Digital Transactions Authoritative, insightful and timely information for payments professionals
No longer content to use a stolen credit card, criminals are targeting e-commerce merchants for everything from customer account data to loyalty points to BNPL fraud.
Criminals follow the money, and, with e-commerce booming and more merchants selling online than ever before, it’s no surprise that fraudsters are flocking to the online channel. Fraud is nothing new for e-commerce merchants. What’s changed are the methods criminals are using to perpetrate it.
They’re actively targeting consumer accounts on merchant sites to commandeer those accounts and gain access to the data within them. They can use this data to create synthetic identities or sell it on the black market.
Criminals’ focus on account takeover is tied to the fact that identity verification is a primary element in the payment process. Taking over a consumer’s account on a merchant’s Web site gives criminals access not only to the consumer’s personal data, but also to any payment information the consumer may have stored in the account.
With access to the customer’s payment data, criminals can make purchases with that e-commerce merchant. To ensure they receive the goods, criminals simply need to change the shipping address on file or make the purchase online and pick-up curbside.
‘Massive Acceleration’
One of the most common methods used for account takeover is credential stuffing. Thanks to data breaches becoming a common occurrence, criminals can purchase lists of consumer passwords and user names on the dark Web. The cyberthieves then launch an attack that forces that data into customer accounts until a combination is found that opens an account.
Once in control of that account, criminals can use the password to try to take over other accounts the victim may have elsewhere on the Internet, cybersecurity experts say.
Criminals are even using the information in a customer’s account to fraudulently apply for a buy now, pay later loan that will never be repaid, says Erika Dietrich, head of merchant payments analytics & optimization at ACI Worldwide Inc.
“We’re seeing a huge increase in credential stuffing as part of account-takeover attempts,” Dietrich says. “Once in control of an account, criminals can change the attributes of the account to perpetrate fraud, such as changing the shipping address on the account after making a fraudulent purchase.”
Besieged by so many attack vectors, e-commerce merchants are at risk of losing more than $20 billion in 2021 to online fraud, compared to $17.5 billion in 2020, according to Juniper Research. The projected losses represent a 14% year-over-year increase.
“When the pandemic hit, there was a massive acceleration of digital fraud in the space of a few months, and that acceleration is continuing,” says Rich Stuppy, vice president and senior customer experience leader at Kount Inc., which provides fraud-prevention and detection solutions.
‘A Step Away from Cash’
Helping fuel the rise of e-commerce fraud is that many merchants that did not have an online presence prior to the pandemic raced to launch a site. In their rush, many merchants did not take all the necessary precautions against fraud.
That opened the door for criminals to get creative. “Criminals are attacking e-commerce merchants differently now and targeting all touchpoints in the customer journey to extract data they can monetize or fraudulently [use to] obtain items of value,” Stuppy says.
One targeted item of value is loyalty points. Once in control of a consumer’s account on a merchant site, criminals can access any loyalty points in the account. If there are enough points, criminals will use them to purchase a product that can easily be resold or cash them out, if that option exists.
Another tactic is to transfer loyalty points from a consumer’s account to another controlled by the criminal, who can then sell access to them online.
Prior to the pandemic, airline and hotel miles were popular targets, but with air travel and hotel stays dropping off considerably, criminals have turned their attention to retail loyalty programs, fuel rewards, and even supermarket loyalty programs, cybersecurity experts say.
Cybercriminals will also sell loyalty points direct to unsuspecting consumers by advertising on a social-media site, such as Twitter or Instagram. The deal might allow a consumer to purchase $100 worth of loyalty points for $50, for example. The unsuspecting consumer is typically instructed to pay using cryptocurrency, which makes the transaction even more anonymous. Once payment is received, the points are transferred.
A big part of what makes loyalty points a prime target for criminals is that most consumers forget they have accrued them and often neglect their loyalty accounts. That means they are likely to discover their points have been stolen well after the fact. “Loyalty points are a step away from cash,” Stuppy says.
Another new wrinkle in the fraud threat is the use of Internet bots—applications programmed to perform repetitive, pre-defined tasks—to attack merchant inventories by placing bulk orders using thousands of different customer identities for popular items that can be quickly resold.
Such attacks are a nightmare for e-commerce merchants as they not only lose the inventory to fraud, they also have to turn down sales to legitimate customers. That can hurt customer loyalty, says Dan Holden, vice president of cybersecurity at e-commerce platform provider BigCommerce.
Criminals are also using bots to test thousands of stolen credit card numbers at one time preparatory to credential-stuffing attacks. “Malicious bot attacks really ramped up during the pandemic, particularly inventory scams,” says Holden. “These types of campaigns are increasingly complex and sophisticated, and detecting them can be really challenging, since they’re built to mimic human behaviors and appear like real customers to the unsuspecting retailer.”
‘Fraud Is A Profession’
To guard against the increasing sophistication of criminal attacks, cybersecurity experts recommend merchants deploy fraud-detection engines.
This technology uses artificial-intelligence applications that continually learn about customer-behavior patterns to reduce the risk of false positives, which can cause legitimate transactions to be declined. Decline rates for e-commerce purchases are in the 15% range, compared to about 1% in the physical world, Stuppy says.
Another advantage of artificial intelligence is that it makes it harder for criminals to beat fraud screens. “Rules-based systems are built around data points, and criminals have shown they can engineer fraud schemes that get around those data points to beat the rules,” says Colin Sims, chief operating officer at Forter, a provider of fraud-prevention technology. “Rules-based solutions began showing their limitations about 10 years ago,”
Effective fraud prevention also requires e-commerce merchants to take a multi-layered approach by deploying fraud-detection tools at every stop along the customer journey. “Frauds trends can change daily, hourly, even by the minute,” ACI’s Dietrich says. “Merchants need to deploy multiple fraud-detection tools at every customer touchpoint, not just one or two.”
With no sign of e-commerce fraud slowing down any time soon, cybersecurity experts say e-commerce merchants must be more diligent when it comes to fighting fraud and preventing false positives. The latter can be quite harmful, as many consumers who took to shopping online during the pandemic have made it a regular habit. They could be easily driven away if declined because of a false positive, experts say.
“Fraud is a profession, and criminals have better access to data that can help them perpetrate fraud by manipulating identities,” says Sims. “The challenge for merchants is to unmask a criminal when he shows up with a manipulated identity.”
