Getting the seasonal shopping balance right: Blocking fraud without locking out customers
As Black Friday and South Africa’s peak holiday shopping season approach, e-commerce businesses must strike a careful balance between anti-fraud measures and customer experience. By introducing too many onerous measures to reduce the fraud risk, e-tailers risk slowing down processes, driving customers away and losing sales in peak shopping season.
This is according to Jason Lane-Sellers, Director, Fraud & Identity EMEA at LexisNexis Risk Solutions, who says fraud attempts spike dramatically during seasonal shopping events like Black Friday, Cyber Monday and summer holidays.
“What we see online is an average of one in 11 new accounts being opened is an attempted fraud,” he says. “In busy periods like the year-end holiday shopping season, attempts double or triple. Fraudsters are aware that during these periods, businesses want to accept as many customers as they can, and the criminals try to hide among the high volumes of transactions.”
The 2023 LexisNexis Risk Solutions Cybercrime Report for the EMEA region reported an 84% increase in human-initiated attack rates on e-commerce businesses and a 25% increase in e-commerce bot volumes. Bot attacks on gaming and gambling skyrocketed in EMEA in 2023, with bonus abuse the top fraud type.
“Organisations that are new to digital and still finding their feet in e-commerce are especially at risk,” Lane-Sellers says. “Criminals know these companies may be lax or not have all the necessary controls in place, and are likely to be desperate to bring on customers.”
Lane-Sellers says traditional approaches to reducing fraud risk can be counterproductive – ultimately driving away customers and impacting sales.
“Traditional methods, such as looking at types and values of transactions, could result in errors,” he says, noting that legitimate customers may change their shopping patterns in December – buying more goods, more expensive items and possibly sending purchases to new delivery addresses as gifts.
Basic rules vs CX
“Basic rules and analysis based on transaction values, or setting limits on the number of transactions, could raise false alarms. In addition, when you use basic measures and limits, fraudsters will learn what they are and surf beneath them. For example, if you set a R5 000 limit, fraudsters will avoid notice by buying up to a value of R4 999,” he says.
Lane-Sellers says: “Particularly risk-averse companies may simply say no to high-value risky transactions because they don’t have the resources to look at them manually.”
Other traditional approaches, such as sending one-time PINs and using multifactor authentication, are also counterproductive, slowing down the customer journey and negatively impacting customer experience, he says.
“Customer experience is the differentiator in business today, so you cannot just block all transactions you think might be fraudulent. You must balance fraud controls and customer experience, mitigating risk invisibly and in real-time, so customers enjoy a fast and simple shopping experience.”
Real-time, intelligent risk mitigation
Lane-Sellers says multiple layers of security and behavioural intelligence are key to getting the balance right. “As businesses and customers become more digital and mobile and embrace self-service, organisations need fraud detection and risk mitigation to be faster, more accurate and more effective, so customer recognition becomes more important. Just because a person knows the username and password, it doesn’t mean they are the legitimate user,” he says. “However, one-time PINs and multifactor authentication shouldn’t be necessary for every customer. Organisations need to use a digital identity profile to understand whether the customer is indeed the legitimate customer, based on factors like their IP address, device and type of transactions. If you are able to recognise the 99% of good customers, finding the 1% who aren’t is easy.”
Importantly, organisations should overlay authentication and validation with behavioural intelligence or behavioural biometrics, which understands how the customer usually types, swipes and navigates the site, he says. Changes in these behaviours could indicate that they are not the real customer, or that they are being forced or persuaded to make the transaction. Behavioural intelligence identifies signs like unusual hesitance, but it is invisible to customers. LexisNexis BehavioSec recognises legitimate users and flags non-human behaviour to detect bots, remote access Trojans and aggregators, analysing each session for environmental risk factors and behavioural anomalies.
Businesses also need to be able to tie together a 360-degree view of consumers across digital, physical and behavioural dimensions, leveraging the intelligence from a global repository of shared information. An organisation’s local intelligence, plus the global shared intelligence harnessed through LexisNexis Digital Identity Network, allows organisations to make more accurate risk decisions and enhance protection against fraud.