Two reports released today by fraud-prevention technology providers show how the coronavirus pandemic is creating new challenges for online retailers trying to distinguish the growing number of legitimate online shoppers from criminals seeking to commit fraud. Both note how the rapid growth of curbside pickup is increasing the likelihood of retailers suffering fraud losses.
The study from Sift emphasizes the dramatic growth in criminals attempting to take over the accounts of good customers since the coronavirus closed down many stores in March. It explains that account takeovers enable criminals to order online and pick up goods outside stores with relatively little risk of being apprehended due to protocols requiring face masks and social distancing.
According to Sift, the percentage of account log-ins that are fraudulent increased more than 378% for its retailer clients that sell physical goods online. While Sift did not disclose the average percentage of attempted account log-ins that are fraudulent, or estimate how much actually occurred, a November 2019 study by Signal Sciences, which specializes in protecting web applications, found that account takeover attempts accounted for 29.8% of attacks on ecommerce sites, making them the largest single kind of attack.
To assume control of accounts, criminals are taking advantage of the hundreds of millions of consumer sign-in credentials that have been exposed in recent years through data breaches and the fact that many shoppers use the same passwords on many websites. A 2019 online survey by Google found that 65% of consumers use the same password on multiple sites.
Between the ready availability of consumer information for sale online and the fact that a password might be reused on many sites, criminals logging into legitimate shoppers’ accounts often have the required user name and password combinations: 1.18% of fraudulent log-in attempts at ecommerce sites are made with the correct credentials, according to NuData Security, a fraud-prevention unit of MasterCard Inc.
Once a bad actor signs into a customer’s account using stolen credentials, he can change the account’s profile information, such as the password or shipping address. He can also change the registered mobile phone number, and then place an order for curbside pickup. Many retailers text shoppers when their order is ready for pickup, so changing the mobile number allows the criminal to get the text and proceed to pick up the goods.
In addition, with store employees typically instructed to keep their distance from customers and many shoppers wearing masks, verifying identity becomes difficult, especially with store employees trying to avoid long lines and probably not instructed to prioritize fraud prevention, says Jeff Sakasegawa, a trust and safety architect at Sift, which offers fraud-protection services for some 34,000 websites.
“Many retailers said, ‘first, let’s get the functionality in place,’ and they didn’t lead with, ‘How do we make sure these transactions are secure?’” he says. “Now, they’re seeing the consequences of these new methods and how fraudsters can find them attractive.”
A 55% increase in fraud attempts related to in-store pickup
The report from Forter, another provider of fraud-prevention services, also highlights the growing risk to retailers from in-store and curbside pickup. According to Forter, there was a 55% increase in attempted fraud for orders placed online for in-store pickup in the first half of 2020 compared with the prior year.
“Fraudsters commonly use the victim’s correct billing and personal details, ask for in-store pickup, and then appear in-store while assuming the identity of said victim,” according to the Forter report.
Forter estimates that total fraud attempts on all kinds of retail ecommerce transactions have increased only about 14% during the coronavirus pandemic. That relatively modest increase could get lost at a time when online sales are soaring. U.S. online retail sales increased 30.1% during the first half of 2020 compared with the same period in 2019, according to the U.S. Commerce Department, as more consumers went online either to avoid in-store shopping or because physical stores were closed.
Forter warns that criminals may be taking over accounts or creating new ones and then biding their time, or “aging” the accounts, knowing that retailers get suspicious when an account holder changes information in his profile and then quickly makes a purchase. “Fraudsters are capitalizing on diverted attention to harvest and age account data now to launch more impactful attacks in the coming months,” the report says.
That could pose additional risks for retailers during the upcoming holiday season when the high volume of transactions generally reduces the likelihood that a retailer will manually review a suspicious order.
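The two patterns described above, a contact-detail change followed by a pickup order and an "aged" change that sits for weeks before the order, can be expressed as a review rule over account events. The sketch below is an added example, not code from Sift, Forter or any retailer; the event format, the field names and the 24-hour window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

SENSITIVE = {"phone", "password", "shipping_address"}

# Constructed sample events, not real data: (account, time, type, detail)
EVENTS = [
    ("acct-1", "2020-07-01T10:00", "login", "new_device"),
    ("acct-1", "2020-07-01T10:02", "profile_change", "phone"),
    ("acct-1", "2020-07-01T10:05", "order", "curbside_pickup"),
    ("acct-2", "2020-05-01T09:00", "profile_change", "phone"),
    ("acct-2", "2020-07-10T18:00", "order", "curbside_pickup"),  # aged change
    ("acct-3", "2020-06-01T12:00", "order", "ship_to_home"),
    ("acct-3", "2020-07-02T12:00", "order", "curbside_pickup"),  # no changes
    ("acct-4", "2020-03-01T08:00", "profile_change", "phone"),
    ("acct-4", "2020-03-05T08:00", "order", "curbside_pickup"),
    ("acct-4", "2020-07-05T08:00", "order", "curbside_pickup"),
]

def review_pickup_orders(events, window=timedelta(hours=24)):
    """Return {(account, time): [reasons]} for pickup orders needing review."""
    last_change = {}       # account -> {field: time of latest change}
    phone_pending = set()  # phone changed, no pickup reviewed since
    flagged = {}
    for account, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if kind == "profile_change" and detail in SENSITIVE:
            last_change.setdefault(account, {})[detail] = when
            if detail == "phone":
                phone_pending.add(account)
        elif kind == "order" and detail.endswith("pickup"):
            # Rule 1: a sensitive field changed shortly before the order.
            reasons = [f"{field}_changed_within_window"
                       for field, t in sorted(last_change.get(account, {}).items())
                       if when - t <= window]
            # Rule 2: waiting out the window does not help, because the first
            # pickup after any phone change is reviewed regardless of age.
            if account in phone_pending and not reasons:
                reasons.append("first_pickup_since_phone_change")
            phone_pending.discard(account)  # assumes review verifies the number
            if reasons:
                flagged[(account, ts)] = reasons
    return flagged

if __name__ == "__main__":
    for key, reasons in review_pickup_orders(EVENTS).items():
        print(key, reasons)
```

A flagged order is a candidate for step-up verification, such as confirming the pickup through the previously registered phone number, rather than an automatic decline.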
The risk from new online shoppers
The Forter report also highlights the risk to retailers from consumers shopping online for the first time. “New customer accounts opened by less experienced users are likely to use weaker passwords, fewer security steps and be more vulnerable to account takeover attacks,” the Forter report says.
Forter says about 30% of traffic to its retailer clients’ websites during the COVID-19 period has been from first-time visitors, versus 5-7% before the pandemic. That poses several risks, the report says. First, retailers are five to seven times more likely to decline transactions from new customers versus shoppers who have purchased before, which means retailers likely are preventing at least some legitimate shoppers from purchasing.
What’s more, the report says, the new customers represent a higher risk of fraud and subsequent chargebacks from honest customers whose credit card numbers are used for fraud. (Chargebacks represent the refunds retailers must make when a cardholder complains that she didn’t make an order that appears on her account or that there was a problem with the product.) Plus, the new accounts from honest shoppers are more likely to be the target of criminal account takeover, Forter says, “as new users are less savvy about safeguarding their personal data.”
Forter says its report on fraud in the first half of 2020 is based on its visibility into $200 billion in ecommerce transactions and the activity of 800 million consumers.