Fraud prevention: what retailers are doing to beat online scammers

Online fraud is on the rise. According to trade association UK Finance, scams against online retailers totalled £265.1 million in 2018, up 29% on the previous year. However, retailers are increasingly arming themselves in the fight against cybercrime. Last year the sector spent 17% more on cybersecurity, found a recent survey by the British Retail Consortium.

Lessons learnt

For William Scott Forshaw, founder of luxury bag company Maxwell-Scott, falling victim to scammers nearly eight years ago led the company to completely rethink its approach to fraud prevention.

“We got caught out,” he says. “Someone managed to insert a script to our shopping basket. So when customers were typing in their credit card details, it was recording that information and sending it to an Excel sheet on a server in Thailand.”

The company located and removed the script after the bank flagged a problem. But by that time it had been running for a month. Subsequently it had to pay £25,000 in fines to Mastercard and Visa, as well as being forced to pay £5,000 to a security firm to do a sweep of its systems. “It was pretty serious at the time – and because we were so small it was [a significant amount].” 

Off the back of that experience, it rebuilt everything. “Since then our servers have been immaculate and we’ve put lots of protocols in place,” he says.

The business operates an iframe payment gateway: customer card details are entered and processed on a separate page hosted by the bank, unlike the large retailers, which tend to store card details on their own secure systems. “So from an online perspective, even if the site got hacked, they couldn’t get any details from it.”

All points of vulnerability are isolated in this way. “When we take phone orders, we only have one computer to process card details, which uses super secure software and is completely unlinked from our network, with a separate IP address,” he says.

“We take security very seriously... Just sticking to the minimum is pretty basic, there are still ways around it.”

The right support

Ollie Marshall, IT director at Maplin, agrees that it is crucial that retailers do more than just comply with the minimum standards as “liability for fraud sits with the merchant.”


After the electronics brand relaunched as an online-only retailer earlier this year, the company used the opportunity to bake fraud prevention into its transactional processes. “From day one we had fraud attempts,” says Marshall.

“Being online-only, it was obvious to me fraud was going to play a massive part [in redesigning our systems].” The company decided to partner with fraud detection business Signifyd, which aggregates data in real time to determine whether a transaction is fraudulent.

He says fraudsters try to evade detection by first making low value purchases. “On a standard rule-based approach they will sometimes get through and find a hole,” he says. “We run all transactions through the Signifyd system, as we don’t want to think about fraud.”

Layers of security

Bathroom specialist, also used a third party to help provide “a higher level of security,” says James Booth, who works on dev-ops at the company. The site is served over SSL encryption, with all payment details handled by Barclays using 3D Secure. In addition it uses Cloudflare for automated threat detection and its web application firewall to block potential threats.

His advice to companies is not to do it all themselves. “Leverage tools and systems… to provide the extra levels of security and analytics that would be otherwise impossible without a dedicated global team, then focus on the internal factors that you can make the most impact with.

“Security begins at the lowest level, from multi-factor authentication for a developer working on the product, all the way to the TLS [Transport Layer Security] certificates the end-user sees. By the time the user sees the website, there will be multiple levels of systematic and procedural security they will have traversed, and they should be none the wiser.”


But while the ultimate responsibility rests with retailers, Scott Forshaw believes the banks could also do more to educate companies. “When we first started out they were useless – they are better now but I still think they are missing the mark by a long way,” he says.

“For a small company trying to sell online, to have this information to hand, top level understanding of the issues [is very hard]. It’s also the responsibility of the banks to teach retailers how to operate in this environment.”