The global pandemic has changed many facets of daily life, and this is certainly the case when it comes to retail activity.
According to leading retailers, the volume of transactions occurring online, which had been growing at around 1% per month, has jumped by around 20% since COVID disruptions began. With many people still unable (or unwilling) to visit physical stores, this growth is expected to continue.
Unfortunately, rising transaction volumes have been accompanied by rising incidents of fraud. Cybercriminals are taking advantage of rapidly changing conditions to attempt fraudulent purchases.
The methods they are using are also becoming more sophisticated. Where once stolen credit cards were the biggest challenge for retailers, now they must deal with a range of other types of fraud.
One type gathering steam is the use of automated bots that pretend to be legitimate customers making transactions. Bots allow a single cybercriminal to mount large numbers of simultaneous transactions in the hope that some will be fulfilled.
Current challenges
Faced with these trends, security teams within retailers are dealing with a range of challenges. These include:
Customer awareness:
One of the biggest challenges faced is achieving awareness that fraudulent events are actually taking place. If a cybercriminal has compromised an existing customer account, there may be no indication that transactions using that account are fraudulent.
To be effective, security teams need to be notified in real time that fraud is taking place. Steps can then be taken to halt the transaction and ensure that no losses are incurred. Customers also need to keep a close eye on their accounts.
Balancing security with usability:
Security teams also need to find a balance between the measures they put in place and the experience this creates for customers. There can often be a battle between security staff, who want to lock things down, and marketing teams, who want to make it as appealing as possible for customers to transact.
The introduction of multi-factor authentication (MFA) is a classic example. The security team knows that an additional step can significantly improve transactional security; however, marketers will worry that it will increase transactional friction and lead to customers heading elsewhere.
The emergence of Reputational takeovers (RTOs):
This fraud technique is becoming more common and involves the complete takeover of an existing genuine account by a cybercriminal who then attaches an additional method of payment, typically a stolen credit card. The criminal might also change details such as delivery addresses. Transactions are then undertaken using that card and the goods shipped to the new address where they are intercepted and stolen.
Overcoming this type of fraud is very challenging and can involve putting in place tools that monitor for unusual account activity. Encouraging customers to regularly review their transactions is also important.
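Monitoring for the takeover pattern described above can start with correlating profile changes against the orders that follow them. The sketch below is an added example, not code from the article or from any vendor; the event names, field names and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample account events (not real data); field names are hypothetical.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "account": "a1", "type": "order_placed",
     "order": "o-100", "card": "card-old", "address": "addr-home"},
    {"ts": "2021-03-05T02:10:00", "account": "a1", "type": "payment_method_added",
     "card": "card-new"},
    {"ts": "2021-03-05T02:12:00", "account": "a1", "type": "shipping_address_changed",
     "address": "addr-other"},
    {"ts": "2021-03-05T02:20:00", "account": "a1", "type": "order_placed",
     "order": "o-101", "card": "card-new", "address": "addr-other"},
    # Card added long before the order, address unchanged: normal behaviour.
    {"ts": "2021-03-02T10:00:00", "account": "a2", "type": "payment_method_added",
     "card": "card-x"},
    {"ts": "2021-03-20T10:00:00", "account": "a2", "type": "order_placed",
     "order": "o-200", "card": "card-x", "address": "addr-a2"},
    # Address changed but existing card used: e.g. a customer who moved house.
    {"ts": "2021-03-06T08:00:00", "account": "a3", "type": "shipping_address_changed",
     "address": "addr-new"},
    {"ts": "2021-03-06T08:30:00", "account": "a3", "type": "order_placed",
     "order": "o-300", "card": "card-a3-old", "address": "addr-new"},
]

def flag_takeover_orders(events, window=timedelta(hours=24)):
    """Return ids of orders paid with a card AND shipped to an address that
    were both attached to the account within `window` before the order."""
    card_added, addr_changed, flagged = {}, {}, []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "payment_method_added":
            card_added[(acct, ev["card"])] = ts
        elif ev["type"] == "shipping_address_changed":
            addr_changed[(acct, ev["address"])] = ts
        elif ev["type"] == "order_placed":
            c = card_added.get((acct, ev["card"]))
            a = addr_changed.get((acct, ev["address"]))
            if c and a and ts - c <= window and ts - a <= window:
                flagged.append(ev["order"])  # hold for review or step-up check
    return flagged

if __name__ == "__main__":
    print(flag_takeover_orders(EVENTS))
```

Requiring both changes keeps friction low for customers who only move house or only add a card; a flagged order is a candidate for review or step-up authentication rather than automatic rejection.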
Tackling retail fraud risk at the board level
The challenges posed by retail fraud are showing no signs of easing and, with pandemic restrictions likely to remain in place for some time, are likely to increase even further. In many cases, fraud is replacing product supply chain troubles as the number one issue being considered by senior management.
For this reason, it’s important that retailers treat fraud as a board-level issue. The impact it can have on operations, customers, and profits needs to be fully understood and strategies put in place to counter it.
The strategies that should be considered will vary from retailer to retailer. Those involved in selling highly commoditised products, such as groceries and low-priced consumer electronics, will need to keep transaction friction as low as possible to lower the likelihood that customers will go elsewhere.
If a retailer is instead selling higher priced items, such as expensive jewellery or artwork, customers will be more likely to put up with additional security restrictions as the value of transactions will be significantly higher.
The task of explaining risks and potential responses will usually fall to the security team. They will need to be able to clearly outline the challenge being faced and the course of action that has been deemed to be appropriate.
The board will then have to recognise the potential for additional security measures to have a negative impact on customers but balance that against the risks and costs associated with not introducing those measures.
Achieving effective IT security in a retail environment comes down to balance. Selecting and deploying the most appropriate measures now will ensure growth can continue in the future.
Ashley Diffey is head of Asia Pacific and Japan at Ping Identity.