Lewis Farran, enterprise account director at event sponsor Forter, told delegates that the biggest cost to businesses associated with fraud is NUMO - New User Missed Opportunity
Travo Cyber Summit: The missed opportunity of a risk averse rules-based approach
By far the biggest cost associated with fraud is lost revenue from genuine customers who are either declined or are put off transactions and abandon their carts, the Travolution Cyber Summit heard.
Lewis Farran, enterprise account director at event sponsor Forter, said travel firms must consider the flip side of cyber protection and try to turn this into a revenue-generating activity.
He said most firms deploy a simple rules-based approach, but this leads to friction in the experience that prevents transactions, while a more behavioural approach prevents this from happening.
“Globally about $8 billion is spent on fraud operations, that’s analysts checking accounts, transactions, log-ins and sign-ups and everything else that goes with it.
“In total globally $22 billion is lost to fraudulent payments, that’s people using someone else’s credit card details or payment details to buy things and subsequently there’s a charge back from the bank and you are liable for that.
“However, that’s still only the third largest cost of this kind of activity. Policy loss, where people are committing an abuse post sale, maybe buying something online and claiming they didn’t receive it or it was damaged is a significantly bigger burden than core fraud loss.
“For travel it might be a customer booked a holiday then COVID hit so they go to their bank and say it was a fraudulent charge. The bank sides with the customer and you’re liable for the chargeback.
“You can dispute this, but it feeds into the original burden of having teams gathering evidence for the banks which is very hard to do.
“But, actually the biggest cost of fraud by far is revenue being lost from genuine customers. These are people who, because of the friction or checks or reviews you have in place as a business, get falsely declined when they are actually good customers.
“Not only that but they won’t be your customer for very long if they are declined. And, of course, with more and more people buying online during the pandemic the problem has grown exponentially.”
Farran claimed for every $1 lost to fraud the average merchant loses about $30 of customer lifetime value when falsely declined payments putting people off ever returning are accounted for.
“We refer to this as NUMO - New User Missed Opportunity,” said Farran. “If you are a first-time buyer you are five to seven times more likely to be rejected and have your payment declined.
“Most of you will be looking to drive more traffic to your websites to get customers to buy directly rather than through third parties.
“You spend marketing budget, invest in making the website and bringing traffic to it. That works, the customer goes on for the first time and tries to buy something and they’re five to seven times more likely to be rejected.
“Forty per cent of people who are falsely declined on their first time of buying will never go back to that page again. They will probably want to go on that holiday, so they will still buy just not with you and they will never go back.”
Farran set out two key causes of these false declines and cart abandonment due to the transaction process: using a rules-based approach and taking too much of a risk averse approach and putting too many transactions through a 3DS bank authentication system.
“Unfortunately, criminals are very smart, they’re not necessarily following the rules and when you squeeze them in one place they pop up somewhere else, so rules do not work.
“Forter is able to look at what’s going on below the surface, at behavioural data points which are not quite so easy, or we would say impossible, for a fraudster to replicate.”
This behavioural data includes heat maps showing how long people spend on each page. Criminals will typically go straight for a high value product, especially in travel.
It also ascertains whether the device they are using has been modified, what operating system they are using and even if they are left or right-handed.
“These are hard to find but once we’ve seen someone use our system we then recognise them forever,” said Farran.
Many firms put transactions through 3DS authentication because it passes the liability on to the bank if it is fraud and in many countries it is mandated by governments or the card issuers.
However, Farran said this is a significant cause of friction in the payment process and can cause widespread transaction failure. The UK has high abandonment rates compared to the Nordics but in Italy only 66% of transactions are completed when put through 3DS.
Farran said people have “authentication fatigue”. “Consumers hate it,” he added, “there are some upsides which is why people tend to throw all of their transactions through 3DS.
“There is the extra security, of course, but mostly it’s a shift in liability. If you approve a transaction where the consumer went through this process you are no longer liable if it turns out to be fraud, the bank is.
“This sounds fantastic. What’s the loss? You get the revenue if it turns out to be fraudulent, who cares, you don’t pay the chargeback.
“However, the consumer hates it. Cart abandonment is the biggest outcome, especially if I’m a first-time buyer and it also leads to a number of false declines.
“Which is why it’s an opportunity for you. Yes, you need to avoid that risk but it’s quite easy to figure out very quickly if someone is who they say they are and can be trusted.
“You want to remove the friction wherever possible for your customers; you definitely want to decline a known fraudster, but there’s this subjective area in the middle.
“You need to set policies that will allow you to retain those good customers. Replace your rules-based policy towards risk and use machine learning. Allow clients to complete more transactions while minimising the risk.
“And we have found the fewer transactions you send through this 3DS authentication process the fewer transactions will be declined by your issuing bank.”