By Colin Sims, Chief Operating Officer, Forter
Abuse is growing in volume and attention
Policy abuse is a recurring topic in my recent conversations. As ecommerce has grown rapidly, so have the types and amount of abuse.
Gartner identified policy abuse as a key differentiator of platform solutions in their just-published Market Guide on Online Fraud Detection; I’d argue that it’s a requirement. And in a recent 451 Research study, when asked where they had seen a notable increase in losses, participants pointed out policy abuse (34.7%), friendly fraud (34.7%) and loyalty program fraud (34.1%) among their top five responses¹.
The challenge is that in many of these conversations, abuse and fraud are treated as similar. Other vendors in our ecommerce optimisation market reinforce this perception, promising to address fraud and abuse at the same time. The truth is that fraud and abuse are fundamentally different—they must be tackled with different technologies and tactics or you risk significant – and often unintended – disruption to customer experience and revenue.
Abuse is fundamentally different from fraud
Stated simply, fraud is when someone other than the card or account holder is involved in an interaction. Fraud can only happen with the wilful manipulation of a digital identity, and that tells you something about how to defend against it. We also know, empirically, that while the attempted fraud on a given site (what we call “the fraud pressure”) is a function of many things, it is generally predictable and the most important factor is the nature of defences that are in place. If your defences are good and consistently turn away bad actors, then fraudsters will migrate to an easier target.
Abuse is another matter altogether. These are users that, for the most part, are not hiding their identity. Abuse stems largely from good customers who are taking advantage of permissive policies, or who have legitimate claims. And because they are not hiding their identity, they know that there is an upper limit on how much they can claim or the merchant will stop doing business with them.
In summary, abuse is perpetrated by your customers, and fraud is perpetrated by people who are not your customers.
Let’s go a little deeper, because this is an incredibly important point: If fraud is perpetrated by people who aren’t your customers, then you won’t recognise them. You need to block them over and over, before they can check out, and do it consistently, or the fraud pressure will persist. That makes fraud detection incredibly hard for merchants to do – they need a broader dataset across merchants to accurately identify fraudsters.
Merchants do have the dataset to recognise abuse; what they lack are good tools to link together and collapse accounts that are created by serial abusers. While fraud “pressure” is mostly predictable across ecommerce and is largely a function of your defences, abuse pressure is much more idiosyncratic and is almost exclusively a function of policies specific to the merchant and how those policies are enforced. For example, we see that when it comes to service chargebacks, legitimate customers – even those who are abusive – do not behave the same way on different sites. Therefore, it would be a mistake to universally block those customers at checkout.
Return policies matter. Customer service matters. The shipping policy and vendor matter. And whether or not there is a consequence to their actions matters. Did you try to close their account? Did you deny the INR claim after the third time, the tenth time, etc.? These are the questions a retailer should be involved in, because they go to the fundamental relationship that a retailer has with its customers. Most retailers should, and do, care about this a lot.
The right way vs. the wrong way to address abuse
Fraud and abuse are very different problems, perpetrated by an entirely different set of actors, requiring a completely different set of technologies and tactics. I have run operations for an eCommerce retailer, and I’m sympathetic to the temptation both to build things in-house and to consolidate vendors. But now that I am on the vendor side, my perspective is informed by conversations with many merchants across different verticals, and I’m concerned by some of the trends I’m seeing.
For example, we have seen some fraud detection vendors start to “cover” (where the merchant pays to shift the chargeback liability) on things like Item Not Received (INR) claims and other service chargebacks. I can see why this appears compelling to the merchant – INR claims are indeed on the rise, so it seems to magically make the problem disappear – but there is nothing the fraud vendor can do to manage the risk without interfering in the merchant-customer relationship. That relationship, in my humble opinion, is the merchant’s business.
For example, I would never presume to write the Return Policy for one of our customers, even if that was the root cause of 90% of their abuse. Nor would I decline a buyer who was not manipulating their identity on the presumption that they might file a service claim because people keep stealing their packages. Nor does it make sense to only address service chargebacks after they have already happened (in the dispute process). But when a vendor takes responsibility for abuse, they would have to do all of the above.
Two closing thoughts to frame fraud and abuse
Both fraud and abuse are, fundamentally, risk management functions, and any eCommerce company at scale benefits from building them. But it is important that in doing so, they invest the resources that produce both the best outcome for the customer and the best economics for the business. I leave you with two key statements that I hope will be helpful in framing fraud and abuse:
- The right way to think about fraud is to acknowledge that the main value of fraud vendors is to provide hyper-accurate fraud detection that scales. The vendor must be able to leverage a unique dataset that spans different verticals and geographies and helps you make decisions about buyers you don’t recognise, even as they manipulate their identity.
- The right way to think about abuse in any form (returns, INR, promo) is to find a vendor that makes you smarter. That vendor should not simply shift responsibility; they should help you identify and prevent root causes. You should gain access to better tools for measurement and insight into your dataset, and unique expertise to help you apply thoughtful policies that drive the right outcomes. Those policies should never interfere with the sacred relationship between you and your customer.