launder it in a different country. So you, depending on the products that you’re selling, you need to be aware of monitoring these carefully.
If there’s any unusual purchases or purchase patterns, they’ve got to be investigated. And the merchant really has a responsibility to cancel these transactions. They see them and they believe it’s suspicious. Not to assume that it’s just an easy sale for us, they, they need to sit back and actually have a look at the wider picture and say, something’s not right here.
THOMAS TARANIUK: So behavioral pattern recognition on the back end is important in terms of understanding exactly consumer behavior, not one time purchases, but they’ll keep for an easy source. I can imagine in e-commerce, they’ll, they’ll pick a merchant and they’ll say, okay, we’ve managed to funnel or launder or wash money through them quite a few times.
Why can’t we just keep doing it? Right? Criminals return to their source, their oasis. So I’ve just talked about the behavioral side here, but you can also do behavioral transaction monitoring.
So transaction fraud is another area of concern for online marketplace companies. What are the most common signs of transaction fraud that companies should be aware of?
ADAM SHERLOCK: The first and foremost is brand new email addresses. If you have a service that allows you to see the age of an email address and you’re seeing a high value transaction come in or a suspicious transaction, That’s got a brand new email address. That’s immediately a big red flag, especially if it’s a Gmail or Hotmail or something along those lines that you can, an email address you can create straight away, disposable or temporary email domains, big red flag.
You actually get off just the. Block all those straight away. We put in a rule and we’ve got two and a half thousand email domains.
THOMAS TARANIUK: So no, no, proton mails. Nothing like that.
ADAM SHERLOCK: There are legitimate customers that will try to use those. And we just have to tell them, sorry, you need to try a different email address because we will not accept a transaction from those.
If there is community data from your fraud tool. And when I mean community data, it’ll be other merchants. Sometimes we’ll feed into the fraud tool. Information, for example, they put an email address into the negative list that can sometimes be shared with other merchants anonymized. Of course, you don’t know what merchants put information in there, but you will see an indicator saying another merchant is considered this fraudulent.
So it is really important to take not a hundred percent. As Bible, don’t, don’t take it as a hundred percent truth, but it is important to heed those and then build that into your model and say, this is a higher risk email address. Distance from the IP address to the billing address, distance between the billing and shipping addresses, phone numbers. High value items, multiplicity of items. Then related customers obviously is a big part.
THOMAS TARANIUK: On the transaction monitoring side as well, it’s become more and more necessary to help companies stay protected from fraud, right?
Because in our last episode we discussed that transaction monitoring is an absolute must for the fintech industry. Is it the same for the e-commerce industry?
ADAM SHERLOCK: Most definitely. Too many companies look at a fraud department as a loss department. Whereas we should be viewed as a revenue protecting department.
Uh, objective there is obviously to pass as many legitimate orders through as possible while keeping up the bad guys. That is definitely a challenge sometimes, especially with some customers behaviors and those customers that have a tendency to want to really protect their privacy. But I’ve seen before too quickly what happens when a company is not monitoring for fraud, that the fraudsters will chat in these forums and boast about their achievements and you will then start being targeted by multiple businesses.
And of course you run the risk then of having high chargeback rates, which means your merchant IDs could be either find restricted or actually terminated, which pretty much be the end of your online business. If that was the case, once you’re on to one of the card monitoring schemes for having high levels of chargebacks, there is excessive penalties that come with that.
And plus, you have to take lots of mitigating steps to rectify the situation. You’ve got to become quite draconian to bring your chargeback rate down, which will then kill your conversion rate as well, because all those customers that were on the cusp of maybe it’s legitimate, maybe it’s not, you will just block all those because you’re trying to drive down your fraud.
THOMAS TARANIUK: Completely. I like you touching on the point that it is protecting revenue at the end of the day. And it’s also protecting business practice and continuation of the business as well. So from the standpoint of anyone else in the audience who now is as part of the fraud team at an e-commerce company or otherwise a marketplace, how can they best utilize, let’s say, technology to prevent transaction fraud?
