March 10, 2017

Keep your friends close, but your customers closer: identifying a social engineering attack

Luke Reynolds, Chief Product Officer at Featurespace, looks at how merchants and retailers can protect their revenues and their customers from online social engineering attacks.

With the rise of online and mobile retail, how do merchants know that their customers are who they claim to be, particularly on digital channels? 

We know that criminals are taking advantage of the anonymity of digital retail environments to commit sophisticated, targeted fraud attacks, exploiting customers by impersonating the merchant or bank – via online and phone channels – to get customer account and security data. 

It’s known as social engineering, and it’s on the rise. 

Businesses are only as strong as their weakest link 

As an online merchant, your business is only as strong as its weakest link. Criminals are constantly on the lookout for vulnerabilities to exploit. In our world of on-the-go, 24/7 access to retail purchases, this vulnerability can often be the customer. 

To tackle social engineering, merchants need to understand the subtle differences between loyal customers returning for repeat business, and criminals using compromised retail account data. 

This is crucial for merchants and retailers who want to protect their customers, reduce friction and maximise business revenue. 

Gone phishing: how to spot the signs

Social engineering attacks target merchants’ customers via email channels (known as ‘phishing’) or by phone call (known as ‘vishing’). The criminal – pretending to be from the merchant – attempts to get an individual’s security information to supposedly “stop” a fraud attack, and then uses these details to illegally access their retail account. 

It’s a dangerous type of attack, impacting both customers and merchants directly. It is incredibly difficult to spot in real time, because the criminal has all the correct details to access the retail account and order goods.  

In our mobile, online world it’s no longer enough to add business rules and security steps to protect customers. The key is to understand normal behaviour and spot anything out of character – however subtle – to protect customers, and avoid sending retail goods to a criminal. The aim is to reduce the cost of lost goods, and of refunds and chargebacks to the genuine customer whose account was compromised.

So, how do merchants tackle it? 

The answer is to understand normal behaviour for each customer, and spot the subtle anomalies that indicate they are acting out of character. This stops the attack before goods are sent out, and prevents card details being compromised.

The good news is that the latest machine learning technology uses Adaptive Behavioural Analytics to enable merchants and retailers to understand each individual customer’s behaviour in real-time. By viewing all events in context, merchants can quickly and accurately detect the subtle anomalies that indicate someone is acting out of character. 

This technology builds rich behavioural profiles that go beyond transactional data, monitoring non-monetary events including log-in time, how a customer types their password, page navigation, time on page, and interaction via a merchant’s app or online account. The profiles continually update with the latest data, across all channels and products, to accurately flag the subtle anomalies which could indicate a social engineering attack. 
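As an added illustration of the per-customer profiling described above (it is not Featurespace's algorithm or code), the Python example below keeps a running baseline of three non-monetary features for one customer and scores each session before goods are dispatched. The feature names, thresholds and sample sessions are assumptions constructed for the example, and a z-score stands in for whatever model a real platform uses.

```python
import math

# Assumed feature names (from the article's list), each with a minimum spread.
FEATURES = {"login_hour": 1.0, "password_typing_ms": 50.0, "seconds_on_page": 5.0}
MIN_HISTORY = 5       # assumed: sessions needed before the profile is trusted
HOLD_THRESHOLD = 4.0  # assumed: z-score above which the order is held for review

def wrapped_delta(feature, value, mean):
    """Distance from the mean; hours wrap, so 23:00 and 01:00 are 2h apart."""
    d = value - mean
    return (d + 12) % 24 - 12 if feature == "login_hour" else d

class Profile:
    """Per-customer running mean and variance (Welford's online algorithm)."""
    def __init__(self):
        self.n = 0
        self.mean = dict.fromkeys(FEATURES, 0.0)
        self.m2 = dict.fromkeys(FEATURES, 0.0)

    def update(self, session):
        self.n += 1
        for f in FEATURES:
            d = wrapped_delta(f, session[f], self.mean[f])
            self.mean[f] += d / self.n
            if f == "login_hour":
                self.mean[f] %= 24
            self.m2[f] += d * wrapped_delta(f, session[f], self.mean[f])

    def score(self, session):
        """Largest absolute z-score over the features; 0.0 with too little history."""
        if self.n < MIN_HISTORY:
            return 0.0
        return max(abs(wrapped_delta(f, session[f], self.mean[f]))
                   / max(math.sqrt(self.m2[f] / (self.n - 1)), floor)
                   for f, floor in FEATURES.items())

def check_order(profile, session):
    """Score before dispatch; a held session never updates the baseline."""
    s = profile.score(session)
    if s > HOLD_THRESHOLD:
        return "hold", s
    profile.update(session)
    return "ship", s

# Constructed sample data: six sessions from an evening shopper.
profile = Profile()
for row in [(20, 1800, 40), (21, 1750, 35), (22, 1900, 50),
            (23, 1850, 45), (0, 1700, 38), (21, 1820, 42)]:
    check_order(profile, dict(zip(FEATURES, row)))
```

Because held sessions are excluded from `update`, a login with valid credentials but an out-of-character time and typing rhythm cannot shift the customer's baseline toward the fraudster's behaviour.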

What’s the benefit for merchants? 

This approach enables merchants to intervene before goods are sent out to a fraudulent address, which:
•    Minimises the cost of losing goods to a fraudster
•    Catches the fraud before a genuine customer demands a refund for goods they never ordered
•    Reduces chargeback losses 
•    Keeps genuine customers loyal by reducing friction 

Adaptive Behavioural Analytics, delivered via a machine learning platform, is crucial in the fight against new types of fraud – strengthening merchants’ offerings to their genuine customers, and protecting both customers and business revenue from fraud attacks.

Want to find out more about how to protect your business from social engineering attacks?

Luke Reynolds will be speaking at MRC Vegas (13-16 March) – book your meeting now to speak to Luke at the event.