Voice of the Industry

The lay of the fraud land: Q&A Session with merchants - Series I

Wednesday 26 January 2022 07:56 CET | Editor: Simona Negru | Voice of the industry

In a Q&A session, The Paypers sat down with big names in the merchant industry to elaborate on what fraud trends have emerged in the ecommerce space so far.

What fraud trends do you see on the rise?

Cristián Barros, Head of Fraud Prevention at Cornershop by Uber

Ecommerce fraud is becoming more complex, with more creative and sophisticated fraudsters targeting companies with an aggressive expansion strategy – so as fraud evolves, companies need to adapt and come up with differentiated solutions. Increasing ATO attacks, for example, will require fraud and cybersecurity teams to work closely to prevent and disarticulate these networks, with a better and refined strategy for early identification of these cases. Tools like two-factor authentication could be game-changers when ever-changing fraud attack MOs (modus operandi) are putting enormous pressure on fraud machine learning models. Nowadays, companies are looking for fast and effective responses from either their third-party partners or their own data science team.

Such fraud trends will be accompanied by new challenges, like increasing regulation standards that force merchants to rely on less information and develop new tools to prevent fraud. One example is new account authentication tools, with the challenge of offering low friction levels but simultaneously maintaining high effectiveness.

Pamela Cronin, Senior Payment and Fraud Manager at Insparx

We see the following fraud trends on the rise:

  1. Affiliate fraud – Affiliate marketing programmes bring traffic and customers to our platforms through referrals, who then in turn get paid per customer registration or per sale. For some affiliate partners, the traffic is not always legitimate. There is a rising trend of affiliate partners creating multiple registrations that can come from the same device, IP address, UA, email domains with a combination of all or some of the same criteria in order to generate revenue. Other partners are using credit card data, which has been purchased on the dark web to complete a transaction and to test cards. To a large degree most partners are legitimate, however, when new partners are onboarded, they must be monitored very closely as we have also seen cases where the registrations appear to be genuine, yet, months later these accounts are used to test credit cards. The accounts that are created are not in use either and have no activity which gives a negative impression to our customers.

  2. Card testing – Accounts are created and used to test if credit card credentials are valid and utilised to make multiple purchases on other platforms. We see various attempts on some accounts where a BIN number is the same and the last four digits are tried in sequence. Another example is when expiry dates are also seen in sequence; this time, a different month or year is being used. Although internal velocity checks are put in place to detect such behaviour, the volume of attempts is increasing. 

  3. Referrals – Most recently we are receiving bot attacks across various marketing channels. These attackers are registering profiles and writing messages to our customers referring them to various white label versions of another dating platform. Their goal is to avoid marketing costs and to steal our customers by encouraging them to visit their sites. The attackers seem to be aware of our internal thresholds, velocity checks, and fraud detection, so they use these criteria in order to go undetected. Attacks only occur on weekends in order to achieve better success. Although there are new rules put in place to prevent this, the attackers change their criteria with each attack.
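
The card-testing pattern in point 2 above (same BIN with the last four digits tried in sequence, or one card retried with sequential expiry dates) can be checked for in attempt logs. This is an added example, not code from Insparx or The Paypers; the record layout, the 30-minute window and the run length of 3 are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
MIN_RUN = 3                      # assumed: 3+ sequential values is suspicious

# Constructed sample attempts: (account, BIN, last4, expiry "YYYY-MM", time).
# Only the BIN and last four digits are kept, never a full card number.
ATTEMPTS = [
    ("acct-1", "400000", "1001", "2024-05", "2022-01-08T10:00:00"),
    ("acct-1", "400000", "1002", "2024-05", "2022-01-08T10:00:20"),
    ("acct-1", "400000", "1003", "2024-05", "2022-01-08T10:00:41"),
    ("acct-2", "510000", "7731", "2023-01", "2022-01-08T11:00:00"),
    ("acct-2", "510000", "7731", "2023-02", "2022-01-08T11:01:00"),
    ("acct-2", "510000", "7731", "2023-03", "2022-01-08T11:02:00"),
    ("acct-3", "400000", "4242", "2025-09", "2022-01-08T12:00:00"),
    ("acct-3", "400000", "9310", "2025-09", "2022-01-09T18:30:00"),
]

def longest_run(values):
    """Length of the longest run where each value is the previous one + 1."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def months(expiry):
    """Map 'YYYY-MM' to a month count so consecutive months differ by 1."""
    year, month = expiry.split("-")
    return int(year) * 12 + int(month)

def detect_card_testing(attempts, window=WINDOW, min_run=MIN_RUN):
    """Return {(account, BIN): reason} for groups showing enumeration."""
    groups = defaultdict(list)
    for acct, bin_, last4, exp, ts in attempts:
        groups[(acct, bin_)].append(
            (datetime.fromisoformat(ts), int(last4), months(exp)))
    flagged = {}
    for key, rows in groups.items():
        rows.sort()  # chronological order within each account/BIN group
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            if longest_run([r[1] for r in in_window]) >= min_run:
                flagged[key] = "sequential last4"
            elif (len({r[1] for r in in_window}) == 1
                  and longest_run([r[2] for r in in_window]) >= min_run):
                flagged.setdefault(key, "sequential expiry")
    return flagged
```

A sequence check like this complements a plain velocity count because it keys on the shape of the attempts rather than their volume alone.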

Stephan Spijkers, Co-Founder at PIMVendors

NADUVI.com is a home and living marketplace and as such, we see mostly credit-card fraud on our platform, as well as return fraud. Customers usually claim to have never received their package (even though the vendor on our platform uploaded a track & trace) or that they would like to return their package and then they return a completely different item, abusing the lack of sophisticated return processes at our vendors.

Ravi Purohit, Associate Director, Products at Rakuten

Friendly fraud, refund fraud, sign-up fraud or promotional abuse, digital payments fraud, and account takeover or identity fraud have been at the top of fraudulent trends over the past few years.

With many data breaches happening across the social media space and customers’ privacy being compromised, we can expect a rise in account takeover fraud. Fraudsters can get access to leaked passwords and personal details from the dark web and try to take over the accounts on ecommerce websites or payment apps through bots. Since account takeover or identity fraud puts the fraudster in the driving seat for the account, the magnitude of potential damages is also high with this. Other fraud categories (e.g. friendly fraud, refund fraud etc.) are expected to grow organically with the rise of ecommerce space as a whole.

Juan Pablo Ortega, Co-Founder at Rappi

On the merchant side, we have seen a rise in fraudsters’ attempts to perform account takeover attacks. Most of the time, these are done through social engineering, as fraudsters would call or send messages to our users, posing as customer-service agents who offered a coupon or discount if the users were able to authenticate their account. The fraudster then utilised the information that the customer provided, including the SMS verification code, to access the legit account and make fraudulent transactions.

Elena Chen Michaeli, Fraud Fighter at Shutterstock and MRC Education Committee Member at Merchant Risk Council

Trends, in contrast to fraud patterns, are by definition developments or changes. Customer abuse, payment fraud, and account takeover (either done manually or by using tech tools like bots for credential stuffing) are patterns that have been around for a long time.

Fraudsters will create such a trend and develop their technique once they realise that the vulnerability or weakness they were abusing has been patched or if the entity had caught up on the method they were using to attack, exploit, or misuse one’s platform/services/goods. Companies should not share any of their identified trends with anyone, as they will reveal their vulnerabilities that can be taken advantage of until these have been mended or prevented in other ways. 

In my opinion, a very underrated malicious tactic is the ongoing trend of social engineering.

Yassamine Taghilou, Anti-Fraud Manager at Vestiaire Collective

In Vestiaire Collective we’re keeping an eye on what fraudsters are doing and what the latest fraud trends are. Refund and return fraud, including freight fraud, are on the rise – e.g. we could detect some fraudulent refund-service companies who propose refunds to buyers by paying them a percentage of the cost of the item. They know how to open an organised postal claim against a merchant and get reimbursement by pretending that the buyer has not received the item.

In online payment fraud, despite the fact that fraud is reduced through EU CNP due to SCA and PSD2, fraudsters have switched to international cards to defraud EU merchants. Moreover, we can see a dangerous spike in usage of the Buy Now, Pay Later (BNPL) payment method. This payment method extends the buying power of users with interest-free loans and users purchase merchandise for free in the checkout page.

The fraudsters take advantage of this mechanism and commit fraud through account takeover, identity theft, synthetic identity, and new (multiple) account fraud by using legitimate users’ credit cards.

Elena Emelyanova, Senior Payments and Fraud Manager at Wargaming.net

Fraud trends in the gaming industry are quite known overall and have not changed dramatically in the last five years. We all hear about account takeover and friendly fraud a lot, we all know about card testing and phishing, as well as payments fraud with stolen cards and compromised BIN databases. There is indeed a shuffle or some seasonality per fraud type in percentage share from year to year, but the definite leader is always friendly fraud also known as first-party misuse. 

Looking at the Wargaming traffic, first-party misuse is on the rise and prior to the Christmas peak, we are preparing for even more attacks to come in. I would define two categories of fraudsters within this type:

  1. A good player who didn’t want to cheat, but falls under fraudsters’ class ‘by accident’. For example, due to technical bugs, he buys a bundle twice and calls the bank for a chargeback; thus, he is automatically blocked within the game and appears on the list of ‘friendly fraudsters’. 

  2. A good player who did want to cheat. Although he is our legitimate customer who has good playing history and lots of achievements within the game, he acts illegally, trying to gain his own profit from cheating the system. 

The second type of first-party misuse participant is currently a trend in the industry: it is hard to catch such a fraudster, since he is, at the same time, a loyal player in our games and a cheater in payments. We need to fight him when it comes to payments fraud (e.g. we can block his account, request the fine to be paid etc.), but this makes it really hard to keep his loyalty as a gamer.

Omer Shatzky, Head of Billing & Payments at Wix 

COVID-19 pushed more business owners and cardholders to sell and purchase online. With more transactions being completed online, there were new opportunities for social engineers and scammers to exploit newcomers who were not heavily experienced in ecommerce. For example, in the height of the pandemic, scammers took advantage of public anxiety by selling low quality or non-existent medical products. 

Additionally, the usage of cryptocurrency has become more of a commodity due to the rise of its value, consumer awareness, and more acceptance by well-known platforms such as PayPal, for example. As this is a whole new and complex kind of economics where most users are not aware of the intricacies and risk, it, therefore, can be easily exploited by scammers.

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.
