Matt Botti

December 11, 2017

Criminals know that the holidays are an opportune time for theft—people are traveling, properties are left unsecured. The classic movie “Home Alone” describes this scenario perfectly: two comedic and dimwitted burglars don’t miss an opportunity to attempt to burglarize a home, wreaking havoc on clever eight-year old Kevin McCallister who’s home alone and forced to defend his property with DIY booby traps such as piping hot doorknobs, flying irons, sticky tar steps, and more.

The holidays—with their exponential increase in online activity and online shopping—represent an opportune time for cyber fraudsters to create havoc for your organization. And unfortunately, this is true across industries, from retail to finance to insurance, but this doesn’t have to be the case. Let’s first look at holiday trends and challenges, and then we’ll look at some best practices and solutions to help you verify identity, prevent fraud, and mitigate risk.

Holiday Shopping Trends

This year, according to Adobe, Cyber Monday had the largest online sales day in history reaching $6.59 billion—a $1 billion-plus increase over 2016. Additionally, smartphone-driven revenue reached an all-time high at $1.59 billion. These trends are expected to continue. According to Adobe:

“For the rest of the season, 13 days are projected to exceed $2 billion in online sales bringing the total to 18 $2 billion days this holiday season, over double the number from last year.”

Is your organization ready for that—for those 13 days? Are you prepared to deal with that increase in the number of visitors, the number of potential sales, and the increased exposure to risk? With increased traffic, comes increased risk and vulnerability.

Holiday Fraud Trends

Unfortunately, holiday shopping—and holiday fraud—go hand-in-hand. Last year, for example, ACI Worldwide’s survey data (based on hundreds of millions of transactions from global merchants during the 2015 and 2016 holiday shopping season from Thanksgiving through December 31) uncovered this key finding:

  • While eCommerce transactions grew by 16%, fraud attempts grew by 31%

A clear one-to-one correlation: As transactions increase, so do fraud attempts.  Consequently, organizations need to be prepared for this challenge.

Peak Fraud Days and Beyond

It does not matter that Cyber Monday has already come and gone. This holiday season, organizations should be aware of “peak fraudulent days,” and prepare accordingly. According to ACI Worldwide’s data for last holiday season:

“Fraud attempt rates were highest on Christmas Eve (1.6 percent), Shipment Cutoff Day (1.5 percent) and Shipment Cutoff—Express (1.7 percent). The trends driving these peak fraudulent days include shipment cut-off and buy online pick-up in-store.”

Smart organizations, prepared organizations, expect and plan for this expected boost, or rise, in fraudulent activity. Even beyond the holiday season, you should be prepared to verify customer identity, mitigate risk, and prevent fraud all year long. Recent, large-scale data breaches (such as Equifax) now expose PII for hundreds of millions of people.  Consequently, criminals will take advantage of this opportunity to create false identities.

Combatting Synthetic Identities

At the heart of mitigating risk—and protecting your organization from fraud—is identity resolution. You need to be able to verify identity—that your customers are who they say they are.

As customers go about doing business with your organization, shopping and creating a digital presence, some people create true identities, while others create false or synthetic identities. Fraudsters then use these synthetic identities to acquire goods and services.  What can my organization do to address this type of consumer fraud?

Fraud Prevention Best Practices

Let’s get your organization better prepared for this reality: the fraudsters (burglars) will come knocking on your door. You can count on it—it’s a statistical reality. Here’s where I suggest you start.

I want you to think of yourself as a surfer—figuring out when and how to catch the next wave of fraudulent activity. Surfers, they watch the waves, study the waves, the sets, the patterns. Waves, and fraudsters, move in predictable ways. These patterns can be studied, identified, and harnessed by smart, trained organizations willing to put the right solutions in place.

1 | Identify Customer Entry and Exit Points

First, figure out the entry and exit points for your customers. Then decide when and how to “interrupt” their customer journey with your organization.

