Fighting Fraud Amid a Pandemic? Follow the Money

In what feels like society’s longest five-month stretch in a generation, it has become cliché to comment that the global pandemic has impacted nearly every part of our lives. In economic terms, the downstream effects are starting to come into focus and we’re seeing wholesale changes in consumer behavior occurring at an unimaginable rate and depth. While shelter-in-place mandates slowly have begun lifting in much of the U.S., consumers are still flocking to digital commerce to avoid unnecessary physical trips to the grocery store or their favorite burger joint.

And of course, when consumers change how and where they spend their money, fraudsters are never far behind, quickly identifying the trends, preparing tactics and readying the attack.

Case in point: Online learning platforms are seeing exponential increases in enrollments as homebound workers, the newly un/underemployed and others look to up-level their skills. And almost on cue, fraudsters are now setting their sights on those very businesses, hoping to take advantage of the newly booming industry.

These changes in consumer behavior are creating a new set of challenges for Risk, Fraud and Trust and Safety teams—and the same fraud prevention playbooks they employed as late as January may suddenly need to be adjusted for this new normal. Below are some critical tips for beating back the fraud barrage—while not alienating legitimate customers—that fraud fighters can employ during the pandemic:

  • Prep for the Preppers: When consumers suddenly began panic buying massive amounts of household staples such as toilet paper and dried beans, the existing models, rule sets and workflows used by many businesses to identify suspicious buying behavior were thrown totally off-kilter. In the past, a rash of shoppers buying dozens of cartons of, say, oat milk, might indicate a fraud attack for a particular merchant. Now, it’s just business as usual. Regardless of what your business sells, make sure to adjust your thresholds, especially those based on quantities, for suddenly popular items so that you don’t mistakenly decline legitimate purchases. Keeping the context of local, national and global events in focus has always been a facet of preventing fraud. Now it needs to be a top priority.
  • Mind the (order fulfillment) Gap: While the pandemic has crippled whole swaths of businesses, many, from big-box retailers to Michelin-star restaurants, are trying to maintain their brick-and-mortar locations with an online twist. So-called BOPIS (buy online, pick-up in-store) options have become necessities for many companies that simply don’t have the logistical capabilities or capital to deliver their goods to their customers’ doors. Fraudsters know that many businesses are new to BOPIS fulfillment and will actively exploit that fact. Be on the lookout for account takeover (ATO) attacks specifically targeting merchants offering BOPIS, in which scammers start using stolen payment and account info to place orders. The ruse is easily executed once the fraudster changes a legitimate shopper’s account information to their own or once they place the order with the shopper’s real information and then insert their own name as the pick-up person, allowing them to pass surface-level inspection. For fraud fighters, that means ensuring you keep a close eye on wholesale changes to online accounts tied to in-store pickup—there’s a good chance someone’s up to no good.
  • Spread the Work: With many industries facing much higher fraud rates, Fraud, Risk and Trust and Safety teams may be overwhelmed with the sheer volume of suspicious transactions. Add in rapidly changing consumer behavior along with dispersed fraud teams working remotely and stopping payment scams becomes an anxious game of whack-a-mole. While automation and machine learning are hopefully technologies your business can leverage to sniff out fraud, you’re likely going to need to manually review some transactions, especially in some booming industries. Rather than assigning all manual review to a single analyst, businesses should strongly consider delegating the work, with the lion’s share going to more senior members of their teams. While the work can be tedious and not without its own costs, the reality is that sharply honed skills in the midst of an entirely new fraud landscape are critical. Otherwise, businesses could be looking at unprecedented fraud losses or a trove of wrongfully blocked purchases, both of which can cause serious reputational damage and revenue shortfalls.
  • Chuck the Hucksters: The internet has been awash in coronavirus scams, with cybercriminals deploying robocalls, phishing attacks and text messages promising people vaccines/cures or impersonating public agencies to secure personal details. These schemes can be easily replicated on e-commerce sites, community networks and marketplaces, and manifest as fake listings, comments on user posts with links to phishing sites or phony fundraisers. Content abuse on the internet isn’t new, but preying on specific fears related to the pandemic is an opportunity scammers can’t pass up. Similar to noting changes in payment fraud scams, fraud prevention pros should be on the lookout for an array of signals that suggest content abuse and then be ready to block the sources. Some key considerations include the age of the user’s account on your site, the “velocity” of postings from that user, the validity of any URLs posted and indications that the content has been posted multiple times on your site.
  • Communicate Inside and Out: Every department and person in your company is likely experiencing the dizzying ripple effects of COVID-19. Fraud, Risk and Trust and Safety teams should document and share the changes they make (including the ones suggested above) to the relevant teams to mitigate internal confusion or cause slowdowns. For example, including customer service teams on changes to your fraud-fighting strategies could be tremendously helpful for reps as they interact with customers asking why their order hasn’t been confirmed yet. Likewise, letting your company’s broader customer base know what you’re doing to keep them safe via your available communication mediums—even if it means the occasional delayed shipping time—can make a world of difference and lift a burden off of support teams.

Inevitably, the ways in which cybercriminals will try to take advantage of the pandemic will continue to change. The scams we see today will likely morph into some other insidious tactics, in step with consumer behavior changes. And while this reality presents a unique set of challenges for fraud fighters, by ensuring you’re up to date on consumers’ spending and fraud patterns throughout the pandemic, you can stay one step ahead of fraud, protect your business and preserve trust between you and your customers.

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard
Jeff Sakasegawa

Jeff Sakasegawa

Jeff Sakasegawa is a Trust & Safety Architect at Sift.

jeff-sakasegawa has 1 posts and counting.See all posts by jeff-sakasegawa