Fraud in the ecommerce space: trends to watch in 2021

Wednesday 3 March 2021 08:20 CET | Editor: Simona Negru | Voice of the industry

Simona Negru and Ralph A. Rodriguez joined forces to tackle what 2021 has in store for identity and what fraud trends we should be aware of

Understanding the ‘now’ to get ready for the ‘next’

As we embark on a conversation about ecommerce's future and what's waiting for us around the corner, we cannot look past or avoid talking about the effects and consequences of COVID-19. While consumers have changed their shopping habits and expect easy transactions across every channel, increased demand is forcing ecommerce merchants to add new digital payment methods and expand their services into online and mobile channels, as well as into international sectors. However, as businesses move towards cashless, digital platforms, this also creates new opportunities for fraudsters to exploit.

The fast growth of online activity and demand during the lockdown left merchants vulnerable to fraud attacks, especially those new to digital channels and hence not conversant with the online space. Identity-related fraud, including account takeover and account creation, continues to be substantial and growing. The 2020 report by Javelin Strategy & Research states that merchants have weak authentication protocols, as 'under half of all merchants require only a username and password to authenticate consumers, and approximately a quarter of merchants supplement usernames and passwords with tools like device recognition (28%) and location (24%)'. Verifying customer identities in real time while providing a frictionless customer experience can be a struggle for merchants who don't have the appropriate data-tracking system to accurately distinguish between legit customers and malicious bots.

Besides, the number of successful fraud attempts increased, especially during the closure of brick-and-mortar retailers, who have more to worry about in 2021. Fraudsters became more innovative and opportunistic in exploiting new schemes to defraud or gamify one’s online stock availability for COVID-19 essentials or trendy fashion items. Not surprisingly, the high volume of fraud attacks translates into higher costs and revenue loss for merchants. 42% of businesses admit that digital fraud's consequences constitute an impediment to their desire to expand and innovate new online services.

The entire payment ecosystem is challenged and pushed at so many levels. The question that arises is: what's in store for the players involved? Here are some of the trends that fraudsters are exploiting and that merchants should stay alert to this year.

New mutations of old types of fraud

Account takeover (ATO) attacks 

ATO fraud, or the 'fraudster's weapon of choice,' rose 282% between 2019 and 2020. One prediction made for 2021 is that hackers will use automated methods such as script creation and credential stuffing to commit attacks and make ATO fraud easier than before. The consequences? Perhaps we will see more data breaches, but we must also ask ourselves: will this mean that the industry will finally stop relying on usernames and passwords? What about adopting passwordless login, biometrics, and continuous authentication to thwart ATO? Deploying bot detection during online account creation would easily spot when it is not a human being creating or modifying the online account. This, coupled with moving away from using username and password as the primary roadblock for fraudsters, would quickly reward the retailers.

Another concern is that ATO is spreading in the ecommerce space, aggressively emerging in the online gaming industry. The risks are high when one has to keep players engaged and active, and ensure real-time transaction approvals. The impediment here is whether gaming retailers have robust fraud prevention solutions to analyse if the transaction data is genuine or fraudulent. In addition to bot detection, mobile and digital identity authentication solutions provide identity certainty and the ability to validate customers in a frictionless way.

Chargebacks/friendly fraud 

Chargebacks are the most common ecommerce fraud type and one of the most expensive challenges online retailers experience. Although we distinguish between criminal and friendly fraud (the latter accidental or intentional), the result is the same: it often brings additional fees and loss of inventory or services. The new shopping habits, such as buy online pick-up in store (BOPIS), digital gift cards or curbside pick-up, also led to more chargebacks that might continue in 2021. BOPIS fraud, for instance, increased 55% year over year in H1 of 2020, while fraudulent chargeback claims more than doubled between January and June 2020. Thus, it is not surprising that chargeback fraud can account for between 40% and 80% of all fraud losses.

Transaction fraud/phishing  

In this type of fraud, bad actors make purchases using stolen payment information, usually gained through phishing attacks. Fraudsters pose as representatives of a trusted company, and victims are tricked into sharing personal details willingly. In 2020, under the new circumstances of working from home, people who are not tech-savvy are more likely to click on phishing emails. In addition to this, fraud teams work with different entities (e.g. PSPs, call centres, delivery companies) that, in turn, have staff working remotely as contractors. So, it’s sometimes quite challenging to know for sure whether an email sender is actually affiliated with one of the other links in the ecommerce chain. Will we see more phishing attacks, or did companies learn from 2020 and are now more prepared to fight fraud?

Synthetic identity 

Considered the fastest-growing financial crime in the US, synthetic identity fraud creates a fictional persona, as fraudsters combine personal info from a legit person with invented details in a bid to open accounts or transact online. Fraudsters use synthetic IDs to shop online, and this can lead to huge revenue loss. When merchants don’t have a highly accurate fraud prevention AI system, it can even lead to false positives. 

