10 minute read 25 Jul 2019
ey-two-mannequins

How digital transformation increases consumer and retail fraud risks

By

Anurag Kashyap

EY Global Consumer Products, Forensic & Integrity Services Leader

Global CPR sector Leader. Helps clients mitigate fraud risks. Provides anti-counterfeiting solutions with Integrity at the forefront

10 minute read 25 Jul 2019

As the use of new technology increases in an omni-channel world, so do the potential cyber security pitfalls.

Digital transformation has swept across the consumer products and retail (CPR) sector, from manufacturing process automation, to sales and distribution, and logistics and digitization of customer payments. Yet, as CPR companies adopt impressive new technologies, they also encounter new fraud risks.

We’ve examined the emergent digital fraud dynamics when organizations undergo such transformation journeys and outlined ways that companies can address loopholes, tackle misconduct and put monitoring mechanisms in place to potentially pre-empt and mitigate fraud. But first, it’s worth looking at the degree to which CPR companies have changed in the digital era.

Woman doing electronic transaction
(Chapter breaker)
1

Chapter 1

What is driving the digital transformation in CPR?

Responding to consumer demands, importers and exporters, suppliers, carriers, and distributors are more interconnected by data than ever before.

Over the past five years, the e-retail market has grown by more than 100% a year, and in 2017, e-retail sales accounted for 10.2% of global retail sales, with Indonesia, India, Mexico and China as the fastest-growing markets. In 2019, e-retail sales are set to account for up to one-third of total retail sales in China.

And consumer expectations are changing as direct-to-consumer brands acquire individual customers at scale. Omni-channel retail has now become the new normal. For the speed, ease and convenience that customers expect, the industry is transforming the point of sale (PoS) process in traditional retail stores, online platforms for direct consumer reach, and the supply chain systems that expedite the ordering and purchasing process.

Investing in technology— such as a distribution management system for tracking secondary sales (distributor to retailer), PoS terminals for tertiary sales (retailer to consumer), and automation software for performance monitoring and sales route optimization — has helped companies along the path to digitization.

As more stakeholders use digital technology, the risk landscape is changing. Incidents of fraud perpetrated by company insiders, connected organizations and external parties are exposing and exploiting the new vulnerabilities of networked business models.

Aside from promoting access to fast-growing emerging markets, digitization enables multidirectional supply chains, connecting importers and exporters, suppliers, carriers, distributors and customers. Automation is streamlining manufacturing, logistics and payments, and expedites integration with third-party networks that link subcontractors, manufacturers, stockists and distributors. These processes produce real-time data that can be used for more precise management and monitoring.

But as more stakeholders use digitized technology, the risk landscape is changing too. Incidents of fraud perpetrated by company insiders, connected organizations and external parties are exposing and exploiting the new vulnerabilities of networked business models.

Salesman selling a shoe to a tourist
(Chapter breaker)
2

Chapter 2

Emergent problems

Cyber criminals, dishonest or careless employees, and fraudulent third parties can thwart the best intentions of your digital strategies.

Digitization has focused concerns on fraud. The EY 15th Global Fraud Survey found that 36% of respondents considered fraud and corruption as the greatest risk to business, and 37% rated cyberattacks as the greatest risk. In the CPR industry, there are several primary vulnerabilities to consider:

  • Sensitive personal data collected through e-commerce: Retailers are targeted because they hold up-to-date data that criminals can use, such as names, addresses and credit card details. High-profile hacks have business and reputational consequences for companies.
  • Cyber threats to online transaction platform: Denial-of-service or distributed denial-of-service attacks represent a major business risk, as sales are halted when online channels are compromised. This can be the result of a malicious attack or a system failure because the platform cannot respond to the volume of traffic on peak sales days, such as Black Friday.
  • Insider risk: Company employees can commit fraud by misusing internal systems and processes. For instance, in the secondary sales system (distributor to retailer), staff can inflate sales on new or existing retailer outlets to claim undue benefits, and in the tertiary sales system (retailer to end consumer), employees can claim promotional benefits that are meant for consumers.

Digitization links online systems and physical processes, sharing real-time data between internal functions and third parties to reduce order response times and mitigate overstocked inventories. This opens up new vulnerabilities, particularly when companies fail to upgrade control and monitoring measures. Here, we break down those vulnerabilities by category.

PoS

Digitization has transformed the PoS functionality by recording and aggregating transactional data. However, PoS is also a major target for fraud, affecting in-store retail to e-commerce vulnerabilities. These include:

  • The terminal itself can be targeted, with mobile PoS devices being vulnerable to malware via in-store Wi-Fi networks.
  • Most terminals accept contactless payments for rapid customer onboarding, which presents security and authentication risks.
  • Self-service checkouts can attract fraud perpetrated by customers — for example, scanning one item and packing another more expensive item, or several items.

