COVID-19 has become a scapegoat for many things. But the fact remains it did have — and continues to have — a massive impact on virtually all aspects of our lives. How we live. How we work. How we buy.
And how we’re defrauded.
Signifyd closely tracks what’s happening in the universe of retail fraud. Our data indicates that during the pandemic fraudsters have focused more intensely on the early stages of the purchase journey — everything from appropriating accounts, to creating new (false) accounts, to changing credit cards tied to existing accounts. Fraudsters know that these early stages of the payment process are more vulnerable than actual checkout. So now, more than ever, retailers have to guard against fraud in the end-to-end customer journey.
Advances in technology are partly to blame. But so is COVID-19.
This blog post will serve as something of an index to Signifyd’s recently published report, “The State of Fraud 2021.” The report details the latest fraud trends, including new types of attacks and new twists on old attacks. It also provides some strategies on how merchants can avoid fraud rings’ new intensity and ingenuity.
- COVID-19 changed the nature of ecommerce fraud. As a result of the unprecedented disruption, fraud became more abundant, more automated and more diversified in terms of techniques and targets.
- In particular, according to Signifyd’s State of Fraud 2021 report, fraudsters focused more on attacking the entire buying journey, including the earliest stages of account creation.
- Technology advances cut both ways when it comes to ecommerce. Artificial intelligence has helped retailers better serve consumers, but it’s also allowed fraud rings to increasingly automate attacks.
So, on to some observations, explanations and tips from “The State of Fraud 2021.”
What COVID-19 hath wrought — this time
COVID-19 created chaos in the retail world. Traditional retailers had to pivot immediately to sell their goods online and to add new channels such as curbside pickup. Retailers that already had an online presence had to step up their game to meet high demand. And fraudsters seized the disruption to initiate a truly golden age in fraud. They intensified their tried-and-true tactics — synthetic identities, return fraud, fraudulent fulfillment disputes, and others. And then came up with new schemes that retailers were not prepared for.
Advances in tech contribute to the problem
Recent innovations have proved advantageous to retailers. Many use advanced — and still evolving — technologies like artificial intelligence (AI) and machine learning for such things as recommendations, as well as process automation, in which software robots (or “bots”) do a lot of the heavy lifting in completing transactions and even answering customer service calls. That’s the good news. The less-good news is that the bad guys are exploiting these technological advances as well.
Advances in machine learning and process automation as well as continuously declining costs of creating and maintaining bots and learning machines have accelerated fraudsters’ abilities to successfully perform scams across the entire customer relationship lifecycle.
With carefully programmed bots, criminal organizations can quickly test thousands of stolen credit accounts, execute fraudulent orders in rapid-fire succession, and clean out whole inventories of popular products to resell them without authorization at sky-high prices.
Fraud advanced in other ways during the pandemic, too, with fraudsters upping their social engineering games. With so many working from home — or wanting to — fraudsters shifted from “romance mule fraud” to “work-at-home mule fraud” schemes.
Mule fraud’s changing face
The common idea is to trick a “mule” — typically an innocent person — into helping criminals move fraudulently purchased goods or money around the country and even the world. In a romance mule scheme, scammers take advantage of lonely people looking for relationships by pretending to be prospective partners. But the romance version takes months or years of deception to build an emotional bond with the potential mule. Work-from-home mule fraud is more transactional and therefore quicker.
Under a work-from-home mule scam, for example, unwitting people would take work-from-home jobs that involved moving what are actually illegally acquired products on behalf of someone else. Fraudsters created entire fake companies with real recruiters who would prey on people tethered to their homes during the pandemic to do things for them.
Finally, one of the most creative innovations on the part of scammers is synthetic identities. These take identity theft one step further. Criminals create a whole new and non-existent person by patching together pilfered and made-up personally identifiable information and then create accounts using those identities. They then use these accounts to steal goods from unaware merchants.
Targeting early stages of the buying lifecycle
In the past, a fraudster might have concentrated on stealing credentials and personal information. Today, fraudsters are spending more of their time seeking earlier, more vulnerable places to defraud retailers. Professional fraudsters know that the early stages of the payment process — when consumers create their accounts or log in or make changes, such as adding new payment options — are less protected than the later stages of checkout. Retailers don’t want to add too much friction when new customers are opening accounts for fear a shopper will abandon a cumbersome process, and simply click over to Amazon. They erect fewer barriers as a result, which is attracting more and more criminal activity at this stage of the payment lifecycle.
Bringing it all together: fraud’s rise of the machines
One example of how fraudsters are targeting every point in the value chain of retail transactions was last year’s clear-out of Sony PlayStations, in which fraudsters unleashed bots to immediately buy all available PlayStations on the market and then resell them at exorbitant prices, a form of automated scalping.
Bots are also the key to rapid-fire fraud, which allows fraudsters to test large numbers of stolen credit accounts in an incredibly short span of time or to “credential stuff.” Generally this involves attempting to breach a mind-boggling number of consumer accounts in rapid succession.
Rapid-fire fraud is possible because fraudsters can buy thousands of stolen names and passwords on the dark web for a surprisingly small sum. A Netflix account can be bought for $1. PayPal credentials for $1.50. Fraudsters use these credentials to launch online attacks:
- Because many consumers use the same user names and passwords on multiple sites, fraudsters attempt to sign in on thousands of sites at once, then make purchases on the accounts that they can successfully access.
- Fraudsters are also adding stolen credit cards to an account in good standing that they’ve taken over. Once in, they buy products that they resell on online marketplaces.
- With verified (stolen) credit cards, fraudsters use bots to place thousands of fraudulent orders at hundreds of ecommerce sites. They do this so fast that risk managers don’t have time to detect and stop it from happening.
It does take some AI and machine learning expertise to build systems that can attack in this way. But the number of rapid-fire attacks increased dramatically last year — by 146%, as detected by Signifyd.
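The three attack patterns listed above each leave a velocity signal a merchant can check for. This is an added example, not code from Signifyd’s report or product: it flags sources that touch many distinct accounts or cards within a short window, and accounts where a newly added card is used for an order almost immediately. The event layout, function names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, event, account, card_id)
EVENTS = [
    ("2021-03-01T10:00:01", "203.0.113.7", "login_fail", "alice", None),
    ("2021-03-01T10:00:02", "203.0.113.7", "login_fail", "bob", None),
    ("2021-03-01T10:00:03", "203.0.113.7", "login_fail", "carol", None),
    ("2021-03-01T10:00:04", "203.0.113.7", "login_ok", "dave", None),
    ("2021-03-01T10:00:30", "203.0.113.7", "card_add", "dave", "card-9"),
    ("2021-03-01T10:01:10", "203.0.113.7", "order", "dave", "card-9"),
    ("2021-03-01T10:05:00", "198.51.100.4", "login_ok", "erin", None),
    ("2021-03-01T10:20:00", "198.51.100.4", "order", "erin", "card-1"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def rapid_fire_sources(events, kinds, field, min_distinct, window_s=60):
    """Sources that touch >= min_distinct distinct accounts (field=3) or
    cards (field=4) within window_s seconds, for the given event kinds."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[2] in kinds and ev[field] is not None:
            by_src[ev[1]].append((_ts(ev[0]), ev[field]))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_s.
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            if len({v for _, v in hits[start:end + 1]}) >= min_distinct:
                flagged.add(src)
                break
    return flagged

def card_added_then_used(events, window_s=600):
    """Accounts where a card is added and then ordered with inside window_s."""
    added, flagged = {}, set()
    for t, _src, kind, acct, card in sorted(events, key=lambda e: e[0]):
        if kind == "card_add":
            added[(acct, card)] = _ts(t)
        elif kind == "order" and (acct, card) in added:
            if _ts(t) - added[(acct, card)] <= timedelta(seconds=window_s):
                flagged.add(acct)
    return flagged
```

Calling `rapid_fire_sources` with login events and `field=3` covers credential stuffing; calling it with order events and `field=4` covers rapid-fire card testing.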
What retailers can do: AI versus AI
What can retailers and brands do in the face of all this? Perhaps not surprisingly, the best way to fight an automated bot attack is with an automated protection solution. Think of it as AI vs. AI.
The key to a good defense is data. Signifyd, for instance, is powered by data from its Commerce Network of thousands of merchants selling to millions of customers in more than 100 countries. The data is the foundation of a system that is augmented by third-party data and human intelligence to feed and design intelligent, constantly learning machine models that constantly adjust — meaning that as fraud attacks shift, the models’ defenses shift with them.
Signifyd’s “State of Fraud 2021” report details more than a dozen strategies to protect your enterprise from fraud, while optimizing revenue from online sales. It also makes it clear that preventing fraud is no longer a defensive act, but requires you to be very much on the offensive.