E-commerce is one of the Indian economy’s fastest growing sectors. Bank of America Merrill Lynch estimates the Indian online retail market to carry a gross merchandise value (GMV) of $62 billion by 2020, with a GMV of $17 billion this year. This growth is fueled by businesses which are increasing efficiencies in demand and supply and diminishing entry barriers. With e-commerce playing a pivotal role in the economy and our daily lives, it is important to understand some of the risks involved.
Fraud is one of the biggest risk these companies face. A recent CyberSource survey suggests that North American businesses expect to lose 0.8% of total revenue due to fraud. Whereas in India, this number ranges between 4-5% as per some estimates.
There are three categories of frauds in an online marketplace, each with distinct and multiple modus operandi (MO).
Buyer side frauds: Where buyers file fraudulent claims, chargebacks or compromised payment cards. Fake buyer accounts are created with the intention of utilising a compromised payment card to purchase items. Many buyers also abuse services provided by the marketplace such as their return policies, guarantees etc. Recently there was a case of two youngsters buying expensive mobile phones on Flipkart and claiming they received empty boxes. Their scheme ran for over a year and half with the cost of those 152 phones totaling Rs. 1.05 crore.
Merchant side frauds: These typically range from non-fulfillment to selling counterfeit and many other complex models. Fraudsters typically create a new account and list popular/fast moving items at extremely low prices to attract the most number of customers in the shortest period of time. As the last date of delivery passes, complaints of not having received the items start to pour in. The fraudster tries to keep the whole scheme going till disbursement day using various tactics. In the case of counterfeit goods, complaints of the item being fake start coming in. Depending the type of product, customers may or may not be able to identify a fake immediately. There have been cases of phones being sold and customers finding out almost a year later at the service centre that the phone is a fake. Given the ease with which transactions can take place and the difficulty in seeing the physical movement of goods, cases of money laundering and abuse of online marketplaces have also been observed.
Cyber security fraud: Customer accounts are not without cyber security challenges. Frequently, accounts are compromised and subject to account takeovers (ATO) and identity theft. Credit card details are sold online by the hundreds. Professional fraudsters have an arsenal of credit card numbers and their details. Sometimes a marketplace account is a by-product of a larger hack. Hackers then proceed to place orders through the account or create a seller account from which a scheme is run.
A recent report by OECD estimates counterfeit and pirated goods to be 2.5% of global imports. According to one Nilsen report, losses caused by payment card frauds globally in 2015 is estimated at $21.84 billion. These figures show systemic inefficiencies and exceptional unmet demand (in the case of counterfeit/infringing goods). A survey carried out by MarkMonitor shows that 39% of the surveyors intentionally bought a counterfeit product with a sizable number willing to buy again.
One can find listings for ‘fake/replica iPhones’ on e-commerce websites which are sold at a fraction of the cost of the original phone (Rs 7,000 vs Rs 61,000). The counterfeit goods market’s lucrativeness lies in the lack of close substitutes for premium products and the ability to bridge this demand with low risk and high benefit. Branded items ranging from smart phones to handbags are replicated and sold at a fraction of the cost of an original.
Consider the example of a merchant selling a counterfeit product or indulging in a fraud scheme with no intention of fulfillment. In both these cases, the marketplace expects free market forces to identify such fraudsters and, after suffering reputational damage, put these fictitious players out of business. Despite knowing their certain fate of being removed from the marketplace in a short span, why do such frauds happen repeatedly?
The economics of it all
The answer lies in the market and cost structures of the ecosystem and the fraudster’s risk benefit ratio. The barriers to enter the market are almost nil – an email id and credit card. In the case of a seller, a bank account to which the earnings are to be credited and a phone verification are additional requirements. The identity assumed online doesn’t have to be the person’s real identity. There are enough resources online to generate temporary email ids, credit card numbers and many other free tools to mask the person’s identity. This allows for multiple unrelated identities and accounts to be created with access to the marketplace. Even if one is shut down, there are other accounts through which “business” can be carried out.
The cost structure incentivises fraudsters to participate on the platform repeatedly. Cost of the hardware used as well as the internet connection is fixed in nature. Participating multiple times helps spread this cost over multiple participation. Disbursement schedules are well defined, enabling merchants to adjust their delivery time periods.
The risk benefit ratio is skewed with rewards being pure profits for the perpetrators and no real consequence of being caught. The large costs of security and law enforcement following up outside the marketplace is itself a deterrent for the companies to follow up. Sometimes these merchants reside outside the geographical boundaries of the country. This leaves the platform vulnerable to recurring incidents by these fraudsters. The initial cost of identification itself is very high.
As a result, the market experiences the following.
At a macro level, incomplete information and previous experiences can cause partially informed buyers to stay away from the entire range of products, thereby damaging the market-system. Marketplaces which are sensitive to customer experience bear the cost of bad customer experience by compensating buyers. They are able to retain customers by incurring this cost. Due to the existence of many players, such losses have a spill-over effect where financial institutions and other players pay a price directly and in terms of opportunity cost. Another element of exposure is the legal aspect of the matter. Marketplaces in which such transactions have occurred, the risk is entirely borne by the online marketplace. Lawsuits have been filed against Alibaba for allowing such transactions to take place. These are risks that accrue directly by virtue of transactions on the marketplace.
