One bright spot over the past two years is that ecommerce sales have skyrocketed. Retailers did everything in their power to make purchasing faster, smoother and more efficient. Yet while retailers were pulling the tech strings to make shopping more enjoyable, fraudsters were waiting in the wings — resolute in their quest to ruin the party. And, since the fourth quarter of 2021, incidents of fraud have gone haywire.
Next week at NRF PROTECT, a panel of retailers and experts will share their perspective on what’s going on, why cases are rising and what can be done to stem the rising tide. The session, curated by NRF partner Card Not Present, is titled “Why has fraud gone haywire since the holidays – and what can we do about it?”
In advance of the conference, DJ Murphy, editor-in-chief of Security Portfolio, shared his expertise on the topic.
Retailers are reporting that incidents of fraud are rampant. Why is this year different from past years? What’s at the root of the upsurge?
There are several reasons fraud has skyrocketed to new heights and stayed there. First, as digital transactions go, so goes fraud. Fraudsters can simply get away with more when there are more legitimate transactions in which to hide. More volume means fraud prevention teams, already strapped for resources, have to evaluate more transactions with, usually, the same number of team members. And resources are always hard to come by.
In the first year of the pandemic, most ecommerce verticals saw five years’ worth of growth in six months. While the rate of growth has moderated, transactions are still growing. The pandemic also saw many people out of work and inflation is a concern right now. During times of financial stress, fraud increases.
Even as the effects of the pandemic are waning, online payment alternatives are burgeoning. Many merchants want to offer their customers the convenience of one-click purchasing with digital wallets (e.g., PayPal or Apple Pay) or in installments (i.e., buy now, pay later) but are not aware of the ways bad actors can leverage those relatively new payment methods. Criminals are capitalizing on the proliferation of new, poorly understood and poorly regulated payment technologies.
Are there types of fraud that are increasing at a greater rate? Is there any rhyme or reason why one or two types of fraud are proving to be more viral?
Traditional clean fraud (i.e., a fraudster enters a stolen credit card into the checkout page of a retailer’s site) and all the variations on it will always be with us, but there are several other fraud attacks that have taken center stage recently. Account takeover — when a fraudster secures login credentials and takes over someone else’s online account — is perhaps the biggest current problem for an entire range of digital businesses.
Retailers, banks, insurance companies, travel sites, event ticketing sites, streaming media sites and more all invite users to establish online accounts. In the case of retailers, to make transactions more convenient for repeat customers, consumers can store a credit card on file. ATO has become prevalent because, as consumers establish more online accounts, they tend to use the same email/password combo to authenticate themselves.
Data breaches, phishing and social engineering have made billions of these login credentials available to bad actors — and each one gains them access to multiple online accounts. Once a bad actor has illegally accessed someone else’s account, the number of ways that access can be monetized is nearly endless.
A more recent attack type — refunding — is less straightforward and more dangerous because it’s far more difficult to spot. Refund abuse has always been a problem for retailers — both online and in stores — but a new twist on it has made it more insidious. Instead of individual consumers trying to game returns, professional refunders have acquired in-depth knowledge of certain retailers’ online return policies and are advertising their services to help consumers order online, initiate refunds and keep both the refund and the product — pocketing a fee for their trouble. Professional refunding has become a preferred scam because the refunder is selling only knowledge and is taking no risk.
The only pattern for fraudsters is what is working right now. They will hammer an attack vector until that vector is closed to them. Then they will think of something else. And if they can’t think of anything on their own, rest assured, the criminal fraud community disseminates information widely on scams that work.
To what degree does the current fiscal and political climate affect fraud? I’m assuming that as inflation grips some consumers, they’re more inclined to do things they would not have done in the past. Do you feel that a brand’s political leanings prompt vengeful acts?
There’s no data or even anecdotal evidence to indicate that politics have any bearing on fraud rates. It’s well established, though, that when the economy takes a downward turn, ecommerce fraud increases.
This is especially the case with malicious “friendly fraud” (i.e., when a legitimate cardholder leverages the “zero liability” rules of the credit card networks to claim fraud on purchases they did make, keeping the product and getting their money back). The term friendly fraud was coined when it first emerged during the 2008 financial crisis. As consumers become more educated on how the rules work and the low risk level associated with it, they are becoming more likely to engage in friendly fraud.
Economic upheaval, such as significantly higher prices due to inflation, absolutely causes more friendly fraud. And fraudsters — feeling the pinch of high prices like anyone else — may be ramping up other types of attacks as well.
What actions are retailers taking to thwart fraud? In the face of a tight labor market, and the expertise needed on this front, I’d imagine hiring more people is not in the cards. Are there tech solutions they are relying on more heavily?
Resources are always an issue for fraud departments. In large retail organizations, it can be difficult for departments that do not directly bring in revenue to get the resources they need. Technology, while still expensive, can automate some aspects of fraud prevention and increase efficiency.
Anti-fraud technology has evolved significantly in recent years. Large retailers are leveraging massive amounts of customer data and using systems that integrate artificial intelligence and machine learning to make predictive decisions on fraud. Device fingerprinting, behavioral biometrics and other technologies are becoming more commonplace. And there are managed solutions that will take decision-making on fraud completely out of retailers’ hands and assume the chargeback risk.
Humans, however, and their intuition and expertise, are still an important part of a layered fraud defense.
Are there new threats waiting in the wings that retailers are bracing for?
Always. Unfortunately, given the creativity and industriousness with which bad actors pursue their craft, they are nearly impossible to predict. If retailers communicate with one another effectively, however, they can respond to new threats quicker.
In the past, retailers often have looked at fraud prevention as a competitive advantage. If I can make it a little harder to attack my site, the bad guys will simply move to one of my competitors. But that attitude leaves retailers blind to the new attack vectors they can’t see but others can.
The number of events like NRF PROTECT focused on fraud professionals is small but growing. Small groups of retailers often gather informally in a virtual setting. Fraud professionals that seek those resources out and share information are much better equipped to deal with emerging threats.
Is there any indication this recent uptick will begin to diminish soon?
I will answer this question with a “yes, but.” Fraud departments and professionals, as they always do, will get a handle on some of the newer fraud types contributing to this surge and it should moderate. But even so, the holiday season is not too far away, and fourth quarter transaction volume will see associated fraud increase again.