Managing payments fraud

Charmaine: The digitization of commerce has undoubtedly been a boon for businesses. The ability to let customer search, order, and pay for products and services digitally has created new opportunities for brands to better understand the consumers who shopped with them. But as the volume of ecommerce increases, so do instances of fraud. According to the Adyen's Retail Report, 36% of brands in Asia Pacific have experienced an increase in fraud attempts over the past 12 months. As more and more of us embrace ecommerce, this is a trend that will continue. How can merchants keep up to date with changing fraud trends? What processes and solutions need to be in place to keep customers safe? We'll address those questions and more in today's episode.

Aurélie: So the challenge for every organization is, where do you put the threshold between the numbers of check and controls you want to have to control your fraud risk, versus the happiness of your client to have a very easy and smooth client journey.

Charmaine: Welcome to Behind the Figures, the show that goes beyond the stats to explore the trends shaping Asia Pacific's retail, restaurant, and hospitality sectors, and share expert advice on how to leverage the latest technology and innovation to make the most of it. I'm your host, Charmaine Yee. In this episode, we're delving into one of the most pressing issues facing APAC businesses, fraud. Not only does fraud hurt the bottom line, with 44% of businesses saying that fraudulent transactions and chargebacks are a significant cost, it can break customer trust, damage brand reputation, and halt growth. However, as you'll find out in this episode, brands need to be able to combat fraud, while also making it as seamless as possible for customers to shop with them. Not an easy task, even for the largest companies, as Aurélie Saada, APAC Risk Lead at Microsoft, explains.

Aurélie: As an organization within Microsoft, we are providing a very wide range of services and products to our clients. And it can go from the gaming and Xbox, but also hardware like laptops, up to services like M365, Azure cloud, and we have some rewards program. So you can imagine that the different type of fraud that we are experiencing, and related to these different products can be quite wide, which is in a way making our life more challenging, but it's also quite stimulating, because we never know what's going to really raise. One of the major fraud that we will experience, is really what we call the payment fraud. So it's everything which would be related to stolen credit card. Another major fraud that we have is what we call the contact cover, which is the biggest trend that we see nowadays, where basically somebody managed to have access to your ID and to your password. And they will go on your account, and they will just buy things on your behalf and using the credit card that you will have saved under your profile. So we can go also to the wide range of spamming and phishing DDoS attack. We do also see fraud related to crypto mining on some of our products. And we also experience, you know, that just simple range of attacks like HSN, or like network broadcast, illicit content and things like this. What was interesting to notice is we really saw a switch in terms of the nature of this fraud. Within each of the categories, you have also different ways you know, the fraud is operated. And pre- and post-COVID were really a deep switch, you know, in the way this was proceeded and one of the main reason was just purely the increase of digitalization for our clients and the society in general. So we know that the mobile banking, for example, increased by double digit in Southeast Asia and we saw an increase for example, on some trends, in terms of some of the products related to charity products. You know, for Microsoft, for example, in cloud, we're proposing for free or for discounted cloud subscription for a nonprofit association and different types, you know, of charities. For us to really realized this very quickly and then manage to provide the quickly, files documents or false proof of identity and confirmation of they were a nonprofit association, so that they can have access to these free resources and just performing their fraud there. So that's, that was interesting because, that's how we are trying to do good, you know, in our products. But, of course, we can't prevent how the services will be used.

Charmaine: It's clear that the types of fraud companies face today are almost as broad as the number of products and services offered by Microsoft. And as Aurélie has pointed out, the strategies adopted by fraudsters are changing all the time. But the dilemma for businesses is how to keep the fraudsters out, while making it easy for customers to shop. While 49% of APAC consumers believe that retailers need to do more to protect them from payment fraud, they do not want to be inconvenienced. 30% of consumers in the region say that the payment authentication processes need to be fast and require no action from them, while 31% of them will abandon their cart if there are too many steps in the checkout. It's a problem that Aurélie is very familiar with.

