While ecommerce sales have maintained a torrid growth rate for years, it turns out that when it comes to being a growth industry, ecommerce itself has nothing on ecommerce fraud.
In fact, the growth in ecommerce fraud attempts in the first quarter of 2018 compared to 2016 outstripped the growth in ecommerce transactions by 83 percent, according to ThreatMetrix’s latest Cyber Security report. The San Jose digital identity company, which regularly reports on the volume of cyber attacks, said it foiled 210 million cyber attacks from January through March. It was the most the company had ever disrupted in any one quarter, and it represented a 62 percent increase in activity over the year-ago period.
Aside from the sheer volume of attacks, the ThreatMetrix Q1 2018 Cybercrime Report is sure to grab the attention of ecommerce companies for a number of reasons. First comes the finding that ecommerce is now the hot thing among digital fraudsters. ThreatMetrix found in the first quarter that ecommerce businesses were 10 times more likely to be attacked than financial services companies.
“Ecommerce attacks are becoming an increasingly popular target for global fraudsters: Many global ecommerce merchants are being hammered by mass scale bot attacks from the U.S., China and Brazil, attempting to test the validity of stolen identity credentials harvested from mass data breaches,” the report says.
Fraudsters embrace automation as a better way to steal
Just as ecommerce retailers have turned to automation to better protect themselves and their customers from fraudsters, the fraudsters themselves are finding technologically advanced ways to scale up their operations. ThreatMetrix reported that its network saw an astonishing 1 billion bot attacks in the quarter, a record number.
“These bots are predominantly targeting ecommerce merchants,” the report added.
Fraudsters find the best time to use the filched identities is the time between when the breach occurs and when it becomes public knowledge, ThreatMetrix says.
Fraudsters’ intense focus on ecommerce (820 million of the 1 billion bot attacks were directed at ecommerce sites) makes perfect business sense for online criminals.
Online retailers understand the need to provide a friction-free customer experience in order to inspire purchases during any one shopping session and to encourage return visits by consumers that the merchant has invested in acquiring in the first place.
“Ecommerce merchants walk a tightrope between optimizing customer experience with low friction authentication and few step-ups, while also maintaining effective fraud control,” the ThreatMetrix report says. “With so much competition for orders and market domination by a few key players, driving order acceptance rates is imperative, potentially making them a softer target for market-savvy fraudsters.”
The balance can be a difficult one to get right.
ThreatMetrix’s study reflects Signifyd’s findings in its Ecommerce Fraud Index released early this year. The index noted that fraudsters have been shifting to account takeover fraud as a preferred way to take advantage of stolen identities. In fact, account takeover fraud losses increased by 80 percent between 2016 and 2017.
“Validated credentials can be used to hack in to good user accounts and access sensitive personal information, as well as saved payment credentials,” the ThreatMetrix report noted. “In addition, once the fraudster has successfully hacked an account, they can capitalize on the trust that user has built up with the retailer, making fraudulent purchases that can potentially go unnoticed and are often subjected to less scrutiny than ‘new customer’ transactions.”
The holiday fraud threat is hardly slowing down
The ThreatMetrix report also offered some disturbing news about the ongoing volume of fraud attacks. Looking back to the fourth quarter of 2017, the report noted a “particularly intense attack period coinciding with the holiday shopping season, when attacks accounted for over 10 percent of all network traffic.”
The more ominous note was that the attack volume remained high in Q1, even after the lucrative holiday season had passed. From the report: “The overall attack levels for ecommerce remained high even after the record holiday season, with almost 150 million rejected transactions, representing an 88 percent increase over the previous year.”
The finding from the holiday season itself mirrored a section of Signifyd’s fraud index, in which the data showed that fraud losses during the 2017 holiday season increased 24 percent year-over-year. For the purposes of the index, fraud losses were defined as the sum of the number of chargebacks due to fraudulent orders and the number of orders withheld because of a suspicion of fraud.
The ThreatMetrix report also underlined the international nature of organized fraud rings. While the United States, the UK and other large European countries have traditionally been the lead originators of fraud attacks, countries such as Vietnam and Russia appeared among the top 10 for the first time, ThreatMetrix said. The change is an indication, the report says, that there are plenty of up-and-coming fraud threats out there.
Contact Mike Cassidy at firstname.lastname@example.org; follow him on Twitter at @mikecassidy.