As merchants, consumers, and payments providers wrestle with the Covid-19 pandemic, one thing is certain: Online fraudsters are as relentless—and opportunistic—as ever.
If little else, this year has proven that forecasts are grounded only in the moment they are made. No one could have foreseen in 2019 the impact of the Covid-19 virus on the U.S. economy and how it would alter e-commerce and online fraud.
Here’s the impact so far. The most recent quarterly data from the U.S. Census Bureau for the second quarter finds that e-commerce sales accounted for 16.1% of all retail sales, or more than $211.5 billion. That is much higher than the 10.8% share in 2019’s second quarter, when online sales totale $146.4 billion.
The big questions about e-commerce in 2020 are how much more will consumers shop online and how much more fraud will this shopping spree generate. It’s already known that as e-commerce volume increases so does fraud. At least one fraud-prevention vendor noted major spikes in attacks in the first half of 2020.
Certainly, online-fraud issues have intensified in 2020, affected like so much else by the Covid-19 pandemic. As many states shuttered nonessential businesses and consumers shifted much of their spending to online stores, so, too, did criminals increase their misdeeds. Matters such as account takeovers and a better understanding of chargebacks surged to the forefront of merchant concerns, if they already weren’t there.
Long a major issue for merchants and payments providers, account takeovers further cemented their position as the pandemic settled in place. “It’s the number-one fraud trend we see,” says Jeff Wixted, vice president of marketing and client solutions at Accertify Inc., an online-fraud specialist owned by American Express Co. “It’s due to data breaches.”
The problem worsened as habitual online shoppers increased their spending and consumers who formerly didn’t shop online much increased their e-commerce activity. Wixted says some Accertify clients are experiencing Black Friday or Cyber Monday sales volumes, referring to two peak holiday shopping days online.
Digital Newbies
Some suggest that account-takeover attacks will grow more numerous, especially as the fourth-quarter holiday season arrives. “We will see an intensification,” says Julie Conroy, research director for Boston-based Aite Group’s fraud and anti-money-laundering practice.
“We haven’t seen a big spike yet because the fraudsters have been focused on defrauding unemployment and the Payroll Protection Program,” Conroy adds. The PPP program is a small-business funding program from the U.S. government.
A huge new segment of digital newbies who may be more susceptible to social-engineering scams could succumb to account-takeover attacks, Conroy says. At the same time, a lot of financial institutions have relaxed some of their velocity rules and dollar limitations on services like person-to-person payments and remote deposit capture because they want to ensure as few customers as possible are inconvenienced, she says.
Already, she says, “We have seen an uptick in phishing. All of the ingredients are there for the crime rings to do well with account-takeover attempts.” Phishing scams gull online users into giving up key credentials like user names and passwords.
For some frontline personnel, rising fraud is already a problem. “Financial institutions definitely are contending with more account takeovers,” says Charlotte Ritonya, vice president of security and fraud, card services, at Brookfield, Wis.-based Fiserv Inc.
“As we shore up the point of sale with contactless [payments] and EMV, we start to shore up authentication,” Ritonya adds. “Account takeover is not a new event; we’re just seeing more and more of it.”
As other observers note, the cheap price of consumer data—information for the average stolen account sells for $15.43, according to antifraud specialist Digital Shadows Ltd.—makes account takeover more widely available, says Christopher Mascaro, Fiserv vice president of fraud data and financial crime insights.
Biding Their Time
Immediately after the Covid-19 lockdowns went into effect this spring, fraudsters sprang into action. According to data collected for its third-quarter Fraud & Abuse Report, San Francisco-based Arkose Labs said attack rates on logins increased 28% in the second quarter. Along with that was a 30% lower attack rate on account registrations and a whopping 47% decrease in the attack rate on payments.
Cloud configurations and the notion of software-as-a-service, which has contributed positively to ever-increasing decentralization of computing capabilities, also have been put to use by criminals.