  • By entry point I mean: the new customer relationship, when the stranger (potential customer) is beginning to form a relationship with your organization.
  • By exit point I mean: the stranger’s identity has now been verified or established; a stranger becomes a friend (as opposed to a fraudster or foe) and so, you allow them to proceed through your organization’s doors.
  • By interrupt I mean: asking for identity verification, providing prompts and questions that will empower your organization to resolve the stranger’s identity, and verify, in fact, that they are a real person and not a fraudster, not a synthetic identity.

As a best practice, allow for variable entry and exit points. In other words: you do not need to replicate the same identity verification process for everyone.

2 | Stay Balanced (Friction vs. Seamless Customer Experience)

The trick here is this: figuring out how to stay balanced between friction (annoying the customer, asking too many questions, scaring them off) and seamless experience (no disruptions, it’s so easy to transact with your organization, etc.). The balancing act is yours and yours alone.

You need to figure out how and when to interrupt their customer journey and say, essentially: “Can I please see your ID? Thank you.” Typically, you don’t want to introduce friction at the beginning of the customer journey since this prevents visitors from becoming loyal customers.  You don’t want your customers to feel policed, intruded upon, de-railed (from the pathway to purchase); but you also don’t want to neglect to do your job (resolving identity, mitigating risk, preventing fraud) by being too polite.  The balancing act is yours.

3 | Low Friction Entry Point: “What’s Your Email?”

Before providing access to services or content, some organizations are asking for a consumer’s email address. This simple disruption (which causes minimal friction) seems like a great way to establish a relationship with a potential customer.  However, how can you verify who is really behind the email address?

Recently, we launched a new solution:  that can go a long way in helping you to understand patterns of activity associated with the email address. For example, the solution provides insights on your customer’s email activity ranging from “weeks last seen” to “total sightings” and “late night sightings” to “browsing patterns (financial, retail, etc.)” and web and IP addresses. Email addresses can provide descriptive statistics and true/false values about your customer’s key characteristics related to their email address activity online.

How do you know if that email address truly belongs to “honest person” or “fraudster” who plans to purchase goods or services?  Well, you analyze the activities that surround the email address and determine if it is being used for legitimate transactions or false transactions.  You can do this in real-time and determine if the person should proceed in the journey or if they should be interrupted with another barrier to verify their identity.

4 | Additional Friction When Necessary: “You Shall Not Pass”

Now that a relationship has been established, how much trust exists in the relationship.  What do organizations need to trust the consumer?  This is largely based upon the activity.  Am I changing my account information?  Am I authorizing a transfer of funds or goods?  Depending upon the amount of risk associated with the action requested, organizations should consider when they must act like Gandalf from The Lord of the Rings and say: “You Shall Not Pass”.  This can be accomplished through knowledge based authentication, second factor authentication, context based authentication or bio-metric authentication.  Each of these options for establishing trust offer different implementations; but, the common goal is to help you verify identity and prevent fraud. 

Conclusion

Surfing the waves of fraudulent activity and protecting your organization is no easy task.  Staying balanced and providing the right mix of entry and exit points is important to your customer experience.  For low friction entry points like email addresses, I highly recommend that you analyze user activity to validate if the person is a friend or foe before allowing deeper entry and access your organization.

To learn more about our solutions for detecting and mitigating consumer fraud, click here.

Matt Botti

Matt Botti

Serving as Director of Product Management, Matt Botti is responsible for Acxiom’s Risk Solutions. Before re-joining Acxiom in February 2017, Matt served as the Director of Software Engineering at ABC Financial Services and he previously served in various roles at Acxiom spanning a 17 year period. Prior to joining Acxiom, Matt served as a Medical Economics Analyst at QualChoice of Arkansas, a health insurance provider in Arkansas. Matt earned a bachelor’s degree in political science and completed extensive education towards a master’s in public administration from The University of Arkansas at Little Rock. Matt lives in Bryant, AR with his wife and two children.