Aurélie: One of our main focus is having a very smooth client experience journey. When we have clients who are going to log in, create their account, and buying online until the point, you know, where they want to leave us, on how they're going to close their account. So the challenge for every organization is where do you put the threshold between the numbers of check and controls you want to have, to control your fraud risk, versus the happiness of your client to have a very easy and smooth client journey when there is no checkpoint and you can click click you buy, send, and poof, it's done. We really spend a lot of time to assess, you know, where do we want to put our controls. And the good news is nowadays, fraud is unfortunately so widely present, that we do not see offending to receive, you know, OTP request, or you have to submit your biometric, plus your password, plus your code, and your personal things, you know, so different times. People are getting used to it. But we still want to find the right balance between setting up you know, these checks and having an easy buying journey, I will say. But beyond even the login, the creation, and the transaction step, it's also how do we have a very strong client engagement platform when we make mistakes. So either the AI or the fraud investigators can make a wrong assessment. And they can reject a real client, which is the worst thing that we see happening, because we know the numbers, you know. Once you lose a client, you have to put three times more efforts to win them back. So that's really not our goal. But we really try to do as much as possible what we call proactive reach out. So it will be sending preferred form of communication, of course, but if it's not working, trying to use all the channels. We also implemented recently, a chatbox. So if we have any issue, you know, or if you would like to reach out, clients can use a chat to reach out to us, if they think there are some contact or fraudulent transaction on their account. Or if there is something suspicious. They feel there is a quicker responsiveness, you know from our side. And that has been a great tool that we have experienced.

Charmaine: Tackling fraud effectively while minimizing the impact on the customer requires adopting a range of processes that both prevent fraud and make it easy for customers to contact you when the problem arises. Moreover, it is important that your fraud controls and processes are tailored to each market that you operate in. As Aurélie explains, fraud trends in Brazil will be different from those in Vietnam.

Aurélie: We realized through the years of experience we had on the fraud business, that every country worldwide will have a different approach. Like we know, for example, in Brazil, what the highest fraud trends we observe over there. And then in Europe, there are some specific countries also which are regularly coming up on our radar. And we have also in Asia, for example, Vietnam and Indonesia, our major countries when we observe fraud trends. And for us, in order to adapt to this multiculturality, I will say, of fraud, the aspect we have used is also the multiculturalily of our team. So we are having a team of fraud investigators which are across time zones, across different continents. And they are really local people who are aware about the payment habits, the fraud habits, they are aware about the community and their friends, so what's happening, you know, on the ground, in terms of fraud trends. So it's really kind of helping to give this insights but also, when I was speaking earlier about client engagement, we proceed to do the client call in their hometown language. So it's also giving you know the small facilities to reach out to people and being sure that we have no information lost in translation, and we can reach out directly to the sources of the checks that we are performing.

Charmaine: Having on the ground fraud expertise and connections has been essential to how Microsoft manages fraud in Asia Pacific.

Aurélie: What we do, especially as we are really having a deep connection with the local government agencies or police entities, because we also want to be sure when we detect like fraud patterns, you know, like a big fraudster, we want to be sure that we stop the leak at the source. So we also have some units specialized in investigation and working a deep dive police investigation and policy enforcement entity to be sure that we don't let people go for free and just, it's not like a matter for us to stop. And then people go somewhere else, and then go somewhere else. Which was interesting, also, as in APAC, we do have some countries which are really preferred in terms of fraud. And we understand this, because we also have knowledge of the local usage of the different tools people have. We know in Indonesia, people have in average, weekly funds, and everything is going to be on mobile transaction and mobile banking. In Vietnam, also we realize that people have very strong knowledge and usage of cloud. And this is where we saw most stuff, were fraudulent patterns related to our cloud businesses and very elaborate fraud trends, I will say. So based on this, we also managed to develop internally some detectors and some checkpoints, more specialized to the country. Like for example, if there is a credit card coming from a bank, you know, coming from one of the country, or if there is even some type of the banks where we know there is a highest fraud rate, you know, because the credit card stolen, or there are less control that the bank itself. And all this is helping us to have this framework of knowledge in APAC, especially because this is where we have a very diverse in background team implemented across the different countries.

Charmaine: For companies of the size and scale of Microsoft, it's possible and probably essential to dedicate a lot of in-house resources to detecting and preventing fraud. But what about brands who don't have the resources or specific expertise to build their own systems? How can merchants protect their customers and their bottom line? For Cat Parker, Global Director of Commercial at T2 Tea, the answer is to work with partners who offer the best protection and support.

