As the New Year begins and ecommerce sales are being tallied against fraud losses, ecommerce merchants, acquirers, solution providers, and issuers are typically preparing their lists for what worked and what didn’t work as part of the Holiday Season. 2020 started in the same way but with one significant exception when undertones of an unknown virus expected to spread across the world became a harsh reality. COVID-19 was officially declared a ‘global pandemic’ on 11 March 2020 and organisations around the world quickly shifted their focus to emergency systems and operational planning to prepare for millions of workers to work from home, or sadly, to be removed from their jobs completely.
This black swan event set the stage for an abrupt and unanticipated explosion of ecommerce transaction volumes that will be studied and written about for years to come. The exodus of brick-and-mortar retail led to an acceleration of mobile and ecommerce growth, while organisations accelerated years of digital transformation in just a few months. The US Census Bureau recorded a 44.5% year-over-year increase in ecommerce retail sales during the second quarter of 2020.
As quickly as card-present and omnichannel merchants moved to revise their business plans to support ecommerce models and implement curbside pick-up procedures, the fraudsters went to work using an old playbook that was proven and very effective. The increased volume of online and mobile transactions, heightened by the panic of a global pandemic, left the door wide open for the all too familiar scams that supported huge spikes in identity theft, account takeover, and ultimately third-party and application fraud.
Early on, COVID-19 perpetuated a level of real fear in most people that can create an emotional and debilitating physical response, often leading to the use of poor judgment in stressful situations. This environment exposed a vulnerability that allowed phishing schemes to be highly effective as people literally feared for their lives.
There is a saying in risk mitigation and fraud prevention: ‘follow the money and that will show you the open door’. When the US Government approved the CARES Act and trillions of dollars were being disbursed to millions of Americans, it was not clearly understood how the disbursement process would work, and the confusion led to large-scale targeted phishing attacks. Phishing schemes also targeted consumers who wanted to purchase masks, hand sanitizer, and other essentials suddenly in short supply. For years fraudsters have taken advantage of consumers and increased the number of phishing scams used to extract a person’s credentials, but it was the added fear of COVID-19 and the impact of shelter-in-place orders that made the scams even more effective. Google identified a 250% increase in phishing sites between January and March.
Another opportunity for fraudsters came in the form of Business Email Compromise (BEC) attacks. Many organisations went from few or no employees working remotely, to their entire workforce working at home. Fraudsters pounced on the chance to exploit less secure hardware and security practices in the home, as well as the physical distance from IT and cybersecurity teams.
Fraudsters used social engineering to obtain information to bypass two-factor authentication measures, then took over the email accounts of unsuspecting employees and executives, and used the trust associated with these email accounts to reroute payments and access additional personally identifiable information.
Businesses were being attacked on multiple fronts. Direct attacks including data breaches, social engineering, and Business Email Compromise had all greatly increased. Meanwhile, businesses also experienced a surge in online and mobile commerce from both legitimate consumers and fraudsters leveraging compromised consumer payment account and identity credentials. The behaviour of a typical consumer drastically changed at the same time fraudsters ramped up their activity. Historical patterns that previously would’ve been recognised as a high risk or a typical fraud event were no longer as clear. It became extremely difficult for organisations to discern a true fraud attack from what was becoming the ‘new normal’. Businesses felt the impact in terms of more fraud losses, higher decline and false-positive rates, and increased chargebacks related to fulfilment and other non-fraud reasons.
Typically, the victims of online fraud are unsuspecting individuals who are vulnerable because of their age, technical ability, and lack of knowledge about fraud scams. According to the Federal Trade Commission, Americans have already lost more than USD 145 million to fraud related to the coronavirus, measured by more than 200,000 complaints from consumers. The full residual impact globally is yet to be known, but rest assured that the numbers will be significantly higher. As personally identifiable information, collected through the various schemes discussed, is used over the holiday to perpetrate more fraud against merchants, the victims of COVID-19 will extend beyond the consumer to include merchants, acquirers, and issuers.
It is difficult to put history into words, especially as we are living through it, but the pandemic has influenced ecommerce in a way that will change how we think about everything going forward. The way we work, shop, learn, and the way we interact with one another will forever be changed.
This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.
About Kevin J. Sprake
He is a veteran ecommerce payments and fraud prevention executive who is passionate about serving customers. He is a past-Global Board member of the Merchant Risk Council, and was recently named as the Managing Partner of The Fraud Practice.
About The Fraud Practice
A payments and risk focused consulting firm that leverages their global market experience to work with merchants, financial institutions, and service providers to assess, design, improve, and bring to market new solutions in ecommerce. Since 2004, their assessments and strategies have helped customers to re-define the fraud and payments industry.