Tracy Kobeda Brown is an experienced startup and corporate executive specialising in technology strategy, product design, engagement, video gaming, and information security. As the Vice President of Programs and Technology at the MRC, she oversees a team tasked with delivering content, education and tools to help payment and fraud prevention professionals across the world.

Carl Tucker is Vice President, Managed Risk Services at Cybersource, overseeing the development, delivery and innovation of Managed Risk Services solutions globally. In his role, he has worked with startups, businesses in emerging markets, merchants in high-risk fraud categories, and top Internet brands to provide consultation and fraud screening services on a regional and global basis.

They join the third episode of the Payments Powerhouses podcast to discuss fraud and cybersecurity challenges for merchants, as well as the recently released 2022 Global Payments and Fraud Survey Report.

Listen to the podcast below, or read on for the highlights of our conversation with Tracy and Carl.

The Merchant Risk Council, Cybersource and Verifi released the annual Global Fraud and Payments Report earlier this year. What was the objective of the report?

Tracy: This report resonates so well with our members and anybody in this type of industry -- ecommerce, fintech, payments or fraud -- because it's really hard to find first-rate benchmarking data. You definitely watch your business objectives and goals when you run a business. But you have to also look at what your competitors are doing to find out, are you in line with industry standards? Are you missing something?

And so this report provides data from SMEs of all sizes and a wide range of verticals. It's a one-stop place where merchants can benchmark the criteria and key performance indicators of their fraud prevention and payments management.

What are the most common types of fraud attacks that merchants currently face?

Carl: There’s a combination of phishing, pharming and card testing, which I find interesting because, from a merchant standpoint, it can hit your operational expenses if you’re seeing a higher number of transactions coming through. It could potentially hurt your brand as well. So it's something you want to keep an eye on.

Tracy: There’s also friendly fraud, or what we're now calling first-party misuse. In the first year of COVID, it shot up the rankings and became the number one broad attack factor. And then, in 2021, it dropped to position four. I think what's happened is that, as we've innovated and put better controls in place, the bad guys also like to innovate. And so, they answer our actions with a reaction. Account takeover, phishing, card attack, or card testing tend to always be in the top five.

What is first-party misuse, and why was it called friendly fraud?

Tracy: So if somebody got ahold of your credit card number and made a transaction that was not you, you could call your issuing bank and say, ‘that wasn't me, that was fraud’. And they would say, ‘Oh, no problem, you're a great customer, we will handle that for you’. They would take it off your bill in earlier days and charge it back to the merchant.

People started to realise that if they didn't want to pay for something, they could order it, receive it, and then call up and say, ‘I never got it' or 'That wasn't me’. These were typically known to be good or friendly customers – friendly fraudsters instead of criminal crime rings, in other words. So it got this name in the early days of ecommerce.

Carl: Friendly fraud can mean a lot of different things. It could be in the digital space or gaming, and it could be like the intentional kind of charging back once you get notified, and the credit card bill comes home – not wanting to acknowledge that it was something you purchased.

How have the types of fraud and the way they’re tackled changed over the years?

Tracy: With the pandemic, there were a number of notable things that we saw. The first is undoubtedly first-party misuse. When COVID-19 started, we had a lot of job uncertainty. We had people who did not have any income but needed necessities. So they had to find ways to gain those.

We’ve had impacted supply chains – before, we were accustomed to receiving a package in two to five days, and now it's taking 20 days, so we think someone stole it or the item must be lost.

We're seeing a return of identity scams, heavy phishing scams, and a lot of orchestrated bot activity, where programmed bots test merchants' and banks' parameters, looking for new loopholes.

Carl: Another thing that came out of the pandemic, particularly in merchants in Asia, is a digital-first mindset. This is very good because it ultimately gets us to a consistent purchasing process across all channels. And from our standpoint, it levels the playing field on the data for fraud prevention purposes, because the digital-first mindset allows us to have that data access.

I feel encouraged by the merchants we work with in APAC because there's a high willingness to capture rich data sets on transactions. The richer the data set, the more insight we can get; therefore, the more strategic we can be in preventing fraud.

What does the MRC do for merchants?

Tracy: We believe in a strong spirit of collaboration. When you are trying to solve something in fraud or payments for your company, you could spend a whole lot of time trying to do that research alone - but when you're in a consortium like the Merchant Risk Council, there's what's called ‘the wisdom of the crowd’. You can be an expert at anything, but, typically, the more people you bring in, the faster the problem gets solved.

Conversations about who's using what tools, the current fraud attacks, or what we see as we roll out a new regulatory piece of software or processing help us improve our results. We can give feedback where it needs to be given.

Ultimately, we're about revenue protection and revenue optimisation.

How can merchants better optimise payment processes without compromising the consumer experience?

Tracy: The short answer is technology. When it comes to payment optimisation, you will get significant scale by leveraging a multi-layered tech approach. It's an art-meets-science type of practice, and I think it's a combination of tech application and data science. Rich datasets empower you to not only capture bad guys, but plan out entirely new features.

Carl: The experience has to be as frictionless as possible. I know authentication is highly adopted in many countries in Asia. And I think you're going to see that continue to expand.

Tracy: Anytime you're going to touch what is called that checkout conversion moment, that is what merchants want to protect – they want to get that sale. So, efficiency is super important when you're looking at that checkout conversion.

There's another aspect, which is strategic thinking. For example, Carl mentioned authentication. If I implement authentication, that can be subverted with credentials for an account that your system already knows as a good account, which means I'm going to drive fraud attempts for account takeover, phishing and identity theft.

Every time we put a toolset in, there is the question of how it performs to solve the loophole we wish to close.

But also, when we put the toolset in, it helps to consider where we are sending fraudsters next. We can't always think we're just sending them to the business next door who might not be as sophisticated. They might really want our product. And to get it, they're going to look for another way through our business technology stack and processes. So it's vital to think about that strategically.

What best practices can businesses adopt to prevent or manage fraud?

Tracy: Join meetups or groups where you can safely share questions or insights. The MRC launched in Asia-Pacific last year for precisely this reason – to share knowledge and education to a market that might be emerging, and to learn tools and techniques from those who were ahead of the game or have rich, localized knowledge to share in Southeast Asia.

Carl: You want a layered approach, like a combination of rule-based screening and machine learning, as well as the support to implement this. The experienced merchants out there and those successful in getting the funding are the ones framing and using the language that their executives speak, which is revenue. Having an effective, well-invested fraud strategy and knowing how that will affect top-line revenue – if you can get to that point in the conversation, you're turning the tide to implementing something that will be successful.

What are some of the prerequisites or skills needed to pursue a career in Fraud / Risk Management?

Tracy: If you like true crime, do data analysis, or have a right versus wrong penchant, I think there are several ways to find your way in. A lot of us started in tech. Other functional areas would be in risk and finance or cybersecurity.

Carl: Basic foundational knowledge of machine learning is important on the skill set side. A background in statistics, math or consulting is never going to hurt. My team straddles this weird fence of sometimes being a consultant/therapist, but they have to be really strong in analysis.

I came from the merchant side, like most of my team. I am here because I can help more merchants solve problems than if I were just with one merchant. This sums up the general feeling of most folks in the Merchant Risk Council community - that ultimately if we work together, we can help everybody.

. . .


Payments Powerhouses is a monthly editorial series interviewing the movers and shakers of the payments and wider fintech industry in Southeast Asia and beyond. If you’d like to be featured on Payments Powerhouses, reach out to us here.