Cat: Whether it's an ERP system, our POS systems, middleware that we have sitting in between, but also ecomm platforms, and customer experiences, sort of that web architecture space, we tend to partner with best in class technologies for that reason, but you've still got points where you have to integrate with everything. And so for us, it's really important that the APIs and EDIs and all types of integrations that we do through middleware and whatnot, when that is done, that we go through the appropriate solutioning, to make sure that it's robust to the best of our ability. That as well as that we're really trying to make sure that we, on the other side of things, it's an ongoing maintenance process. And if we detect areas of vulnerability, it's about addressing that immediately as a priority. So there isn't a bigger priority when it comes to business than fixing, you know, any types of weaknesses or vulnerabilities in the system. But I think for the most part, we do our best to try to build the systems, right. And then make sure that we just continue to manage them, because they're always going to iterate and evolve. But it does give us and myself, particularly, I have a lot of confidence, going to sleep at night knowing that we've got good partners in place that we can lean on for these types of things. And I think when we've had incidences where there's been phishing scams and some of the fraud that would come through the website, for example, that we get alerted to that quite quickly, and we can action it very quickly. And I think that's probably why some of those chargebacks are a lot lower for us versus a lot of other retailers. But it's not to say, you just never know. I hope at some point in time, things like this aren't an issue, but I think that they're only going to get more difficult to manage against. So I think for all retail it's really important to choose wisely when you choose your partners in that regard.

Charmaine: Choosing a partner wisely is easier said than done. When choosing a partner such as a payments service provider, we recommend looking for a like-minded industry leader who gets it. This includes having the ability to keep up with the growth in your transaction volume using the best technology and importantly providing support and guidance that goes beyond the tech. Here's Adyen's Martyna Lazar, Head of Risk and Compliance for APAC, to explain how Adyen helps clients adapt to the changing fraud landscape.

Martyna: The pandemic brought a lot of new shoppers into place. Shoppers that were not necessarily familiar with ecommerce and the same goes for the businesses. Some of the businesses that operated in an offline space had to move online and weren't prepared for the immense growth in online transactions. As business models were changing and adjusting to consumers behaviors across different geographies, the fraudsters were changing as well. And the fraudsters were also getting more creative. We saw fraudsters taking advantage of the knowledge gap associated with, you know, consumers moving the first time into online space and just starting to build that trust, and businesses moving into ecommerce and seeing that immense growth. The shift in the landscape really helped us to help the merchants as well on identification and response to those attacks. We've seen the payments stakeholders in the ecosystem, watching the different regulations in APAC region much closer, the different rule changes on the card network side much closer. Also, when you look at that payments landscape, we've seen different payment methods being prevalent in APAC, you know, or just coming out in APAC like buy now, pay later, cryptocurrencies, and so on. With all the changes in the landscape, we also had to shift to really focus on how we can support the new business models changes and the new fraud trends in the market. As the world started, you know, opening up in the beginning of this year, what we have seen, in terms of some of the trends was some of the increased card testing activity. It is not necessarily tied to the removal of pandemic related restrictions. But really, some of the card testing activity is tied to the data breaches that have been happening in the region itself. Let me just explain what card testing is. Fraudsters would usually use the card testing to determine the validity of the card numbers. So first, they would purchase the card details or the packages of many, many cards on the dark web, or they would just steal the card details via saved account takeover attacks or via phishing or spyware software. And then with those numbers in hand, they will attempt small purchases on completely unsuspecting merchants of low value transactions, just to see if the card was approved. And then you know, those small transactions were approved. And by small transactions, I'm thinking ride hailing transactions of couple of dollars, food delivery transactions of couple of dollars. The fraudster see that, hey, those cards are actually working, they move on to the businesses with much higher ATV, so much higher average transaction value, right, your luxury retailers, for example. We've also seen a lot of bot-driven activity, so fraudsters using bots to attempt many transactions in minutes or in seconds using, you know, stolen cards, combinations of 16 digits card numbers, but also both activity on the account takeovers as well. What was really interesting during the pandemic was that focus on the smaller or midmarket businesses that just entered into the space, oh, we've definitely seen that they've been targeted by fraudsters because, you know, as we are having those conversations on fraud here, probably fraudsters have exactly same conversations, right? And they exchange information and they do have the intelligence to target those merchants.

Charmaine: There's no one size fits all approach to detecting and preventing fraud. What solutions a brand adopts will depend on the type and size of the business, the markets it operates in, and whether it's solely digital, or has physical stores as well. Given how complicated the problem is, it can be confusing to know where to get the best information on payment fraud and fraud prevention. That's where the merchant at risk Council can help. The organization was set up shortly after the internet boom when companies were facing online fraud problems they had never experienced before. Here's MRC CEO, Julie Ferguson, to share some of the major concerns of the organization's members.

