How can the UK’s businesses protect themselves from online fraud?
Step 1. Look for weaknesses in your systems
The first thing to do is to understand where there are problems in your system that may need to be fixed. Any weakness in your system can make you vulnerable to fraud.
Step 2. Reassess your appetite for risk
Merchants who configured their fraud rules and settings pre-pandemic should revisit them to see if they’re still right for their business.
As an example of services that help to protect you, think about your address verification services. These check whether a customer’s shipping address is the same as their billing address.
This helps you when you’re selling goods or services – for example, white goods – that you would expect to be bought by a customer and delivered to their home. So, if the addresses match, it’s a good sign of a trustworthy transaction.
However, if you encounter a new customer asking for a delivery to be made to a different shipping address, this is a transaction to watch. In this instance, you may want to look at your fulfilment options and choose to only offer a ‘signed for’ fulfilment option.
If you get a number of repeat orders from the same customer and the transactions go through without a problem, you could then choose to start releasing more fulfilment options to them. Your payment gateway will give you default settings that you can configure and test to see which ones let the good transactions through while stopping the fraudulent ones.
Step 3. Authenticate your users
With hybrid working becoming the new normal for many businesses, it’s vital to ensure that your virtual private networks are secure. VPN tokens are a useful security mechanism for authenticating a user or a device before allowing access to your system.
This is about staying alert. If you think something looks a bit dodgy, get a second opinion before granting access.
Step 4. Ensure someone at your business has responsibility for monitoring fraud
Our recent Opayo survey found that for 35% of the UK’s SMEs, no one had responsibility for monitoring fraud. That could be a very costly oversight. Having ownership of fraud monitoring – and clear key performance indicators for fraud reduction – helps to drive improvements in your processes and awareness. The benefits of having at least one person trained up to monitor for signs of fraudulent activity far outweigh the costs of the damage that fraud can cause.
But it’s also important not to rely on human monitoring alone. Many scams can only be picked up by automated tools. So, alongside appointing a fraud or security manager, invest in smart web security tools and technology that fit with your risk appetite and user experiences.
Real-time fraud screening tools usually come as standard via ecommerce payment providers to help you monitor your ecommerce payments activity. Common fraud prevention checks include address and postcode verification (AVS), card security code (CV2) and IP address checks, alongside two-factor authentication from 3D Secure. The benefit of this fraud screening information is that you can identify whether a transaction is legitimate or fraudulent before you approve dispatch of your goods, and you can set up rules on your account for added protection.
Opayo customers get access to the Opayo Solution or ACI Fraud Management as standard.
Step 5. Activate SCA and EMV 3DS
To decode those acronyms – SCA is Secure Customer Authentication and EMV 3DS is a messaging protocol for frictionless consumer authentication when a card-not-present transaction is being made. Along with point-to-point encryption, these improve online security and should be activated as soon as possible.
The importance of SCA should not be underestimated. Our Opayo survey found that only 10% of merchants viewed SCA compliance as a top priority for their business. But while SCA processes aren’t new, they are now being tightened. Increased security is being introduced around authenticating the identities of both the merchants and the customers.
There are three different types of authentication: face ID confirmation, push authorisation with a code, or confirmation of a purchase via a banking app. Going forward, two of those three will have to be used for every transaction. And these new, stricter regulations mean merchants now have to authenticate transactions. If you authenticate, you’re protected.
However, if your volume of transactions means you don’t want to authenticate, you can ask your acquirer for an exemption pass. Whether you get that depends on your acquirer’s policies and on your fraud rate. The lower your fraud rate, the more confidence your acquirer will have in granting an exemption.
Step 6. Stay alert to the balance between fraud and friction
As well as protecting themselves against criminals, merchants also have to consider whether their fraud-prevention tactics are stifling genuine transactions. As a business you suffer reputational damage if fraud happens and a customer is affected. But you also suffer reputational damage if your fraud-prevention techniques mean that your customers can’t complete genuine transactions.
This is a tricky balancing act. The key is to keep looking retrospectively at transactions. That way you gain a full understanding of what’s being written off and how much is fraudulent, and you can question how much could have been converted to successful sales – and how to adjust what you’re doing in the light of that.
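An added example (not from the original article and not any payment gateway's API) of the Step 2 fulfilment rule combined with the Step 6 retrospective review: it replays past orders under different values of a hypothetical `trusted_after` setting and compares fraud value that would have shipped without a signature against genuine orders that would have met extra friction. The `Order` fields, option names and sample history are constructed assumptions.

```python
from dataclasses import dataclass

ALL_OPTIONS = ("standard", "next_day", "signed_for")  # hypothetical option names

@dataclass(frozen=True)
class Order:
    avs_match: bool         # shipping address equals billing address
    prior_good_orders: int  # earlier orders by this customer with no dispute
    amount: float           # order value in GBP
    fraudulent: bool        # outcome learned later (e.g. a chargeback)

def fulfilment_options(order, trusted_after):
    """Step 2 rule: mismatched address from an unproven customer -> signed-for only."""
    if order.avs_match or order.prior_good_orders >= trusted_after:
        return ALL_OPTIONS
    return ("signed_for",)

def review(history, trusted_after):
    """Step 6: replay past orders under one setting and measure fraud vs friction."""
    fraud_unrestricted = 0.0  # fraud value that would have shipped unsigned
    genuine_restricted = 0    # genuine orders that would have met extra friction
    for o in history:
        restricted = fulfilment_options(o, trusted_after) == ("signed_for",)
        if o.fraudulent and not restricted:
            fraud_unrestricted += o.amount
        elif not o.fraudulent and restricted:
            genuine_restricted += 1
    return {"fraud_unrestricted_gbp": fraud_unrestricted,
            "genuine_restricted": genuine_restricted}

# Constructed sample history (not real data).
HISTORY = [
    Order(True, 0, 120.0, False),
    Order(False, 0, 450.0, True),
    Order(False, 1, 300.0, True),
    Order(False, 2, 80.0, False),
    Order(False, 4, 60.0, False),
    Order(True, 0, 999.0, True),   # addresses match, yet still fraud
    Order(False, 0, 40.0, False),
]

def compare(history, settings=(1, 3, 5)):
    """Run the review for each candidate setting so they can be compared."""
    return {n: review(history, n) for n in settings}

if __name__ == "__main__":
    for n, result in compare(HISTORY).items():
        print(f"trusted_after={n}: {result}")
```

On this sample, raising the setting from 3 to 5 adds friction without reducing fraud, and the address-matched fraudulent order passes at every setting, so it has to be caught by another check.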