Avoiding mobile fraud: What small businesses need to know

Our insatiable love affair with the mobile device shows no signs of abating. According to a recent report there will be more mobile subscriptions on earth than people by the end of 2014. With one in seven European smartphone users having recently completed a retail transaction on their mobile phone, the opportunity is ripe for organisations to get on board.

However, engaging with consumers through mobile devices is very different to traditional eCommerce, and requires a different approach. This is especially true when it comes to mobile payments. So, what can organisations do to make sure they get their mobile payment strategy right?

Understand the radical shift in consumer behaviour

eCommerce orders have historically been placed during core business hours. However, the widespread use of tablets and smartphones has seen a radical shift in consumer buying patterns. The peak buying time for these types of devices now occurs between 8pm and 9pm. Understanding this shift in consumer behaviour is key – for instance, applying rigid fraud rules for anyone shopping outside of normal business hours will impede sales.

Businesses should also appreciate that consumers now use multiple devices at home, often switching between smartphones, tablets and PCs when purchasing goods. This can cause challenges when it comes to validating a device. That’s because historically, the more changes in the data, the riskier the transaction. If a consumer places an order on three or four laptops, for example, further investigation would need to be carried out. Now, households use many devices in one home, so organisations must ensure their fraud protection accommodates changing consumer habits.

Mobile devices add even more complexity to retailers’ infrastructure. Be prepared to accommodate the plethora of devices available within your fraud screening plans. Once you understand your customer, you can then adapt your rules to take into account new personal habits and behaviours.

Evaluate reliability of traditional data points

Technologies such as IP geolocation have traditionally worked well to track a consumer’s physical location at the time of a purchase. Unfortunately, they can become completely redundant when a mobile device is not connected to a Wi-Fi network. In this instance, the device’s location would show as the mobile operator’s, which isn’t sufficiently precise if you are attempting to confirm the owner’s location.

Given the nomadic nature of mobile devices, it can be difficult to pinpoint exactly where a purchase originates. Capturing the GPS location will certainly help when it comes to comparing details such as billing and shipping address proximities. Wherever possible try to collect GPS data – it can strengthen your fraud-screening rules.
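The sketch below is an added example, not code from the article or from CyberSource. It shows one way to prefer a GPS fix over IP geolocation and to discard IP geolocation on a cellular connection before measuring proximity to the billing and shipping addresses. The field names, the 50 km threshold and the sample orders are assumptions constructed for illustration, and addresses are assumed to be geocoded already.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def location_signal(order, near_km=50.0):
    """Return (source, verdict) describing the order's location evidence.

    GPS is used when present. IP geolocation is trusted only on Wi-Fi,
    because on a cellular connection it resolves to the mobile operator,
    not the shopper. near_km is an assumed threshold, not a recommendation.
    """
    if order.get("gps") is not None:
        source, point = "gps", order["gps"]
    elif order.get("connection") == "wifi" and order.get("ip_geo") is not None:
        source, point = "ip", order["ip_geo"]
    else:
        # No usable location: do not score the operator's address as the shopper's.
        return ("none", "no_signal")
    nearest = min(haversine_km(point, order[k]) for k in ("billing", "shipping"))
    return (source, "near" if nearest <= near_km else "far")

# Constructed sample data: approximate city-centre coordinates.
LONDON, MANCHESTER = (51.5074, -0.1278), (53.4808, -2.2426)
SAMPLE_LOCATION_ORDERS = {
    "gps_near": {"connection": "cellular", "gps": (51.5155, -0.0922),
                 "ip_geo": MANCHESTER, "billing": LONDON, "shipping": LONDON},
    "cellular_no_gps": {"connection": "cellular", "gps": None,
                        "ip_geo": MANCHESTER, "billing": LONDON, "shipping": LONDON},
    "wifi_far": {"connection": "wifi", "gps": None,
                 "ip_geo": MANCHESTER, "billing": LONDON, "shipping": LONDON},
}

if __name__ == "__main__":
    for name, order in SAMPLE_LOCATION_ORDERS.items():
        print(name, location_signal(order))
```

A "far" or "no_signal" result is an input to the wider rule set, not a rejection on its own.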

Don’t rely on device fingerprint data alone

Device fingerprinting is a hugely useful way of identifying the PC or laptop used to make a purchase. It collects a range of information that can help to determine whether the customer is legitimate: installed applications, software updates, the time zone of the device and whether things such as JavaScript are turned on for the device. This all makes up a PC’s unique fingerprint.

Unlike PCs and laptops, very limited information can be collected from smartphones and tablets. This makes it difficult to collect the most valuable data. Ensure that you amend and adapt your fraud rules accordingly to account for this.

If possible, capture the IMEI and UUID numbers of the mobile device (the phone’s unique identity number). This can be another useful tracking element to compare against addresses or credit card numbers. And if you have a device that has made multiple purchases with the same card, then this can represent much lower risk. However, a device that has attempted to use six cards to conduct a purchase will raise suspicion and certainly need further investigation.
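As an added example (not code from the article or from CyberSource), the rule described above can be expressed as a count of distinct cards per device, with a repeat of an already-seen device and card pair treated as lower risk. The field names, the demo key, the limit of five distinct cards and the sample orders are assumptions constructed for illustration; identifiers are keyed-hashed so the rule never stores a raw device ID or card number.

```python
from collections import defaultdict
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # placeholder; a real key would come from a secret store

def token(value):
    """Keyed hash so raw device IDs and card numbers are not kept by the rule."""
    return hmac.new(DEMO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def screen_device_cards(orders, max_cards=5):
    """Return [(order_id, verdict, distinct_cards_on_device)] in order of arrival.

    verdict is "review" once a device exceeds max_cards distinct cards,
    "lower_risk" when the same device and card pair has been seen before,
    and "neutral" otherwise. max_cards is an assumed threshold.
    """
    cards_by_device = defaultdict(set)
    pair_seen = defaultdict(int)
    results = []
    for order in orders:
        dev, card = token(order["device_id"]), token(order["card"])
        repeat = pair_seen[(dev, card)] > 0
        pair_seen[(dev, card)] += 1
        cards_by_device[dev].add(card)
        distinct = len(cards_by_device[dev])
        if distinct > max_cards:
            verdict = "review"       # many cards on one device: investigate
        elif repeat:
            verdict = "lower_risk"   # same device, same card as before
        else:
            verdict = "neutral"
        results.append((order["order_id"], verdict, distinct))
    return results

# Constructed sample data: device-1 reuses one card, device-2 tries six.
SAMPLE_DEVICE_ORDERS = (
    [{"order_id": f"A{i}", "device_id": "device-1", "card": "card-A"} for i in range(3)]
    + [{"order_id": f"B{i}", "device_id": "device-2", "card": f"card-{i}"} for i in range(6)]
)

if __name__ == "__main__":
    for row in screen_device_cards(SAMPLE_DEVICE_ORDERS):
        print(row)
```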

Embed mobile into your overall cross-channel strategy

Orders or bookings placed via mobile devices provide a goldmine of useful information. The real value lies in the ability to compare these transactions alongside those from your call centre or website. It can help you to more quickly spot fraudsters migrating between different channels.

Take all the data available and create a set of rules specific to mobile transactions. Your mobile fraud screening should then feed into the other orders being placed across the business. This will help you to compare mobile purchasing information against other known data (such as the website or call centre) to detect further discrepancies.

How do you know if you are rejecting too many orders? You can’t manage what you can’t measure. You need to be able to collect and analyse your data to make sure your rules are performing to the best of their ability. For instance, are the majority of your rejected transactions coming from mobile devices or call centre transactions? If they are from mobile devices, then perhaps your current rule set needs tweaking.

James Hunt is an associate principal in CyberSource’s managed risk services team

Sponsored content

This content has been sponsored by BIS, whose brand it displays. All content is editorially independent.
