The democratisation of fraud enables anyone with malicious intent to engage in payment fraud, identity theft, and phishing attacks. Sift’s Brittany Allen explains why these attacks are on the rise and shares best practices on how to prevent them.
Over the past few years, the ‘new normal’ has shifted from ‘unprecedented times’ to ‘economic uncertainty’. As inflation has risen, so has payment fraud, at least in part because of the democratisation of fraud. Advances in technology, combined with easily accessible information, now make it possible for anyone to commit fraud, including people with limited resources or technical skills who have never before taken part in online abuse.
The democratisation of fraud covers first-party fraud, identity theft, and phishing scams. These are only part of the social engineering spectrum, but all are designed to earn illicit profits for the perpetrator, and all can cut deeply into a company’s revenue and growth: in 2022, fraud cost online businesses USD 41 bln, and it is expected to siphon off USD 48 bln in 2023. According to a recent Sift survey, 16% of consumers admit to having committed payment fraud or to knowing someone who has.
First-party fraud, such as chargeback fraud or refund and return fraud, is fraud committed by the authorised cardholder. It is difficult for merchants to prevent and detect because the purchase initially appears to be legitimate, and the later dispute comes from the genuine customer rather than from a stranger using a stolen card.
Consumers can initiate refund requests and chargebacks online as easily as they can purchase products, which lowers the barrier to first-party fraud. The solution is not to add friction to the sales or chargeback process: that is just as likely to produce the opposite result, namely fewer sales and more difficulty disputing actual fraud.
Open fraud forums on the deep and dark web are another way first-party fraud has been democratised. Underground forums publish guides on how to commit chargeback fraud, so no prior expertise is needed to get started.
In addition to forums that teach users how to commit fraud, a variety of deep web marketplaces sell personal information or access to phishing kits; some even offer phishing-as-a-service, which a would-be attacker can subscribe to as easily as an organisation subscribes to a cloud service.
Countless deep web markets exist where scammers buy and sell what they call credit card ‘fullz’: full names, addresses, credit card numbers, card verification value (CVV) codes, and expiration dates, everything needed to commit payment card attacks such as card hopping.
We would do well not to draw more attention to these criminal marketplaces, but to illustrate the scope of the menace: one of the most active criminal markets leaked more than 2 mln credit card numbers in 2023. These card numbers are typically stolen through data breaches, card skimmers, malware installed on the victim's device, or phishing attacks in which scammers send fraudulent emails or messages that appear to come from a legitimate source. The same phishing techniques are also used to harvest usernames, passwords, and other valuable personal information.
Phishing attacks are one of the internet’s oldest threats. When they first emerged roughly three decades ago, the attacks were novel enough that little sophistication was needed for them to succeed. As users have grown more aware of how phishing unfolds, scammers have engaged in a game of cat and mouse, constantly adopting new tools and techniques. Phishing remains one of the most prevalent attack vectors today for businesses and consumers alike.
Over the past decade, one of the most prominent trends in phishing has been the development of ‘off the shelf’ phishing kits and phishing-as-a-service. EvilProxy, for example, is a phishing-as-a-service offering that relays the victim’s login through a reverse proxy to the real site and captures the resulting session cookies and authentication tokens, so an account protected by one-time-code multi-factor authentication can still be taken over once the victim completes the login. With such low-hanging fruit, all it takes to engage in fraud is the ill intent to do so.
As economic uncertainty lingers, so will the growth of fraud. The good news is that organisations can take several steps to protect themselves and their users.
Basic fraud prevention measures include strong password policies and multi-factor authentication to prevent account takeover (preferably a phishing-resistant method such as FIDO2/WebAuthn security keys, since proxy-based phishing kits can relay one-time codes), and the use of tracking numbers or confirmed shipping providers to counter return and refund fraud. Signature confirmation is a best practice for high-value purchases; pragmatically, any high-value purchase should be reviewed, because the associated cost of fraud is so high.
For chargeback fraud, Visa Compelling Evidence 3.0 lets merchants refute a fraud dispute by showing that the cardholder made previous undisputed transactions that share identifying data with the disputed one. That only works if the merchant has recorded, for every transaction, the customer’s IP address, device ID, or device fingerprint, together with the shipping address or user account. Fraud detection systems enable organisations to collect these transaction details, detect patterns of abuse, and draw on signals from global networks to fight fraud.
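The matching that Compelling Evidence 3.0 asks for can be expressed as a small eligibility check over a merchant’s transaction history. The Python below is an added example, not Sift’s code or a Visa reference implementation. It encodes the rule as this editor understands it: at least two prior undisputed transactions on the same card, each settled 120 to 365 days before the disputed one, each sharing at least two of IP address, device ID/fingerprint, shipping address and account ID with the disputed transaction, with at least one match being the IP or device element. The thresholds and the transaction data are assumptions constructed for illustration; confirm the exact criteria against Visa’s current rules before relying on them.

```python
"""Illustrative Visa Compelling Evidence 3.0 eligibility check (added example).

The rule encoded here is this example's reading of CE 3.0, not an official
implementation; the 120/365-day window and the matching criteria are
assumptions to verify against Visa's current rules. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    card_token: str            # tokenised PAN; never store the raw card number
    settled: date
    ip: Optional[str]
    device_id: Optional[str]   # device ID or hashed device fingerprint
    ship_to: Optional[str]
    account_id: Optional[str]
    disputed: bool = False


DEVICE_ELEMENTS = ("ip", "device_id")
IDENTITY_ELEMENTS = ("ship_to", "account_id")
MIN_AGE = timedelta(days=120)   # assumption: prior transaction must be at least this old
MAX_AGE = timedelta(days=365)   # assumption: and no older than this
MIN_PRIOR = 2                   # assumption: number of qualifying prior transactions


def matching_elements(prior: Transaction, disputed: Transaction) -> Set[str]:
    """Names of data elements that are present and equal on both transactions."""
    shared = set()
    for field in DEVICE_ELEMENTS + IDENTITY_ELEMENTS:
        a, b = getattr(prior, field), getattr(disputed, field)
        if a is not None and a == b:
            shared.add(field)
    return shared


def qualifies(prior: Transaction, disputed: Transaction) -> bool:
    """True if one prior transaction can serve as compelling evidence."""
    if prior.txn_id == disputed.txn_id:
        return False
    if prior.disputed or prior.card_token != disputed.card_token:
        return False                       # itself disputed, or a different card
    age = disputed.settled - prior.settled
    if not (MIN_AGE <= age <= MAX_AGE):
        return False                       # outside the look-back window
    shared = matching_elements(prior, disputed)
    has_device = any(f in shared for f in DEVICE_ELEMENTS)
    return has_device and len(shared) >= 2


def compelling_evidence(history: List[Transaction], disputed: Transaction) -> List[Transaction]:
    """Qualifying prior transactions, or [] when there are too few to submit."""
    hits = [t for t in history if qualifies(t, disputed)]
    return hits if len(hits) >= MIN_PRIOR else []


def sample_case():
    """Constructed sample data (not real transactions)."""
    addr = "1 Main St, Springfield"
    disputed = Transaction("T-900", "tok-4111", date(2024, 6, 1),
                           "203.0.113.7", "dev-abc", addr, "user42")
    history = [
        # Qualifies: 138 days old, shares IP and shipping address.
        Transaction("T-100", "tok-4111", date(2024, 1, 15), "203.0.113.7", "dev-old", addr, None),
        # Qualifies: 265 days old, shares device ID and account ID.
        Transaction("T-050", "tok-4111", date(2023, 9, 10), "198.51.100.9", "dev-abc", "9 Elm Rd", "user42"),
        # Too recent (12 days old): inside the 120-day minimum.
        Transaction("T-800", "tok-4111", date(2024, 5, 20), "203.0.113.7", "dev-abc", addr, "user42"),
        # Itself disputed: cannot serve as evidence.
        Transaction("T-300", "tok-4111", date(2023, 12, 1), "203.0.113.7", "dev-abc", addr, "user42", disputed=True),
        # Shares address and account but no IP/device element.
        Transaction("T-200", "tok-4111", date(2024, 1, 20), "192.0.2.44", "dev-zzz", addr, "user42"),
        # Different card entirely.
        Transaction("T-010", "tok-5555", date(2024, 1, 20), "203.0.113.7", "dev-abc", addr, "user42"),
    ]
    return history, disputed


if __name__ == "__main__":
    history, disputed = sample_case()
    evidence = compelling_evidence(history, disputed)
    print("qualifying prior transactions:", [t.txn_id for t in evidence])
```

The check is only as good as the data captured at order time: if the IP address, device identifier and account were never recorded, no prior transaction can match, which is why the collection step matters as much as the matching logic.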
About Brittany Allen
Brittany Allen is a Trust and Safety Architect at Sift. She has more than a decade of experience combating e-commerce marketplace fraud at companies such as Etsy, Airbnb, 1stdibs, and letgo. Her current role focuses on trust and safety education, developing industry best practices and strategies, and representing the merchant’s voice at Sift.
About Sift
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Twitter, and Wayfair rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com, and follow us on LinkedIn.