In its 2021 Future of Fraud Forecast, Experian says that fraudsters are projected to use fake faces for biometric verification – a phenomenon dubbed ‘Frankenstein IDs’. The company believes that criminals will rely on AI to create new identities, known as deepfakes, by combining facial characteristics from different people. If this indeed happens, will businesses that use facial recognition tech as their foremost fraud prevention strategy be ready for these attacks? To prevent this type of attack, the use of facial liveness detection and genuine presence assurance would ensure that the synthetic identity cannot be used during enrolment or authentication.

Voice shopping and deepfakes

Voice search shopping is the latest trend in m-commerce. Considering that companies like Amazon, Apple, Google, and Facebook are providing the market with smart speakers, this is no wonder. At the same time, it is concerning that 39% of attacks targeting media companies are completed in cyberspace using mobile transactions. The platforms, interfaces, and devices that allow voice technology are relatively new, which makes this channel prone to security vulnerabilities like privacy breaches or deepfake audio scams. Deepfake attacks can be used for malicious purposes, such as attempts to bypass identity verification systems. Retailers should deploy voice liveness detection throughout their call centre operations and IVR systems to detect synthetic voice identity during enrolment or authentication.

Let’s talk about the future of fraud

Refund fraud

The economic difficulties in 2020 created turmoil in terms of both unemployment and retail businesses, which will push people in 2021 to take advantage of any promotion and refund they can get, Ravelin believes. Some, more opportunistic, will even use a promotion more than once, and thus the company's profitability can be damaged, as the merchant's marketing money is overspent and wasted. No wonder merchants report a 49% increase in promo abuse and a refund fraud growth of 51%.

Moreover, refund fraud is hard to identify, mostly because there isn't a related fraud chargeback. Fraudsters take advantage of this aspect: the so-called 'refunders' post their services on non-dark web forums or social media pages. They provide consumers with guidelines that ‘must be followed’ to get a refund. They list companies that 'guarantee' refunds. When retailers refund the cardholder, the customer pays the refunder up to 15-30% of the order value for the service. However, fraudsters can use social engineering to perform refund requests on behalf of customers.

Buy Now Pay Later (BNPL)

With BNPL, retailers offer the option for consumers to purchase products on 0% credit. Customers are not billed right away for the full amount of BNPL purchases – an opportunity from which fraudsters can benefit. Compared with other types of ATO fraud, BNPL fraud can result in a longer lag time between fraud and detection. On the other hand, to beat the system, fraudsters can hire mules and set up shops to buy legitimate ID documents in developing countries. Biometric face match and ID verification would go a long way here. A system to compare a known selfie face to a government ID picture is a must. However, while the brick-and-mortar shop might currently suffer one fake getting through, they can prevent fraud at scale by recognising that they’ve seen this face before.

Tips and learnings 

Ecommerce fraud is a significant business risk that must be mitigated with a well-designed and implemented identity fraud system.  While not all-encompassing, one should take a top-down approach to the threats, by listing the areas in which fraud is likely to occur and the types of fraud that are possible in those areas. Retailers need to analyse all relevant transactions to test and monitor internal controls effectively. One could use continuous auditing and monitoring to improve fraud controls and fix any broken rules immediately. Finally, all employees should ‘dog food’ their system to facilitate customer experience.

As we've noted, fraudsters were unwavering and relentless during COVID-19. With continually changing schemes and alternative approaches, fraud detection has been more complicated than ever. Just consider any factor in the pandemic, economic conditions, regulatory requirements, and IT resource constraints, and it might feel like it's too hard to keep up. Initiating some of these tactics will help to outfox the fraudsters — decreasing risk, thus maintaining the excellent customer experience that consumers demand.

What is your method to stay one step in front of fraudsters? 

About Simona Negru

A graduate of English Language and Literature studies, with an MA in American Studies, Simona is always on the lookout for the best and new stories to capture. A passionate senior editor, Simona is keen on discovering and sharing all the relevant topics on payments and commerce, as well as online security and digital identity, all while finding the hottest trends in the industry for The Paypers’ readers.


About Ralph A. Rodriguez 

Ralph is an Executive-in-Residence at Summit Partners where he works alongside Summit’s technology team to identify new opportunities within growth stage technology companies. Previously, Ralph was an MIT Fellow and a Research Scientist at Facebook where he led Applied Identity and Intelligence. Prior, he was the Co-Founder and CTO of Confirm.io, which Facebook acquired in 2018. As the longest-serving Fellow at MIT, he pioneered research on AI, cloud, mobile, neural science, and security at the MIT Media Lab and Harvard-MIT Health Sciences and Technology (HST) department.