ADAM SHERLOCK: If the fraud tool does not provide it already, there are several companies out there that will provide information on customers that can help you verify the legitimacy of these customers. Google is always a great one as well. Googling your customer. It used to be quite easy to find people’s social media profiles pre Cambridge Analytica.
Once they were discovered of what the behavior was, and it became common knowledge that your social media posts, your friends lists, and your photos are quite accessible. There was a change in the social media companies and those accounts got locked down, which makes it a little bit more difficult for fraud prevention specialists to verify these customers, because that’s what you’re trying to do at the end of the day.
You’re trying to prove does that customer actually exist? And do they live? Where they say they’re living and by being able to identify those points quickly and cleanly and say, yes, this customer does live here. I have a high percentage likelihood that this is a legitimate customer. We’ll let the transaction go through.
Whereas somebody that you can’t find anything on, there’s no information in phone books or there’s no social media posts. You don’t find a LinkedIn profile, all this sort of behavior starts leading you as an Analysts, the question, does this person even exist? Is this a legitimate transaction now?
THOMAS TARANIUK: It’s a given now because we will never be without a reasonable doubt that we can actually find someone, right?
But AI is now a huge topic. I touched on it in my last episode and the episode before that as well. And it crops up all the time when we’re talking about fraud in any industry, including e-commerce as well. So, how do the advancements of artificial intelligence, machine learning, AI contribute to the effectiveness of fraud prevention measures and the e-commerce industry and for these big players?
ADAM SHERLOCK: As an individual, you can’t analyze huge sets of data 24 seven.
Having the AI machine do that for you and either generate rules or produce rule recommendations as invaluable. The same as me having a hundred analysts working full time when we’ve got one machine that can do it for us without human error, of course, without human error, exactly without human bias and all these sort of attributes that go into it.
Suggested read: Machine Learning and Artificial Intelligence in Fraud Detection and Anti-Money Laundering Compliance
The advantage of the machine learning that we’re finding is that while we pick up the major behaviors, machine learning is very good at picking up these little nuanced cases that we would probably overlook as, as humans looking at a large set of data and they will flag this up as, as an anomaly and allow you then to take action to prevent that gap.
Machine learning also provides great scores of risk assessments. We were able to use it quite successfully in my current company where we’ve then put on rules that will. Automatically reject orders that go over a certain risk threshold, purely because it’s, it’s just too risky for us.
THOMAS TARANIUK: So my last question for you today, Adam, what are your three top tips for e-commerce platforms and online marketplace companies who want to protect themselves from fraud?
ADAM SHERLOCK:
THOMAS TARANIUK: And iterate, which is super important in terms of what new rules you should put in place.
ADAM SHERLOCK: Exactly.
THOMAS TARANIUK: Adam, thank you for joining us on “What The Fraud?”. It’s been great having you.
ADAM SHERLOCK: Thank you very much for having me.
THOMAS TARANIUK: Thank you for joining us again on another episode of “What The Fraud?”. In the next episode, we’ll be investigating fraud in the crypto industry. With the recent explosion of cryptocurrencies into the mainstream, investment scams in crypto have risen exponentially. Time and time again, on the news and social media, we’ve seen stories of celebrities, either knowingly or sometimes unknowingly, promoting crypto investment schemes that turn out to be slick criminal enterprises.
We will examine how and why these types of fraud take place. What are the signs to look out for and how we can try and stop them? What an episode this has been. I’ve learned so much and I think it will be incredibly valuable for companies and customers when protecting themselves against fraudsters and criminals.
And as always please like, comment, follow and subscribe wherever you’re listening to us now. Any feedback you give us is incredibly helpful and also makes it easier for other people to find us. And if you want to hear more about what we do at Sumsub and how your business can benefit from our verification services, definitely check out our website at sumsub.com and subscribe to our socials.
