Everybody loves m-commerce. Customers can shop whenever it's convenient for them. Merchants earn more sales because customers have their store in their pocket or bag. And fraudsters see a bonanza because mobile fraud prevention practices haven't yet caught up to the many ways criminals can exploit the channel. That's part of the reason that 72% of fraudulent transactions happened via mobile during the first three months of 2019.
Fraud in the mobile channel is a serious risk to merchants and consumers. Stopping it requires a multipronged approach that's slightly different from traditional e-commerce fraud prevention.
Here's what you need to know to protect your mobile channel from three common types of fraud.
Stopping mobile brand impersonation
Brand impersonation is a growing problem on all kinds of platforms, including email, SMS, social media and mobile apps. Malicious brand impersonation accounts on social media have increased elevenfold since 2014, as fraudsters seek to dupe consumers into sharing payment data and credentials. Digital security firm RSA said that social brand impersonation accounted for 9% of all Q1 2019 online fraud.
There are two ways brand impersonators directly exploit the mobile channel to target victims and steal data. The first is by using technologies that are unique to mobile: SMS and apps.
In a typical SMS brand impersonation attack, fraudsters send a message asking recipients to click on a link to verify account information, claim a prize or change their password. The link may look legitimate, but it leads victims to a site that harvests their data for resale on the dark web or for use by the scammers who sent the text messages.
In an app impersonation scam, malicious actors publish apps that appear to be from trusted retailers or service providers. Customers who don't realize the apps are fake may install them, putting themselves at risk for credential theft, card fraud and malware injections on their mobile devices. RSA found that so-called rogue mobile apps made up half of all fraud attacks in Q1 2019, a 300% increase from the previous quarter.
Fraudsters take advantage of mobile users indirectly, too. Phishing email campaigns are sometimes timed to coincide with commuter hours, which makes it more likely that victims will read the message on their phone. This matters to criminals because most mobile email clients don't display the sender's email address, only their name – which the fraudsters can set up to be anyone or any brand. Without the address visible to verify the sender's identity, mobile recipients are up to three times more likely to fall for the scam than they would be if they were at their desktop.
Preventing brand impersonation requires ongoing vigilance. To push back against social media scammers impersonating your brand, you need to
- Monitor social channels for trademark infringement.
- Report fake accounts with each platform's reporting tools.
- Establish active, validated accounts for your brand on major social platforms.
Routinely check the major app platforms for apps that might be posing as your brand and report them to the platform when you find them.
To keep fraudsters from impersonating your brand via email and SMS, let your customers know how to check that messages are from your company, and let them know that you'll never ask for payment or login data by email or text. Consider hiring a digital security service to monitor the web for domains impersonating your brand. Hosting services usually shut down these domains if there's evidence they're violating trademarks or engaging in scam behavior.
Fighting card-not-present fraud in the mobile channel
Card-not-present (CNP) fraud has been steadily rising for years, as point-of-sale card fraud has become more difficult due to EMV adoption. According to the Verizon 2019 Data Breach Investigations Report, CNP fraud now accounts for nearly 75% of all card-related fraud.
Aite Group projects that CNP fraud will increase by 16.4% by 2021, costing merchants $6.4 billion. Meanwhile, when merchants deploy fully automated solutions to prevent CNP fraud, their false decline rates may also go up. Aite found that 62% of the merchants they surveyed have had higher rates of false declines since 2017 – a problem that causes merchants to lose sales and customers.
Although CNP fraud is a problem in both mobile and online channels, each channel requires different fraud-prevention strategies. For example, the behavioral biometrics that can be evaluated on a mobile device are different from those on a desktop. How many apps are installed on the phone? What's the current geolocation data? How is the current user holding their phone? How do these markers compare to the customer's past biometric data? Adding mobile-specific layers of authentication to your store's fraud prevention program can better protect you from CNP fraud.
Tracking CNP fraud metrics by channel is important, too. Ideally, every merchant would track completed and prevented fraud in each channel, but many don't. Tracking by channel shows you which channel is more heavily attacked, which is better at stopping fraud and pinpointing where you need to focus your fraud prevention resources.
Preventing and identifying account takeover fraud in m-commerce
Mobile account takeover is another fraud-related problem that's becoming more common. Mobile phone account takeovers increased by 56% from 2017 to 2018, according to Javelin Research. That's because SIM swap fraud has become a relatively cheap and easy way to remotely hijack victims' phones. And with control of a phone, criminals have access to the authentication channels they need to take over most, if not all, of the victim's online accounts.
This type of account takeover made news recently when Twitter founder Jack Dorsey's account was hacked via a SIM swap that targeted his phone. Criminals don't need physical access to the phone to run this scheme. They only need the phone number and the ability to persuade or bribe the cell carrier's customer service personnel to virtually change the SIM number associated with the account to one the criminals control. Then, two-factor authentication codes sent via SMS or voice call go straight to the hackers, which means they can reset their passwords for email, banking, and social media accounts, as well as retail apps and customer accounts.
SIM swaps aren't the only way fraudsters gain control of consumers' accounts. Millions of credentials have been stolen in data breaches and offered for sale on the dark web. Even without the passwords for those accounts, account takeover (ATO) scammers can use botnets to brute force crack passwords if they have the login ID. And because so few people use a unique password for every account, when one password is cracked, it's usually easy to access that victim's other accounts.
How can your store reduce its risk of ATO fraud while keeping good customers happy?
- Require customers to choose strong passwords for their store accounts, and encourage them to choose passwords they don't use for other accounts.
- Encourage customers to opt in to receive alerts whenever their password is changed, or when they make purchases over a set spending limit.
- Offer two-factor authentication for your customer accounts. It's not foolproof, as SIM swap ATOs show, but it offers some protection. Keep in mind that two-factor authentication adds some friction to checkout, which can cause conversion rates to drop. If you go this route, monitor your conversion metrics carefully and be ready to make adjustments to find the right balance.
- Build a fraud-prevention program comprising multiple layers of identity and device verification plus other screening parameters that are tailored to each sales channel's fraud risk profile.
- Manually review all flagged orders instead of automatically rejecting them. This can reduce false declines and help identify accounts that have been taken over. Entering the results of these manual reviews can also improve the accuracy of your fraud-detection algorithm.
Despite the fraud risks, mobile holds tremendous potential for online merchants. It's already the leading e-commerce channel in many countries, and it accounted for nearly one-third of U.S. online retail sales at the end of 2018.
The challenge for merchants is to build mobile sales channels that are as secure from fraud as possible and easy for good customers to use.
To achieve those goals, online retailers need to focus now on guarding against mobile brand impersonation, CNP fraud and account takeover fraud.