5 Major Fraud Risks Edtech Companies Face and How to Avoid Them

1. Data privacy

Protecting your users’ data is one of the most important aspects of running a business — especially when it comes to students. There are a number of bills and laws that protect student data — ensuring businesses do not sell the data, use it for targeted marketing, or abuse it in any other way.

Laws related to how you collect, use, or disclose student information are constantly changing — which can be challenging to keep up with. On top of that, most edtech companies don’t address data privacy properly. Simply having a privacy policy isn’t enough to prevent your business from running into compliance issues.

Failed compliance can have severe consequences — such as fines, lawsuits, or even the loss of your business. The Federal Trade Commission takes data privacy very seriously, especially when it involves young students and consumers. Any violation of consumer protection and data privacy laws could put you in a world of legal issues, as recently happened to one popular educational technology platform.

Check your compliance status

The first thing you need to do is check that both your privacy policies and privacy practices align with federal laws. And because laws are always changing, it’s best to check at least once every year.

Know who you are doing business with

Secondly, conduct your own due diligence. Learn who your customers are through an identity verification process called know your customer (KYC). Knowing who uses your platform can help you determine what kind of legal responsibilities you have.

Students are not always going to be your main customer or client. Your key clients could be educational institutions, teachers, school districts, or state education departments. And depending on who your client is, the laws you must follow can vary.

For example, if Sally, a 12-year-old girl, uses your online learning platform to get help with her algebra homework, then your client is Sally. In this case, you’re liable for following the Children's Online Privacy Protection Rule (COPPA). And you may have to limit the kind of information you collect from Sally.

However, if Sally’s school contracts with your business to use your educational services, then you may be liable for following both COPPA and Family Educational Rights and Privacy Act (FERPA) laws.

2. Data security

Data security is an entirely separate issue from — but equally important as — data privacy. It comes with its own set of risks and solutions. Data security is all about how you protect your users’ data from things like data breaches and account takeover (ATO) attacks.

You have access to very sensitive data — especially if your platform is used by young children. Lack of adequate data security protocols can leave that data vulnerable. If a fraudster got hold of it or a data breach occurred, you could face legal consequences, contractual issues, and brand damage.

Higher education institutions and edtech companies are increasingly becoming the targets of cybersecurity attacks. There’s a lot of valuable information at stake — information that fraudsters can use to commit larger, more nefarious attacks.

Recovering from a data breach or account takeover attack can be expensive, time consuming, and a huge drain on your staff. According to an IBM report, the average cost of a data breach in the education industry totaled over $3.7 million. That cost includes things like lost business, labor and employees to repair security systems, notifying existing customers of the event, and much more.

Develop a data security plan

First off, you should have a formal plan in place for security threats. In this plan, outline who needs to respond when an attack happens, the steps employees need to take during an event, attack-specific guidelines, and any follow-up actions. Having a plan in place can reduce the likelihood of an attack and better prepare you if one happens.

Protect accounts

Next, invest in account protection software. Most ATO attacks happen because customers reuse easy-to-guess passwords across multiple online accounts. It only takes one set of matching account credentials for a fraudster to wreak havoc on businesses and customers alike.

However, if you proactively protect accounts, you won’t have to worry about the potential consequences. It’s best to find a software that can detect unusual logins, identify abnormal account activity, and block suspected fraud.

3. Friendly fraud

Friendly fraud is a risk that all businesses face, but it's especially common for companies that bill customers on a recurring basis for services. It happens when a customer misuses the dispute process to get a refund. And it can feel extremely unfair, especially if you’ve met your end of a transaction.

Friendly fraud can happen for a variety of reasons.

• Customers may be dissatisfied with services and request a refund with their banks rather than work with you directly.
• Customers may not recognize the billing descriptor on their bank statements and automatically assume fraud.
• Customers may use your services for a couple months and then dispute the charges simply because they don't want to pay.

Regardless of the reason for a friendly fraud dispute, your business is the one that suffers the consequences. That includes chargebacks, fines, reputation damage with card brands, and more. To make matters worse, banks almost always take the side of the customer — which means you have to fight to prove your innocence.

