The state of digital goods fraud in 2021
Here’s an interesting fact to start your day: consumers spent $861 billion online with U.S. merchants in 2020, representing an incredible increase of 44% year-over-year.
By now, it’s clear that the maddening pandemic has been as much of a boon for online businesses as it was a curse for brick-and-mortar ones.
However, with the demand for global digital goods exploding, it’s not just the legitimate businesses that look to make a profit.
The favorable market boom came with a corresponding increase in online fraud, especially in payments for various digital goods, spiking at the very beginning of the pandemic and remaining at unreasonably high levels.
For all U.S. merchants, both store-based and online, the cost of fraud is up 7.3% in 2020 from 2019. However, mid-to-large retailers selling digital goods are hit the hardest by fraud attempts with monthly fraudulent transactions up by 37.1%.
As unfortunate as it is, fraud is a common element of online activities.
What shouldn’t be common are the ways online criminals are taking advantage of this expanding digital market. They are literally cashing in on the opportunities presented to them.
As a team with more than 35 years of combined experience in fighting digital goods fraud, we understand the situation all too well. It pains us to say that it’s no surprise to see fraudsters finding their way into the ecosystem and thriving.
The good news is that businesses can learn about these fraudulent actions and prevent their consequences by examining the behavior of everyone involved in this “racket”, most notably the businesses themselves.
So, let’s dive into why this is happening and how you can dramatically lower your business fraud risk.
TLDR: being aware of the various ways your business can be hurt is the first step to solving the fraud problem.
Why digital goods like eGifts and eGaming are under constant attack
Fraudsters have a narrow but precise focus when it comes to their targets:
- Ease of purchase acceptance
- Time to ROI
- Resale value
In other words, they target retailers dealing in digital goods because they can be easily penetrated, there are no shipment issues, and they can quickly get their hands on money.
These are all the reasons why particular industries like eGifts and eGaming are experiencing the brunt of fraudulent efforts. According to Forter:
- Digital currency gift cards are the target of fraud attacks 5x the normal rate.
- Downloads (apps and music) are targeted by fraud attacks 3x the normal rate.
- Console games (Playstation, followed by Xbox and Nintendo) experience fraud attacks 2x the normal rate.
What’s happening in the eGifts market
Demand for digital gifting reached an all-time high in 2020, with 71% of consumers saying they are more interested in digital gift cards than other gifts.
However, digital gift cards present a highly appealing proposition to fraudsters for the same reason consumers love them: they are issued instantly and are anonymous.
The high level of flexibility and convenience appeals to the dark side too. On top of that, they have a high resale value. Together, they form a potent combination for automated fraud at scale, which is exactly what’s happening today.
Let’s take a closer look.
Being anonymous means digital gift cards are virtually (interesting choice of words, we know) untraceable. It’s extremely difficult to prove that the goods were delivered to the intended person.
Furthermore, it’s fairly easy to shop directly or receive resale value for a gift card, whether in the form of money, other goods, or even cryptocurrency. As a result, your business is bound to lose and eat the charge.
All of this is evident during peak sales seasons such as holidays and special events like Black Friday where the sheer volume of transactions acts as a cover for fraudulent ones.
Digital gift cards are one of the most common purchases, and some merchants make the fraudster’s job easier by loosening their fraud controls a bit. This is a well-intentioned but ultimately misplaced effort on their part to provide a smoother and faster customer experience.
How eGaming is faring with fraud
When it comes to eGaming, the principle is largely the same.
GlobalWebIndex's data shows we have passed the 1 billion mark of people streaming games each month. One in five gamers has experienced fraud when paying for games online, while one in three reports being less likely to spend money on online games due to concerns around fraud.
The influx of new gamers driven by the pandemic meant gaming platforms needed to implement quick onboarding to keep up with increased volume in registrations, which understandably led to “relaxed” screening and payment checks.
The corresponding surge of in-game payments for items, in-game currency, features, additional levels, and so on has created various opportunities for wrongdoing. There are numerous accounts at play here, most of which have payment details on file and some of which aren’t real to begin with (they are run by bots).
When you factor in the relative anonymity these accounts offer and lenient KYC (Know Your Customer) checks, you get a fertile ground for payment fraud to prosper.
For large gaming platforms, the risk of online payment fraud is also high because they have to deal with payments that require real-time approval, as gamers want instant gratification, just like any consumer wants.
So, thieves have been taking advantage of the resulting situation by stealing payment data and engaging in financial crime.
What both verticals have in common
It’s important to understand that:
- digital gift cards don’t fall under industry standards for tracking and use the way credit and debit cards do, for instance;
- there is a lack of regulatory oversight in eGaming.
If you’re potentially targeted by online payment fraud in these two verticals, you are largely left to fend off these attacks yourself.
This means fraudsters have almost unprecedented freedom to come up with different but effective schemes.
Speaking of schemes:
How fraud has evolved: from unsophisticated to cunning means
Naturally, payment fraud remains the undisputed champion of fraud risk, with the most frequent cases involving hackers obtaining access to databases that store credit card information.
What makes this especially effective is the fact that the majority of these credit cards are still valid in the eyes of payment networks (not yet labeled as fraudulent) as the cardholders themselves aren’t aware their sensitive information has switched hands, so to speak.
Sadly, digital fraud takes on many forms, including:
To improve their chances, fraudsters deploy bots, software programs that automate specific tasks like entering payment and checkout details, in something called account takeover (ATO).
Basically, this is a form of identity theft. Upon getting access to the account, the scammer will alter certain account details, like the delivery address and email, to redirect the goods ordered on that app or website to them instead of the rightful buyer.
Bots scale the fraud operation while also mimicking a genuine human buyer’s behavior as closely as possible. As you can imagine, this makes it very difficult to protect against.
What’s more, if the bot attacks are successful, fraudsters may extend their attempts to an organized attack, which will likely continue until the product’s inventory is depleted.
It’s also worth noting that some bot attacks are specifically designed to exploit specific sites and brands. So, if a fraudster sees an opening in your platform, you are likely painting a big target on yourself.
Related to ATO is account aging. Lately, this fraud practice has become popular because it allows fraudsters to build up a breached account’s reputation.
They sit on stolen information and let the account “age” like wine, thus making it more difficult for fraud detection teams and automated rules-based systems to distinguish bogus accounts from real ones.
Friendly fraud/chargeback fraud
There are several other fraud types you should be wary of, starting with friendly fraud, also known as chargeback fraud.
It begins with a person making a legitimate purchase.
However, once they receive the product, they open a false dispute with their credit card issuer to reverse the payment on the grounds of problems with the product or not having made the purchase at all (credit card fraud).
The fraudsters may be trying to have their cake and eat it too - receive both the product and keep their money (also called stealing), or they may simply experience a case of buyer’s remorse - regret the purchase and no longer want the product.
Examples of friendly fraud include the buyer asserting that:
- They didn’t make the purchase although they did
- The order was canceled but still shipped
- The item delivered does not fit the description or expectations
- They didn’t receive the item at all
- The item was returned but the seller didn’t issue a refund
The dark side of friendly fraud is that it’s very hard to predict and prove human intentions in these cases, especially since not all of them are intentional and malicious (e.g. the kid trying to get his hands on the latest Halo game or the buyer forgetting they made the purchase).
Loyalty fraud is also known as promotion fraud or promotion abuse. Not so fun fact: more than two-thirds of loyalty/promotion programs have been the victim of fraud.
What’s intriguing here is that it isn’t just typical fraudsters that are the culprits.
There are three main types of loyalty/promotion fraud offenders:
- Loyalty members
The first group targets unsecured or poorly secured loyalty accounts, which is often the case with such accounts. This allows them to carry off users’ credits and promotions through account takeover schemes.
Loyalty fraud also comes from where you least expect it: your employees, partners, or legitimate customers. They hardly appear like your run-of-the-mill scammers but here we are.
This type of fraud may occur during checkout, when a customer doesn’t associate their purchase with their loyalty account, allowing the employee to credit their own or their friends’ accounts.
Retailers that don’t have capable tools to track the attribution of loyalty points are most at risk of insider fraud.
Awarding your loyal customers with points, special discounts, and other membership privileges is a popular and successful method to build your relationship with them.
However, you should be aware that some loyalty members may try to abuse this and gain undeserved loyalty advantages by “gaming the system” in various ways:
- Creating multiple accounts to obtain access to additional promotions
- Selling or transferring points to non-members
- Making a purchase with the accrued intent to return it for cash
- Double-dipping - simultaneously using points online and in the physical store.
As far as the more cunning fraud developments in the eGaming field go, enter card-testing fraud.
A thief gets their hands on a single stolen credit card number, or a list of them, and begins making test purchases. These tend to go unnoticed because of the aforementioned nature of numerous in-game payments that happen in small amounts.
Starting with $0.99 and incrementally rising, these charges grow into more costly ones as soon as the fraudster realizes they are possible. Every purchase made, regardless of how big or small, can become a chargeback filed by the credit card’s real owner.
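One way to surface the card-testing pattern described above in payment logs, shown as an added example that is not code from this article or from nSure.ai. The transaction fields, thresholds, and sample records are constructed assumptions; it flags cards whose charges start small and rise within a short window, and accounts that try several cards with small charges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in-game payments: (timestamp, account, card_token, amount_usd)
SAMPLE_TXNS = [
    ("2021-03-01T10:00:00", "acct-17", "card-A", 0.99),
    ("2021-03-01T10:02:00", "acct-17", "card-A", 1.99),
    ("2021-03-01T10:03:30", "acct-17", "card-A", 4.99),
    ("2021-03-01T10:05:00", "acct-17", "card-A", 49.99),
    ("2021-03-01T11:00:00", "acct-42", "card-B", 0.99),
    ("2021-03-01T11:00:40", "acct-42", "card-C", 0.99),
    ("2021-03-01T11:01:10", "acct-42", "card-D", 0.99),
    ("2021-03-01T09:00:00", "acct-08", "card-E", 4.99),   # ordinary player:
    ("2021-03-03T20:00:00", "acct-08", "card-E", 0.99),   # purchases spread
    ("2021-03-05T18:30:00", "acct-08", "card-E", 9.99),   # over several days
]

WINDOW = timedelta(minutes=30)  # assumed look-back window
SMALL = 5.00                    # assumed ceiling for a "test" charge, in USD
MIN_STEPS = 3                   # assumed number of rising charges needed to flag
MAX_CARDS = 3                   # assumed distinct cards per account needed to flag

def _parse(txns):
    # Convert timestamps and order the records chronologically.
    return sorted((datetime.fromisoformat(ts), a, c, amt) for ts, a, c, amt in txns)

def escalating_cards(txns):
    """Cards with >= MIN_STEPS strictly rising charges inside WINDOW that start small."""
    by_card = defaultdict(list)
    for ts, _acct, card, amt in _parse(txns):
        by_card[card].append((ts, amt))
    flagged = set()
    for card, rows in by_card.items():
        run = [rows[0]]  # current run of rising charges
        for prev, cur in zip(rows, rows[1:]):
            rising = cur[1] > prev[1] and cur[0] - run[0][0] <= WINDOW
            run = run + [cur] if rising else [cur]
            if len(run) >= MIN_STEPS and run[0][1] <= SMALL:
                flagged.add(card)
    return flagged

def multi_card_accounts(txns):
    """Accounts that try >= MAX_CARDS distinct cards with small charges inside WINDOW."""
    by_acct = defaultdict(list)
    for ts, acct, card, amt in _parse(txns):
        if amt <= SMALL:
            by_acct[acct].append((ts, card))
    flagged = set()
    for acct, rows in by_acct.items():
        for i, (start, _card) in enumerate(rows):
            cards = {c for t, c in rows[i:] if t - start <= WINDOW}
            if len(cards) >= MAX_CARDS:
                flagged.add(acct)
    return flagged

if __name__ == "__main__":
    print("escalating cards:", escalating_cards(SAMPLE_TXNS))
    print("multi-card accounts:", multi_card_accounts(SAMPLE_TXNS))
```

Flagged cards and accounts are candidates for step-up checks or review before larger charges are approved; the thresholds need tuning against a merchant's own traffic to keep false declines low.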
Finally, there is true fraud, in which a credit card is stolen.
In the gaming environment, funds from the card are used to beef up a game account so it can be sold on a trading site. And these sell well because the asking price is considerably lower than what was spent on building the profile as it’s all profit for the criminals.
When the real cardholder discovers these charges, they file a chargeback dispute, and we’re pretty sure you know by now on whom the harm falls if the card owner is successful.
The (un)expected ways businesses are hurting
The end result of all this fraud goes beyond the usual hit in the ROI area or as we like to call it - the cost of inadequate fraud protection.
Here are five factors leading to soaring fraud-related costs:
- Human workforce (manual review)
- Lost revenue
- Risk scoring tools
- Chargeback costs
- Third-party enrichment
We already mentioned fraud detection teams whose job is to manually review transactions and approve or reject them.
Not only do these teams cost money in salaries, but their slow and often excessive analysis also costs the business by driving away potential customers with a poor customer experience (as opposed to instant gratification).
As a result, the lost revenue is not reflected through a case-by-case individual purchase but through diminished brand loyalty and reputation.
It’s reasonable to assume that at least some of the potential customers who were mistakenly declined would have become long-term loyal customers. On top of that, the receivers of digital gift cards would have likely bought more credit, which is another lost opportunity.
In an attempt to protect against fraudulent purchases, some businesses implement pre-purchase friction. These pre-purchase friction points often lead to another form of lost revenue: false declines/positives, as they not only drive away the fraudsters but also honest customers.
Risk scoring tools, one of the standard ways to separate legitimate transactions (those that should be accepted) from fraudulent ones (those that should be declined to avoid the chargeback), charge per transaction analyzed.
For enterprise-level companies, this can be ridiculously costly due to the sheer volume of transactions, especially if there is a need to implement other third-party enrichment vendors to reach an accurate decision.
When it comes to chargeback costs, fees vary from $20 – $100. Every dollar lost to chargeback fraud costs an estimated $2.40 due to operational and customer acquisition costs. So a $100 chargeback fee actually costs $240.
An important side note: we can’t stress enough that online businesses are solely responsible for their individual fraud rates or chargeback rates - the percentage of transactions that become labeled as fraudulent within the payment processing cycle.
As a rule of thumb, any retailer that has a (consistent) fraud rate greater than 0.9% of their transactions will be labeled as a high-fraud retailer.
This means a higher chargeback ratio that also determines the risk factor and ability to process payments. Eventually, a business can be blacklisted from accepting payments online completely and ultimately, shut down for good.
Payment card fraud losses reached $28.65 billion worldwide in 2019 (the jury is still out on 2020 data), and these losses don’t include merchants’ operational costs related to inadequate fraud fighting.
To illustrate the point: approximately 15% of card-not-present (CNP) transactions involve costly manual reviews of pending sales, even though 90% of those transactions are approved. About 40% of fraud mitigation costs involve a manual review of CNP transactions.
According to the True Cost of Fraud study, the total cost of fraud is an average of $3.78 for every dollar of fraud lost in the pre-COVID period for companies dealing with financial services in the U.S. (up from $3.35 since 2019).
When all of the costs mentioned here are combined together, our estimates show that businesses are liable to lose anywhere between 250% and 350% in associated costs.
Ultimately, this puts our estimates at around the $108 billion mark for global fraud when it comes to total fraud costs.
When you factor in the long-term damage to brand loyalty and customer attrition, the true cost of digital goods fraud becomes even higher.
Tackling the challenges with AI
With high customer expectations and a rising focus on digital channels, businesses are hesitant to apply stronger policies that have the potential to limit customer interactions with their brand and potentially turn away good customers.
On the other hand, customers expect brands to trust them and provide a smooth, frictionless purchase process.
So what can businesses expect and do moving forward?
First and foremost, they need to automate the existing fraud prevention process with AI because of an increasingly complex environment.
You see, fighting fraud in digital goods with conventional fraud prevention tools is almost the same as fighting the current pandemic with social distancing. It will help but up to a point where only a vaccine will do the rest of the job.
The biggest challenge digital goods businesses are facing when fighting fraud is implementing a fraud protection system that will be able to:
- make accurate suggestions or decisions for as high a percentage of transactions as possible;
- maintain a high true acceptance rate and low chargeback (fraud) rates while limiting manual review costs;
- do it all in real-time.
Data science and AI/machine learning fully address these concerns due to their ability to analyze the context, user behavior, and account details in real time, and then compare them to those of past buyers that have already completed the same purchasing process.
This translates into correct decision-making. In real time. Without turning off your customers.
The ultimate goal of fraud prevention solutions is not just to identify fraud attempts and lessen their blow but to eliminate them altogether.
The only feasible way to achieve this is the ability to analyze these transactions in real time via high-functioning AI/ML models.
Simply put, you need to bring your AI game.
Digital goods fraud is a real but solvable problem
Here at nSure.ai, we’ve been getting a lot of inquiries due to our capacity to help reduce fraud in situations where there is a limited course of action, so we wanted to share our thoughts and musings.
Online transaction volumes are increasing so businesses need to be ready to meet demands at scale to capture all potential revenue.
And it’s no secret that fraudsters are here to stay.
This requires a clear understanding of the payment fraud landscape, as well as the responsibilities and roles each player has in the larger online transactions process.
We mention this deliberately as research has shown that digital fraud victims often overestimate the ability of governance mechanisms to prevent fraud and tend to have misplaced trust in them, which leads to dire consequences.
Simply put, businesses must understand this new consumer and fraudster behavior, along with the broader context to approve genuine transactions without impacting the customer experience and bottom line.
The fact is that payment fraud is getting more sophisticated and effective, even more so when it comes to digital goods.
However, with AI and machine learning at the forefront, fraud prevention is at a point where businesses and customers together might finally have an upper hand over fraudsters - and not a moment too soon.