Criminals increasingly took over consumers’ online accounts, such as an online account with a retailer, or used consumers’ information to open new fraudulent online accounts in 2018.

The number of U.S. consumers who were victims of total fraud fell last year, according to Javelin Strategy & Research’s 2019 Identity Fraud Study released in March. The study surveyed 5,000 U.S. adults representative of the U.S. census demographics distribution.

In 2018, 14.4 million consumers were the victim of fraud, a decrease from 16.7 million in 2017, and 15.44 million in 2016. 14.4 million U.S. consumers is 5.66% of the U.S. population, Javelin estimates. The firm says the cost of fraud in 2018 totaled $14.7 billion, down from $16.8 billion last year.

Javelin attributes part of the decrease in fraud victims to merchants, card networks and financial institutions adopting EMV—or chip-based cards that make point-of-sale transactions more secure.

Online merchants are also adapting to criminal techniques and are better at identifying suspicious shopper activity, says Kyle Marchini, senior analyst, fraud management at Javelin. For example, a common tactic merchants have used in the past is to look for risky attributes of the transaction, such as the billing and shipping addresses not matching. Recently, merchants have gone beyond this to look at more factors to determine if a transaction is fraudulent, such as the risk associated with the email address, phone number and a consumer’s shopping behavior, Marchini says. Merchants are able to do this by sharing information with one another.

“In many cases, this data draws on the experiences of a consortium of businesses, helping to identify whether there has been questionable activity associated with these attributes at other organizations and giving merchants a broader view into the user than they would be able to accomplish on their own,” he says.

advertisement

Plus, many merchants don’t store actual shopper credit and debit card numbers. Instead, those numbers are replaced with randomly generated placeholders that are then decoded and processed by a third party. This is called tokenization. 

“Tokenization initiatives minimize the value of data compromised from ecommerce merchants and the growing sophistication of tools that merchants have to identify suspicious activity prior to purchase makes it more difficult for fraudsters to successfully abuse valid card data,” Marchini says.

In fact, existing card fraud, or fraud using a consumer’s credit card number decreased to 4.40% of the U.S. population in 2018, down from 5.47% in 2017. Card-not-present fraud, which is fraud made via online transactions, telephone or mail, also decreased. About 88% of card-not-present fraud victims said  online transactions were the fraud source, according to the study. Last year, 82% of card-not-present fraud victims said online transactions were the source.

Despite the decrease in existing card fraud, other forms of fraud, such as account takeover and new account fraud, remain at high levels. Account takeover fraud is when a criminal accesses a consumer’s online account, such as an account she has set up with an online retailer. The criminal then uses his information to make himself another user, change the mailing address to ship himself products or other malicious behavior.

advertisement

Online accounts, such as a Prime member account on Amazon.com Inc., were the third-most common type of accounts taken over by criminals in 2018. Of account takeover victims, the most common accounts targeted, along with their respective share of account takeovers, were:

  • Checking or savings account, 30%
  • Major credit card accounts, 27% –
  • Online accounts, 22%
  • Mobile phone accounts, 17%
  • Mobile wallet accounts, 14%
  • Email accounts, 14%
  • Store-branded credit cards, 11%

Consumers may be a victim of fraud in multiple ways, which is why the numbers don’t add up to 100%.

Online account fraud takeover at 22% of account takeover victims in 2018 is an increase over 20% in 2017. Account takeover fraud is increasing because it gives a criminal a way to commit fraud without stealing card data, Marchini says.

“Moreover, since the owner of the account will likely have made prior successful purchases with the merchant, any purchases the fraudster makes are less likely to raise red flags than with a new account set up to use stolen card data,” he says.

Also in 2018, 1.25% of U.S. consumers were a victim of new account fraud, which is when a criminal uses a consumer’s information, such as payment data, to open an account. Store-branded credit cards were the second-most common occurrence of fraudulent new accounts, at 27%. Online accounts, such as with merchants, were the third-most common type at 24% and general purpose credit cards were the leader at 37%.

advertisement

Online security breaches were a common occurrence in 2018, and credit cards were the most common breached piece of data in 2018. Hacking group Magecart made headlines in 2018 for inserting its malicious code in vendor software, such as customer service chatbots, to conduct multiple credit card breach schemes in 2018.

Favorite