It’s no exaggeration to say that online fraud is rampant.
All ecommerce companies deal with fraud at some point, and it’s often after the first chargeback that merchants become fully aware of the fraud risks specific to ecommerce.
Unfortunately, online fraud is only increasing, especially in the U.S. Although the U.S. accounts for only about 21% of global payment volume, it bears the brunt of almost half the losses due to fraud.
So, why is online fraud so prevalent?
The answer has two parts:
- Stolen credit card information is easy to buy.
- Prosecution is rare, and online fraud may be a low priority for law enforcement, due to difficulty amassing evidence and time and resource constraints.
With that being said, let’s take a deeper look into each part.
Ease of access to stolen credit cards
We’ll examine the typical process for how a stolen credit card can become a fraudulent order for a merchant.
Step 1: Credit card numbers are stolen, either via large criminal syndicates or solitary hackers.
Online criminal organizations or lone hackers will attack companies and organizations, regardless of size, to obtain access to any type of personal and/or financial information. When said information is acquired, it’s often packaged to immediately be sold on a black market. The more information available on a cardholder, in addition to the card number, the higher the price they can fetch. (Cards sold with information such as billing and delivery address, email and phone numbers are sold at a premium.)
Step 2: The personal and financial information stolen is sold to a 3rd party, and usually not used by the initial thief themselves.
More often than not, the organizations and individuals who steal personal and financial information are not the same individuals and organizations who use that information. The larger the hack, the less likely that the party responsible for the theft of data will use it to commit fraud. In the aftermath of the Target and Home Depot hacks, law enforcement noticed a significant uptick in personal information being sold on the black markets.
As mentioned above, online thieves looking to commit fraud are able to buy stolen cards and personal information in mass quantities on the black markets. (U.S. credit card information can sell for as little as $5.) With the Target data breach alone, over 40 million customer records were accessed. Because they often sell in bulk, those who collect and then sell the personal and financial information can make a hefty amount selling it online.
Step 3: Once in possession of stolen credit card information, a fraudster tests and then exhausts the credit card.
Now that a fraudster is in possession of credit card information, either from buying it from a black market or by stealing information themselves, the first step is to separate the active cards from the inactive cards.
They will usually test the stolen credit cards by making small purchases online (typically in the range of just a few dollars) to see if the transaction will go through. If the transaction is successful, they will attempt to max out the credit cards to their full potential.
Depending on how much information the fraudster has stolen (phone number, email, SSN, billing and delivery address, passwords, etc.), they can, with varying degrees of success, pass themselves off as the legitimate cardholder, and are often able to pass an online merchant’s fraud screenings because of the information that they have at their disposal.
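As an added example (not part of the original article), here is a merchant-side check for the pattern described in Step 3: an approved charge of a few dollars on a card, followed shortly afterwards by a large order on the same card. The thresholds, the tuple layout and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): tune against your own order history.
TEST_MAX = 5.00                 # "a few dollars" test purchase
LARGE_MIN = 200.00              # order size treated as an attempt to exhaust the card
WINDOW = timedelta(hours=24)    # how long after a test charge to watch the card

# Constructed sample data: (timestamp, card token from the processor, amount, approved)
ORDERS = [
    ("2024-03-01T10:00:00", "card_A", 1.99, True),
    ("2024-03-01T10:20:00", "card_A", 899.00, True),   # test charge, then large order
    ("2024-03-01T11:00:00", "card_B", 3.50, True),     # small order only
    ("2024-03-01T12:00:00", "card_C", 450.00, True),   # large order, no test charge
    ("2024-03-01T09:00:00", "card_D", 2.00, False),    # small charge was declined
    ("2024-03-01T09:05:00", "card_D", 700.00, True),
    ("2024-03-01T08:00:00", "card_E", 1.00, True),
    ("2024-03-03T08:00:00", "card_E", 600.00, True),   # outside the 24h window
]

def flag_test_then_drain(orders, test_max=TEST_MAX, large_min=LARGE_MIN, window=WINDOW):
    """Return {card: (test_time, large_time, amount)} for cards where an approved
    small charge is followed within `window` by a large order attempt."""
    by_card = defaultdict(list)
    for ts, card, amount, approved in orders:
        by_card[card].append((datetime.fromisoformat(ts), amount, approved))

    flagged = {}
    for card, events in by_card.items():
        events.sort(key=lambda e: e[0])
        last_test = None  # time of the most recent approved small charge
        for when, amount, approved in events:
            if approved and amount <= test_max:
                last_test = when
            # Large attempts count whether or not they were approved.
            elif amount >= large_min and last_test and when - last_test <= window:
                flagged[card] = (last_test, when, amount)
                break
    return flagged

if __name__ == "__main__":
    for card, (t0, t1, amt) in flag_test_then_drain(ORDERS).items():
        print(f"REVIEW {card}: test charge {t0} -> {amt:.2f} order at {t1}")
```

A hit is a reason to hold the order for manual review, not proof of fraud, since legitimate customers also make a small purchase before a large one.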
Now that we’ve demonstrated the ease with which a fraudster acquires and uses stolen credit card information, let’s explore the enforcement issue.
Prosecution: Difficult and rare
Prosecuting for online fraud is quite difficult, for many reasons.
First, an investigation often crosses state, if not international, lines, causing jurisdictional issues to arise. If the online merchant is based in Orlando, FL, the real cardholder lives in Austin, TX, and the fraudulent purchase was shipped to a Montpelier, VT location, this raises the question of where the crime is determined to have taken place. On top of that, when a crime involves multiple states, federal law enforcement may also be involved, raising the number of stakeholders further and complicating the question of who owns the investigation.
Second, evidence can be in short supply. When a fraudster impersonates a cardholder, uses a new email address, rents a mailbox under an assumed name, and attempts other methods to escape detection, little evidence may be available to authorities to tie the actual fraudster to the attempt, and they may not have enough for prosecution.
Third, in terms of the scope of crime that law enforcement deals with, ecommerce fraud may be perceived as a lower priority, due to the low average monetary amount and, oftentimes, the lack of a victim. If the cardholder is guaranteed protection by their issuing bank, and will have their money refunded, they may not have any motivation to continue with prosecution. Compare the average monetary amount of ecommerce fraud to those cases that the FBI, DOJ and Secret Service discuss on their respective sites. They tend to deal with fraud where the stakes are generally much higher: counterfeit money, insider trading, securities fraud, investment fraud, scams, etc. We recommend reviewing the FBI’s Internet Crime report, released annually, to get an idea of the vastness of the complaints that the FBI alone receives on a yearly basis, and consider the manpower likely available to pursue those cases. This isn’t to say that law enforcement ignores the issue, but it’s helpful to frame ecommerce fraud in relation to the crimes they deal with.