endpoint security

4 Types of eCommerce Fraud That Have Increased During the Pandemic

  • By Thorsten Herbes
  • Nov 02, 2020

As we shop from the safety of our homes and fuel the digital economy, we expose ourselves to a great amount of risk, and fraudsters are taking advantage of this sharp increase in online shopping over the course of the Covid-19 crisis. Bots, account takeovers, and fake accounts are commonplace threats to merchants and require far more sophisticated prevention methods than what companies have in place today. As the fraudsters become smarter and more adept at defeating the traditional methods of fraud prevention, detecting subtle tells and behavioral analysis have emerged as effective ways to protect both consumers and merchants from unwanted access and transactions. As a merchant, look for holes in your anti-fraud stack and realize that the fraudsters will always evolve. If your fraud prevention technology remains stale, you are inviting chargebacks.

While their methods continue to change, today’s eCommerce fraudsters can still be divided into several key fraud vectors.

Bots
The dark web is filled with easily obtained lists of usernames and passwords, and fraudsters are able to purchase large quantities of such combinations for relatively little money. These credentials are then loaded into a server and used to ping eCommerce and other sites in an attempt to find a combination that works. It’s essentially the fraudster’s version of playing a slot machine, hoping for the jackpot winning combination of username and password. Once they’re “in,” the options are near limitless -- the fraudster has access to the compromised account and can make changes, transact or, like many of us who use the same username and password across multiple sites, take over the account and associated payment methods. Plus, they can even access your accounts on other sites with the same credentials. Traditional methods of analyzing the physical identity of the consumer no longer work in this scenario because the fraudster has the matching data and can easily defeat this layer of defense. A more timely approach to fraud prevention against bots is to add in a layer of security that looks for commonalities, such as IP addresses, device fingerprint and other “tells” that can easily identify a bot and stop it from getting through.

Account Takeover
Once a fraudster gains access, taking over an account is simple. In a typical account takeover (ATO) scenario, the fraudster will change subtle pieces of information associated with the account, such as phone numbers, emails, and addresses. The fraudster now “owns” your account and can transact, purchasing goods for their own use or for the purposes of selling them. Consumer electronics or digital goods, like gift cards, are particularly attractive items. Fraudsters typically attempt a large number of transactions over a short period of time, in order to maximize the breach before the real account owner has a chance to notice the compromised account. ATO is more difficult to prevent than bots, as the fraudster has already made his or her way into the secured environment with real credentials and, more importantly, now controls the account. Again, traditional methods of defense often fail in this instance. However, while the fraudster can easily mimic the credentials of the real customer, they are unable to behave in the same way that the real customer would. Utilizing behavioral biometrics has proven to be the key defense here -- fraud can be detected by analyzing user behavior patterns and comparing them to the real customer’s known patterns. Is the shopping behavior the same? Is the typing rhythm similar to prior transactions? Are there any other dissimilarities in the interaction? The fraud can be stopped only by analyzing these small variations in an intelligent way.

Fake Accounts
Another common vector is the creation of fake accounts, using stolen identities or payment instruments. Fraudsters will visit a site or app and create a new user profile, using components that are stolen in combination with their own information, such as burner phones and fake email addresses. If successful, the fraudster can transact while impersonating the real consumer and take advantage of any goods or services obtained prior to the consumer noticing. Merchants often ship items or digital goods to this seemingly good new customer, often not realizing that they are dealing with a fake account until it is too late and the real account owner contacts them to ask about the charges on their credit card. Fake accounts are difficult to spot once they have been established, so the need for more subtle ways to detect a fraudulent customer becomes paramount. Creating fake accounts has only a limited rate of success, so fraudsters often use shortcuts to help them generate many fake account registration attempts at once -- something that can lead to their detection. Paying close attention to common traits, such as the number of instances a certain device has been used; how many times the same password has been used across multiple, seemingly unrelated accounts; and the general behavioral patterns can be powerful tools in deterring this type of fraud vector.

Transaction Payment Fraud
The result of all three attack vectors is almost always a chargeback. The real consumer has realized that their account has been compromised and that transactions have been made with their payment method without their knowledge or consent. The consumer now contacts the issuing bank and demands that the charges are reversed, resulting in the bank charging back the merchant for the unauthorized transactions. The risk to the merchant is reputational and financial, potentially resulting in negative reviews and corrective measures required by the card issuer prior to allowing the merchant to accept the compromised payment method again. Assuming that the fraudster has managed to successfully evade the typical legacy methods of fraud prevention, such as identity verification, one-time-passwords or even out-of-wallet personal identification questions, there is still hope that a fraudulent transaction can be avoided. Using behavioral attributes and measuring exactly how the fraudster interacted during the page traversal can be excellent indicators of likely fraud and can offer a final barrier against unwanted transactions.

Ultimately, relying solely on standard defensive measures has become a risky proposition in today’s socially distanced shopping environment. Thankfully, new ways to prevent fraud, such as machine-learning behavioral models powered by artificial intelligence, are at the forefront of the battle and become more powerful each day.

Featured

  • An Inside Look From Napco at ISC West

    Get a look into the excitement at ISC West 2025 from Napco. Hear from some of their top-tech executives live from the show floor. Read Now

    • Industry Events
    • ISC West

  • Upping the Ante

    I am not a betting man in terms of cards, dice, blackjack or that wheel with the black marble racing around the circumference of a spinning wheel, but I would bet on the success of ISC West this year. Read Now

    • Industry Events
    • ISC West

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West

  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

Most   Popular

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.