There is another element of risk which accrue due to indirect causals. Government policies also have an impact on the e-commerce business. Given the nature of the business where transactions can occur online between two parties without any physical verification of identity and transaction, there are instances where the platform is misused to transfer money. The actual transaction may take place in another form, but the money flows could be done through these platforms. There are countries with closed capital accounts which place a restriction on the amount of foreign currency that can be held by the general public. The demand for this foreign currency gives rise to a black-market for the foreign currency. The flows of the foreign currency could take place through these marketplaces with the payment of the local currency taking place outside the platform.
The Indian landscape
The Indian e-commerce fraud ecosystem is still in its nascent stages. Much of the fraud being committed are basic versions of classic MOs – listing items at extremely low prices and getting away with the money, selling counterfeit items, buyers ordering items and claiming they haven’t been received, card frauds etc. It is alarming that such cases are missed on a regular basis. The case of a duo duping an Indian e-commerce marketplace for Rs. 1.05 crores over 18 months is not a one-off case. Incidents of such long-term schemes have been seen on this and other platforms time and again. This points to a huge flaw in the checks systems or a failure of internal resources to act on such accounts in a timely manner. Either cases don’t play out well.
Established companies that are expanding into new markets have an advantage over Indian companies as they have a lot of experience in dealing with fraud at various stages in the fraud ecosystem – from complex group attacks to one-off cases by individuals trying to make a quick buck. They have seen the fraud ecosystem evolve with them and know what to expect at various stages. Companies use algorithms to assist in the detection as it is impossible to manually check the large number of existing and new participants in the market.
Future trends and solutions
As the market evolves, companies will be targets of sophisticated attacks as these attacks will be more profitable. From individual fraudsters, there could be a transition to a group operating on a regular/seasonal basis. Marketplaces will have to find mechanisms to counter these. Data analytics and machine learning help in reducing the reaction time and take proactive action. Systems can be designed in a way where majority of the accounts don’t require manual investigations. While algorithms can proactively take action on accounts, it is important to find the balance between technology and the human element. Areas of overlap between fraudsters and genuine customers is where the risk is high and the human element is necessary. There is a large element of subjectivity in such cases for which the circumstances of the case need to be understood in order to ensure good customer experience. A work-force trained and experienced enough to understand the difference between a fraudster and a genuine customer need to be built over time in anticipation rather than in reaction to events.
While the population of such fraudulent accounts are small compared to the overall landscape, it is important to understand the implications of policies enacted to prevent such behaviour on other regular accounts. Policies relating to account verification, restricted and permitted items, disbursement schedules, etc. play a pivotal role in degerming the fraud landscape on the marketplace. Companies should review the system as a whole and think of new ways to patch loopholes such as linking disbursement schedules to order success rather than predefined weekly or monthly schedules.
As the objective of achieving a 100% fraud free marketplace is a distant possibility, companies must improve upon their response and redressal mechanisms. In a country where people are still hesitant to purchase online, having due diligence measures and appropriate response mechanisms to help victims will be a key distinguishing factor in the medium to long run. When customers are given a sense of assurance and security despite suffering an untoward incident, they would consider coming back to the marketplace to transact. However, when grievance redressal mechanisms fail, as Albert Hirschman pointed out in his 1970 book (Exit, Voice, and Loyalty) customers will choose to exit the marketplace than keep voicing their concerns and risk undergoing another bad experience.
It is commendable that Flipkart and Amazon have taken steps in following up cases of fraud outside the platform. This will go a long way in deterring such cases of fraud in the future. However, there is also a flipside as people will start looking at ways to mask their identity. This will increase the complexity involved manifold. It is important to have a firm level as well as industry level strategy. Attacks are rarely limited to one site and happen across marketplaces. Information sharing is very crucial in pin pointing the physical presence of the perpetrators and putting a permanent end to the particular threat. While there are many concerns regarding the sharing of data among marketplaces directly, it is important to explore the possibility of establishing a third party capable of compiling and aggregating relevant information and facilitating a physical investigation. This would reduce cost substantially in the medium to long run as it addresses the root cause. Insurance companies are working towards sharing information relating to fraud through a database being created by the General Insurance Council.
Considering this changing landscape, it is necessary for a business to calculate its profit optimising point between the cost of anti-fraud review and loss due to frauds. The role of fraud has been significantly underrated in economic analysis. Lack of adequate understanding and accounting for fraud dents the ability of the marketplace to function at an optimal level. It is only by altering the fraudster’s risk-benefit ratio that companies can truly reduce the incidence of fraud. While there are a number of short-term pressures, Indian companies must start preparing for the future. A fraud strategy must be created at a firm as well as industry level. Creation of a third-party organisation dedicated to facilitating fraud investigations outside the marketplace will play a critical role is ensuring the threat is permanently reduced while accruing greater benefits to the firm and industry.
This article was published on The Wire