Digital adoption leapfrogged a decade in days during the COVID-19 pandemic, accelerating the shift to digital and multichannel client service that began in the 2010s. The pandemic-driven boost to e-commerce is estimated to have exceeded $200 billion in 2020 and 2021. 1
About the authors
This article is a collaborative effort by Richard Detura, Carla Ioshiura, Adrian Murphy, Bryan Richardson, Sebastian Scheurle, Eric Schweikert, and Max Vancauwenberghe, representing views from McKinsey’s Risk & Resilience Practice.
Increased digital adoption has enabled new forms of fraudulent activity and amplified the importance of effective fraud management for promoting growth and meeting customers' increasing expectations for digital experiences. Although most companies have improved their digital user interface and experience, many have struggled to effectively enhance fraud controls without impairing the client experience.
Many organizations report being overwhelmed by the sheer volume of fraud attempts. In financial services, for example, many banks are so inundated by fraudsters that they cannot meet online origination targets; they are unable to verify identities and authenticate customers while combating fraud.
At the same time, fraud threat vectors have become significantly more sophisticated. They include nation-state actors, organized criminals, cyber terrorists, and insiders, as well as local fraud rings. Advances in technology present challenges as fraud attacks occur with greater frequency, speed, and effectiveness. Commonly used methods include phishing, destructive malware, social engineering, deep fakes, and fraud-as-a-service exploit kits.
Faster movement of money usually increases the risk of fraud, and real-time disbursements are set to double in 2022 from 17 percent of disbursements in 2021. 2 Cryptocurrency opens up new threat vectors that companies must learn to defend against: examples include crypto ATM scams, crypto support impersonators, crypto confidence scams, and the use of stolen credit cards to buy crypto. Risk rises further when unsuspecting customers inadvertently share their authentication details with fraudsters targeting their devices and accounts.
The evolution of fraud threats has undermined the effectiveness of a reactive approach to combating fraud, which essentially focuses on stopping schemes one by one through manual reviews. In this article, we propose a new approach to fraud and the client experience that addresses the new reality. To use this approach effectively, companies must strengthen core capabilities (the immune system) and improve their abilities to continually identify and address vulnerabilities arising from new fraud methods and patterns, as we describe in the next article in this series.
Significant value is at stake for companies and customers
The higher volume and greater sophistication of fraud have created two types of issues for companies: first, higher costs relating to fraud losses and operations to combat fraud, and second, significant customer experience challenges. This has created an opportunity for leaders to reduce costs and create standout client experiences by investing in tech-enabled client journeys and fraud processes.
Fraud losses have increased dramatically. Data from the Federal Trade Commission 3 and Federal Bureau of Investigation 4 paint an alarming picture. In 2021, fraud losses in the United States rose to $5.9 billion, and internet crime losses soared to $6.9 billion—increases of approximately 436 and 392 percent, respectively, compared with 2017.
Unfortunately, the United States is not alone. Many markets globally—including Asia, Australia, the Middle East, South America, and Europe—have experienced similar spikes in fraudulent activity.
Companies have typically regarded investments in fraud defenses as simply a cost of doing business. However, in a recent fraud roundtable we facilitated for global financial institutions, seven out of eight participants reported that threat levels for fraud and identity threat are now so elevated that CEOs and business leaders are paying attention. Regulatory scrutiny of fraud management controls also is increasing. Further, companies not only bear the direct cost of fraud but also lose sales when legitimate transactions are denied or when customer attrition occurs at the point of sale or point of interaction. One study found that up to two-thirds of declined sales transactions are false positives. 5
Fraud is also hurting customers’ trust and willingness to use services. For example, more than 10 percent of credit and debit card users experienced fraud over a 12-month period. 6 In most cases, these events not only prevent customers from running their transactions but also raise stress levels. In a survey by McKinsey of banking customers who were fraud victims, 70 percent reported having felt anxious, stressed, displeased, or frustrated when they were warned about potential fraud.
The same post-fraud survey made clear that customers perceive true fraud events—situations where fraud is not just suspected but actually occurring—as moments of truth that, on average, actually tend to increase their satisfaction with their service provider. But the impact in individual cases depends on how companies handle the fraud issue, with customer satisfaction ratings ranging from very high (customer satisfaction score of 82 points) to very low (customer satisfaction score of −58 points) (Exhibit 1). In addition, among “Detractors”—customers who had a bad experience related to the company’s handling of fraud—37 percent of all detractors closed the account or significantly decreased their use of it.
The new approach: Fast, balanced, and collaborative
A fundamental tension exists between controlling fraud and optimizing customer experience, because tighter fraud and customer protection controls often add friction to the customer experience. The new approach combines a best-practice fraud model with customer experience considerations to strike a balance among several goals: loss prevention, customer protection, cost optimization, improved customer experience, and new business value.
Organizations need to consider authentication, fraud management, and customer experience simultaneously—not individually, as they are often treated today. Poorly designed authentication experiences have a disproportionately negative impact on customer engagement, fraud mitigation, and operational efficiency. To combat threats and enhance customer experience, organizations need to redesign customer and internal operations and processes based on a continuous assessment of actual cases of fraud along key customer journeys.
Companies fail to do this today because they frequently do not understand the trade-offs in their current setup and have not seriously considered how they might redesign their processes and operating model to optimize these. Sales and marketing, customer experience, fraud management, and compliance groups often operate separately and rarely share information or collaborate on meeting integrated objectives and achieving the right balance. Additionally, companies often do not systematically track how their performance of fraud controls involves trade-offs with customer satisfaction, customer engagement, and attrition. As a result, they are not able to evaluate rules, models, and controls to understand their true impact on fraud losses, profitability, and customer experience.
To implement the new approach, companies need to take actions across the fraud value chain, from deterrence and prevention to detection and investigation, to handling of any disputes that arise. The actions all should be within the context of establishing an appropriate fraud strategy and paying careful attention to customer experience (Exhibit 2).
Companies need an end-to-end fraud strategy optimized across the full ecosystem. The fraud strategy should reflect a company’s client, channel, and product strategies, have a clear view of customer experience and identity controls, and balance fraud reduction, customer protection and experience, operating cost, and business value. It should be integrated with enterprise strategic priorities (for example, incorporating the risk appetite for fraud into target customer journeys) and directly linked to performance.
Leading organizations generate so much buzz around their fraud capabilities that bad actors are deterred before they even attempt to commit fraud. For example, a Latin American auto loan company was so effective at marketing its tracking and monitoring capabilities as security for customers that fraudsters were deterred from stealing the cars in the first place. Further, card companies that lack a strong fraud management program are more appealing to purchasers of compromised data, while leading companies now market strong fraud protection to new potential clients. 7
Leading organizations constantly search for emerging threats (including fraud, cybercrime, and money laundering) and assess their potential impact. Monitoring of controls used to mitigate risk can reveal the (in)effectiveness of the control or its usage strategy. The insights inform a fraud taxonomy used to assess vulnerabilities. The outcome is a heat map updated in real time that shows where controls need to be improved to prevent fraud or where excessive friction is causing legitimate customers to abandon transactions.
Controls and usage strategy
Having controls that are durable, flexible, and adaptive is critical to any fraud management program. Further, having the right supporting analytics is fundamental to the control’s effectiveness. Detection platforms that incorporate broadly based and detailed information can identify existing and emerging fraud attacks, whether they occur in the new account acquisition stream (identity theft), are perpetrated against existing legitimate customers (account takeovers), or arise from the theft of services (such as reward program theft). Artificial intelligence and machine learning (AI/ML technologies) support these approaches.
Awareness and education
Top performers effectively promote consumer awareness and education relating to fraud and cyberthreats. They use viral channels and social media to maximize reach. For example, in conjunction with Emirates NBD, local law enforcement adapted the lyrics of Jamaican singer Shaggy’s 2000 hit “It Wasn’t Me.” They created a compelling video that warned residents about the dangers of fraudsters.
Some organizations offer customers prevention services at low cost or without charge, or they partner with antiphishing or antivirus software vendors to provide customers with tools to prevent phishing attacks on electronic devices. Device-based customer alerts related to online and/or overseas purchasing, spending velocity, or balance thresholds can notify customers of suspicious activity (at their choosing), allowing them to protect their accounts more actively. Last, some companies build awareness through transaction analysis and alerts that educate customers and empower them to monitor potential suspicious activity on their accounts. For example, Capital One’s Second Look flags certain transaction patterns, such as an unusually high restaurant tip or duplicate transactions, and alerts customers.
Robust customer onboarding and authentication are increasingly important. It is critical to design the fraud technology stack to allow iterative, fast-paced testing (including test control) across numerous types of fraud checks. Exhibit 3 illustrates a new dynamic multilayered control stack for new digital applications. This is a critical way to balance fraud control friction and customer experience, as customers do not value security and convenience equally and differ in their expectations for control, transparency, security, and convenience.
To study how different segments of customers react to a transaction denial, one bank introduced new ways of handling transactions flagged as potentially fraudulent. The bank sent customers in some segments a mobile alert that they could simply swipe to confirm the authenticity of a transaction. In other cases, the bank approved small transactions it would have previously denied and then sent the customer a follow-up email confirming the transaction. This solution not only reduced lost sales and cut the cost of fraud management but also increased overall customer satisfaction.
Leading organizations use machine-learning algorithms and strive to utilize all available data to achieve a step change in the accuracy of fraud detection. They seek to reduce noise (false positives) and the risk that fraudulent transactions are missed (false negatives). For example, to thwart efforts by organized crime to steal equipment, a Brazilian telco uses powerful algorithms and a sophisticated escalation approach to verify and authenticate risky transactions. The score produced by an algorithm can be augmented by rules that improve fraud detection while reducing “goods” (that is, transactions that are not fraudulent) from the suspicious populations. Usage pattern profiles allow companies to detect previously unseen types of fraud attacks. Further, companies can use closure data in the detection queues to identify fraud attacks faster, well before the dispute is fully investigated. This reduces “learning” time—the time it takes to detect fraud and false positives—and the costs of fraud. In addition, companies can use customer information and machine-learning models to ensure that models are not flagging false positives that affect customers’ experience and ability to complete transactions.
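The score-plus-rules overlay described above, together with the risk-tiered handling from the bank example (swipe-to-confirm, approve-then-notify), can be sketched as follows. This is an added example, not code from the article or from any institution it mentions; the thresholds, field names, action names, and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    score: float        # model fraud score in [0, 1] (assumed scale)
    known_device: bool
    new_payee: bool
    is_fraud: bool      # label from closed cases, used only for evaluation

SCORE_CUTOFF = 0.70     # assumed threshold
SMALL_AMOUNT = 50.0     # assumed "small transaction" limit
LARGE_AMOUNT = 1000.0   # assumed red-flag value threshold

def score_only(t: Txn) -> str:
    return "decline" if t.score >= SCORE_CUTOFF else "approve"

def score_plus_rules(t: Txn) -> str:
    # Red-flag rule: catches a pattern the score alone can miss.
    if t.new_payee and not t.known_device and t.amount >= LARGE_AMOUNT:
        return "decline"
    if t.score < SCORE_CUTOFF:
        return "approve"
    # Suspicious by score: rules pull likely "goods" out of the decline path.
    if t.known_device and t.amount <= SMALL_AMOUNT:
        return "approve_and_notify"   # approve, then send a follow-up message
    if t.known_device:
        return "confirm_in_app"       # customer confirms on their own device
    return "decline"

def evaluate(policy, txns):
    """Count blocked legitimate customers, missed fraud, and added friction."""
    out = {"false_positives": 0, "false_negatives": 0, "step_ups": 0, "fraud_loss": 0.0}
    for t in txns:
        action = policy(t)
        if action == "confirm_in_app":
            out["step_ups"] += 1      # outcome decided by the customer's reply
        elif action == "decline" and not t.is_fraud:
            out["false_positives"] += 1
        elif action != "decline" and t.is_fraud:
            out["false_negatives"] += 1
            out["fraud_loss"] += t.amount
    return out

# Constructed sample, not real data.
SAMPLE = [
    Txn("T1", 12.5, 0.82, True, False, False),
    Txn("T2", 240.0, 0.75, True, False, False),
    Txn("T3", 900.0, 0.91, False, True, True),
    Txn("T4", 2500.0, 0.40, False, True, True),
    Txn("T5", 60.0, 0.10, True, False, False),
    Txn("T6", 35.0, 0.78, True, False, True),
    Txn("T7", 1500.0, 0.20, True, True, False),
]

if __name__ == "__main__":
    for policy in (score_only, score_plus_rules):
        print(policy.__name__, evaluate(policy, SAMPLE))
```

On this sample the overlay removes both false declines and the large missed fraud, at the price of one step-up prompt and one small fraud (T6) that the approve-then-notify path lets through; that residual exposure is the trade-off the small-amount limit has to be calibrated against.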
Leading organizations support their investigation agents with sophisticated tools and artificial intelligence—for example, to determine the next-best action. In some countries, payments networks (such as Spain’s Iberpay) support collaboration on investigations, and this collaboration helps with future prevention strategies. Some banks are also forming cross-industry collaborations, such as with telecommunication companies to detect and prevent fraud from SIM swap schemes.
Self-service options make it easier for customers to file a dispute, raise a fraud claim, or check on the status of a dispute or fraud claim. Best-in-class institutions use a fully automated, straight-through approach to handle fraud claims in which automated decision engines apply calibrated red flags and white flags (for example, first claim of a customer or value thresholds). Leading companies have an end-to-end automated dispute process, from customer interaction (for example, via website or app) to straight-through processing of up to 60 percent of fraud claims.
Client experience and delivery
Organizations need to deliver experiences across two critical customer journeys: false positives and true fraud (Exhibit 4). For false positives—transactions flagged for fraud that turn out to be legitimate—the goals are to avoid impeding a customer transaction and minimize the hassle and embarrassment of a decline online or at a point of sale. The easier the remediation path for a false-positive transaction, the more tolerance an organization will have for strict fraud controls. Beyond calibrating their detection platforms, companies can use multiple approaches to communicate with customers and enable them to act. They can rapidly and explicitly communicate about potential fraud via customers’ preferred channels (for example, alerts, texts, phone calls, and email), enable customers to identify fraudulent transactions or validate incorrectly suspected transactions themselves, and adjust the actions they take based on the risk, so as to minimize friction. For example, one bank flags certain transactions as potentially fraudulent but processes them and lets customers dispute the charge if the transaction is actually fraudulent.
For true fraud, companies have a unique opportunity to deliver an experience in which customers feel swiftly taken care of and protected. Participants in the McKinsey post-fraud survey identified security, speed, and transparency as the key drivers of customer satisfaction. Customers value the speed when organizations react to fraud events in seconds and protect their accounts against future fraud. They are also willing to take actions to better protect their accounts going forward, including, for instance, sharing data and using features such as geolocalization. Approximately 39 percent of customers would even consider paying an additional fee to enhance protection. Last, customers want to understand how the fraud occurred, so they will feel reassured and trust their service provider in the future.
For both false positives and true fraud, communication is a powerful bridge between fraud prevention and customer experience. Good communication reassures customers and makes them much more amenable to taking an extra step by helping them understand why an action is required. To effectively apply this underused lever, companies need new processes and a customer-centric culture across the organization.
Shifting to a proactive, customer-centric approach
Fighting fraud must be a top priority for CEOs across all industries. The new scale and sophistication of attacks can cripple even the largest organizations and threaten customers’ trust. Smaller start-ups and fintech companies may stay beneath the radar for a while, but they will become credible targets as they scale.
To combat the threat, organizations need to achieve a seismic shift: from reactive and siloed fraud mitigation to a proactive, customer-centric, integrated, and continuously evolving approach. An effective approach relies more on AI/ML; employs actionable analytics combining scores, rules, and red flags; and uses technology to deliver a growing share of customer experience and advanced authentication.
In the next article in this series, we discuss four capabilities that will equip organizations to assess and address risks and effectively limit fraud in a way that restores customer trust and loyalty:
- enhanced threat intelligence along client journeys
- fast-cycle testing to stop threats as they emerge
- advanced data, technology, and analytics capabilities
- the use of an integrated operating model to support the business in making trade-offs among fraud, client experience, volumes/revenue, and cost