Digital Trust & Safety – how to empower customers and merchants to fight fraud

Tuesday 27 October 2020 08:59 CET | Editor: Vlad Macovei | Interview

Ahead of the holiday shopping season, Kevin Lee, Trust & Safety Architect at Sift, shares the main types of attacks during these festive periods and how best to prepare against them

At the beginning of October 2020, Sift released its Q3 2020 Digital Trust & Safety Index. What did you find interesting about online fraud amid these unprecedented times that ecommerce merchants should be aware of?

Our Q3 Digital Trust & Safety Index report focused on the rise of account takeover and how its prominence impacts both consumers and businesses. In addition to finding that attempted ATO rates increased almost 300% year-over-year across Sift’s global network, we see that there’s a clear gap between how consumers view ATO threats and how they protect (or fail to protect) themselves. Rather than securing their online accounts with tools like password managers, consumers overwhelmingly place the burden of account protection on the businesses they hold accounts with. Moreover, consumers will hold those businesses accountable if their accounts are hacked, with almost 30% saying they would completely stop using a site or an app after an account takeover incident. That causes lasting and severe damage to businesses in both customer lifetime value and the unfortunate reputational damage of a targeted ATO attack.

How has ATO changed during the COVID-19 pandemic? What leads to a proliferation of these attacks?

Sift saw a clear spike in ATO attempts in the early stages of the pandemic and continued to see elevated rates through Q2 2020. The much-reported ascent of ecommerce since worldwide lockdown and social distancing orders went into effect has created huge opportunities for fraudsters. With more consumers shopping online and with a real shift in buying behaviour, cybercriminals are relying on trust and safety teams being unprepared to mitigate fraud. The sheer volume of purchases on many ecommerce sites allows fraudsters to blend in more easily and take over accounts without detection, using credentials supplied either from the dark web or through credential stuffing. Likewise, many merchants who may have only recently begun taking online orders are simply less aware of and able to fight back against different types of attacks, which is something bad actors know and seek to take advantage of.

Fraudsters' surge in ATO methods has the potential to devastate ecommerce sites and shoppers as we head into the holidays. How can ecommerce merchants best prepare and protect against them?

One of the major consumer behaviour changes in the pandemic beyond the move towards ecommerce has been towards new types of order fulfilment. Shoppers are flocking to BOPIS (buy online pickup in-store) options like never before and many merchants have rushed to offer BOPIS and curbside pickup in response to demand. In some cases, merchants’ scramble to meet consumer expectations hasn’t included the appropriate risk assessment or mitigation. Most BOPIS programs that we encounter have some serious flaws in how they verify ID, which is made all the more difficult when masking and social distancing rules are in place. I expect criminals to take full advantage of BOPIS programs as holiday sales ramp up due to the number of ways to impersonate legitimate shoppers - either by taking over online user accounts and changing pickup details like name and date-of-birth or by using stolen payment info and simply having store associates drop items off in their cars. 

Merchants can fight back against BOPIS fraud by identifying the signals that lead to payment fraud or account takeover in the first place. That means having a system in place to identify discrepancies between signals like shipping and IP address locations, account age, purchase amount, and purchase velocity. Machine learning can be enormously helpful in this regard by not only reducing manual review but by constantly analysing transactions through review of tens of thousands of different signals. 

Considering that many consumers have opened ecommerce accounts for the first time, what is their vulnerability level? What methods can consumers apply to secure their accounts? 

First-time online shoppers are much more likely to be targets of fraudsters and other cybercriminals. With that said, even seasoned digital consumers are, for the most part, vulnerable as well. The most important first step any consumer can take is to download and use a password manager. Password managers aren’t a guarantee to prevent account hacks, but if used properly, they can greatly reduce exposure to account takeover attacks. By creating and storing complex, unique passwords that the consumer doesn’t actually need to remember, password managers not only help secure accounts but also eliminate the headaches of filling out forms and figuring out passwords for each account. 

I’d also advise shoppers to enable two-factor authentication whenever possible on any website or app they use that contains sensitive information. 

You have recently launched a product that allows customers to create a fraud fighting hub with Sift. What does this fraud-fighting hub look like and what should a merchant expect after testing it?

We made some significant updates to Sift Connect, our open APIs and integration hub, in order to help fraud fighters get more of the data they need in one place. With low-to-no code integrations with payment service providers like Adyen, Braintree, PayPal, and Stripe, we’re creating a fraud-fighting command centre optimised for transparency and control. These new integrations are all available in a new app gallery experience so that fraud prevention teams can easily connect different data streams and use the Sift Console as their home base. 

We’re continuing to increase the power our customers have in their fight against the different types of fraud they face every day. These new components make it easier to send data to Sift, detect more fraud, and learn more from the data sent.

About Kevin Lee

Kevin Lee is a Trust and Safety Architect at Sift who helps customers implement strategies that cross-functionally align risk and revenue programs. Prior to Sift, he has spent the last 14+ years leading various risk, chargeback, spam/scams, and trust and safety organisations at Facebook, Square, and Google.

About Sift

Sift, formerly Sift Science, is the leader in Digital Trust & Safety, empowering companies of all sizes to unlock revenue without risk. Sift prevents fraud with industry-leading technology and expertise, an unrivalled global data network, and a commitment to building long-term partnerships with our customers. Twitter, Airbnb, and Twilio rely on Sift to stay competitive and secure. Visit us at and follow us on Twitter @GetSift.

Keywords: Sift, digital trust, digital safety, ATO, online fraud, ecommerce, COVID-19, pandemic, cybercriminals, BOPIS, iD, API, Adyen, Braintree, PayPal, Stripe
Categories: Payments & Commerce
Countries: World