Julie: So the biggest challenge is fraud is constantly changing, it's constantly evolving. You have to have a good set of tools, an arsenal to be able to defeat fraud. APAC is a little bit behind in the amount of tools that are available to detect online ecommerce fraud. And using AI and machine learning, a start of the standard fraud screening is a best practice in the US. And we're starting to see that implemented and some of the larger APAC merchants do that today. What's really different about APAC that makes it hard is that there's lots of localized payment methods. So it's not just the majority of the transactions being Visa and MasterCard or bank card transactions, but there's just a lot more complexity because of the way the consumers like to pay. And it's different in the countries on which localized payment method they like to use. Additionally, because account takeover is such a large problem and we are encouraging and recommending people use two factor authentication or account profiles or if banks or localized payment methods are suspecting fraud doing that stuff.

Charmaine: As payment fraud increases, it's not surprising that governments across Asia Pacific are responding with new regulations to protect consumers. Not only does the MRC help keep merchants up to date, but it also works with regulators to ensure that new rules continue to support the growth in ecommerce, explains Julie.

Julie: There is so much more regulatory scrutiny in our industry. In the last five years, a lot of it has to do with the fact that the volume increased over the last couple of years because of the pandemic. But there has been a big increase not just on the bank side, but on the merchant side for how transactions happen. Recently, in fact, in India, RBI created a rule that basically said you couldn't store a credit card on file for a consumer and they said, everybody just use tokenization. What the regulator didn't realize is tokenization end to end isn't really ready for primetime 100% across the board. So what this had meant, this new rule that was supposed to go into effect was if you had a subscription, like if you had your Netflix movies subscription, you would have to log in every single month, type in your credit card number, so that you could continue your subscription. So while this would have provided good protection for the consumers, it would have provided great inconvenience for the consumers as well. So we actually partnered with lots of our merchant members and had discussions with the regulators. The dates have been adjusted and the tokenization is improving. Through collaboration, we're going to be able to manage the regulations that are coming down. But our industry is definitely becoming more regulated. The other area in our industry that's under a lot of regulatory scrutiny is buy now pay later. The Australian regulator had announced some changes. And in fact, just recently, some best practices had been announced by a working group that limits consumer exposure to no more than $2,000 and they need to check credit worthiness beforehand. And the buy now, pay later vendors or solution providers will actively go in and get audited just to say, "Hey, this is the best practices to try and relieve some of that regulatory pressure that's coming down the pipe." So I really do believe our industry is going from being a highly unregulated industry, this is on the merchant side to being something that becomes very heavily regulated in the next couple of years. It's really important for merchants to try to stay up to date on those regulations. Because if you don't, you risk large fines if you're not compliant. And even in some cases, we've seen regulators shut down or take away that merchants ability to accept payments. So staying up to date is difficult if you sell across multiple countries or even across regions, you have to stay up to date on all of those regulations. So just because you are based in APAC, you still need to be compliant with the European regulations if you sell in Europe. And so one of the things that MRC does is we actually have an advocacy and regulatory working group that meets on a regular basis to talk about the changes going on in the world and what we should be doing, and we make sure that we educate our members. We're a nonprofit organization, and the goal is really to share that information.

Charmaine: As we've heard throughout this episode, instances of fraud have escalated in the past few years. And keeping up to date requires constant vigilance. To help you combat the fraudsters, Adyen's Martyna shares some of the fraud trends that have emerged in the recent years.

Martyna: With the businesses moving to online space, it almost feels like fraudsters exchange this intelligence on different business models, risk management systems, and so on. And they do think of different ways to start the malicious activity on and basically gain financial benefit from those merchants. There are a couple of prevailing fraud trends right that we've seen over the past few months. A lot of stakeholders in the payments ecosystem talk about is really first party misuse. It's usually very, very difficult to stop, because it's not your usual hostile fraud of, you know, just a stolen card being used in your business. It's a fraud, where you as a merchant, you actually need to differentiate whether it's really your genuine customer committing this first party misuse, or it's a fraudster that's behind it. When you think about the first party misuse, it's getting increasingly easier for the consumers to actually file chargebacks with the bank. And there definitely was shift over the pandemic, when the banks made it a bit easier to get your refunds. Once the pandemic started, and the consumers they wanted to know whether there is a possibility for them to cancel the transaction, to get their refund, whether they can withdraw or change their mind. But then the trend actually went even further right, to the point that it is addressed now by the card networks, where a new compelling evidence will come into force next year, that will basically change the way the merchants can dispute the first party misuse chargebacks. So, you know, I think the most important thing to distinguish in terms of first party misuse is really to see whether the shopper had an intention at the time to buy a product at the time of transaction, or is this just a buyer's remorse because the shopper just realized, "Hey, I cannot really afford that. So I will just go back to my store and tell them that I want a refund." When people think about friendly fraud, first party misuse was called a couple of years ago, people probably think more about first party chargebacks. But there's also so much more, there is a refund fraud, saying that the item was damaged, but it really wasn't or taking advantage of window of the time for fulfillment, for the delivery of the product. There is also promo code abuse. So there are Telegram groups that give you tips how you can actually set up different accounts and get those promo codes of $20, $25. All those first party misuse examples, they're so different. But they're not happening in vacuum. Many times they're also an indicator to another fraud that is going on, for example, account takeover.

