Cyber Monday has been a well-established retail holiday for more than a decade.
But as we move into Cyber Monday 2017, many ecommerce retailers might be thinking of it as Black Monday. No, not because it will change red ink to black on the balance sheet, but because of the sinister implications the official launch of the online holiday shopping season brings along with it.
As online orders increase markedly, so to do the number of fraudulent orders placed by opportunistic criminals looking to make a killing during the season of giving.
The company’s “2017 Q3 Cybercrime Report” says that the number of cyber attacks that it identified and stopped between July and September 2017 was double the number it stopped in the third quarter of 2015.
Specifically, when it comes to ecommerce, ThreatMetrix found:
- The increase in number and magnitude of data breaches (we’re looking at you Equifax) is feeding a corresponding online fraud frenzy.
- The criminals who make a living defrauding ecommerce operators are turning to the same tools that other sophisticated businesses are using, including bots.
- As online orders in general — and mobile orders in particular — increase, so does the number of fraudulent orders.
“What has become more and more evident this year, is that stolen identity has an almost instant impact on attacks that we see in the network,” the report says right off the bat. “Fraudsters capitalize on the new blood of fresh credentials, acting fast with mass identity testing bot attacks, using validated credentials to takeover trusted user accounts, open fraudulent new ones, and make a vast swath of bad payments with stolen credit card data.”
Just as online shopping has evolved during its relatively short lifetime, the tools and tactics of those looking to take advantage of our digital lifestyles have become better and more sophisticated.
Fraudsters are turning to automation to optimize their crime
You saw the report’s reference to “bots,” right? Yes, crooks are automating their crimes just as businesses are automating their operations. And you know how mobile has become the way to do almost everything — including shop? That’s showing up in ThreatMetrix’s findings, too. For the first time, the company says, mobile transactions have overtaken desktop in ThreatMetrix’s analysis. Retailers have been tracking a similar pattern for years.
The ThreatMetrix report, in fact, says that mobile transactions were four times higher in the third quarter this year than they were in the same quarter two years ago. So what, you ask?
“As transactions continue their upward trajectory, so does cyber crime, particularly across account creations and payments,” the report says.
It’s a bit of a down note for this week, the week the holiday shopping season officially kicks off (though marketing and shopping has been underway for some time). It’s show time for retailers big and small. Adobe, which has been meticulously tracking holiday online spending for years, predicts that digital sales this year will be up 13.8 percent over last year, reaching $107.4 billion.
Cyber Monday itself, Adobe says, will be the largest online shopping day in history, seeing $6.6 billion in sales, nearly 17 percent higher than last year.
The increase in mobile fraud amid the holiday activity carries special significance for small and mid-sized ecommerce retailers, Adobe’s says in a news release. The San Jose, Calif. company predicts that big operators ($100 million or more in annual sales) will see higher conversion rates and higher order values than smaller operators (less than $10 million in annual revenue). But small and medium businesses will have the upper hand in mobile conversion, because they will attract shoppers with a higher intent to buy, Adobe says.
So, it’s good new/bad news for small and medium businesses. Those mobile shoppers are particularly valuable, but those mobile orders bring with them a higher risk for fraud.
That said, the ThreatMetrix report isn’t simply trying to be a buzz kill. Knowledge is power, and of course there are ways retailers can protect themselves, all year long, and we’ll get to those.
Data breaches fuel a fraud increase
But first, some more context from ThreatMetrix’s 46-page report. While common sense would dictate that fraud attacks and other online criminal behavior would rise after a major data breach, ThreatMetrix puts its data behind the notion. It says that attacks have grown significantly this year and that there is increasing evidence that online crime is providing the initial investment for other criminal activities.
In other words, these aren’t backyard hobbyists we’re dealing with.
“It is clear that fraudsters are opportunists, constantly looking to exploit gaps that arise in the period just after a big data breach or attack. For example, we see the biggest spike in attack rates following several high-profile data breaches at the start of the quarter, indicating that fraudsters took advantage of the availability of fresh data, as well as customer caution around transacting online.”
The report doesn’t specifically address the massive Equifax breach announced in September —personally identifiable information stolen from 145 million Americans, nearly 210,000 credit card numbers snatched. But given that there was some question about whether the Equifax data theft would lead to more online fraud, ThreatMetrix’s report would seem to point to the affirmative.
That said, whatever is fueling online fraud attacks, they are going to continue — and increase in the holiday season. While ThreatMetrix’s report looks at industries beyond ecommerce, the section dedicated specifically to online retail says that there were 100 million attacks, including payment fraud, fraudulent account log-ins and bogus account creations.
The report notes that buying and fraud activity during the back-to-school season has served as a reliable predictor of shopping and fraud activity during the holiday period. As for the 2017 back-to-school season, ThreatMetrix says it saw an increase in “sustained high volume bot attacks” given the large store of consumer data available to fraudsters.
In all, the digital identity company saw 450 million bot attacks in the third quarter, “a large portion” of them aimed at ecommerce merchants, in some cases to test the stolen identities fraudsters has acquired.
“Leading online retailers were attacked relentlessly by bots, botnets and other scripted attacks,” the report says. “Fraudsters have easy access to user credentials that they can exploit individually or as part of mass identity testing sessions.”
Not a good omen for what’s to come this holiday season.
All of which puts digital retailers in a tough spot: They must protect themselves from fraud, but not at the expense of shipping good orders and keeping legitimate customers satisfied. The holiday season is a particularly excruciating experience for retailers plagued by fraud. The last two months of the year are far and away the biggest opportunity to make money for most retailers.
But it is also a hectic period when odd-looking orders — those with mismatched billing and delivery addresses — abound. One instinct might be to clamp down and refuse orders that don’t look right. That leaves money — lots of money on the table. Business Insider found that last year U.S. ecommerce merchants lost $8.6 billion by mistakenly holding back legitimate orders for fear of fraud.
Or they can fill those orders and hope for the best. If they’re wrong, they stand to lose substantial sums in chargeback fees and other fraud losses.
The ThreatMetrix report does offer another way, explaining that there are tools available to help merchants protect themselves from fraud and the fear of fraud that leads them to withhold orders. ThreatMetrix, which is a Signifyd partner, uses a raft of transaction, user behavior and device information to identify good and bad operators among millions consumers. This allows the company to authenticate legitimate customers.
Tech tools can protect you from fraud
When paired with Signifyd’s machine-learning fraud protection, the technology provides a powerful combination. Signifyd’s guaranteed fraud protection comes with a 100 percent financial guarantee on any approved orders. That transfers the stress of fraud and the worry about declining good orders to Signifyd, so merchants can focus on their customers and their companies.
And there is little doubt that during the crucial holiday season, retailers’ focus needs to be squarely on the business at hand — no matter what fraudsters intend to throw at them.
Mike Cassidy is Signifyd’s storyteller. Contact him at [email protected]; follow him on Twitter at @MikeCassidy.