The question, ‘is this a legitimate customer or a criminal?’ can be answered with a new approach to preventing fraud that goes well beyond identity verification.
The surge in online activity in recent years has led to a corresponding explosion in online fraud – a 140% increase in the volume of fraud attacks in 2021 compared to pre-COVID. Even enterprises with strong fraud prevention programs now struggle to confidently distinguish real consumers from cybercriminals.
Confidence in the customer-vs-criminal question and the balancing act of fraud prevention and customer friction have emerged as the top challenges facing the industry. To address them, e-commerce companies need a new framework for predicting fraud so as not to disrupt a smooth customer experience.
Stolen Data in the Customer Journey
As long as consumers embrace eCommerce, so will fraudsters. The sheer amount of stolen data available to cybercriminals is astounding (last year alone, SpyCloud recaptured more than 1.7B credentials and 13.7B pieces of PII from the criminal underground). By now, fraudsters are adept at using that stolen customer data at particularly vulnerable points in the customer journey, including:
New account opening fraud
The fraudster pieces together stolen data from multiple consumers to form a synthetic identity and uses it to apply for a store credit card. Without any previous or negative history for that identity, the account application will not trigger red flags via typical fraud detection mechanisms and the store will issue the card. The fraudster will slowly build credit history by making a series of small orders, working toward a higher credit limit before eventually making high-end purchases with no intention to pay off the debt. This is called “busting out fraud.”
Account login
The fraudster takes over a shopping account with credential pairs obtained on the criminal underground or harvested from the consumer’s device using malware. Once in, the cybercriminal changes the mailing address and orders merchandise.
In another scenario, the fraudster takes advantage of a gap in some customer service systems that cannot query against shipping addresses. The criminal places multiple orders to the same shipping address using fraudulent names and email addresses, then later calls customer service saying they never got the item – a twist on the Where’s My Order (WISMO) problem. If customer service teams aren’t able to search on the shipping address to identify the pattern of fraud, the retailer could process multiple refunds or ship replacements to the bad actor, which ultimately negatively impacts business revenue.
Another common ATO scheme is to steal loyalty points or gift card balances, which the fraudster can monetize on the dark web.
Loyalty point depletion has a significant problem for eCommerce businesses. When customers go into their accounts expecting to redeem loyalty points only to find they’ve already been redeemed, tense calls to customer service agents ensue. These situations can also negatively impact brand loyalty because the customer may think that your organization has been breached.
Account modification
Using similar ATO tactics to gain access to the account, the fraudster can completely lock out the legitimate customer by changing the notification settings and all the contact information. The account holder doesn’t see any red flags since all the notifications have been diverted.
Account lockouts cause an increase in support inquiries, requiring the customer to call customer service and go through several steps to get their account unlocked. In addition to impacting the customer experience, adding these inquiries to the customer service queue puts more strain on already busy customer service agents that are impacted by the increase in transactions.
Guest checkout
Criminals evade detection and commit fraud via guest checkout by:
- Bypassing identity verification checks due to the lack of account history, historical data, or purchasing behaviors that would otherwise flag suspicious activity.
- Purchasing identity kits and using a legitimate person’s name, payment method, and billing address to clear basic public database checks, but shipping to a mule address where they can receive the products.
- Using stolen payment information and choosing rushed shipping, in the hope that they will receive the product before the victim notices and can dispute the charge.
Many organizations struggle when deciding to implement guest checkout as an option for their customers. Ease and speed of transaction are important to consumers, with 24% reporting they will abandon online transitions because of mandatory account creation. While user experience and preventing revenue loss are critical, businesses must prepare as criminal tactics evolve and CNP fraud continues to rise and losses are estimated at $130 billion in cumulative revenue by 2023.
Criminals Are Innovating – Are You?
As criminals get more savvy and sophisticated in their tactics, ecommerce organizations must also get more innovative in preventing fraud. The goal is to preserve the customer experience, and the solution is to proactively determine that the customers transacting online are legitimate, and not cybercriminals using stolen information.
That can be incredibly hard without the right tools. New anti-fraud solutions exist that go beyond identity verification to analyze the severity of users’ exposed data from breaches and malware infections. If a consumer is at high risk of account takeover or synthetic identity, shouldn’t that be something we consider in our control frameworks?
It’s a common misconception that because nearly everyone has had their data breached or leaked, that we’ve lost the battle against fraud. But the truth is that the amount of data out there on the criminal underground about each consumer (and the recency and severity of their exposures) provides a strong signal of their risk. And using that data for good to enable faster and more accurate decisions about how to handle online transactions is the change we need at the front lines of fraud prevention.
Customers demand a fast, frictionless transaction experience, and fraud prevention teams want to disrupt criminal activity to reduce fraud losses, avoid unnecessary manual reviews, and reduce chargebacks. The ideal state is to make good fraud decisions upfront to create a more seamless overall interaction.
This article was originally published on the RH-ISAC blog.
