As the holiday shopping season gets into full swing, merchants aren’t the only ones expecting to have a prosperous year. Fraudsters, too, are out to grab their illicit share of the money changing hands (or accounts) in the weeks ahead. Especially susceptible to theft by fraud are millions of e-commerce merchants who are unprepared to identify and stop the bad transactions that should never be completed.
The COVID-19 pandemic has driven e-commerce to new heights. According to the U.S. Department of Commerce, the highest annual e-commerce growth rate in two decades occurred in 2020, when online sales experienced a year-over-year increase of 32.4 percent. The growth rate for 2021 is projected to be “only” 17.9 percent. That’s the good news. The bad news is, when more purchases are made online, the opportunities for fraud grow as well.
Looking back at the 2020 holiday shopping season, TransUnion reports the days with the highest percentage of suspected fraudulent e-commerce transactions were:
You read that right. More than a quarter of all e-commerce transactions on Cyber Monday alone were suspected to be fraudulent. Those are stunning numbers that are simply unsustainable for even the most profitable businesses. Jupiter Research estimates that merchants will lose $130 billion worldwide to online payment fraud between 2018 and 2023. LexisNexis Risk Solutions says that amounts to 1.8 percent of revenue for businesses in an industry where margins can be thin from the start.
Merchants’ losses can add up quickly with online payment fraud. Say a fraudster is using a stolen credit card account to buy something online (not hard to do considering there are tens of millions of stolen account records for sale on the Dark Web). If the sale goes through – which it most likely would since the card is legitimate, albeit stolen – the merchant loses the merchandise that has been ordered and shipped.
But then, when the legitimate owner of the card reports the fraud to their bank, the merchant is charged for the fraudulent purchase and also must pay a chargeback fee to the payment provider. Thus, the merchant is out the cost of the stolen product plus fees associated with reversing a fraudulent payment.
Another type of fraud that plagues retailers – both online and brick-and-mortar stores – is return fraud. In this scenario, a customer requests a refund for a purchase when he doesn’t have a legitimate right to a refund. Perhaps the product wasn’t even purchased from that store, or it was purchased weeks ago, outside the retailer’s stated window for refunds. Return fraud occurs all year round but picks up during the bustling holiday season when merchants are handling larger volumes of sales and returns.
An interesting aspect of return fraud is that it often involves employees in the scheme to steal from the merchant. An unscrupulous cashier could initiate a fake return where there is no actual product coming back to the store, and then simply keep the cash that would normally be given to the customer. Cash goes out but no product comes back, making the store record the loss as shrink and lowering overall revenue.
In the hectic days post-holidays, when millions of returns are made, return fraud losses skyrocket. The National Retail Federation says that in 2020, approximately 5.9 percent of returns were fraudulent, resulting in losses of $25.3 billion for retailers.
Many online fraud-detection platforms rely primarily on static rule-based detection, with machine learning used to optimize rule sets and proactively suggest new, more effective rules. However, fraudsters have learned a few techniques to try to avoid detection by these types of solutions.
One technique is to mimic a typical online shopping pattern, where someone scrolls through multiple product pages and might even use a “compare these products” tool or look at product reviews. Then, a big-ticket item is placed in the cart and purchased with the purloined payment information. By looking like a typical purchase process, the fraudster makes the behavior less suspicious and skirts rule-based detection.
Another technique to hide malicious activity is to spoof the geographic location where the card was issued, to make it look as if the fraudster resides in that area. Again, this appearance of normalcy is meant to avoid the triggers of anti-fraud software. These tricks are simplistic, but they can be enough to fool legacy software that relies on rules over such parameters to determine the risk of a payment.
This illustrates the need for fraud-management platforms to evolve into more sophisticated solutions that can truly identify high-risk transactions without stifling legitimate purchases.
Today’s cloud-based advanced fraud analytics platforms utilize Big-Data architecture, machine learning, artificial intelligence and behavioral analytics to dig through millions of transactions and billions of data points from cross-channel sources to get a full contextual view of transactions and detect anomalous signals and activities in real time. Such platforms can provide accurate, prioritized risk assessments that enable decision-making and allow mitigations to be triggered in time to prevent the losses.
Only by taking an extensive, 360-degree view of buyers, their transactions and related metrics, and feeding it into a sophisticated system that can detect and alert on outlying anomalies, can e-commerce merchants see the risk in allowing certain purchases to go through before they actually do.
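The contrast drawn above, as an added example that is not from the article or from any vendor's product: a static rule check passes a constructed stolen-card order that browses normally and matches the card's region, while a comparison against the account's own baseline holds it for review. The field names, thresholds and sample data are assumptions made for this illustration.

```python
from statistics import mean, stdev

# Constructed order history for one account (all values are sample data).
HISTORY = [
    {"amount": 42.00, "device": "dev-a", "ship_to": "addr-1"},
    {"amount": 35.50, "device": "dev-a", "ship_to": "addr-1"},
    {"amount": 58.00, "device": "dev-b", "ship_to": "addr-1"},
    {"amount": 47.25, "device": "dev-a", "ship_to": "addr-1"},
    {"amount": 39.00, "device": "dev-a", "ship_to": "addr-1"},
]

def static_rules(txn):
    """Legacy-style checks: thin browsing session, or IP region differs from card region."""
    flags = []
    if txn["pages_viewed"] < 2:
        flags.append("no_browsing")
    if txn["ip_region"] != txn["card_region"]:
        flags.append("geo_mismatch")
    return flags

def behavioral_signals(txn, history, z_limit=3.0):
    """Compare the order with the account's own baseline instead of fixed rules."""
    amounts = [h["amount"] for h in history]
    z = (txn["amount"] - mean(amounts)) / stdev(amounts)
    checks = {
        "amount_outlier": z > z_limit,
        "new_device": txn["device"] not in {h["device"] for h in history},
        "new_ship_to": txn["ship_to"] not in {h["ship_to"] for h in history},
    }
    return [name for name, hit in checks.items() if hit]

def decide(txn, history):
    """Hold the order for review if any static rule fires or two or more baseline signals do."""
    if static_rules(txn) or len(behavioral_signals(txn, history)) >= 2:
        return "review"
    return "allow"

# Constructed order: normal-looking session and matching region, but out of character.
SUSPECT = {"amount": 1899.00, "device": "dev-x", "ship_to": "addr-9",
           "pages_viewed": 9, "ip_region": "US-TX", "card_region": "US-TX"}
# Constructed order consistent with the account's history.
ROUTINE = {"amount": 55.00, "device": "dev-a", "ship_to": "addr-1",
           "pages_viewed": 4, "ip_region": "US-TX", "card_region": "US-TX"}

if __name__ == "__main__":
    for name, txn in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(name, static_rules(txn), behavioral_signals(txn, HISTORY), decide(txn, HISTORY))
```

Requiring two baseline signals rather than one keeps a single new device or a single gift address from holding a legitimate order.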
Holiday shopping should be joyful for buyers and merchants, but not for fraudsters who are out to play the Grinch.
Saryu Nayyar is CEO at Gurucul.