Cybercriminals are in the business of fraud. They study consumer behaviors, market trends, and new technologies much like merchants do, and have become so adept at using what they learn against online providers that attacks continue to grow in size and scope every quarter.
In fact, new data from Sift shows payment fraud jumped 23% between 2020 and 2021, representing rising abuse in all industries and massive upswings in high-growth verticals like fintech and digital goods & services. We’ve seen global fraud rings executing more complex attacks more frequently, and automation (bots) adding speed and scale that businesses are largely unprepared for.
Merchants can’t keep thinking of fraud as something lurking outside of the ecommerce bubble. The global fraud economy is an interconnected network of abuse; the fraudsters who drive it are shaping tactics around the changing digital landscape, all while seizing opportunities to exploit whatever security considerations merchants are ignoring in the name of growth.
Payment-focused attacks surge across markets
Consumers aren’t very forgiving about security failures, and brand abandonment is a common outcome post-breach. Between 56% and 74% of consumers surveyed by Sift would stop engaging with a brand due to fraud, while 60% of self-reported payment abuse victims have been defrauded more than once. That’s a huge risk for your bottom line, and a customer’s lifetime value is a hefty price to pay. But the damage done isn’t just financial; it stains a brand’s reputation. When an unauthorised transaction from your business shows up on a non-customer’s bank statement because their payment information was stolen elsewhere, they will forever associate your company with fraud.
Victims of payment fraud don’t only become wary of the specific merchants involved; they start to mistrust entire industries and types of providers if abuse becomes a regular problem. One-third (approximately 33%) of consumers peg financial services as the riskiest, followed closely by retail, marketplaces, and digital goods & services. And it makes sense, since people are cautious about where they store and manage money, and likely to associate a higher risk with markets where they spend a lot of it. Not because those industries are inherently insecure, but because consumers align their perception of safety with how much they think, or know, they have to lose, whether it’s loyalty points or their life savings.
For the most part, Sift’s network data backs up consumer instinct. Fintech fraud rates surged in 2021 by 69%; digital goods & services and on-demand services saw notable increases in fraud rates too, while average fraudulent transaction values more than doubled in retail. What adds insult to injury for merchants is what happens in the aftermath of a successful attack: on top of product loss, 86% of consumers would request a refund if they discovered their payment information had been used to make an unauthorised purchase, leading to time and money wasted on dispute management. Worse, merchants are liable for interchange and misuse fees when it comes to card testing attacks and any resulting declined transactions, so you’ll end up paying for inadequate fraud prevention long after funds and data have been compromised.
Fintech stays locked in the crosshairs
No merchant is immune to payment abuse, but it’s the markets with snowballing popularity that fraudsters aim for when betting big. Cybercriminals heavily targeted emerging and expanding industries like decentralised finance and alternative payments in 2021, fueling higher payment fraud rates and larger-value attacks across fintech.
Remittance saw the worst of it, with the average value of fraudulent transactions jumping by a gutting 677% YoY, from USD 163.67 in 2020 to USD 1,271.00 in 2021. Fraudulent transaction values also rose in crypto exchanges (8%), digital wallets (9%), and neo/challenger banks (85%). Providers in this space aren’t only contending with fraudsters waiting to snatch the valuable data they hold. Unchecked consumer behaviors, like poor password hygiene and credential reuse, make it easier for cybercriminals to bypass security gates across multiple platforms, apps, and sites. Two-thirds (66%) of consumers admit to storing credit card or other payment details with online retailers, and 33% of the respondents mention they save the credentials for their financial institutions in device-native password managers, placing the responsibility for protection largely on merchants offering these conveniences.
Automation adds fuel to the fire
A profitable attack using one type of fraud often turns out to be fundamental to the success of another. This regularly happens in the fraud economy, with financial fraud being the final step and leading to the ultimate payout. Fraud rings (groups of cybercriminals working together to commit abuse) regularly leverage several methods and channels of attack, using various technologies and targeting multiple merchants at once.
Recently, Sift data scientists and fraud experts have exposed and taken down a number of these operations. From crypto-scammers targeting dating sites, to bot-backed credential stuffing and ATO attacks, fake fundraisers, and user-forum phishing, a lot of the most detrimental abuse is being performed by teams of bad actors leveraging any and all types of fraud. Moreover, cybercriminals are evolving in terms of how they apply automation. It gives them the ability to test massive amounts of stolen data too rapidly for most merchants to keep up, or spread dangerous links and information far and wide, leaving businesses completely at the mercy of consumer behavior.
Looking at the techniques organised fraud rings have in common, it is clear that they’re more interested in weakening entire communities of merchants and consumers than they are in targeting individuals, and are aligning those goals with when, and, more importantly, how, they strike. You can see how some of the recent operations we’ve examined work on Sift’s new Fraud Intelligence Center, where we’ve broken down the data and methodology in detail.
Plainly put, reactive fraud prevention can’t keep up with automated abuse and organised attacks, and the merchants relying on it are likely already struggling to protect customers effectively. Tools like friction and two-factor authentication can disrupt the user experience, and, without real-time data influencing their accuracy, add opportunities for fraudsters to break through. Trust and safety teams need an end-to-end solution that takes into account all types of abuse, and how that abuse changes shape in every industry, without having to apply security tactics that disrupt the user experience or put a cap on growth.
About Jane Lee
About Sift
Sift is the leader in Digital Trust & Safety, empowering companies of every size to unlock new revenue without risk. Our cutting-edge platform dynamically prevents fraud and abuse with real-time machine learning that adapts based on Sift’s unrivaled global data network of 70 billion events per month. Global brands such as Doordash, Twitter, and Crypto.com rely on Sift to gain a competitive advantage in their markets.