5 minutes with Jane Lee - The fraud supply chain, cyberattacks and more | 2021-03-31

How can consumers and retailers protect themselves in the coming months? Here, Jane Lee, Trust and Safety Architect at Sift, speaks to Security magazine about this critical issue.

Security: What is your title and background?

Lee: I’m currently a Trust and Safety Architect at Sift, a leading Digital Trust & Safety company that helps protect hundreds of companies like AirBnb, Twitter, and Doordash, from fraud and abuse, so that they can focus on providing frictionless customer experiences and growth. My passion for designing and operationalizing fraud prevention systems is what led me to my current role at Sift. I was introduced to the fraud prevention space during a stint as a private investigator. I then joined the disputes team at Square where I focused on chargeback operations. Following that role, I spent over five years on Facebook’s Site Integrity Operations team where I built scalable solutions to protect the Facebook community from nefarious activity.

Security: What are the unexpected ways fraudsters are leveraging the new shopping norm - such as social media, and buy online pickup in-store (BOPIS) fraud?

Lee: With the pandemic significantly impacting in-store shopping, fraudsters have changed their tactics to take advantage of the new shopping norm. In many ways, fraudsters’ activities act as a barometer of economic trends because they always follow the flow of money.

Knowing that traditional retail merchants have been forced to shift to e-commerce during the pandemic, bad actors are quickly adapting their methods as well. For example, buy online pickup in-store (BOPIS) has become an attractive option for consumers during the pandemic. However, the rush to establish curbside or in-store pickup with quick turnaround has unfortunately made retailers more vulnerable to fraudsters. A part of why BOPIS fraud is so successful is because merchants are no longer able to leverage the buffer time between an order being placed to when it is shipped, to validate a transaction. Additionally, many traditional indicators such as a mismatch between billing and shipping addresses no longer exist. To mitigate this challenge, retailers need to look to other forms of data to understand their customers’ usual behaviors and spot telltale deviations.

A key driver of BOPIS fraud – and one that has skyrocketed during the pandemic – is account takeovers (ATO). Our global network found that the rate of ATO jumped nearly 400 % in physical ecommerce businesses since the start of the pandemic. The increase in ATO is largely due to the data breaches in which consumer credentials are stolen, combined with the fact that over 65% of users recycle the same password across multiple platforms. Additionally, bad actors have exploited pandemic fears by deploying phishing campaigns related to COVID (e.g.: stimulus check scams, contact tracing scams, and more) to deceive consumers into providing personally identifiable information. To add insult to injury, the overwhelming volume of new accounts, credit cards and transactions, provides a larger shroud of cover for bad actors to hide under as they hack into user accounts, illicitly purchase products via stored payment details, which are then easily picked up curbside.

Security: How do cyberattacks, like phishing and account takeover attacks, and data breaches accelerate the fraud supply chain?

Lee: Fraud doesn’t happen in a vacuum. Cybercriminals use different attack vectors to steal from consumers and businesses, often through more complex ways than merely buying stolen credit cards to make large purchases. This system makes up the fraud supply chain and many times it starts with data breaches.

Data breaches are almost always a means to an end. Information like usernames or passwords can arm fraudsters with enough to execute more sophisticated attacks. An email address is all a bad actor needs to launch a phishing scheme to try and convince consumers to share further personal data such as credit card information, passwords, etc. While most people may think it's easy to recognize a phishing scheme, sophisticated fraudsters will use additional information garnered through previous data breaches to personalize content that demonstrates potential legitimacy.

Data breaches often serve as the primary “link” in the fraud supply chain which can fuel different types of attacks such as phishing scams and account takeovers ultimately leading to payment fraud. This fraud supply chain is interconnected and self-supporting and the only way to effectively combat the fraud supply chain is to accurately analyze thousands of patterns and signals to effectively protect against fraud without compromising growth. This is the essence of a Digital Trust & Safety strategy.

Security: How has COVID outdated retailers’ fraud identification processes?

Lee: Consumer behavior has changed significantly during the pandemic and the rules-based fraud prevention strategies that have been used for years must adapt as well. Traditionally, fraud prevention teams rely on creating manual rules to make educated guesses on how bad actors behave. However, it’s important to remember that bad actors are adversaries and they will figure out ways to skirt the threshold of outdated rules-based systems.

With caps on order volumes and values, rules-based strategies don’t account for the changes in consumer behaviors. As shelter-in-place orders continue to cause consumers to make higher-volume purchases, some fraud prevention systems are stopping these legitimate transactions completely or creating friction within the customer journey. To adapt to the shifts caused by the pandemic, merchants need to implement machine learning. By analyzing thousands of different signals in real-time, machine learning can help fraud teams change their parameters dynamically, so they’re not stopping real customers from making a purchase.

Security: How can machine learning help identify consumers new behavior to recognize new types of fraud?

Lee: 2020 was an exponential year for e-commerce sales. According to our global network, the average daily transaction volumes from April - November 2020 have been equal to 88% of a typical Black Friday. It’s basically been Black Friday every day for online merchants. The consistently higher volume has likewise made fraud prevention more of a marathon filled with different patterns than usual and less of a sprint.

Fraud prevention teams can no longer rely on their traditional methods to keep up with higher order volumes, pandemic-induced shopping behavior changes, and new strategies implemented by fraudsters. Machine learning is essential to not only identifying new trends but changing risk thresholds. In a typical year, anyone trying to buy multiple cases of vodka from a merchant would have been an obvious fraud signal. But now? That’s a regular Covid coping purchase. A machine learning system ingests these purchases and can quickly adapt to look at other signals in order to detect suspicious activity. Now is the time to leverage machine learning and automation to fight fraud.

The only way for businesses to effectively balance fraud prevention with the customer experience is with automated and adaptive defenses built with machine learning. Advanced velocity checks, for example, can detect changes in typical user behavior, whether through purchase volume, changes in device, or payment method. These checks account for natural changes in customer behavior, providing that seamless shopping experience all while preventing fraud.

With the increased transaction volumes, real-time alerts and automated responses will play a critical role in helping fraud prevention teams identify and block fraudulent orders while providing a frictionless shopping experience for consumers.

Security: What are other best practices retailers/consumers can implement to ensure a safe shopping season?

Lee: First, create standard operating procedures (SOPs), and invest in training and quality control. A simple tactic such as verifying identification before loading a BOPIS order into someone’s car can prevent an order from getting into the hands of the wrong person.

Consumers can protect themselves by practicing good password hygiene and staying vigilant knowing that hackers are actively trying to steal personal information. Not using the same password across different accounts and double-checking the validity of websites before entering credentials are online shopping best practices

Retailers and consumers alike should leverage multi-factor authentication (MFA) and/or security notifications. MFA requires a user to confirm their online activity via other trusted channels like email or text, adding another layer of security that is challenging for fraudsters to compromise. Similarly, security notifications offer a less invasive way to notify users of suspicious activity on their accounts.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.