A recent report recorded a rise of 178% in malicious e-commerce fraud websites observed from October to December of 2021, compared to the rest of the year.
What caused this impressive rise, how does it affect businesses that accept online payments, and how is the fraud landscape looking moving forward?
Malicious Shopping Websites on the Rise
Set up to coincide with the pre-holiday shopping period, an average of 5,300 new, malicious e-commerce websites per week were recorded from October to December, according to a report published by Check Point Research.
These scam websites were set up to resemble legitimate e-shops, often spoofing the appearance and branding of popular online shopping destinations, such as Amazon and Michael Kors. Customers would arrive by clicking through fraudulent emails or advertisements. They would get tricked into buying something, believing it was a legitimate product from a legitimate shop, at which point the criminal would acquire their card details and not ship them anything. Others tried to lure customers in through social media and hijacked accounts of friends and family.
This type of scam obviously targets consumers, in an attempt to steal their credit card details. However, a rise in this type of fraud also affects businesses, in several ways.
Here is how:
- Many of these stolen credit cards are later being used on legitimate e-shops, causing chargebacks. Each chargeback costs a business an estimated 2.60-3.20 times the price of the products lost, even if not believed to be the fault of the business.
- Chargeback ratio increases for stores where stolen cards are used. This incurs higher bank fees and even potential blacklisting of the merchant.
- The general drop in the trust of affected consumers in online card-not-present transactions can take a toll on the market in general.
- Extensive fraud brings reduced buying capacity for affected consumers, which affects commerce on a macro scale.
- Major rises in online fraud can make merchants overcautious, increasing false positives and declines for those who manage their own rules – and thus increasing customer insult rates.
- Customers who file a chargeback are more likely to do it again within two months, often at a new retailer (at a rate of 40% per Chargebacks911).
Fraud Trends 2022: Criminals Are Getting Bolder
It’s obvious that fighting fraud on a larger scale benefits every company involved in the online economy, not solely the persons or companies affected by individual cases. Added to that is the obvious increase in fraud targeting merchants directly, with 75% of organizations across the world reporting an increase in fraud attempts over the past two years, per a 2022 report by MRC.
The good news is that it’s not only the fraudsters who are getting more sophisticated. Fraud prevention technology and methodology have progressed by leaps and bounds in recent years, reflecting the exponential increase in fraudster activity. As elaborated in a writeup on e-commerce fraud by SEON, fraudsters no longer only target stores dealing in luxury items and electronics. Every business can be a target, no matter whether it sells physical or digital goods. In fact, some of the most common methods of attack have been with us since long before the internet; they’ve just been updated.
But which types of fraud are on the rise in 2022? Merchants are well advised to be on the lookout for the types below, and to always consult with their fraud vendors and/or analysts as soon as they notice any suspicious activity.
1. Return Fraud
Return abuse is an umbrella term that encompasses different methods, including ‘wardrobing’ – when customers buy clothing with the intention of wearing it once or twice and returning it – and receipt fraud – when someone falsifies receipts in order to return merchandise for a profit.
Return fraud may be an old avenue for criminals and amateurs alike, but it is still on the rise. According to Shopify, in the US, approximately 10.6% of all merchandise bought in 2020 was returned. That goes to show how important it is for businesses to be able to tell fraudulent from genuine returns. Per the same source, reducing returns overall could save the entire retail industry up to $125 billion a year.
The prevention of return fraud starts with efficiency in inventory management and sales records. The more accurate and organized your records, the less likely it is for an attempt to be successful. Some stores put new policies in place, such as weighing returned items. But it also has to do with accurately evaluating risk by assessing the intentions and legitimacy of shoppers using methods such as digital footprinting and device fingerprinting.
2. Triangulation Fraud
A little more complicated but equally popular with contemporary fraudsters, triangulation fraud actually has a very low barrier to entry, meaning it could be set up by criminals of varying skill and experience levels.
Triangulation fraud involves three parties: a legitimate customer, a legitimate e-shop and a fraudster.
1. The fraudster creates an e-shop website or adds fake products on eBay, Amazon Marketplace or similar platforms.
2. A buyer tries to buy from a fake online store, giving the fraudster their card details.
3. The fraudster buys the same product from a legitimate online store using a stolen credit card, and provides the legitimate buyer’s shipping address.
4. The buyer receives the item from the real store, but soon notices other charges on their card (as the fraudster has stolen their details).
5. The buyer starts a chargeback process with their bank.
6. The legitimate merchant is hit with the chargeback, losing both the item and the money it cost.
Chargebacks are a very common pain point for businesses. As Zoho explains, they can be linked to actual mistakes by the shopper or merchant, but they also often accompany fraud. For example, a card owner charged for a fraudster’s transactions will request a chargeback, while some shoppers will use the chargeback process itself to keep both their money and the product (friendly/first-party fraud).
Although shopping and payment platforms such as Shopify and Stripe may have some built-in tools to stop fraudsters, these are not adept at catching triangulation fraud in particular. For this type of more sophisticated scheme, dedicated fraud prevention solutions are more suitable, deployed by the merchant to protect their own as well as their customers’ interests.
3. Account Takeovers
An ATO, or Account Takeover, is simply when a fraudster acquires access to an existing account belonging to a legitimate customer. This can be done through various methods such as phishing, brute-forcing and cross-site scripting.
What is making all the difference in 2022 is that the stakes have been raised. A few years ago, taking over someone’s account allowed a criminal to use it to conduct further fraud, perhaps to sign up somewhere, but there was rarely anything worthwhile within – always depending on the type of account hijacked.
Today, however, the public is increasingly encouraged to save their payment card details online: on their accounts on e-shops like Amazon and TK Maxx, in their browser profiles, in digital wallets made possible by open banking protocols, and on other digital accounts. As a result, a successful ATO is much more likely to yield usable credit or debit card details, which the criminal may use in the same store or elsewhere.
In their writeup on this phenomenon, NordVPN stresses how major breaches even in high-trust companies such as British Airways, back in 2018, have resulted in customers’ card payment details being stolen. Certainly, the size and reputation of a company are no guarantee that consumers’ card details are safe.
And, of course, the reputation of a company suffers greatly once it has been involved in such an incident. The public is already concerned about sharing personal information such as their full address and phone numbers – and payment details have so much more potential to cause harm. It does not matter whether the blame lies with the company, as in the British Airways example above, or perhaps with the customer, in the case of someone using a very weak account. The results are still detrimental to the business.
What’s more, the criminal may attempt to use (or test) the stolen cards on the spot, bringing more chargeback troubles for the already unfortunate merchant.
There are simple steps to take as the first line of defense, like asking (or forcing) one’s customers to use multi-factor authentication, which is much more complicated to hijack. In the merchant’s backend, to mitigate against such an attack, end-to-end anti-fraud solutions deploy technologies such as machine learning, online footprinting via reverse email and phone number lookup, behavior analytics, velocity checks and device fingerprinting. Gathering hundreds of different data points, a fraud prevention platform gauges the level of trustworthiness or risk for each individual user and transaction, keeping out bad actors.
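A velocity check of the kind named above, as an added example that is not part of the original article or of any vendor's product: it flags an account or device that presents too many distinct cards, or collects too many declines, inside a short sliding window, which is the pattern left by testing stolen cards after an account takeover. The event fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO time, account, device, card fingerprint, outcome)
EVENTS = [
    ("2022-03-01T10:00:00", "acct-1", "dev-A", "card-01", "approved"),
    ("2022-03-01T15:30:00", "acct-1", "dev-A", "card-01", "approved"),
    # acct-2: burst of different cards from one device within minutes
    ("2022-03-01T11:00:00", "acct-2", "dev-X", "card-10", "declined"),
    ("2022-03-01T11:00:40", "acct-2", "dev-X", "card-11", "declined"),
    ("2022-03-01T11:01:10", "acct-2", "dev-X", "card-12", "declined"),
    ("2022-03-01T11:02:00", "acct-2", "dev-X", "card-13", "declined"),
    ("2022-03-01T11:03:00", "acct-2", "dev-X", "card-14", "approved"),
    # acct-3: four cards, but hours apart, so no burst inside the window
    ("2022-03-01T09:00:00", "acct-3", "dev-C", "card-20", "approved"),
    ("2022-03-01T12:00:00", "acct-3", "dev-C", "card-21", "approved"),
    ("2022-03-01T15:00:00", "acct-3", "dev-C", "card-22", "approved"),
    ("2022-03-01T18:00:00", "acct-3", "dev-C", "card-23", "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_CARDS = 3                   # assumed limit on distinct cards per window
MAX_DECLINES = 3                # assumed limit on declines per window


def velocity_alerts(events, window=WINDOW, max_cards=MAX_CARDS,
                    max_declines=MAX_DECLINES):
    """Return sorted ((kind, id), reason) pairs that exceeded a threshold."""
    recent = defaultdict(deque)  # (kind, id) -> events still inside the window
    alerts = set()
    for ts_raw, account, device, card, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        # Track velocity per account and per device: a fraudster may rotate one
        # while reusing the other.
        for key in (("account", account), ("device", device)):
            q = recent[key]
            q.append((ts, card, outcome))
            while ts - q[0][0] > window:  # evict events older than the window
                q.popleft()
            if len({c for _, c, _ in q}) > max_cards:
                alerts.add((key, "distinct_cards"))
            if sum(o == "declined" for _, _, o in q) > max_declines:
                alerts.add((key, "declines"))
    return sorted(alerts)


if __name__ == "__main__":
    for (kind, ident), reason in velocity_alerts(EVENTS):
        print(f"{kind} {ident}: {reason}")
```

The window length matters as much as the thresholds: acct-3 uses four cards in one day and is not flagged at ten minutes, but would be at a 24-hour window, so both values need tuning against the false-positive cost described earlier.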
Overall, e-commerce fraud is clearly on the rise in 2022 – and beyond, according to predictions. Fraudsters are eager to take advantage of every opportunity and become early adopters of new technology, though they will also adapt and tweak tried-and-tested methods to get the upper hand. Sophistication is central to this challenge: As online fraudsters become increasingly sophisticated, so ought we.
About the Author
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.