What has 2019 taught us? A retrospective on ecommerce fraud

Monday 17 February 2020 09:55 CET | Author Simona Negru | Voice of the industry

Fraud has become highly sophisticated, continuing to evolve day by day, hour by hour. What are the takeaways? Check out the following 2019 retrospective and be prepared for 2020.

Fraudsters nowadays have the necessary means to take advantage of every opportunity for new scams: personal and financial data is now accessible online; new tools and advanced technologies open doors for the bad guys and increase the potential for disaster; bad bots allow scams to be performed at unprecedented scale. For this article, we have put together an overview of what occurred within the industry during 2019 and which main types of fraud should be closely watched in 2020.

Fraud by the numbers

Data breaches have grown in frequency, as huge amounts of personal data – usernames, passwords, social security numbers, account information – have become available on the dark web. An analysis made by Cyber Risk shows that throughout H1 2019, 3,813 breaches were reported, exposing over 4.1 billion records. Compared to the same period of 2018, the number of reported breaches rose by 54%. Also, the 2019 Verizon Data Breach Investigations Report suggests that 52% of breaches featured hacking and 28% involved malware.

Bot attacks and their consequences

LexisNexis released a report showing that bot attacks affected accounts in media and ecommerce. More precisely, during January-June 2019, 16.4 billion transactions were recorded, out of which 277 million were human-initiated attacks. This represents a 13% growth over H2 of 2018. Arkose Labs’ report on fraud and abuse, conducted for Q3 2019, analyses the attack patterns and investigates the mechanics of inauthentic attacks, which range from automated bots to human-driven attacks. These attacks focus on defrauding businesses and end users through fraudulent account registrations, account takeovers, or payments using stolen credentials. The report further suggests that the Philippines is the biggest attack originator (88.3%), followed closely by the US (88.2%).

The use of bad bots triggers other types of fraud such as account takeover, which occurs when criminals use another person’s credit or debit card account, initially by gathering the victim’s information, and then contacting the card issuer and pretending to be the genuine cardholder. In fact, 1.5 million individuals were involved in an account takeover (ATO) attack in 2019. Account takeover and fraudulent account creations represent the majority of identity-related fraud activity, with 69% affecting mid/large ecommerce businesses and 55% for mid/large retailers, as per LexisNexis.

Moreover, a successful exploit by a bad bot can escalate into a further range of issues, such as an increase in failed logins, in customer account lockouts and customer service tickets, in fraud (e.g. stolen credit cards, unauthorised purchases), or in chargebacks – with friendly fraud (the root cause for over 70% of fraud losses) and account takeover being the top sources of chargebacks. Chargebacks911 reports that 81% of customers admit to filing a chargeback out of convenience. And while the average chargeback ratio in the retail industry is 0.50%, most acquirers restrict or cancel merchants’ accounts if they approach the critical 1% chargeback-to-transaction ratio.

Phishing and identity theft

Reports have shown that certain types of fraud continue to dominate; for instance, a 147% increase in the total number of clicks on phishing links was recorded from January to September 2019. If, for example, a person loses their account info to a phishing email, then the hacker uses that data to make purchases with the victim’s financial information. This scheme is called identity theft. Moreover, a study by Worldpay shows that the predominant types of ecommerce fraud in 2019 are identity theft (71%), phishing (66%), and account theft (63%).

What should we watch for in 2020?

In the end, perhaps the goal of each individual or business alike should not be how to manage or detect fraud, but how to prevent it. If we are to look ahead into 2020, we should definitely keep a close eye on the ‘fraud agenda’. As mentioned above, ATO is a significant issue; the majority of successful ATOs come from credential stuffing attacks, where numerous unique IP addresses are used for logging in to user accounts via bots and automated scripts.

Closely related to this are identity theft and phishing scams, where fraudsters take over an existing identity – targeting the victim’s personal information including names, addresses, credit card or account information –, or they simply use fraudulent websites, emails or text messages to access personal data, respectively.

Another rising trend is click and collect fraud, which was reported by ACI Worldwide as being the fastest growing trend globally during the holiday shopping season. An 89% growth was seen in loyalty fraud, Forter reveals, while Buy Online Return In-Store (BORIS) and Buy Online Pickup In-Store (BOPIS) fraud each reached 23%.

Equally important is the question raised by the Open Banking momentum and the tendency towards data sharing: will these challenge fraud teams in any way? If we think about the fact that there will be payment methods developed on OB networks, this means new scenarios that fraudsters could take advantage of. For instance, copycat websites could pretend to be a TPP and potentially abuse consumer data. In this case, how well do we understand the risks? We need to watch this space.

So, how can fraud be prevented in a better and more efficient way? One important fight ecommerce merchants have to overcome is avoiding false positives. They must protect their revenue, while not blocking true customers, but actually protecting them from breaches. In order to accomplish this, I believe merchants should invest in artificial intelligence and machine learning tools that are equipped to combat the increasingly sophisticated types of fraud. Also, consumer education is important, as customers must be aware of fraud implications and the preventive actions they could take. Equally important is collaboration: the law enforcement and judiciary sectors should continue to share knowledge on how to recognise, detect, and stop attacks, as well as maintain strong cooperation with businesses and private sector entities in a bid to facilitate data sharing between them, so that they are able to seize complex cyberattacks and take preventative security measures.

About Simona Negru

A graduate of English Language and Literature studies, with an MA in American studies, Simona is always on the lookout for the best and new stories to capture. A passionate content editor, Simona is keen on discovering and sharing all the relevant news and topics on both distributed ledgers and cryptocurrencies, as well as online security and digital identity, all while finding the hottest trends in the industry for The Paypers’ readers.

