Data Breaches and Identity Theft Are Fuelling E-commerce Fraud
The pandemic birthed a new era for e-commerce fraud, and the risks and vulnerabilities have never been greater. Data breaches and credential phishing alone exposed more than 1.1 billion personal records last year and resulted in billions of dollars in losses for merchants through chargebacks, lost revenues and damaged customer relationships.
Understanding these fast-growing threats can help businesses protect their online channels and their customers from fraud. With so much data available, fraudsters have lots of options besides using stolen cards to make online purchases.
Here in our latest guest post, Rafael Lourenco delves into why e-commerce businesses must engage in more anti-fraud strategies.
Lourenco is executive vice president and partner at ClearSale, a card-not-present (CNP) fraud protection operation that helps retailers increase sales and eliminate chargebacks before they happen.
The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives:
E-commerce businesses have always had to worry about fraud, almost always in the form of CNP fraud or return fraud. Increasingly, other types of crime are also affecting e-commerce, either directly or indirectly contributing to chargebacks, lost revenue, and damaged relationships with customers. Understanding these fast-growing threats can help businesses protect their online channels and their customers from fraud.
So, what are the types of crime that are making it easier for fraudsters to target e-commerce sites? The first is data breaches. The Verizon Data Breach Investigations Report (DBIR) team analysed 5,212 confirmed data breaches at organisations around the world during 2021, and these breaches exposed more than 1.1 billion personal records. These records can be email addresses, passwords, social security or credit card numbers, or any other type of personal data that may go up for sale among criminals.
The second type of crime that sets the stage for more e-commerce fraud is credential phishing. Phishing — sending an email or text message tricking the recipient into sharing information — was the attack mode for more than 60 per cent of socially engineered data breaches in 2021, according to the DBIR.
When attackers use phishing to steal credentials, they can often then access the email network of the victim to steal more data from co-workers, customers, and vendors. If they can find a way to access file systems with those credentials, they can also copy the information in databases — another data breach — or encrypt it and hold it for ransom.
While system intrusions accounted for most breaches in 2021, phishing wasn’t far behind, and it doesn’t seem to be slowing down. In a recent trends report, credit reporting agency Experian predicted that social engineering (aka phishing) will continue to target consumers and ‘could result in billions of dollars of losses in 2022’.
More stolen data, more e-commerce fraud options
With so much data available, fraudsters have lots of options besides using stolen cards to make online purchases. With stolen account credentials, they can simply log in to victims’ retail, banking, or social media accounts and start buying things using the payment methods linked to those accounts.
This account takeover (ATO) fraud can be difficult for businesses to detect if they’re using an approved list to screen orders, because the orders will look like they’re coming from a known good customer.
ATO can also give fraudsters access to customers’ loyalty accounts, which they can use to make purchases or exchange for gift cards. With the loyalty point market forecast to be worth $215 billion in 2022, it’s not surprising that this kind of fraud is on the rise.
Stolen data also allows fraudsters to create synthetic identities, cobbled together with a real person’s name and address, perhaps someone else’s social security number or credit history, and a new email address connected to the thief.
This kind of identity fraud is a long-term play in which criminals open bank accounts or lines of credit with their fake identities, and then build credit to make major purchases before disappearing with the goods. Meanwhile, the people whose data was used in the fraud, sometimes including children, may suffer credit damage that takes months or years to repair.
If this sounds like something that’s too complex for a lone fraudster, you’re correct. These types of fraud are typically the work of organised crime rings, who caused 79 per cent of the breaches the DBIR team analysed in 2021.
These groups also have the funds to hire botnets, not only to launch data breach and phishing attacks but also to commit ATO and CNP fraud at scale. This kind of attack can quickly raise an online store’s chargeback costs. It can also cost the store customers.
Eighty-four per cent of consumers in ClearSale’s 2021 State of Consumer Attitudes on Fraud and CX survey said they would never shop again with a retailer or website that allowed fraud with their card.
E-commerce businesses need more anti-fraud strategies
A recent Experian survey found that ‘65 per cent of businesses plan to increase their fraud detection budget’ this year, which is a reflection of the fraud landscape they face. Retailers that are strategic with their spending will see the best results.
With so much data available to fuel so many different fraud tactics, screening orders for CNP fraud is no longer enough to protect businesses and customers. In addition, e-commerce businesses should consider adopting these anti-fraud best practices:
No more automatic approvals for repeat customers: Approved lists of good customers can lead to fraud if those customers’ accounts are taken over and used to place orders. Screen every order, even those from repeat customers.
Evaluate orders based on multiple factors, not just card data: Behavioural biometrics and customer history online can help weed out new customer accounts created by fraudsters using fake identities and associated payment accounts.
Consider batch analysis of orders: By analysing random batches of seemingly unrelated orders, you may find that many have the same bank identification number, a possible indicator of synthetic identity fraud. You can then manually review those orders and cancel them if they’re fraudulent.
Review flagged orders: Manual review can prevent false declines and help your artificial intelligence (AI) learn how your good customers behave versus fraudsters.
Strengthen your organisation’s data security: Patching, updating, endpoint monitoring, and planning for incident response can help reduce the threats to your company’s customer data. Require that customer accounts use strong passwords or other reliable authentication to keep fraudsters out of payment and loyalty accounts.
Finally, keep a close eye on your chargeback rates and your false decline rates to see how they’re trending and respond as needed, and monitor your brand’s mentions on social media and the web to prevent phishing attacks under your brand’s name.
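The batch analysis described above can be sketched as follows. This is an added example, not code from the article or from ClearSale; the order fields, the six-digit BIN length, the baseline shares and the thresholds are all assumptions chosen for illustration. It flags a BIN only when it is over-represented against the store's usual mix and spread across several distinct accounts, so a single repeat customer or a popular issuer does not trigger review.

```python
from collections import defaultdict

# Constructed sample batch: (order_id, account_email, card_bin).
# Only the BIN (first six digits, an assumption; some issuers use eight) is
# stored here, never the full card number.
ORDERS = [
    ("o-1001", "ana@example.com", "411111"),
    ("o-1002", "ana@example.com", "411111"),
    ("o-1003", "ana@example.com", "411111"),
    ("o-1004", "k.r1@example.net", "510510"),
    ("o-1005", "k.r2@example.net", "510510"),
    ("o-1006", "k.r3@example.net", "510510"),
    ("o-1007", "k.r4@example.net", "510510"),
    ("o-1008", "li@example.org", "400000"),
    ("o-1009", "sam@example.org", "555555"),
    ("o-1010", "joe@example.org", "400000"),
]

# Constructed historical share of orders per BIN for this store.
BASELINE_SHARE = {"411111": 0.20, "400000": 0.25, "510510": 0.02, "555555": 0.05}

def bin_clusters(orders, baseline, min_accounts=3, min_lift=5.0, floor=0.01):
    """Flag BINs over-represented versus baseline across many distinct accounts."""
    groups = defaultdict(lambda: {"orders": [], "accounts": set()})
    for order_id, email, card_bin in orders:
        groups[card_bin]["orders"].append(order_id)
        groups[card_bin]["accounts"].add(email.strip().lower())
    flagged = {}
    for card_bin, g in groups.items():
        share = len(g["orders"]) / len(orders)
        # Unseen BINs get a small floor so the lift stays finite.
        lift = share / max(baseline.get(card_bin, 0.0), floor)
        if len(g["accounts"]) >= min_accounts and lift >= min_lift:
            flagged[card_bin] = {"lift": round(lift, 1),
                                 "accounts": len(g["accounts"]),
                                 "orders": sorted(g["orders"])}
    return flagged

def review_queue(orders, baseline, **thresholds):
    """Order IDs to send to manual review, not to cancel automatically."""
    flagged = bin_clusters(orders, baseline, **thresholds)
    return sorted(o for info in flagged.values() for o in info["orders"])

if __name__ == "__main__":
    for card_bin, info in bin_clusters(ORDERS, BASELINE_SHARE).items():
        print(card_bin, info)
```

The output is a queue for manual review; a shared BIN is an indicator, and the decision to cancel stays with the reviewer.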
Fighting fraud is unfortunately not as straightforward as it once was, but it’s possible to protect your business and your customers.