Charmaine: It's one thing to keep track of the digital payment fraud you are experiencing, but with criminals constantly finding new ways to strike, is there a way to predict new types of fraud? Unfortunately, there is no crystal ball, says Microsoft's Aurélie. Instead, data is your best weapon in trying to combat the crooks.

Aurélie: I wish it will exist and it will make our life so much easier. The reality is like instead of being one step ahead of the fraudster, we are usually two step behind. And the goal for us is really, one, we can find tools. And we can have different metrics, or we can have different technology which will help us to detect even the fraud, you know, before it happened, that will be super ideal. The fact is we're fighting against, you know, people who organize in communities, who don't have any regulation, who can do cross border sharing of information and client data and advanced technology that we do not have as we are compliant with local regulation and this cross border information. And of course, the fact that we also business competitors. So it's not really at the mindset of just, for me, you know, to call Google or Amazon and to say, hey, let's speak about our different fraud patterns, you know, because they will be on the same business as us. So we are trying as much as possible to predict this new fraud patterns from our internal and external information. So we are always aware of the external economical signs because this is going to trigger also some trends related to fraud, like for example, the fraud on crypto mining, depending on the market value of the Bitcoin, then we can see more and more fraud, you know, in this area. We are also developing internal detectors and internal factors so that we can be very reactive, as quick as possible, almost as a point zero of when the fraud is happening. So that there is no impact on our organization and on our clients. And all this together, really help us to not yet be successful to be one step ahead. But at least to reduce really what we call the time to detect. And this is really, for us, a key metric because that will avoid to have negative client impact, fraud losses, you know, which are going to impact the organization and overall satisfaction from our client on our products. And this is our goal.

Charmaine: Predicting the future of fraud may not be possible, at least not yet. But don't fear, we've got the next best thing. Our speakers share their top tips for preventing fraud. Firstly, you'll hear from MRC's Julie Ferguson, followed by Martyna Lazar from Adyen.

Julie: Businesses should put strong fraud controls in place. But I'm a firm believer that you need to be able to measure your authorization rates and your acceptance rates, as you put those fraud controls in place. You'd have to have those KPIs, so you can keep an eye on what's changing. So some of those key KPIs that you need to watch, as you put fraud controls in place, is your chargeback rate. So is it going up or down? Your authorization rate. So the number of transactions that are getting approved – what does that look like? And how many transactions are declining? As you put in stronger fraud rules, you may actually start to decline some good customers, so finding that right balance is key to avoiding those false positives.

Martyna: Some of the general tips that I would share for the fraud prevention is really identifying your loyal shopper behaviors, knowing how shopper interact with your website across different markets, across different vertical, across different country as well. What kind of payment methods are being used by the shoppers? Determining their paying behaviors, as well. aDetermining your fraud trends that you have seen previously on your account. Have you experienced account takeovers? Have you seen first party misuse? What kind of fraud chargebacks have you previously seen? Was it card testing or something else? So that reminding the fraud that you've seen on the account, that reminding the industry benchmarks, right. What is happening in the similar industries that you operate in, in different verticals? Because what we are seeing is really fraud, moving from country to country, staying the same across the vertical, but moving from country to country. So to what extent can you ingest this data across different geographies, and then being able to use this data in your machine learning capabilities, being able to feed it back to your machine learning system and help it iterate to make better decisions on transactions. And apart from this also, I think that what is truly important is looking at the combination of different tools that you can use to really target certain fraud patterns. So I've mentioned before first party misuse, account takeovers, both attacks, and so on. There are different strategies out there that you can use, of course, machine learning risk management, manual review on high risk transactions, authentication, network token, there is a lot of possibilities out there. And I think the combination of them and really knowing what your customer base looks like is the key for success.

Charmaine: Fraud is here to stay and it’s only going to get more sophisticated. While businesses will not be able to completely eliminate instances of fraud, by using data, staying informed, and working with reliable partners, they can improve the security of their checkout and ensure that the customer experience does not suffer. I hope you’ve enjoyed this episode of Behind the Figures. For more insights on topics like how the customer experience is changing and how payments can enable growth in Asia Pacific and beyond, check out our other episodes and be sure to subscribe.