The many faces of omnichannel fraud
Credit to Author: Jovi Umawing | Date: Wed, 12 Sep 2018 15:00:00 +0000
The rise of new technologies, social networks, and other means of online communication has brought about compelling changes in industries across the board.
For example, in retail, organizations use digital tools such as websites, email, and apps to reach out to their current and potential clients, anticipate their needs, and fully tailor their business strategies around making the user shopping experience as positive, seamless, frictionless, and convenient as possible.
This is the heart of the omnichannel approach. And while the foreseen outcome may sound lovely to the ears of consumers and businesses, it’s actually easier said than done. A lot of planning, executing, aligning of goals and core values, and—most importantly to us—securing is involved.
As for the organizations who have adopted this approach, a majority of them believe that they don’t have adequate tools and measures in place to protect their businesses against fraud in the omnichannel environment.
What is omnichannel?
To understand how we can protect businesses in an omnichannel environment, we should go back to basics. It’s important to know what omnichannel is, how it works, and how it affects clients of organizations using this approach.
Omnichannel—also spelled omni-channel—is a compound word composed of the words “omnis” and “channel.” Omnis is the Latin word for “all,” while channel, in this case, pertains to a way of making something, such as information or a product, available. With these in mind, one could roughly define omnichannel as available in all channels, irrespective of the business or the industry it belongs to.
For example, although an omnichannel banking strategy looks different from an omnichannel retail strategy, both apply the same principles. Here’s a simple illustration:
In omnichannel banking, the customer can access their accounts anywhere, pay their bills anywhere, and get money anywhere.
In omnichannel retail, the customer can browse items anywhere, pay anywhere, and return them anywhere.
It’s safe to assume that a majority of businesses already have the “all channels” part covered, but the basic tenet that sets the omnichannel approach apart from the multi-channel approach is its focus: Omnichannel pays more attention to how the organization interacts with the client and less on the actual transaction. The interaction between customer and organization is seamless—meaning, the customer won’t meet bumps when switching from one device to another in the middle of a purchase—regardless of the channel the customer chooses.
Because communication among channels also happens at the backend, the organization is able to anticipate a customer’s future needs, wants, and likes, which they then use to (1) tailor their pitches and/or ads and (2) communicate messages to the customer consistently across channels.
A successful and effective omnichannel strategy fosters a deeper relationship between customer and organization, which in turn translates into invaluable, loyal, and happy customers.
When a new strategy introduces new security risks
Risks are unavoidable when an organization undergoes strategic change. It’s already challenging enough for organizations to let their channels start talking to each other as part of the drive to enhance customer experience. With customers now becoming more informed, connected, and knowledgeable about what they want and what they don’t want to encounter when interacting with a brand, they significantly influence and shape the way retailers respond to them.
And why not? Nowadays, it’s relatively easy for customers to be put off by a brand that doesn’t address their growing demand for a faster, more personalized, flexible, and seamless experience overall.
Addressing such demands inevitably leads to introducing new ways consumers can shop, an uptick in the availability of fulfillment options, and the increased availability of new payment options to users. Of course, where a hand-over of money, product, or data is involved, fraud is fast on its heels.
Types of fraud in omnichannel
Organizations looking into adopting an omnichannel approach should also look into ways they can protect user data, user accounts, and sensitive financial data (if they haven’t already), on top of protecting their physical and digital assets. Below, we have identified several fraud types that are found in an omnichannel retail environment. (Note that some of these can also be found in multi-channel retail environments.)
- Card-not-present (CNP) fraud. A well-known scam where a fraudster uses stolen card and owner details to make online or over-the-phone purchases. As the fraudster cannot show the card to the retailer for visual inspection, they get away with the fraudulent purchase.
- Cross-border or cross-channel fraud. Fraudsters steal credentials and sensitive personal information used by their target in one channel so they can commit fraud in another or an associated channel.
- Click-and-collect fraud. This is otherwise known as the “buy online, pick-up-in-store” fraud. This occurs when a fraudster, armed with stolen card details and details of the real owners (for backup), buys online then picks up the item from the store. The purchase is flagged as fraudulent.
- Card-testing fraud. Also known as “stolen card number testing,” this tactic occurs when fraudsters use a merchant’s website to test if stolen card credentials are still valid by making small, incremental purchases. According to Radial, an omnichannel solutions company, there was a 200 percent increase in card-testing fraud in 2017.
- Return fraud. This comes in many shapes and sizes. One type, which is friendly fraud, happens when a seemingly legitimate buyer purchases an item online, receives it, and then contacts their card issuer to claim that they never received the item they bought. Return fraud also happens when a buyer purchases electronics, takes out their expensive parts, and then returns the item to the store.
- Mobile payment fraud. In a world that is now described as “mobile-first,” it’s only logical to expect that fraud born from mobile device usage could outpace web fraud. And it has. Before, mobile browsers were typically the point-of-origin of such fraud; nowadays, fraud can be done via mobile apps.
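The card-testing pattern from the list above, as an added detection example (not from the original article): it flags any source that tries several distinct cards on small purchases inside a short window, counting attempts across channels rather than per channel. The record layout, the source identifier shared across channels, and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample purchase attempts (not real data):
# (timestamp, channel, source id, card token, amount)
SAMPLE = [
    ("2018-09-12T09:00:00", "web",   "dev-C", "tok-3001", 2.00),
    ("2018-09-12T09:30:00", "web",   "dev-C", "tok-3002", 3.00),
    ("2018-09-12T10:00:00", "web",   "dev-C", "tok-3003", 2.50),
    ("2018-09-12T10:00:05", "web",   "dev-A", "tok-1001", 1.00),
    ("2018-09-12T10:00:40", "web",   "dev-A", "tok-1002", 1.00),
    ("2018-09-12T10:01:10", "app",   "dev-A", "tok-1003", 2.00),
    ("2018-09-12T10:02:00", "app",   "dev-A", "tok-1004", 1.50),
    ("2018-09-12T10:03:30", "web",   "dev-A", "tok-1005", 1.00),
    ("2018-09-12T10:30:00", "web",   "dev-C", "tok-3004", 4.00),
    ("2018-09-12T11:00:00", "web",   "dev-B", "tok-2001", 3.50),
    ("2018-09-12T11:05:00", "store", "dev-B", "tok-2001", 84.99),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_AMOUNT = 5.00               # assumed ceiling for a "small" test purchase
MIN_CARDS = 4                   # assumed distinct-card threshold per source


def detect_card_testing(events, window=WINDOW, max_amount=MAX_AMOUNT,
                        min_cards=MIN_CARDS):
    """Return {source: [channels]} for sources that tried at least
    min_cards distinct cards on small purchases within the window."""
    recent = defaultdict(deque)   # source -> (time, card, channel) in window
    flagged = defaultdict(set)    # source -> channels seen while over threshold
    for ts, channel, source, card, amount in sorted(events):
        if amount > max_amount:
            continue              # large purchases are not test charges
        now = datetime.fromisoformat(ts)
        queue = recent[source]
        queue.append((now, card, channel))
        while now - queue[0][0] > window:
            queue.popleft()       # drop attempts that fell out of the window
        if len({c for _, c, _ in queue}) >= min_cards:
            flagged[source].update(ch for _, _, ch in queue)
    return {src: sorted(chs) for src, chs in flagged.items()}


if __name__ == "__main__":
    print(detect_card_testing(SAMPLE))
```

In the sample, `dev-A` stays under the threshold on either channel alone (three cards on web, two in the app) and is only caught when both channels feed the same detector.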
Addressing omnichannel fraud
Given how many types of fraud omnichannel organizations are vulnerable to, a unified approach to addressing all of them is a must. There are already third-party solution service providers that an organization can approach to assist them in this. However, there are also practical steps organizations can take, especially if the budget is particularly tight, to nip fraud in the bud.
Track fraud across your channels. This allows organizations to identify the flaws in each of their channels so they can tailor their security strategy. Consider putting together an exclusive department to oversee this task and manage the data. With a team or one person focused on assessing, identifying, and coming up with ways to mitigate the business’s risk against fraud, it would be easier to get executive backing, especially when it’s time to invest funds in more sophisticated protection tools as the business grows.
Come up with a fraud prevention strategy. And this can only be done after the data from tracking channels has been collected and analyzed. Remember that for a fraud prevention strategy (or any strategy for that matter) to be effective, it should be designed based on the current and future needs of the organization.
Implement multi-factor authentication (MFA). Authentication is the first line of defense against fraud, so having at least two forms implemented is better than not using any authentication protocol at all. But organizations must make sure that the auth methods they want to adopt are reliable and difficult to intercept. That said, SMS authentication should no longer be an option.
If consumers want a unified and consistent experience across all channels, they should expect the same when it comes to identity authentication. While a true omnichannel authentication is still in its infancy, many organizations already recognize its importance and potential. This is good news, and something organizations must keep an eye on.
Encrypt data. It’s one of the fundamental ways an organization can protect the exchange of data between their clients and their systems. Yet, there are still organizations that transfer, share, and store sensitive data in human-readable format. They probably think it’s still okay to do this in the age of breaches, even when point-to-point encryption methods are already available for businesses to use. But here’s the truth: This. Shouldn’t. Be. Happening. Anymore.
Dear Organization, please don’t be that company.
Read: Encryption: types of secure communication and storage
Secure your e-commerce website. Principles we learned in Security 101 apply here: Keep your software updated, use HTTPS hosting, use strong passwords (especially for those with admin accounts), back up data regularly, and use security software. Also, we hasten to add: don’t store sensitive data on your server. Instead, use a third-party payment solution to conduct secure payment transactions between the organization and your clients.
The store of the future and cybersecurity: final thoughts
Going omnichannel is a continuing trend that won’t be going away any time soon. In retail, today’s customer demands and expectations are high, and businesses are expected to meet or exceed them. Doing so gives organizations an edge over their competitors, not to mention that evolving to omnichannel is a sure way of future-proofing their businesses. However, organizations must keep this in mind: If the omnichannel approach increases user convenience, it may be convenient for fraudsters, too.
While overall growth is a business’s main objective, cybersecurity considerations should not be deprioritized. In an omnichannel environment, exposure to fraud, malware, and other digital crimes is heightened. As such, a lot more assets need to be protected.
The post The many faces of omnichannel fraud appeared first on Malwarebytes Labs.