“A couple of years ago, to do account takeovers, fraudsters would need teams of people to help,” Wixted says. But today, through cloud computing, someone could do it all themselves, he says. They can efficiently rent the software for a period of time and then shut it down, Wixted adds.
The account-takeover problem is compounded by constant data breaches leaching usernames and passwords, poor password practices, and technology advances, Wixted says, adding: “These make it even more impactful when it does happen.”
Because there are now more consumers going online to shop for the first time, those individuals can be at higher risk for account-takeover fraud, says Kimberly Sutherland, vice president for fraud and identity-management strategy at LexisNexis Risk Solutions, an Atlanta-based risk and data-services provider. “Less-experienced online users are always going to be at higher risk,” Sutherland cautions.
Some criminals, however, are biding their time by creating sleeper accounts. In this scheme, Wixted says, the criminal creates an account and doesn’t necessarily do anything malicious with it initially. “They create them now and let them marinate for six to nine months,” he says.
These accounts can be spotted because, as is the case with accounts for loyalty or rewards programs, consumers generally don’t create an account and then let it sit unused, he says. There’s usually some driver to use the account, such as snagging points when booking a trip. Many technology providers can determine an approximate identity on online accounts, such as email addresses.
‘Ridiculous Volumes’
Chargebacks also have proven problematic during the pandemic. As online shopping volume has increased, so too have chargebacks.
“Most of the banks I interviewed have seen between a two- and three-fold increase in non-fraud disputes in the early months of the pandemic,” Aite’s Conroy says. This was compounded by the fact that many banks had offshore call centers that lacked the infrastructure to adapt to a work-from-home environment.
While some issuers have regained control of that, dispute volumes increased as summer travel plans were altered to reflect localized Covid-19 resurgence. “The other leg of the stool is that fraudsters recognize that call centers are seeing ridiculous volumes,” she says.
In the past 12 months, 17% of consumers initiated a payment dispute, says John Buzzard, lead analyst for fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research. “It’s likely this number is going to increase as a result of Covid fallout,” Buzzard says.
“Anecdotally,” he adds, “we are hearing from some major processors that they are seeing an increase in friendly fraud chargebacks in the past two months as consumers have increasingly had buyer’s remorse and continuing financial uncertainty. This has been different than initial disputes centered around undelivered goods—think travel—that occurred when lockdowns first went into effect.”
The travel-and-hospitality industry saw a lot more disputes that Wixted says were not necessarily related to fraud, but could have emanated from a customer-service issue. A consumer calling to cancel a flight might have been frustrated by hold times, gave up, and chose to file a dispute, he says.
Menacing Aspect
The other menacing aspect of the pandemic is that online shopping already is at elevated levels as the fourth-quarter holiday shopping season looms.
One concern centers on whether online shopping will continue to outpace prior quarterly sales. In 2019, fourth quarter e-commerce sales accounted for 11.3% of all U.S. retail sales, according to the Census Bureau, up slightly from 11.2% in the third quarter.
“I don’t know if we’ll see high e-commerce volumes month-over-month,” says Sutherland. “Will it stay at a rate that is higher than 2019? One thing that definitely came out of the pandemic is a level of uncertainty as it related to the economy and as to whether a state remains open or closed. Because of the uncertainty, many consumers are hesitant to make big purchase decisions.”
Criminals, too, may be anticipating the fourth quarter. “Not just from a fraud perspective, but from an economic standpoint, there may be more opportunistic fraud,” says Fiserv’s Ritonya. “There may be ways we start to see increases in disputes that are not valid.”
In addition to holiday shopping, the fourth quarter also signals a lot of personal-care purchases. “If the current trajectory for [card-not-present] payments continues, we will see a stronger usage develop around the holidays as health needs shift into consumer staples and personal-care items,” Buzzard says.
He adds: “Scarcity will drive demand and the demand, we anticipate, will mostly likely send more than a few consumers to fraudulent Web sites where they will be victimized in some way.”