If you run a subscription business, you might be one of the lucky brands that saw their sales and demand increase during the pandemic.
Since Covid-19 entered our lives, digital and physical subscriptions have grown in popularity, with consumers looking for treats, distractions and “home experiences” during various lockdowns.
According to the latest data, digital subscription sites like Netflix have grown 300% during the pandemic, while nearly one in five of us (17%) have signed up for physical subscriptions, such as meal boxes and beauty packages.
But don’t be fooled into thinking this is just a pandemic-fuelled fad. Even before the pandemic, research suggested that 75% of mainstream brands would offer some sort of subscription-based offering by 2023, thanks to the recurring revenue these services generate.
But while growth is great news for the subscription industry, it is also an opportunity for fraudsters.
New, high-growth industries are obvious targets for fraud, with fast-growing companies often putting the need to meet surging demand ahead of good security practice. Today, as the latest rapidly growing industry, subscription services are sitting ducks for attack.
So what are the top threats your subscription business is likely to face? And how do you mitigate these threats before they affect your bottom line?
While promotion abuse is not technically fraud, it is a real headache for subscription businesses today.
To attract new subscribers, many organizations offer a free trial or a discount for the first few months of a subscription. Too often, however, savvy consumers seek to bend the rules by creating multiple free accounts to take advantage of your brand’s generosity. While this may sound like a small fraction, the impact of promotion abuse by a few bad actors can quickly add up and dramatically reduce your profit margin.
Because so many organizations have been lax in cracking down on this practice, promotion abuse has evolved into more organized “resale” schemes, where fraudsters exploit product promotions to hoard merchandise and sell it on at a higher price. Much of this happens unbeknownst to the company, costing it more than it realizes.
Account takeover – worse for subscription businesses than other retailers
Account Takeover (ATO) is an issue that affects just about any business where customers have an online account. But in the subscription world, the takeover can be a lot worse than in other industries, as a payment option is already set up on each account.
Worryingly, our team at Ravelin has seen a sharp increase in ATOs across all categories of e-commerce, not just subscription businesses. Today, retailers tend to experience an average of three major attacks per month.
ATO typically occurs after a customer’s login credentials are compromised, whether through a phishing scam, a breach, or a corporate leak. The most common way for fraudsters to commit ATO is to obtain a customer’s login credentials from a completely separate account. With so many people still using the same password on multiple sites, this remains a surprisingly effective practice, giving scammers a master key to everything in your life that is locked with it.
Once a scammer gets their hands on someone’s credentials, they can do a lot of damage with them. For example, they can log in and make their own purchases, knowing that customers of subscription companies will be billed by direct debit or through the card attached to their account.
For digital streaming and subscription services like Spotify, Disney+ or Netflix, there is a thriving market for reselling accounts. After all, paying a few dollars for a premium account using someone else’s login is tempting when the only risk is that access will one day be cut off.
Two-factor authentication (2FA), magic links, one-time passwords and the like are excellent deterrents against this type of behavior. But many businesses, especially American ones for some reason, are loath to introduce friction into the login or sign-up experience. The cost is that credential stuffing, the easy practice of replaying existing username and password combinations, will continue to work.
Fight against fraud and abuse
Despite the seriousness of the threats, there are several ways businesses can protect themselves, both from a prevention and recovery perspective.
From a prevention standpoint, in the absence of effective two-factor authentication, businesses must continuously check whether people are signing up for new accounts, or updating existing ones, with compromised credentials. This can be done through an API, so it is an instant check that will catch the most glaring user errors.
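One way to run that compromised-credential check at sign-up and at password update, as an added example that is not Ravelin’s code: the client hashes the password, sends only the first five hex characters of the hash to a k-anonymity “range” lookup (the Pwned Passwords style of API is an assumption here, since the article names no service) and compares the returned suffixes locally, so the full hash never leaves the client. The breach corpus below is constructed for the demo.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Tuple

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_fake_range_service(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for a k-anonymity range endpoint.

    lookup(prefix) returns 'SUFFIX:COUNT' lines for every known hash that starts
    with the 5-char prefix, mimicking the response format of such services.
    """
    by_prefix: Dict[str, list] = defaultdict(list)
    for pw, count in breached.items():
        digest = _sha1_hex(pw)
        by_prefix[digest[:5]].append(f"{digest[5:]}:{count}")
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []))

def exposure_count(password: str, lookup: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus (0 = never seen).

    Only the prefix is sent; the suffix comparison happens client-side.
    """
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0

def check_credential_change(password: str, lookup: Callable[[str], str],
                            threshold: int = 1) -> Tuple[bool, str]:
    """Same policy for new sign-ups and for updates to existing accounts."""
    seen = exposure_count(password, lookup)
    if seen >= threshold:
        return False, f"password seen {seen} times in known breaches; choose another"
    return True, "ok"

# Constructed breach corpus: counts are made up for the demo.
FAKE_SERVICE = build_fake_range_service({"password123": 120000, "letmein": 45000})
```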
Another key tool is to monitor login attempts and, most importantly, to set rate limits. Scammers use basic scripting tools that hammer a login page with credentials to find a combination that works. This would obviously never be legitimate customer behavior, so a limit will stop the more obvious attacks. Scammers are cunning, and scripts will now attempt to mimic human speeds and behaviors, but that tactic is then much slower, which inadvertently provides significant protection for your business.
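A sliding-window rate limiter keyed on both source IP and target account, run over a constructed login-attempt stream, as an added example rather than code from the article: the scripted burst is cut off after the per-IP budget, ordinary customers are untouched, and `hours_to_stuff` shows how long the same list would take at a rate that stays under the limit. The IPs, limits and attempt counts are assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed attempts: (timestamp_s, source_ip, username, success).
# Two ordinary customers plus a 200-credential burst from one scripted source.
ATTEMPTS: List[Tuple[float, str, str, bool]] = [
    (0.0, "198.51.100.2", "alice", True),
    (3.0, "198.51.100.9", "bob", False),
    (5.0, "198.51.100.9", "bob", True),
]
ATTEMPTS += [(10.0 + i * 0.05, "203.0.113.7", f"user{i}", False) for i in range(200)]
ATTEMPTS.sort()

class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key inside any `window` seconds."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: reject, do not record
        q.append(now)
        return True

def apply_limits(attempts, per_ip=(20, 60.0), per_user=(5, 300.0)):
    """Split attempts into (allowed, rejected) using an IP limit and an account limit."""
    ip_lim = SlidingWindowLimiter(*per_ip)
    user_lim = SlidingWindowLimiter(*per_user)
    allowed, rejected = [], []
    for ts, ip, user, ok in attempts:
        if ip_lim.allow("ip:" + ip, ts) and user_lim.allow("user:" + user, ts):
            allowed.append((ts, ip, user, ok))
        else:
            rejected.append((ts, ip, user, ok))
    return allowed, rejected

def hours_to_stuff(credentials: int, limit: int, window_s: float) -> float:
    """Hours a script needs to try `credentials` pairs without exceeding a per-IP limit."""
    return credentials / limit * window_s / 3600
```

With the defaults, 100,000 credential pairs throttled to 20 per minute from one source take over 83 hours instead of under two hours at the burst rate above.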
From a recovery perspective, if a scammer manages to get in undetected, they will behave like a scammer rather than a legitimate customer. A spike in logins is a strong indicator that an attack is under way, and that is the time for a business to be vigilant and look for unusual behavior in accounts. Watch in particular for sudden changes of details across accounts, especially a phone number, which a scammer can then use to bypass a one-time password.
Your customer service team will also likely see an upsurge in complaints about being unable to access accounts or about strange activity in them. This is really valuable information, because these are likely to be real examples of account takeover that you can reverse-engineer to see how it affects your business.
Once you’ve detected an account takeover, speed and communication are critical. Suspected compromised accounts should be frozen and account owners invited to reset their login credentials. Clear and honest communication is very important here. Done well, users will appreciate your efforts to secure their accounts.
Combating the ever-changing tactics of scammers can be a daunting task, but there is help. While you certainly can’t outsource all the responsibility for your fraud risks, a technology partner has a role to play in helping to automate and speed up much of the anomaly detection, credential checks, rate limits and more. The right partner can significantly reduce both the loss due to the fraud itself and the cost of defending against it, while providing real value for money.
And right now, value for money is something most businesses are looking for.
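The two signals above, a login spike and a phone-number change shortly after a login from an IP the account has never used, as detection logic over a constructed account event log; this is an added example, not the article’s or Ravelin’s code, and the hours, account names, IPs and thresholds are assumptions.

```python
from collections import Counter
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed event log: (hour, account, event, detail). `detail` is the source IP
# for logins and the new value for profile changes. Hours 0-5 are a steady
# baseline of 4 logins/hour; hour 6 carries a 40-login spike from one source.
EVENTS: List[Tuple[int, str, str, str]] = [
    (h, f"cust{i}", "login", "198.51.100.1") for h in range(6) for i in range(4)
]
EVENTS += [(6, f"victim{i}", "login", "203.0.113.7") for i in range(40)]
EVENTS += [
    (6, "victim3", "phone_change", "+15550100000"),   # right after a new-IP login
    (7, "cust1", "phone_change", "+15550100111"),     # routine change, no new IP
]

def login_spike_hours(events, factor: float = 3.0) -> List[int]:
    """Hours whose login count exceeds `factor` times the median hourly count."""
    per_hour = Counter(h for h, _, ev, _ in events if ev == "login")
    baseline = median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n > factor * baseline)

def suspicious_contact_changes(events, lookback_hours: int = 1):
    """Phone/email changes preceded, within `lookback_hours`, by a login from an
    IP the account had never used before. Such a change is the classic step a
    scammer takes to redirect one-time passwords to themselves."""
    seen_ips: Dict[str, Set[str]] = {}
    last_new_ip_login: Dict[str, int] = {}
    flagged = []
    for hour, account, ev, detail in sorted(events, key=lambda e: e[0]):
        if ev == "login":
            known = seen_ips.setdefault(account, set())
            if detail not in known:
                last_new_ip_login[account] = hour
                known.add(detail)
        elif ev in ("phone_change", "email_change"):
            last = last_new_ip_login.get(account)
            if last is not None and hour - last <= lookback_hours:
                flagged.append((hour, account, ev))
    return flagged
```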
Mairtin O’Riada, CIO and co-founder, Ravelin