These small incidents extrapolated across multiple stores can represent significant losses.

The online marketplace

Online trading scales up retail operations — enabling retailers to trade faster and with more people — but it also increases the risk of fraudulent activities that are damaging e-commerce. Recent trends include:

  • Listing fraud: Employees receiving payments from sellers in exchange for manipulating a listing on the marketplace for higher visibility.
  • Commission fraud: Employees receive favors from sellers for reducing the commission percentage that is to be paid by the seller for sales made through an online marketplace.
  • Cost arbitrage fraud: Sellers buy their own products that have cashback offers listed on the online marketplace and then resell them offline.
  • Cashback or promotional fraud: Employees inflate cashback and promotional schemes on certain products to favor specific sellers and receive payments in return.
  • Click fraud: Competitors and others deliberately click on pay-per-click (PPC) adverts (sometimes using technology) to generate fraudulent charges for advertisers, undermining the PPC campaigns. This drives up the advertising cost with lower conversion rates and skewed user data for online businesses.
  • Listing payment fraud: Fraudulent sellers list products for sale and request advance payment. The seller takes payment, but the product does not exist or is not sent, and the buyers’ bank or credit card details may be used as part of a wider fraud scheme.

Loyalty programs

Digitization has transformed the PoS functionality by recording and aggregating transactional data. However, PoS is also a major target for fraud, affecting in-store retail to e-commerce vulnerabilities. These include:Loyalty program fraud is endemic, particularly in emerging markets — for example, in Asia, where most purchases are by cash on delivery or by mobile applications, rather than a credit card.

Loyalty apps record a customer’s entire transactions, including cash transactions, and collect rich customer data for retailers regarding customer choices and behaviors, including bank account and location information. This valuable data attracts hackers.

Loyalty programs are also targeted by insider fraud, including abuse of points, offers and promotions. The employees involved do not pass on promotions to customers, or award themselves, friends or family extra points, with or without a purchase, in exchange for goods or cash.

Risk management functions need to consider that while risks associated with transactions are broadly similar, the scenario differs between regions, depending on cultural norms, shopping habits and levels of technology adoption. Safeguards and solutions must reflect this.

For example, developed economies are experimenting with facial recognition as part of the payment authorization. However, in emerging Asian economies, which are experiencing the highest growth in e-commerce, payments are mostly completed by cash on delivery, smartphone apps and prepaid cards. These are all transferable, not linked to bank accounts and do not require a credit reference.

Supply chain vulnerabilities

Inventory management and control systems that track and locate warehouse items and integrate with back-office systems (accounting or enterprise resource planning) — and often with PoS and asset management software — monitor stock levels and movements. However, CPR organizations are reporting incidents of fraud that are exposing loopholes in secondary and tertiary sales systems.

Examples of insider fraud by abuse of secondary sales systems (distributor to retailer) include:

  • Inflated sales on new or existing retailer outlets to claim undue benefits – sales staff manipulating the system to claim incentives
  • Incentives claimed by the creation of “ghost salesmen” – a response to pressure for incentives and targets
  • Loopholes in the retail outlet creation process that can allow the creation of fake retail outlets in the secondary sales system by distributors to claim undue trade scheme benefits
  • Leakage in scheme payouts made for inflated sales or fake retail outlets
    Database security issues around permissions enabling unauthorized access to back-end databases and work-arounds, such as sharing passwords to bypass approval workflows

Examples of fraud by abuse of tertiary sales systems (retailer to end consumer) include:

  • PoS system used only for billing promotional products and, therefore, transactional data is not indicative of real customer behavior
    Promotional benefits not passed on to the end consumer – the customer paying full price and the employee claiming the promotion separately (e.g., with a two-for-one offer, they keep the extra item)
  • Sales booked in non-business hours so that some sales not recorded on the system
  • Hackers exploiting vulnerabilities in the digital transaction platforms, including insiders who find loopholes in the system and external hackers who understand the system
  • Misuse of reward points to claim points on customer purchases and apply them to another loyalty card (an employee’s own card or one belonging to a family member or friend)

Drilling down into primary, secondary and tertiary sales data uncovers more specific vulnerabilities. For instance, although mobile PoS devices and distribution management systems have improved visibility of transactions and stock levels, transparency levels vary depending on the software package used. Large-scale systems that deal with high volumes of transactions, particularly in Asia, may miss small incidents that are individually insignificant, but widespread across the business.

