Forter has released its 9th annual Fraud Attack Index. At 46 pages, it paints a damning picture of how fraud prevention solutions are failing as people shift to online shopping. More importantly, the rise in data breaches is allowing fraudsters to lay the groundwork for future attacks.
Forter is not the only organisation concerned about the rise in online fraud. Three weeks ago, Action Fraud, the national centre for reporting cybercrime, reported that £19 million in bank fraud had been prevented by bank staff and police. In June, it also reported that since lockdown started, online shopping fraud was responsible for losses of over £16 million.
One problem is that the number of legitimate transactions is outstripping the number of fraudulent transactions. Although this shows that fraud, as a percentage of transactions, is dropping, the reality is that it is still increasing. The danger here is that retailers and merchants will misread the numbers and find themselves caught out.
Michael Reitblat, CEO and Co-Founder of Forter, comments: “A rapid rise in new customer accounts, coupled with having to pivot quickly from brick-and-mortar to online sales channels, put unprecedented stress on merchants as they tried to perfect the e-commerce experience. It is clear from what we’ve seen that some retailers were more agile and prepared for this than others, quickly introducing new services such as curbside pickup and Buy Online, Pick-up In-Store, in a bid to retain new customers.
“To fully realize this new revenue potential, merchants need more accurate fraud prevention that can distinguish between these valuable new customers and fraudsters. Merchants can have a false decline rate between 5-7x higher for new customers – typical of legacy systems that do not have sufficient data on new account holders.”
A shift in shopping is a boon for fraudsters
The shift from in-person shopping to buying online has made life easier for fraudsters. They can take advantage of the lack of physical contact to mask their behaviour. The report calls out one specific fraud, buy online, pick up in-store (BOPIS), which has seen a 55% increase in fraud attacks.
It is often a combination of attacks that come together to defraud victims. The fraudster uses stolen details of the victim to place a legitimate order. They then arrange to collect in-store with forged or even stolen identity documents. The retailer hands over the goods, believing that this is a legitimate transaction. Interestingly, the report also says that some retailer staff are ignoring their policies and not checking identity thoroughly.
Another fraud, returns abuse, has seen a 43% decrease. One reason could be that with lockdown, people are going out less. It means that people buying, wearing and returning clothes have no reason to do so. With few people in-store and most stores closed, the use of receipts to claim false refunds has also fallen.
Account takeover set to soar
The rise in data breaches has made it easier for fraudsters to carry out identity theft. The rise in BOPIS is one example of this. Another form of fraud, enabled through data breaches, is Account Takeover.
Many people are shopping online for the first time and find themselves having to create user accounts on multiple stores. It has led to poor password hygiene and reuse. It makes them susceptible to data gathered in breaches and brute force attacks.
It is not just the customer who is at fault here. Many stores have gone online for the first time during the pandemic. They lack the security skills to protect their sites and customer data. However, there are also failings by established online retailers. The use of card skimming software to steal customer data has been found on websites of large and small organisations.
Forter warns that: “Retailers need to prepare for increasing ATO attacks during the holiday season.” It estimates that account-focused fraud attack losses will reach $25.6 billion in 2020.
Allied to ATO is loyalty fraud. Over 22% of consumers shop exclusively with brands whose loyalty programmes they are members of. While numbers are down significantly, Forter puts this down to the current travel industry woes. As people get back to travel, it expects them to pick up soon. It is seeing loyalty account details currently being stolen by fraudsters and banked for future use. One reason for saving the details is that the older the account, the more likely it is to be seen as trusted.
What are the most stolen items?
Many of the most stolen items are those that fraudsters can cash in on quickly. This is nothing new but still requires vigilance from retailers. Some of the key areas are:
- Apparel and accessories: Over order value per attack is $255, and fraud against branded apparel is 1.5x the average.
- Digital goods: Gift cards are often used as a currency by fraudsters. One fraud around tax threatens victims with court action and offers them a way out if they pay in gift cards. Digital currency gift cards see fraud at 5x the normal rate. For downloads such as apps and music, it is 3x and for console games 2x. Fraudsters make around 25-60% of the value of the card when it is resold.
- Electronics: High value, easily resold, and a favourite of fraudsters. Consumers’ purchases of accessories for computers, tablets and laptops soared by 41% during the lockdown. It has led to shortages of graphics cards, webcams and microphones. Items are sold cheaply on resale and used goods sites.
- Cryptocurrency: The anonymity and ease of cash out make all cryptocurrencies attractive to cybercriminals, not just those engaging in fraud. Fraud attacks (65%) currently outstrip transaction volumes (41%), showing its popularity.
- Food and beverage: No surprise that food and drink are being hit hard. Transaction volumes have soared, especially as people can’t go out eating and drinking. So what are fraudsters' favourite tipples and foods? Tequila (27x), Champagne (17x) and Cognac (16x) are top of the hit list. Wine (<2x) is a surprise. Presumably, it doesn’t fit the lifestyle. There are some oddities here. Baby formula fraud is up 7x. Meanwhile, fraud has fallen significantly for diet drinks (5x), organic groceries (4x) and spinach (8x). It seems fraudsters are not fans of Popeye and healthy eating.
Enterprise Times: What does this mean?
Fraud is too often characterised as a nuisance rather than a serious issue. Many transactions are small, but they all add up. It is also a crime where the victim is often blamed and accused of being stupid, lazy or even complicit. That is far from the case.
Retailers and merchants, despite massive investments in technology, are just as culpable. The ease with which skimming software ends up on online stores shows that there is not enough care taken by retailers. The same is true when it comes to data breaches. They currently stand at an all-time high with billions of users losing their data. Most of the attacks come through known vulnerabilities that businesses failed to patch.
All that data is compiled and sold by cybercriminals. For fraudsters, the more information they have, the more effective the fraud. However, when retailers don’t do proper checks on identity, frauds such as BOPIS are made easier.
In the next few months, we will see the biggest retail events of the year: Black Friday, Cyber Monday and Christmas. On these numbers, the only people likely to be celebrating at the end of 2020 will be the fraudsters.