In the past year, the subscription economy has grown by a whopping amount. The digital news and media subscription industry has seen 300% growth, while nearly one in five (17%) UK consumers say they have also signed up to physical product subscriptions, for example meal boxes, alcohol and beauty products. Encouragingly for those in the subscription industry, things don’t appear to be slowing down any time soon, with the latest research finding that as many as 75% of consumer brands will have a subscription-based offering by 2023. But as with any industry growing at an impressive rate, subscription businesses have become high-profile targets for fraud.
Fraudsters know the weak spots — they know that your revenue depends on regular recurring card payments, that customer acquisition and retention is important to your business, and that you’ll offer in-demand products at a discount from time to time. From here, they’ll use this information to take advantage of you. Here’s how.
Account takeover
Account takeover (ATO) is a particularly insidious threat for any subscription business. ATO happens when a fraudster manages to successfully compromise a customer’s online account by stealing their login credentials and making fraudulent purchases. Worryingly, we are seeing a sharp rise in ATO across all retail categories and not just subscription businesses, with retailers experiencing an average of three significant attacks per month.
By using a customer’s genuine credentials, fraudsters can fool subscription businesses into thinking any activity is being performed by the actual customer. For example, some subscription accounts require you to log in and select different products every month to receive your delivery. In months when the customer forgets to make a selection, credit accumulates, and over time an account can hold a substantial balance. A fraudster will target these valuable accounts to order or resell products, or even sell the account details on the dark web.
Account takeover is a serious problem because of how easy it is for fraudsters to commit, how prevalent it is, and how difficult it can be for you to detect quickly. Because so many consumers use the same password across multiple accounts, it only takes one account to suffer a data breach for the logins of other accounts to be at risk as well. The world has also experienced a rise in sophisticated phishing attacks — and it only takes a handful of consumers to fall for the scam to make it a profitable endeavour. And because of their prevalence, compromised login credentials are now ten a penny on illegal dark web marketplaces.
Delivery fraud
Some subscription businesses limit their customer base to certain areas or regions to make delivery easy. But many customers are now taking advantage of third-party delivery companies like Shipito or Boxit4me to access subscriptions that don’t cover where they live. The trouble is, fraudsters do that too, making it difficult for businesses to spot what’s a legitimate purchase and what is a fraudulent one.
For example, if a fraud team sees an order from a customer in America requesting delivery to a freight warehouse in Manchester, it would look immediately suspicious. But as so many customers use third-party shipping companies themselves now, fraud teams have a job on their hands identifying genuine versus fraudulent purchases.
Promotion abuse and reselling schemes
Although not usually fraud, promotion abuse is another major profit squeezer facing subscription businesses. Promotion abuse involves customers finding ways to take advantage of a business’s offers and discount codes that weren’t originally intended for them. While a few customers getting better discounts than they should doesn’t sound too bad, the long-term effects can leave businesses with eye-watering hidden costs.
In recent years, however, promotion abuse has evolved to more organised schemes, which directly affect subscription businesses. Now, fraudsters will often take advantage of product promos to amass merchandise to sell on at a profit — and whether you feel reselling schemes are fraud or simply abuse, it’s costing subscription businesses more than they know.
Mitigating subscription fraud
When it comes to detecting and mitigating fraud, the subscription world is very different to the rest of the retail world. Most retailers across the industry will look at order content as a strong fraud indicator, but for many subscription businesses looking at the order content might be unhelpful because order content often remains the same from month to month.
Subscription businesses should therefore manage the unique threats they are experiencing by monitoring fraud indicators that are relevant to their business. A spike in logins is a classic indicator of a credential stuffing attack, and can be mitigated with rate limits on login.
Sudden changes in account behaviour are another key indicator: a gambling account that suddenly bets big, or a streaming account that suddenly changes its login details and adds premium services. These can be managed by machine learning algorithms primed for anomalous changes. They need to be treated carefully though, as smart fraudsters will try to stay close to normal behaviours.
You may also want to investigate using graph networks to uncover the use of stolen credit cards or devices, or even to highlight mass reselling schemes. Graph networks work by giving you a visualisation of all the connections between various types of information — like emails, phone numbers, device IDs or payment methods. These graphs show all the links between new accounts and existing ones, creating vast networks of relationships, which makes it easy to spot when a new account is linked to past fraud activity.
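As an added illustration of the graph approach described above (example code, not Ravelin's own; every account and identifier is constructed), this Python snippet links accounts that share an email, phone number, device ID or payment token and walks the chain of shared identifiers from a new account to a known-fraud one:

```python
from collections import defaultdict, deque

# Constructed sample data (all identifiers are made up). acc-new shares a
# card token with acc-mule, which shares a device with a known-fraud account.
ACCOUNTS = {
    "acc-fraud": {"email": "x@example.net", "phone": "+440001", "device": "dev-A", "card": "tok-1"},
    "acc-mule":  {"email": "y@example.net", "phone": "+440002", "device": "dev-A", "card": "tok-2"},
    "acc-new":   {"email": "z@example.net", "phone": "+440003", "device": "dev-B", "card": "tok-2"},
    "acc-clean": {"email": "w@example.net", "phone": "+440004", "device": "dev-C", "card": "tok-3"},
}
KNOWN_FRAUD = {"acc-fraud"}

def build_graph(accounts):
    """Link two accounts whenever they share any identifier value.
    Returns {account: {neighbour: (kind, value)}} so every hop records why."""
    by_identifier = defaultdict(set)
    for acc, attrs in accounts.items():
        for kind, value in attrs.items():
            by_identifier[(kind, value)].add(acc)
    graph = defaultdict(dict)
    for (kind, value), members in by_identifier.items():
        for a in members:
            for b in members - {a}:
                graph[a].setdefault(b, (kind, value))
    return graph

def link_to_fraud(start, graph, known_fraud, max_hops=3):
    """Breadth-first search from `start`. Returns the hop list
    [(account, identifier shared with the previous hop), ...] that ends at a
    known-fraud account, or None if none is reachable within max_hops."""
    queue = deque([(start, [(start, None)])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in known_fraud and node != start:
            return path
        if len(path) - 1 >= max_hops:  # hop budget exhausted on this branch
            continue
        for neighbour, via in graph[node].items():
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append((neighbour, path + [(neighbour, via)]))
    return None

def screen(account, accounts=ACCOUNTS, known_fraud=KNOWN_FRAUD):
    """Human-readable chain from `account` to known fraud, or None if clean."""
    path = link_to_fraud(account, build_graph(accounts), known_fraud)
    if path is None:
        return None
    return " -> ".join(a if v is None else f"{a} (shared {v[0]} {v[1]})" for a, v in path)
```

Capping the hop count matters in practice: a shared device at a public library or a family card legitimately connects many accounts, so a long chain is weaker evidence than a direct link.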
But whatever tactics you opt for, one thing is certain: subscription businesses will remain a high-profile target for fraudsters. Which means it’s imperative to get the right technology in place to deal with the threat as soon as possible to protect both your reputation and your bottom line.
Written by Mairtin O’Riada, CIO and co-founder of Ravelin