Criminals are attempting to capitalize on high transaction volumes to overwhelm organizations with a high level of bot traffic, some of it intended to test stolen card numbers before attempting purchases. A large retail website saw 20 million fraudulent log-in attempts as bad actors sought to use stolen data to access customer accounts.

Alisdair Faulkner, chief identity officer, LexisNexis Risk Solutions

Alisdair Faulkner, chief identity officer, LexisNexis Risk Solutions

Online retailers scored big during the first week of the 2018 holiday shopping season—despite fraudsters launching large-scale automated attacks designed to overwhelm defenses during their busiest period.

Overall, mobile and online transaction volumes jumped 20 percent from the same seven-day period last year, running from the day before Thanksgiving through to the day after Cyber Monday, according to the latest data from ThreatMetrix, a LexisNexis Risk Solutions Company.

The average basket value of transactions rejected as fraudulent was 2.7 times higher than the value of legitimate transactions.

These findings are based on an analysis of transactions and cyberattacks on the ThreatMetrix Digital Identity Network over the holiday shopping week, providing insight into global cybercrime patterns. As such, it offers the industry a first look at trends shaping this all-important season for retail and e-commerce.

Digital Decks the Halls with 20 Percent Growth in Transactions


holiday 2018 e-commerceFrom Thanksgiving through Cyber Monday, the total number of online and mobile payments grew by one-fifth year-over-year, offering further evidence that consumers are increasingly choosing holiday sofa surfing over elbowing their way through crowded malls.

The peak shopping days continue to be Black Friday and Cyber Monday, as consumers capitalize on widespread discounts, however there was a notable uptick in activity compared to last year throughout the week.

Mobile Rings in 60 Percent of Online Purchases

Whether it’s on the sofa, sipping eggnog at the relatives, or somewhere in-between, fewer consumers are using their computers to make their way through their holiday gift lists.


This year, 59 percent of all online sales were made via smartphone or tablet, up from 52 percent in 2017. In terms of amount spent, Black Friday marked the first day in history to see more than $2 billion in sales come through smartphones, marking a major milestone in the mobile revolution.

Basket Sizes RiseWith a Side of Bah Humbug

2018 holiday e-commerce fraudGiven record revenues, it’s not surprising that the average retail basket value was higher than normal – especially on Black Friday and Cyber Monday. Unfortunately, that was also true of fraudulent transactions.

The average basket value of transactions rejected as fraudulent was 2.7 times higher than the value of legitimate transactions—$250 versus $95. This suggests cyberthieves are attempting to exploit high transaction volumes during peak holiday shopping periods to hide fraudulent transactions.


‘Tis the Season for Sneak Attacks

That same dynamic played out in the key attack vector detected during this big holiday shopping week: automated bot attacks.

One major payments platform saw a high volume of bot attacks using session replay to hijack shoppers’ session IDs, indicating how fraudsters are attempting to capitalize on larger transaction volumes to try and overwhelm organizations with a high level of bot traffic. Session replay is a kind of network attack whereby a hacker intercepts, delays or repeats a data transmission and steals the users’ session ID. Hacker then uses the session ID to impersonate the genuine user and make fraudulent transactions.


These attacks predominantly originated within the U.S. and Vietnam. These bot attacks were most likely designed to test the validity of card numbers before making larger purchases, suggesting the worst is yet to come this holiday season.

Meanwhile, a large retailer experienced 20 million attempted bot-based login attempts beginning Cyber Monday. Here, too, the attacks originated in the U.S. and Vietnam, but also China. Here fraudsters leverage stolen credentials to attempt to penetrate user accounts where payment and identity details are typically stored by consumers.

Reasons for Cheer—and Caution

In all, the holiday shopping season is off to a spectacular start, but challenges still lie ahead in protecting digital commerce at its busiest time of the year. With these insights in mind, online and mobile retailers would do well to remain on high alert for the remainder of the season.


This year sees a total of 32 shopping days between Thanksgiving and Christmas, the highest possible in a calendar year, combined with revenues that are already exceeding expectations. This suggests that the holiday sales fest is just getting started. But with fraudsters out to crash the party, retailers will need to balance unprecedented opportunities—and some serious risks—for the rest of this record-breaking season.

ThreatMetrix, part of LexisNexis Risk Solutions, specializes in online customer authentication and fraud prevention.