
Your subscription business faces online fraud and abuse — here’s how to stop it


If you run a subscription business, you may be one of the lucky brands that saw an uplift in sales and demand during the pandemic.

Since Covid-19 entered our lives, both digital and physical subscriptions have surged in popularity, with consumers looking for treats, distractions and “stay-at-home experiences” during the various lockdowns.

According to the latest data, digital subscription sites like Netflix experienced 300 percent growth during the pandemic, while nearly one in five (17 percent) of us bought into physical subscriptions, such as meal boxes and beauty bundles.

But don’t be fooled into thinking this is just a pandemic-fuelled fad. Even before the pandemic, research suggested 75 percent of consumer brands will have some kind of subscription-based offering by 2023 — due to the repeat revenue these services drive.

But while growth is excellent news for the subscription industry, it’s also an opportunity for fraudsters.

New high-growth industries are clear targets for fraud, with fast-growing businesses often putting their need to meet excessive demand ahead of good security practices. Now, as the latest fast-growth industry, subscription services are a sitting duck for attack.

So, what are the main threats your subscription business is likely to face? And just how do you mitigate those threats before they impact your bottom line?

Promotion abuse and reselling schemes — death by a thousand cuts

While promotion abuse isn’t technically fraud, it’s a real headache for today’s subscription businesses.

To entice new subscribers, many organizations offer a free trial or money off within the first few months of a subscription. All too often, however, crafty consumers look to bend the rules, setting up multiple free accounts to take advantage of your brand’s generosity. While this may sound small fry, the impact of promotion abuse among just a few perpetrators can quickly build up and narrow your profit margin considerably.

Because so many organizations have been lackluster in clamping down on this practice, promotion abuse has evolved into more organized “reselling” schemes, where fraudsters take advantage of product promos to amass merchandise to sell on at a higher price. Much of this happens without the company’s knowledge — costing them more than they know.

Account takeover — worse for subscription businesses than other retailers

Account takeover (ATO) is an issue that affects pretty much any business where customers have an online account. But in the subscription world, account takeover can be much worse than in other industries because there’s a payment option already set up on every account.

Worryingly, our team at Ravelin has seen a sharp rise in ATO across all online commerce categories, and not just subscription businesses. Today, retailers tend to experience an average of three significant attacks per month.

ATO usually happens after a customer’s login credentials get compromised — either via a phishing scam, breach or a corporate leak. The most common way fraudsters commit ATO is by obtaining a customer’s login credentials from a completely separate account. With so many people still using the same password across multiple sites, this is still a surprisingly effective practice, giving fraudsters a master key for everything lockable in your life.

Once a fraudster has their hands on someone’s credentials, they can do a lot of damage with them. For instance, they can log in and make purchases themselves, fully aware that customers of subscription businesses will be billed by direct debit or via the card attached to their account. 

For digital streaming/subscription services like Spotify, Disney+ or Netflix, there is a thriving market in reselling accounts. After all, paying a few pounds for a premium account using someone else’s login is tempting when the only risk is that access will one day be blocked. 

Two-factor authentication (2FA), magic links, one-time passwords etc. are excellent deterrents to this type of behavior. But many companies, especially US ones for some reason, are loath to introduce any friction into the login or sign-up experience. The cost of this is that credential stuffing, the easy practice of reusing existing username and password combinations, will continue to work.

Tackling the fraud and abuse

Despite the severity of threats, there are a number of ways businesses can protect themselves — both from a prevention and from a recovery point of view.

From a prevention point of view, in the absence of effective two-factor authentication, businesses should continually be checking if people are signing up to new accounts using compromised credentials or if people update existing accounts with compromised credentials. This can be done via API, so it’s an instant check that will avoid the most egregious of user errors.
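The compromised-credential check described above, as an added example that is not from the article or from Ravelin. It assumes a range-query style service (the k-anonymity design used by public breached-password APIs, where only the first five hex characters of the SHA-1 hash are sent); the corpus and breach counts below are constructed stand-ins so the code runs offline.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a breach-corpus service. Real services expose a
# range endpoint: the client sends only the first 5 hex characters of the
# SHA-1 of the password and receives every matching suffix with its breach
# count, so the full hash never leaves the client (k-anonymity).
# The passwords and counts below are made up for this example.
_CORPUS: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in [("password", 3730471), ("123456", 23597311),
                    ("qwerty", 3946737), ("letmein", 185893)]:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _CORPUS.setdefault(_h[:5], []).append((_h[5:], _count))


def range_query(prefix5: str) -> List[Tuple[str, int]]:
    """Stand-in for the remote range endpoint (no network in this example).
    Returns every (hash suffix, breach count) sharing the 5-char prefix."""
    return _CORPUS.get(prefix5.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus; 0 if never seen.
    Only the prefix is 'sent'; the suffix match happens client-side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in range_query(prefix):
        if cand_suffix == suffix:
            return count
    return 0


def credential_change_allowed(password: str) -> bool:
    """Gate for both sign-up and password-update flows: any known-breached
    password is rejected outright, whatever its count."""
    return breach_count(password) == 0
```

Hooking the same gate into sign-up and account-update handlers covers both cases the paragraph names, since a user swapping a clean password for a breached one is just as exposed.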

Another key tool is to monitor login attempts and, critically, to set rate limits. Fraudsters use basic scripting tools that hammer a login with credentials to try and find a combination that works. This obviously would never be legitimate customer behavior, so a limit will stop the most obvious attacks. Fraudsters are cunning though, and now scripts will attempt to mimic human speeds and behaviors. However, this tactic will then be a lot slower, inadvertently providing significant protection for your business.
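A login rate limiter of the kind described above, written as an added example (not Ravelin's code). The window sizes, per-IP and per-account limits, and the "three sub-second gaps in a row means a script" rule are assumed policy values; the sample attempt streams are constructed, using documentation IP ranges.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 300     # assumed: sliding window for counting attempts
MAX_PER_IP = 20          # assumed: attempts per source IP per window
MAX_PER_ACCOUNT = 5      # assumed: attempts against one account per window
MIN_HUMAN_GAP = 1.0      # assumed: three consecutive gaps under 1s = script


class LoginRateLimiter:
    """Tracks attempt timestamps per IP and per target account."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self.by_account: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(dq: Deque[float], now: float) -> None:
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def check(self, ts: float, ip: str, account: str) -> str:
        """Record one attempt; return 'allow', 'throttle' or 'script'."""
        ipq, acq = self.by_ip[ip], self.by_account[account]
        self._prune(ipq, ts)
        self._prune(acq, ts)
        # Machine-speed hammering: last three inter-attempt gaps all sub-second.
        recent = list(ipq)[-3:] + [ts]
        gaps = [b - a for a, b in zip(recent, recent[1:])]
        if len(gaps) == 3 and all(g < MIN_HUMAN_GAP for g in gaps):
            verdict = "script"
        # Slower, human-paced scripts still run into the window limits.
        elif len(ipq) >= MAX_PER_IP or len(acq) >= MAX_PER_ACCOUNT:
            verdict = "throttle"
        else:
            verdict = "allow"
        ipq.append(ts)
        acq.append(ts)
        return verdict


def replay(attempts: List[Tuple[float, str, str]]) -> List[str]:
    """Run a constructed (timestamp, ip, account) stream through the limiter."""
    rl = LoginRateLimiter()
    return [rl.check(ts, ip, acct) for ts, ip, acct in attempts]


# Constructed streams: a fast stuffing burst, a slowed-down one, and a person.
FAST_STUFFING = [(i * 0.2, "198.51.100.7", f"user{i}@example.com") for i in range(30)]
SLOW_STUFFING = [(i * 2.0, "198.51.100.8", f"user{i}@example.com") for i in range(25)]
LEGIT = [(0.0, "203.0.113.9", "alice@example.com"), (60.0, "203.0.113.9", "alice@example.com")]
```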

From a recovery point of view, if a fraudster does manage to gain entry without being detected, they will demonstrate behaviors typical of a fraudster and not a legitimate customer. A spike in logins is a significant indicator that an attack is taking place, and this is the time for a business to be vigilant in watching for unusual behavior in accounts. Signs to look out for include a sudden change of details across accounts, especially a phone number, which a fraudster can then use to subvert a one-time password login.
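The two signals just described, a login spike and the same new phone number landing on many accounts, as added detection logic that is not the article's or Ravelin's. The baseline, the z-score threshold, the "three accounts within an hour" rule and the change-event records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed baseline: logins per hour over the last seven hours.
BASELINE = [120, 98, 130, 110, 115, 125, 105]
SPIKE_Z = 3.0   # assumed policy: flag an hour more than 3 std devs above baseline


def login_spike(history: List[int], current: int) -> bool:
    """True when the current hour's login count is anomalously high."""
    mu, sd = mean(history), pstdev(history) or 1.0
    return (current - mu) / sd > SPIKE_Z


# Constructed account-change events: (timestamp, account, field, new_value).
T0 = datetime(2021, 6, 1, 9, 0)
EVENTS: List[Tuple[datetime, str, str, str]] = [
    (T0 + timedelta(minutes=2),  "acct-1041", "phone", "+44 7700 900123"),
    (T0 + timedelta(minutes=9),  "acct-2207", "phone", "+44 7700 900123"),
    (T0 + timedelta(minutes=15), "acct-3318", "email", "x@mail.example"),
    (T0 + timedelta(minutes=18), "acct-3318", "phone", "+44 7700 900123"),
    (T0 + timedelta(minutes=40), "acct-0077", "phone", "+44 7700 900456"),
    (T0 + timedelta(hours=5),    "acct-5190", "phone", "+44 7700 900123"),
]


def shared_contact_changes(events, field: str = "phone",
                           min_accounts: int = 3,
                           window: timedelta = timedelta(hours=1)) -> Set[str]:
    """Return new values of `field` set on >= min_accounts distinct accounts
    within any `window`; one attacker re-pointing OTPs at their own number."""
    by_value: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, fld, value in events:
        if fld == field:
            by_value[value].append((ts, account))
    flagged: Set[str] = set()
    for value, rows in by_value.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            accounts = {a for ts, a in rows[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(value)
                break
    return flagged
```

A flagged number is a natural trigger for the freeze-and-notify step described below, since every account that now carries it is a candidate for takeover.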

Your customer service team will also likely have an upsurge in complaints about inability to access accounts or strange behavior in accounts. This is really valuable information as they are likely to be real examples of account takeover that you can reverse engineer to see how it impacts your business.

Once you have detected account takeover, speed and communications are critical. Suspected compromised accounts should be frozen and the account owners asked to update their login credentials. Clear, honest communication here is very important. Done well, it will make users appreciate the efforts you are taking to secure their businesses.

Fighting the ever-changing tactics of fraudsters can be a daunting task, but there is help out there. While you certainly can’t outsource all the responsibility for your fraud risks, there is a role for a technology partner to help automate and accelerate lots of the anomaly detection, credential checks and rate limits. The right partner can significantly reduce both the losses to fraud itself and the cost of defending against it, while offering real value for money.

And at the moment, value for money is something most businesses want to subscribe to.

Mairtin O’Riada, CIO and co-founder, Ravelin

Mairtin is CIO and co-founder of Ravelin. Combining machine-learning and graph network visualisation, Ravelin helps businesses draw deeper insights from their customer data to detect fraud, account takeover and promotion abuse and increase payment acceptance.