In this episode, Yvette Bohanan and Chris Uriarte sit down with Eyal Elazar, Head of Product Marketing at Riskified, to discuss policy abuse trends and the implications of consumers and professional criminals increasingly engaging in these schemes.
You can listen to the full podcast using the player below or continue reading to learn more about this topic.
What is Policy Abuse?
Policy abuse, a form of first-party fraud, occurs when a customer – whether legitimate or a professional posing as a legitimate customer – manipulates a business’s policies for financial gain.
A newly released 2023 Riskified survey of over 300 merchants found that 90% of online merchants believe policy abuse is a significant problem for their bottom lines.
Policy abuse can take various forms, including:
Return Fraud: Exploiting a business’s return policy by returning used or stolen items for a refund or store credit. Organized groups sometimes engage in return fraud schemes, resulting in significant financial losses for businesses.
Coupon Misuse: Using coupons in ways that violate the terms and conditions set by the business. Examples include photocopying coupons, using expired coupons, or combining multiple coupons inappropriately.
Offer Exploitation: Creating multiple accounts or using fraudulent information to take advantage of discounts, freebies, or other offers intended to attract new customers.
Item Not Received (INR): INR occurs when a legitimate customer does not receive a purchased item. INR can be used in cases of third-party fraud when a customer has a package stolen from their doorstep or when the item they were expecting is not shipped to them. However, when a legitimate customer receives the item but claims they did not in order to avoid paying for it, then INR becomes first-party fraud.
Reseller Abuse: Using automated bots to purchase items from a retailer (or manufacturer) to create false scarcity and resell the items on a marketplace at a higher price. The business suffers rapid inventory depletion, resulting in revenue and reputational impacts, along with being disintermediated from the customer. The customer who purchases through the reseller suffers, too, by paying more than they should for the product.
While some forms of policy abuse have held steady for the past year, several are on the rise. In a recent Riskified survey, 37% of business respondents noted that return fraud is increasing, 57% have seen an increase in Item Not Received (INR) fraud, 38% have seen an increase in promotional code abuse, and 45% have seen an increase in reseller abuse.
Why is Policy Abuse Hard to Prevent?
Given the wide range of policy abuse schemes and that an estimated 30-40% of policy abuse cases involve legitimate customers, it is not surprising that fraud controls designed to mitigate third-party fraud (where the customer or account holder suffers a financial loss) are not successful in detecting policy abuse. Moreover, many policy abuse schemes, such as coupon fraud, do not result in a chargeback – historically an essential confirmation tool for detecting fraud patterns, blocking bad actors, and training models.
What Should Businesses Do To Curb Policy Abuse?
Because the symptoms and financial impacts of policy abuse show up in various places in an organization, businesses should create a cross-functional team to discuss all forms of policy abuse. Consider a team that includes risk management, finance, legal, customer support, marketing, and logistics. As appropriate, product managers, software engineers, and information security team members may be included to discuss trends, issues, and potential improvements to controls.
Data that reflects a 360-degree view of marketing programs and customer accounts is critical to making cross-functional conversations actionable. High-level data that pulls through a customer journey – for example, sales, returns, chargebacks, and refunds related to a specific marketing promotion – is a good place to start. Be prepared to segment data further to see patterns that will unearth actionable information. Segmenting by payment methods, geographic details (such as zip code), and customer demographics will be important to ensure controls are specific enough to protect good revenue. Getting to actionable insights requires everyone to focus on the 360-degree view of the data and resist the urge to look solely at gross sales. Focusing on the “top line” can result in limited thinking about the actual revenue a program or product is generating, allowing fraudulent schemes to perpetuate.
Once a new control is identified, creating or enhancing automated controls focused on specific policy abuse schemes enables scalability and tuning for a particular form of abuse. For example, models and tools that detect reseller bots will identify bot versus good customer activity. Combining these automated controls with refreshed manual controls, such as updated customer support procedures and policies, creates a comprehensive, measurable, and tunable response to specific risks.
Policy Abuse is Here to Stay
With younger demographics more prone to believing policy abuse is acceptable behavior and more organized rings participating in first-party fraud schemes, businesses must recognize that policy abuse is here to stay and act accordingly. Getting the conversation started internally and looking closely at your data is the first step in mitigating the losses and risks associated with this first-party fraud.