Digitization has heightened concerns about fraud. The EY 15th Global Fraud Survey found that 36% of respondents considered fraud and corruption the greatest risk to business, and 37% rated cyberattacks as the greatest risk. In the CPR industry, there are several primary vulnerabilities to consider:
- Sensitive personal data collected through e-commerce: Retailers are targeted because they hold up-to-date data that criminals can use, such as names, addresses and credit card details. High-profile hacks have business and reputational consequences for companies.
- Cyber threats to online transaction platforms: Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks represent a major business risk, because sales stop when online channels become unavailable. An outage can be the result of a malicious attack or of a system failure when the platform cannot handle the volume of traffic on peak sales days, such as Black Friday.
- Insider risk: Company employees can commit fraud by misusing internal systems and processes. For instance, in the secondary sales system (distributor to retailer), staff can inflate sales on new or existing retailer outlets to claim undue benefits, and in the tertiary sales system (retailer to end consumer), employees can claim promotional benefits that are meant for consumers.
Digitization links online systems and physical processes, sharing real-time data between internal functions and third parties to reduce order response times and mitigate overstocked inventories. This opens up new vulnerabilities, particularly when companies fail to upgrade control and monitoring measures. Here, we break down those vulnerabilities by category.
Point of sale
Digitization has transformed PoS functionality by recording and aggregating transactional data. However, the PoS is also a major target for fraud, with vulnerabilities spanning in-store retail and e-commerce. These include:
- The terminal itself can be targeted, with mobile PoS devices being vulnerable to malware via in-store Wi-Fi networks.
- Most terminals accept contactless payments to speed up checkout, which introduces security and authentication risks: low-value contactless transactions typically require no cardholder verification such as a PIN.
- Self-service checkouts can attract fraud perpetrated by customers — for example, scanning one item and packing another more expensive item, or several items.
These small incidents, aggregated across multiple stores, can represent significant losses.
The online marketplace
Online trading scales up retail operations, enabling retailers to trade faster and with more people, but it also increases the risk of fraudulent activity that damages e-commerce. Recent trends include:
- Listing fraud: Employees receive payments from sellers in exchange for manipulating a listing on the marketplace to give it higher visibility.
- Commission fraud: Employees receive favors from sellers for reducing the commission percentage that is to be paid by the seller for sales made through an online marketplace.
- Cost arbitrage fraud: Sellers buy their own products that have cashback offers listed on the online marketplace and then resell them offline.
- Cashback or promotional fraud: Employees inflate cashback and promotional schemes on certain products to favor specific sellers and receive payments in return.
- Click fraud: Competitors and others deliberately click on pay-per-click (PPC) adverts (sometimes using technology) to generate fraudulent charges for advertisers, undermining the PPC campaigns. This drives up the advertising cost with lower conversion rates and skewed user data for online businesses.
- Listing payment fraud: Fraudulent sellers list products for sale and request advance payment. The seller takes payment, but the product does not exist or is not sent, and the buyers’ bank or credit card details may be used as part of a wider fraud scheme.
Loyalty programs
Loyalty program fraud is endemic, particularly in emerging markets, for example in Asia, where most purchases are made by cash on delivery or through mobile applications rather than by credit card.
Loyalty apps record all of a customer's transactions, including cash transactions, and collect rich data for retailers on customer choices and behaviors, including bank account and location information. This valuable data attracts hackers.
Loyalty programs are also targeted by insider fraud, including abuse of points, offers and promotions. The employees involved do not pass promotions on to customers, or award themselves, friends or family extra points, with or without a purchase, in exchange for goods or cash.
Risk management functions need to consider that while risks associated with transactions are broadly similar, the scenario differs between regions, depending on cultural norms, shopping habits and levels of technology adoption. Safeguards and solutions must reflect this.
For example, developed economies are experimenting with facial recognition as part of the payment authorization. However, in emerging Asian economies, which are experiencing the highest growth in e-commerce, payments are mostly completed by cash on delivery, smartphone apps and prepaid cards. These are all transferable, not linked to bank accounts and do not require a credit reference.
Supply chain vulnerabilities
Inventory management and control systems that track and locate warehouse items and integrate with back-office systems (accounting or enterprise resource planning) — and often with PoS and asset management software — monitor stock levels and movements. However, CPR organizations are reporting incidents of fraud that are exposing loopholes in secondary and tertiary sales systems.
Examples of insider fraud by abuse of secondary sales systems (distributor to retailer) include:
- Inflated sales on new or existing retailer outlets to claim undue benefits – sales staff manipulating the system to claim incentives
- Incentives claimed by the creation of “ghost salesmen” – a response to pressure for incentives and targets
- Loopholes in the retail outlet creation process that can allow the creation of fake retail outlets in the secondary sales system by distributors to claim undue trade scheme benefits
- Leakage in scheme payouts made for inflated sales or fake retail outlets
- Database security issues around permissions enabling unauthorized access to back-end databases and work-arounds, such as sharing passwords to bypass approval workflows
Examples of fraud by abuse of tertiary sales systems (retailer to end consumer) include:
- PoS system used only for billing promotional products, so that transactional data is not indicative of real customer behavior
- Promotional benefits not passed on to the end consumer – the customer paying full price and the employee claiming the promotion separately (e.g., with a two-for-one offer, they keep the extra item)
- Sales booked in non-business hours so that some sales are not recorded on the system
- Hackers exploiting vulnerabilities in the digital transaction platforms, including insiders who find loopholes in the system and external hackers who understand the system
- Misuse of reward points to claim points on customer purchases and apply them to another loyalty card (an employee’s own card or one belonging to a family member or friend)
Drilling down into primary, secondary and tertiary sales data uncovers more specific vulnerabilities. For instance, although mobile PoS devices and distribution management systems have improved visibility of transactions and stock levels, the level of transparency varies with the software package used. Large-scale systems that deal with high volumes of transactions, particularly in Asia, may miss small incidents that are individually insignificant but widespread across the business.
Consequently, although companies are aware that there is some leakage from the secondary sales system, they are not aware of the magnitude of the overall losses.
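The tertiary-sales patterns listed above (sales booked outside trading hours, a till used only to bill promotional items, customer purchase points diverted to another loyalty card) and the point made here about small incidents that only become material in aggregate can both be turned into simple detection rules. The following is an added example, not code from the page or from any vendor's system: it runs three rules over a few constructed receipts and then rolls the hits up per store and across the estate. The field names, trading hours and thresholds are assumptions.

```python
"""Added example: detection rules for tertiary-sales fraud patterns, run over
constructed sample receipts. Field names, store hours and thresholds are
assumptions, not taken from any real PoS system."""
from collections import defaultdict
from datetime import datetime

# Constructed sample receipts (hypothetical schema). "card" is the loyalty card
# credited at the till; "buyer" is the customer the purchase belongs to where
# known (e.g. from an order or card-on-file record), None otherwise.
RECEIPTS = [
    {"id": "R1", "store": "S1", "cashier": "E1", "ts": "2024-03-01T10:15:00", "amount": 12.50, "promo": False, "card": "C100", "buyer": "C100"},
    {"id": "R2", "store": "S1", "cashier": "E1", "ts": "2024-03-01T11:02:00", "amount": 8.00, "promo": True, "card": "C101", "buyer": "C101"},
    {"id": "R3", "store": "S1", "cashier": "E2", "ts": "2024-03-01T23:40:00", "amount": 30.00, "promo": False, "card": None, "buyer": None},
    {"id": "R4", "store": "S2", "cashier": "E3", "ts": "2024-03-02T09:30:00", "amount": 15.00, "promo": False, "card": "C900", "buyer": "C200"},
    {"id": "R5", "store": "S2", "cashier": "E3", "ts": "2024-03-02T12:10:00", "amount": 22.00, "promo": False, "card": "C900", "buyer": "C201"},
    {"id": "R6", "store": "S2", "cashier": "E3", "ts": "2024-03-02T16:45:00", "amount": 9.00, "promo": True, "card": "C900", "buyer": "C202"},
    {"id": "R7", "store": "S3", "cashier": "E4", "ts": "2024-03-03T06:05:00", "amount": 5.00, "promo": True, "card": None, "buyer": None},
    {"id": "R8", "store": "S3", "cashier": "E4", "ts": "2024-03-03T14:00:00", "amount": 5.00, "promo": True, "card": "C300", "buyer": "C300"},
    {"id": "R9", "store": "S3", "cashier": "E4", "ts": "2024-03-03T15:30:00", "amount": 5.00, "promo": True, "card": None, "buyer": None},
]

OPEN_HOUR, CLOSE_HOUR = 8, 21  # assumed trading hours, 08:00 to 21:00


def off_hours_receipts(receipts, open_hour=OPEN_HOUR, close_hour=CLOSE_HOUR):
    """Receipt IDs booked outside trading hours (the non-business-hours pattern)."""
    hits = []
    for r in receipts:
        hour = datetime.fromisoformat(r["ts"]).hour
        if not open_hour <= hour < close_hour:
            hits.append(r["id"])
    return hits


def cards_credited_for_many_buyers(receipts, min_buyers=3):
    """Loyalty cards credited on purchases made by several different customers:
    points from customer purchases being diverted to a staff or family card.
    Returns {card: number of distinct buyers} for cards over the threshold."""
    buyers = defaultdict(set)
    for r in receipts:
        if r["card"] and r["buyer"] and r["card"] != r["buyer"]:
            buyers[r["card"]].add(r["buyer"])
    return {card: len(b) for card, b in buyers.items() if len(b) >= min_buyers}


def promo_only_cashiers(receipts, min_receipts=3, min_share=0.9):
    """Cashiers whose receipts are almost all promotional items; a till used only
    to bill promotions tells you nothing about real customer behaviour."""
    total, promo = defaultdict(int), defaultdict(int)
    for r in receipts:
        total[r["cashier"]] += 1
        promo[r["cashier"]] += int(r["promo"])
    return sorted(c for c in total
                  if total[c] >= min_receipts and promo[c] / total[c] >= min_share)


def flagged_receipts_by_store(receipts):
    """Union of all rule hits keyed by store, so per-store counts can be rolled up."""
    off = set(off_hours_receipts(receipts))
    bad_cards = set(cards_credited_for_many_buyers(receipts))
    bad_cashiers = set(promo_only_cashiers(receipts))
    hits = defaultdict(set)
    for r in receipts:
        if r["id"] in off or r["card"] in bad_cards or r["cashier"] in bad_cashiers:
            hits[r["store"]].add(r["id"])
    return dict(hits)


def materiality(hits_by_store, per_store_limit, estate_limit):
    """Per-store counts that each sit inside the local tolerance can still exceed
    the estate-wide tolerance: the leakage the text says goes unmeasured."""
    per_store = {s: len(ids) for s, ids in hits_by_store.items()}
    total = sum(per_store.values())
    return {
        "stores_over_limit": sorted(s for s, n in per_store.items() if n > per_store_limit),
        "total_flagged": total,
        "estate_over_limit": total > estate_limit,
    }


if __name__ == "__main__":
    hits = flagged_receipts_by_store(RECEIPTS)
    print("off hours:", off_hours_receipts(RECEIPTS))
    print("cards credited for many buyers:", cards_credited_for_many_buyers(RECEIPTS))
    print("promo-only cashiers:", promo_only_cashiers(RECEIPTS))
    print("hits by store:", hits)
    print("materiality:", materiality(hits, per_store_limit=3, estate_limit=5))
```

On the constructed data no single store exceeds a per-store tolerance of three flagged receipts, yet the estate total of seven does exceed the estate-wide tolerance, which is exactly the situation the text describes: the per-store view says "insignificant", the aggregate view says "material". In practice the thresholds would be set from a baseline of normal activity, and the "buyer" field would come from whatever record ties a receipt to a customer independently of the card presented at the till.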