We were privileged to host a roundtable with KPMG to discuss the fraud threatscape and how it specifically affects the the on-demand industry. We were joined by representatives from Addison Lee, Deliveroo, Eat First, Gett Taxi, Hailo, Just Eat, and OneFineStay, all contributing under the Chatham House rule. As it was the initial meeting, the discussion was wide-ranging as we looked to tease out areas of mutual interest, which ended up being a rich seam.
The scale, sophistication and psychology of fraud
All participants agreed that the scale of fraud was enormous and growing. This was independent of whether the company was managing fraud threat well or struggling, and whether they were dealing with thousands of transactions or tens. There is a standing army of fraudsters whose bots are checking the edges of security, keen to exploit any weaknesses. Although it is impossible to estimate precisely, there was a general consensus that the numbers of people attempting online fraud is growing year on year - logical if we consider the young age of the typical online fraudster.
Add to that there is a definite improvement in the sophistication of the techniques being used. Some of the participants had seen fingerprinted devices cloned in 10 minutes. The group also reported that credit card details are ‘cleaner’ meaning the stolen details correspond to where the fraud is taking place. Card testing is done efficiently today with successful card details being ruthlessly exploited in minutes. And perhaps the most damaging evolution within the fraudster community is heightened co-operation amongst fraudsters- with coordinated attacks becoming more common and more effective.
Thirdly the behaviour is becoming brazen. Fraudsters are happy to call in to support lines to query rejections. For larger scale frauds they will even invest in false IDs. Fraudsters have also been known to evade online security checks by placing an order via phone, if the option is available. And even companies that provide a service where the person has to be present to receive or use it - a natural deterrent one would think - will still be targeted as the perception is that there is little chance of being caught.
With a very notable exception most participants had rarely resorted to engaging with the legal authorities to tackle fraud. For the simple reason that the police are focused on larger scale fraud and therefore either uninterested or under-resourced to deal with low-level fraud. The book of evidence required to convict someone of lower level fraud is fairly onerous and hard to resource as it can be expensive in terms of time to attend court along with compiling the evidence required.
One participant however took a different view. They invest in active detective work: filming fraud in progress and catching people in the act. The goal is to earn a reputation amongst street-level fraudsters that they will prosecute in an effort to deter future fraud. This company budgets for these prosecutions as part of an overall revenue protection budget from which are drawn the resources to not just prevent fraud, but to pursue perpetrators when the prevention has failed. This approach is notable for its rarity in on-demand but may become a model for others.
Education of newer companies
Another shared observation was that in on-demand where new companies emerge regularly, each of them seems to have to independently experience fraud before taking action. One unexpected consequence of emerging companies having lax security as they bid for growth is that they keep low-level fraudsters in play, as there is a constant supply of new targets to attack.
The table was agreed therefore that it made sense to try to educate new B2C-focused businesses on the fraud threat and what steps they can and should take to avoid becoming targets. Perhaps the VCs and incubators could be a route to doing this as it is investor money that inadvertently sponsors fraud. There will need to be further discussion on what those education materials look like but that they are needed is without question.
Co-operation between companies
Perhaps the major theme to emerge was a desire from the whole group to see active, meaningful and ongoing co-operation between companies within the on-demand industry. While more established industries have been sharing information on fraud threats and fraudsters for some time, the on-demand industry is so new that these don’t exist yet. A consequence of this is that companies are trying to manage the problem independently when it would be much more efficient to tap into the experiences of others and share not only best practice but also data and specific information on active fraud threats.
What happens next?
This roundtable was a really encouraging first step. Now we just need to keep the conversation going so that we can look at ways to co-operate and educate one another along with emerging companies. A key takeaway was a keen desire to look at ways of sharing data to stop fraud while taking into account that there are potential privacy implications that need to be considered Moreover, we collectively want to move away from an atomised approach to solving this issue. We know that fraudsters co-operate so it is time that those who battle with them do too. For anyone interested in further participation or to find out more details they can contact me at gerry dot carr at ravelin com.