As the world spends more time shopping online, fraudsters spend more time targeting eCommerce merchants. A recent FIS/Worldpay risk mitigation survey found that more than half of merchants in 11 countries saw increases in synthetic identity fraud, account takeover fraud and identity theft/new account fraud in 2020. To protect their revenue and their customer experience, merchants need to understand how these attacks work and how to reduce their risk.
Synthetic Identity Fraud
Synthetic identity fraud happens when fraudsters combine data from multiple victims into a new persona—one that looks like a good consumer but is just a fraudster’s avatar. With a cobbled-together identity, criminals can open bank accounts, apply for loans, get credit cards and play the long game by shopping until the bills come due.
Fifty-five percent of the executives in the risk mitigation survey reported more synthetic identity fraud in 2020 than in 2019, with that figure rising to 61% for executives in Asia-Pacific countries (APAC). However, this kind of fraud was already trending before the pandemic. A January 2019 McKinsey report called synthetic identity fraud the “fastest-growing type of financial crime in the United States.”
Synthetic ID fraud causes a number of problems for merchants—they lose goods plus processing and shipping costs, and the fraudsters also sometimes file chargebacks. In cases where merchants have extended lines of credit to these synthetic customers, they may waste money trying to recover revenue from shoppers who don’t exist.
Because synthetic ID fraudsters target banks and credit card issuers first, McKinsey recommends that financial institutions use more third-party data to vet new customers. By checking to see if applicants are using data like email addresses, Social Security numbers and employers that correlate to other people, banks have a better chance of spotting fraudsters before they open accounts.
Merchants can reduce their risk of synthetic fraud by using AI, customer data and behavioral biometrics to authenticate first-time customers during the order screening process. That evaluation can look for potential fraud indicators like a new cellphone account, new email address and the use of VoIP—often via a “burner” phone—to place orders. Merchants can also implement batch analysis to look for orders with different customers' names but the same address and phone information—another indication of possible synthetic fraud.
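The batch analysis described above can be sketched as follows. This is an added example, not code from the survey or any vendor; the order fields, the normalization rules and the sample orders are assumptions constructed for illustration. Clusters it returns are candidates for analyst review, not automatic rejections.

```python
import re
from collections import defaultdict

# Constructed sample orders (not real data).
ORDERS = [
    {"id": "A1", "name": "Dana Reyes",  "address": "12 Elm St., Apt 4", "phone": "(555) 010-2000"},
    {"id": "A2", "name": "Marcus Lowe", "address": "12 elm st apt 4",   "phone": "555-010-2000"},
    {"id": "A3", "name": "Priya Nair",  "address": "12 Elm St Apt 4",   "phone": "+1 555 010 2000"},
    {"id": "A4", "name": "Dana Reyes",  "address": "12 Elm St., Apt 4", "phone": "555.010.2000"},
    {"id": "A5", "name": "Sam Ortiz",   "address": "98 Oak Ave",        "phone": "555-010-3111"},
    {"id": "A6", "name": "sam ortiz",   "address": "98 Oak Ave.",       "phone": "5550103111"},
]

def norm_phone(phone):
    """Keep digits only; compare on the last 10 so '+1' prefixes match."""
    return re.sub(r"\D", "", phone)[-10:]

def norm_text(value):
    """Lowercase, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", value.lower()).split())

def shared_contact_clusters(orders, min_names=2):
    """Return clusters where >= min_names distinct names share address+phone."""
    groups = defaultdict(list)
    for order in orders:
        key = (norm_text(order["address"]), norm_phone(order["phone"]))
        groups[key].append(order)
    flagged = []
    for (address, phone), members in groups.items():
        names = {norm_text(m["name"]) for m in members}
        if len(names) >= min_names:
            flagged.append({
                "address": address,
                "phone": phone,
                "names": sorted(names),
                "order_ids": sorted(m["id"] for m in members),
            })
    return flagged

if __name__ == "__main__":
    for cluster in shared_contact_clusters(ORDERS):
        print("review:", cluster)
```

Without normalization, the four orders at the first address would land in four different groups and the cluster would be missed; the repeat customer at the second address is correctly left alone.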
Account Takeover Fraud
Fifty percent of surveyed executives said their companies endured more ATO fraud in 2020 than in 2019. ATO fraud, which is committed with stolen or cracked credentials, is, unfortunately, becoming easier all the time. That’s in part because there are so many data breaches that expose login credentials and because up to 65% of people use the same password for multiple accounts. When a tranche of passwords is exposed in a breach, fraudsters use bots to test them across other accounts until they find other stores where they can log in, impersonate the breach victims, and use the victims’ payment methods to make purchases.
Bots enable ATO fraud in other ways, too. Security company Imperva describes how fraudsters create “canary” accounts with target merchants, then use bots to try to log in with a batch of stolen credentials. If, after trying that batch, the fraudster can’t log back in with their canary account, they know that “a security rule was triggered, and the bot operators should change their behavior.” This tactic is similar to card testing, in which criminals enter different CVVs for stolen card numbers until they hit a match they can use. The solution is similar, too: limit the number and velocity of attempts a user can make to enter login (or card) data correctly before the IP address is blocked.
To detect cases where the fraudsters have already worked out the correct login, merchants can use historical customer data, behavioral biometrics, location and device data, and the customers’ order recency and velocity to flag possible ATO.
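A minimal version of that attempt-and-velocity limit, as an added example rather than any vendor's implementation: the class name, the thresholds (5 failures in 60 seconds, 15-minute block) and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginVelocityGuard:
    """Sliding-window limiter on failed logins per source IP."""

    def __init__(self, max_failures=5, window_s=60, block_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.block_s = block_s
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Record one attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"                 # even valid credentials are refused
        if success:
            return "ok"                      # a success does not reset the IP's count
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - self.window_s:
            window.popleft()                 # drop failures older than the window
        if len(window) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_s
            window.clear()
            return "blocked"
        return "failed"

def replay(events, guard):
    """Run (timestamp, ip, success) events through the guard."""
    return [guard.record(ip, ok, ts) for ts, ip, ok in events]

# Constructed events using documentation-range IPs: a fast burst of failures
# from one address, and a slow, typo-prone user from another.
EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 6)]
    + [(10, "203.0.113.7", True)]
    + [(t, "198.51.100.4", False) for t in (0, 40, 80, 120)]
    + [(130, "198.51.100.4", True)]
)

if __name__ == "__main__":
    print(replay(EVENTS, LoginVelocityGuard()))
```

The burst is blocked on its fifth failure and stays blocked even when valid credentials follow, while four failures spread over two minutes never reach the threshold, so the slower user still logs in.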
Identity Theft and New Account Fraud
Fifty-two percent of surveyed executives reported more identity theft and new account fraud in 2020 than the year before. Consumer identity theft losses reached $56 billion in the U.S. alone last year, according to Javelin Strategy & Research. Analysts say the surge was driven in part by an increase in phishing scams related to the pandemic.
Whether thieves obtain personal information like Social Security numbers through phishing or data breaches, they can use it to open accounts in the names of the victims and then make purchases until the victims realize what’s happening and alert their banks. As with ATO fraud, the most effective prevention authenticates customers via behavioral biometrics like their purchase history, behavior on the site, order recency and velocity as well as their device and IP data to detect anomalies.
Creating a More Comprehensive Anti-Fraud Program
It’s important to keep in mind that despite the rise in fraud—and despite the need to block bots that are testing logins or card data—anomalies in customer behavior shouldn’t lead to automatic rejection of orders. That’s because the way we shop, work and live has been evolving rapidly since March 2020, and rejecting a good customer by mistake makes it likely that they will never return. Instead, flagged orders should be reviewed by a fraud analyst who can approve or reject them.
By layering AI-driven customer authentication tools and expert analysis with other fraud scoring practices, merchants can prevent fraud losses, stymie bot attacks and discourage fraudsters from targeting their stores, while keeping the shopping experience positive and productive for good customers.