Consequently, although companies are aware that there is some leakage from the secondary sales system, they are not aware of the magnitude of the overall losses.

Masks hanging in a market
(Chapter breaker)
3

Chapter 3

Fix the leak: proactively assessing vulnerabilities

Follow a three-way approach to determine potential pain points and start changing behaviors and better protecting your assets.

With CPR companies spending large sums on technology transformation projects in their key business operations, stakeholders responsible for these projects must evaluate the fraud vulnerabilities that arise. Specific focus is required on high-value projects that have a financial impact in the form of incentives or payouts for company employees and external third parties involved in the value chain.

This supplements the need for a proactive strategy to detect and address loopholes in processes and systems involved in the digital transformation initiative, with a view to preventing fraud before it happens rather than reacting after the event. A proactive strategy requires organizations to determine where the issues are and take steps to address them using a combination of controls, monitoring and encouragement to change behaviors.

A three-way approach to proactive forensic assessment can add value for businesses seeking to mitigate the potential leaks:

1. Identify and understand

  • Identify the transformation initiative with the highest financial impact
  • Understand the purpose and objectives of the transformation initiative
  • Understand the key performance indicators linked to the transformation project that would potentially result in benefits to internal and external stakeholders, and their financial impact on the organization
  • Analyze links between business-critical processes and systems involved in the transformation initiative

2. Perform functionality testing and data analytics

  • Perform functionality testing of the system application or platform being implemented
  • Design fraud risk scenarios relevant to the business processes linked to the system application or platform under focus
  • Extract data from relevant sources and perform forensic data analytics to test the hypothesis for fraud risk scenarios applicable to the business
  • Conduct additional checks to validate the exceptions identified based on data analytics

3. Mitigate

  • Identify vulnerable areas and categorize them in order of priority
  • Devise practical controls to mitigate risks
  • Build a monitoring framework based on parameters that help to identify red flags on a continuous basis going forward
  • Assist in implementation of the controls in consultation with management
  • Define and agree on an ongoing review mechanism for the controls

When an organization’s key risks have been identified using test scenarios and data analytics within the three-way approach above, monitoring for specific types of incidents can be incorporated into the control framework.

However, considering the quantity of electronic records and transactions, which have been increasing significantly, companies face an uphill task. They need to proactively harness analytics to evaluate data, highlight gaps and identify patterns using intuitive technology-assisted tools.

Analytics is an immensely powerful tool. For instance, trend analytics of online sales data helps spot illicit purchasing patterns, such as bulk buying and repeat returns. Retrospective analytics on PoS terminals can be used to identify inappropriate or fraudulent activities, complementing the payment analytics conducted by credit card providers.

Considering the increasing quantity of electronic records and transactions, companies face an uphill task. They need to proactively harness analytics to evaluate data, highlight gaps and identify patterns using intuitive technology-assisted tools.

Data visualization and machine learning enable large organizations to identify trends around potentially fraudulent activities and communicate with companies to advise which employees may pose the biggest risks within their organization.

Conclusion and key takeaways

Digitization has transformed the CPR environment in many positive ways, as e-commerce expedites almost instant trade in a wide range of products sourced from all over the world. Successful online and omni-channel retail is highly profitable, but digitization is also creating a different risk horizon.

New threats include cyber criminals intercepting physical and online sales systems, dishonest or careless employees, and third parties deliberately seeking opportunities to exploit loopholes or system workarounds in ways that make the system vulnerable to interceptions or fraudulent schemes. The digitized CPR industry produces vast quantities of data, which can be leveraged to grow businesses – and protect them as well.

Rather than having to discipline or dismiss individuals who are caught, it is possible to identify where the risk is in the business and proactively change behaviors. It is important to continue monitoring and measuring transaction integrity to identify which strategies and processes are making a difference, and ensure the right activities and groups are being targeted.

Today’s CPR industry requires systems for identifying and combating fraud risks created by digitization. New developments in retail technology also bring new opportunities for interception and exploitation. Adopting the three-way approach to forensic assessment is key to managing the risks associated with CPR incidents of fraud.

Summary

Incidents of fraud perpetrated by company insiders, connected organizations and external parties are exposing and exploiting the new vulnerabilities of networked business models. A proactive strategy requires organizations to determine where the issues are and take steps to address them using a combination of controls, monitoring and encouragement to change behaviors.

About this article

By

Anurag Kashyap

EY Global Consumer Products, Forensic & Integrity Services Leader

Global CPR sector Leader. Helps clients mitigate fraud risks. Provides anti-counterfeiting solutions with Integrity at the forefront