Establish clear lines of communication

To start, make sure that you clearly communicate with your customers about your platform’s billing cadence, refund policy, and terms of service. When customers sign up for your services, they shouldn’t have to guess what comes next. You should provide all the details they need to know in a follow-up email or a link to helpful resources on your website.

Also provide easy ways for customers to contact you whenever they have an issue. Encourage them to reach out to you directly if they’re unhappy with the services. Most likely, you can settle the problem without the need for a dispute.

Get chargeback prevention tools

No matter how hard you try to build good rapport and trust with customers, things happen. Someone might have a bad day and take it out on you. It’s best to be prepared for any situation.

The great thing is, there are tools that can help you navigate unfair disputes. Tools like prevention alerts, rapid dispute resolution (RDR) and order validation will notify you ahead of time when a customer files a dispute. That way, you can respond quickly and avoid getting a chargeback.

Fight chargebacks

Majority of the time, it’s better to just refund a customer when there’s an issue. However, there are instances where it might make more financial sense to fight back an illegitimate dispute. For example, say a customer uses your services for a few months, files a dispute, opens a new account, and repeats the process.

Clearly, you can see a pattern with this behavior. The customer is using your service but trying to get out of paying for it. It may be beneficial to you to fight back and recover the revenue that’s rightfully yours. Then, you can block that customer in the future.

Learn more about chargeback management and prevention tools.

4. Unauthorized transactions

When fraudsters get ahold of stolen payment cards, they can wreak havoc on your business. A common scheme in the edtech space is that fraudsters will create multiple accounts and buy subscriptions to online-based learning platforms with stolen payment cards. Then, they’ll sell those accounts online for a discount.

Sometimes, the accounts fraudsters sell are legitimate — meaning, their buyers can actually log into and use the accounts. But often, the scheme is just a ploy to turn cards into cash at the expense of the buyer and you.

Once the original cardholders notice the unauthorized charges, they will most likely file a dispute. And you’ll end up paying for it.

Verify cards

When customers sign up for your services and input their card information, make sure you require card verification value (CVV). It’s typically a three- or four-digit number on a payment card that’s used to verify online purchases. Fraudsters are unlikely to have this code if they get card numbers from a data breach.

Secondly, set up and use address verification service (AVS) to validate transactions. AVS allows you to check if the billing address provided during checkout matches the billing address on file with the cardholder’s bank. If the addresses don’t match, then whoever is using the card likely isn’t the cardholder.

Get technology

You can set up a variety of protocols and checks, but the only way to truly block unauthorized purchases is to use fraud detection software. Fraudsters are crafty and find new ways to circumvent fraud controls that businesses set up on their websites.

You need a robust solution for this never-ending problem. And fraud technology is the answer. Preventing unauthorized transactions is simple, effective, and easy with technology. It does all the hard work for you — collecting data, identifying suspicious activity, and blocking fraud. All you have to do is find a technology that works best for your business.

Learn more about choosing machine learning fraud detection software that’s right for you.

5. Account sharing

If you run a subscription-based business model, you know that account sharing can seriously hurt your profits. Many edtech companies operate this way. Some companies allow users to share accounts, but doing so opens the door for fraud.

When you don’t place strict controls around account sharing, customers will find ways to take advantage of you. They may purchase a subscription for themselves but also offer their account credentials to friends and family. Some may even sell their credentials online to others, sharing your services freely.

Not only does this practice often violate your terms of service, it can increase the likelihood of an account takeover attack. When customers share accounts, there’s a higher chance that the login credentials will fall into the wrong hands.

Set controls around account sharing

If you don’t want users sharing accounts, set up strict controls to block login attempts that don’t align with your policies. However, if you want to offer some account sharing you can set up subscription tiers.

For example, say a small team of professionals wants to share access to your online courses. You could offer a subscription tier for businesses that allow a certain number of users to access a shared account.

Fight policy violations

If customers violate your policies in any way, you are well within your rights to suspend or terminate their accounts. Sometimes, keeping a problematic or opportunistic customer around can cause more harm than good. And you need to do what’s best for your business.