These days, when I cautiously venture to my favourite shopping mall on a weekend, I notice how different it is from a year-and-a-half ago, when no one had ever heard of COVID-19. It is busy, but not nearly as busy as it was back then. Sadly, I can rarely find my shoe size as merchandise stocks are low due to COVID-related supply chain issues.
When the world moved online for grocery shopping and other necessities, driven by COVID-19 restrictions, financial criminals followed consumers. The pandemic created a pool of new and existing merchants who needed to quickly move their businesses online in order to survive during the health crisis. They were not always knowledgeable about the need for advanced security tools to prevent ecommerce fraud. Therefore, fraudsters immediately saw them as a target and came up with new ways to cash out.
According to Juniper Research, ecommerce fraud will rise 18% from 2020, to top $20 billion globally this year. More of this online fraud will occur in China than anywhere else. China will account for over 40% of global losses in 2025, estimated to be over $12 billion.
While many merchants are navigating a new territory, trying to develop their business online and balance the need to meet rising customer expectations, fraudsters are sharpening their skills and targeting digital transactions.
Here are the biggest ecommerce payment fraud trends that merchants should be aware of to protect their business, prioritize fraud prevention, and stay profitable.
1. Increase in account takeover fraud (ATO)
The pandemic gave a huge boost to ATO, a type of fraud in which criminals gain access to customer data with the intention of stealing funds. Bad actors can take over a personal or a business account by stealing email addresses, passwords, dates of birth, credit card numbers, and social security numbers. Typically, fraudsters use bots to open accounts and make purchases or steal rewards points.
Fraudsters have been doing ATO for years but were able to put a new spin on it with the rise in services such as Buy Now, Pay Later (BNPL). Since customers aren’t billed right away for the full purchase, there is a lag between the time a fraud occurs and the time it is detected. Criminals see that gap as an opportunity for ecommerce fraud.
Unfortunately, some merchants respond to this rising threat by implementing fraud detection tools and strategies that do not protect as well as they should. The result can be unnecessarily high fraud losses, too many false declines and disputes.
What to do: Implement better systems for multi-level customer authentication. Look for fraud prevention solutions that can spot anomalies in real-time such as purchases from the same card number from multiple locations. Invest in fraud detection systems that can block individual transactions to avoid false positives while still stopping fraudsters.
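The "same card number from multiple locations" anomaly can be checked per transaction. The following is an added example, not code from the article or from any vendor: it generalizes the idea to an implied-travel-speed test between consecutive uses of one card. The event format, card tokens, coordinates and thresholds are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample events: (card token, ISO timestamp, latitude, longitude).
SAMPLE_EVENTS = [
    ("card_A", "2021-11-06T10:00:00", 43.65, -79.38),  # Toronto
    ("card_A", "2021-11-06T10:20:00", 51.51, -0.13),   # London, 20 minutes later
    ("card_B", "2021-11-06T09:00:00", 43.65, -79.38),  # Toronto
    ("card_B", "2021-11-06T18:00:00", 45.50, -73.57),  # Montreal, 9 hours later
]

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implausible_travel(events, max_kmh=MAX_KMH, min_km=50.0):
    """Flag single transactions whose location cannot be reached from the
    card's previous use in the elapsed time. Returns (card, timestamp, km)."""
    last = {}      # card -> (time, lat, lon) of its previous use
    flagged = []
    for card, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if card in last:
            prev_when, prev_lat, prev_lon = last[card]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Guard against a zero interval when two events share a timestamp.
            hours = max((when - prev_when).total_seconds() / 3600, 1 / 3600)
            # min_km ignores small jumps caused by imprecise geolocation.
            if km >= min_km and km / hours > max_kmh:
                flagged.append((card, ts, round(km)))
        last[card] = (when, lat, lon)
    return flagged
```

Only the second card_A transaction is flagged, so the response can target that one transaction rather than the whole card or customer.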
2. New account fraud is on the rise
A recent report from Arkose Labs shows that fake new account registrations comprised over one-third of attacks detected in 2021, an increase of over 70% from the end of 2020. Many merchants, especially large businesses, had an inflow of good customers opening accounts online to complete purchases during the pandemic. It created a perfect cover for cyber criminals who could easily go undetected in the crowd by creating fake accounts and later using them for any illegal activity, such as spam, phishing and info scraping.
Recently, fraudsters also started relying more and more on the creation of synthetic identities – a fraud technique that uses a combination of stolen personal information and false details. For example, fraudsters create a new identity using a real social security number, but a fake name and contact details. Once the synthetic identity is set up, a fraudster can apply directly to get a credit card or target card owners with good credit. Criminals can then max out the credit limit and disappear.
What to do: Closely monitor new accounts, especially if you offer a welcome incentive. Account fraud with stolen or synthetic identities can be detected with fraud detection software that uses dynamic behavioral analysis. Such tools analyze user browsing behaviors, account log-in behavior, physical biometrics, device interaction data, and geolocation behavior. They can spot new fraud schemes and attacks that are not yet exposed.
3. Increase in rapid card testing
Card-not-present fraud is nothing new. However, with digital purchases at least doubling since 2019, fraudsters have been quick to take advantage of the segments of the population who are relatively new to using credit cards online. Original internet scams such as phishing continue to evolve, giving criminals more access to pieces of information like credit card numbers, CCVs, names, and other personal information.
Since the start of the pandemic, fraudsters have improved their ability to test stolen cards in various ways. For example, one common method is to test stolen cards by making small purchases online in an attempt to build an online history. Furthermore, fraudsters have learned how to do this at a larger scale, resulting in large numbers of fake new accounts and cards that are in good standing. If enough smaller purchases go through, the fraudsters learn which card numbers would be a safe bet to attempt purchases of high-value products, which can then be resold.
What to do: Software with supervised and unsupervised machine learning capabilities is essential here for an in-depth transaction data analysis and spotting anomalies in real-time. The more data points merchant fraud systems can refer to, the more accurate they can be when it comes to making decisions on whether a transaction should be flagged, or blocked immediately. While most other fraud solutions can only score and make decisions based on observations per customer segment or group, fraud detection systems are far more accurate if they generate a machine learning risk score for each and every customer, card or device.
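The card-testing pattern described above (many small purchases across many cards in a short time) leaves a per-device trace that can be detected. The following is an added example, not code from the article: a simple rule-based velocity check per device, not the machine learning scoring recommended here. The transaction format, device ids, card tokens and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, device id, card token, amount).
SAMPLE_TXNS = [
    ("2021-11-06T12:00:05", "dev-1", "card_01", 1.00),   # dev-1: five cards,
    ("2021-11-06T12:00:40", "dev-1", "card_02", 1.00),   # tiny amounts,
    ("2021-11-06T12:01:10", "dev-1", "card_03", 1.50),   # under four minutes
    ("2021-11-06T12:02:00", "dev-1", "card_04", 0.99),
    ("2021-11-06T12:03:30", "dev-1", "card_05", 1.00),
    ("2021-11-06T12:01:00", "dev-2", "card_20", 3.25),   # dev-2: one customer,
    ("2021-11-06T12:04:00", "dev-2", "card_20", 4.10),   # one card
    ("2021-11-06T12:06:00", "dev-2", "card_20", 89.00),
    ("2021-11-06T08:00:00", "dev-3", "card_30", 2.00),   # dev-3: shared kiosk,
    ("2021-11-06T11:00:00", "dev-3", "card_31", 2.00),   # four cards spread
    ("2021-11-06T14:00:00", "dev-3", "card_32", 2.00),   # over nine hours
    ("2021-11-06T17:00:00", "dev-3", "card_33", 2.00),
]


def card_testing_alerts(txns, window=timedelta(minutes=10), small=5.00, min_cards=4):
    """Alert once per device when it attempts small purchases with at least
    min_cards distinct cards inside a sliding time window.
    Returns (device, timestamp of the triggering transaction, distinct cards)."""
    recent = defaultdict(deque)  # device -> (time, card) of recent small purchases
    alerted = set()
    alerts = []
    for ts, device, card, amount in sorted(txns):  # ISO timestamps sort correctly
        if amount > small:
            continue  # only low-value purchases count as probes
        now = datetime.fromisoformat(ts)
        q = recent[device]
        q.append((now, card))
        while now - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= min_cards and device not in alerted:
            alerted.add(device)
            alerts.append((device, ts, len(distinct)))
    return alerts
```

Keying the window on the device rather than on a customer segment follows the article's point about scoring each customer, card or device individually; the same structure works keyed on IP address or account.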
4. BOPIS is here to stay
Over the last year, food and drink ecommerce has seen the biggest growth of 53%. As consumers complied with COVID-19 restrictions to protect themselves from the virus, they started using services such as buy online, pick up in-store (BOPIS). While curbside pickup was a significant source of revenue for many retailers, BOPIS fraud attacks took center stage.
According to the 2021 Retail Security Survey from the National Retail Federation (NRF), almost 39% of retailers identified BOPIS among the areas where ecommerce fraud incidents increased the most this year. Last year, only 19% of retailers picked BOPIS.
Prior to the pandemic, curbside pickup sales were only a small proportion of overall sales volumes. Store staff could easily check the customer’s details and screen the transaction for fraud. As the number of curbside orders spiked significantly, up to 300% in some cases, traditional manual review of the orders was no longer possible. Fraudsters take advantage of the opportunity where the time between a sale and a pick up is short, and where they can avoid signature or PIN verification while using a stolen credit card.
Since consumers appreciate the convenience of curbside pickup service and retailers continue to make it available, BOPIS fraud is likely here to stay. Whether or not it continues to increase will depend upon the ecommerce fraud prevention measures set in place by merchants.
What to do: Use real-time transaction monitoring tools to spot anomalies on the fly when the order is placed. Train dedicated staff to work exclusively on curbside pickup orders and ask them to perform identity verification of customers.
5. Rise of friendly fraud chargebacks
The 2021 Chargeback Field Report from Chargebacks911 showed that 8 out of 10 merchants have seen an increase in friendly fraud chargebacks, driven by the pandemic. Friendly fraud happens when a customer makes a purchase with a card and then disputes it with the bank. The intent behind it can be malicious (for example, the customer received the delivery, but denies that in order to receive the money back), or unintentional (a customer made a purchase and didn’t recognize the merchant descriptor in the card statement).
Many businesses still don’t know how to identify this type of fraud, let alone prevent it. The number of these incidents will continue to rise as it’s now easier to commit them, due to the volume and nature of online shopping.
What to do: Use a clear billing descriptor to avoid customer confusion. Improve communications with customers with delivery confirmation. Independently audit the entire payment transaction journey to spot suspicious activity.
Overall, 2021 has brought merchants more sophisticated ecommerce fraud attacks, as bad actors have adapted quickly to increased online transactions. The nature of payment fraud tactics also makes fraud detection challenging. For example, personal data stolen this year may be used years later, making it harder to discover fraud incidents.
As merchants continue to feel the pressure of fulfilling their everyday orders, keeping their customers happy, and balancing legal regulations, investment in real-time fraud prevention and detection tools, as well as a proactive anti-fraud strategy, will be more important than ever.