Buying fraud right off the virtual rack

Report states online attacks continue to rise, especially for retail sites

commence shopping cart

Forter, a fraud prevention company, recently released a report showing that the apparel industry was the most desired by fraudsters and scammers - up 70 percent in attempted attacks 2016. The Fraud Attack Index report examined over 136 million transactions, discovering an almost 80 percent increase in domestic attacks over the last 12 months.  

This report examines the trends in online fraud attacks across industries, comparing the different situations experienced by different industries. Overall, 2016 saw a steady rise in online fraud attack rate, which increased 8.9 percent over the course of the year. 

Luxury goods continue to be highly sought after by fraudsters, with an average fraud rate of $5.91 at risk out of $100 of sales, which is 41 percent higher than electronics. However, during 2016, there was also a 69.9 percent rise in the attacks against apparel websites and goods, as this industry came under attack more than ever before, partially attributed to serial liar-buyer abuse, in addition to traditional stolen-credit card fraud. 

A growing trend in the realm of account takeover (ATO) is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay. In these attacks the fraudster breaks into the victim’s account and uses the details there, including payment details, to make purchases and take actions as if they were the victim. 

“The increased sophistication of the online criminal underworld, where a huge and connected marketplace exists to provide numerous services that make theft easier (and where stolen data can be found easily and cheaply following the massive data breaches of the last few years), means that fraudsters have direct access to the tools and information they need to commit online fraud. This has lowered the barrier to entry for new fraudsters to enter, and enabled experienced fraudsters to increase the scale, sophistication and speed of their attacks,” Forter said. 

The unprecedented data breaches of the last few years have included account and password information. That and the fact that many consumers continue to reuse passwords across multiple accounts have made this form of attack easier to carry out. 

According to the report, another emerging fraud-prone sector is digital goods. This past week Forter saw a person portraying himself as being in western​ Europe buying logo designs for a website that sells "security" services. The person, who turned out to be from eastern Africa, used multiple credit cards from all over the world, which means he is probably getting them through the "services" they're selling on their dodgy site, Forter said.

“This person was also trying to buy small-value services. Fraudsters of this sort are usually using their attacks to run tests to find out which card is still working. This was a clear sign that the card was stolen,” Forter said. “Should they have successfully​ made the purchases, they'd most likely have used these cards to make high-value transactions. Needless to say, we blocked every attempt.”

Then there’s collusion, when a single fraudster (or occasionally, more than one fraudster working together) sets up accounts as buyer and seller to move money around and hide their tracks. Forter was able to track the perpetrator through the use of behavioral analytics, watching his payment patterns. Forter’s proprietary proxy piercing uncovered the location of the perpetrator.

“Every once in a while they try to make a very high-value transaction through one of the many buyer accounts they possess. It's a very sophisticated example of buyer-seller collusion, because indeed most of the traffic in the seller account is legit, that's how their money laundering business works and that's why it's nearly undetectable. We do, in fact, manage to filter the good from the bad and never let the bad transactions go through, but it's a fascinating case,” Forter said.

Freelance services marketplace Fiverr started using Forter in 2015 to handle its fraud prevention. Fiverr said the improvement in chargebacks and user experience has been important. False positives (when a good customer is declined mistakenly) makes for terrible experience.

“Fraudsters are highly creative and are willing to put time into their scams. That sometimes means setting up a website, a legitimate-looking one. Often, it means promoting that website with SEO and advertising,” Forter said.

More findings

Forter’s fraud analysts also found a 131 percent rise in the amount of domestic online fraud attacks via ATO and online payments takeover. Another takeaway was found in the comparison between the degree of attacks in the fourth quarter of 2015 to the rate in the fourth quarter of 2016, which indicated that online attacks have almost doubled for domestic orders.

Verifi, a company that provides fraud prevention for online retailers, said every dollar stolen costs merchants an additional $3.08 in lost time, services or merchandise.

Criminals will often exploit weaknesses in the credit card system, creating additional fraud. Verifi cited the EMV roll-out, which was a great benefit for brick-and-mortar retailers but placed further pressure on card not present (CNP) merchants as criminals turn their attention to committing fraud via online and telephone channels. Countries that have previously implemented EMV have reported increases in CNP fraud while physical point of sale numbers have reduced. According to Aite Group research, CNP fraud is expected to more than double from $2.8 billion to more than $6.3 billion by 2018.

Since mircochip cards make card present much harder for American fraudsters, those forms of fraud have become less prevalent. MasterCard reported as early as January 2016 that it had seen a 27 percent reduction in counterfeit fraud (by dollar volume), as compared to the same period last year

Verifi said merchants need to strike the right balance of fraud coverage without losing legitimate customers and sales. Strong fraud defense strategies work, but they alienate customers when they are too restrictive. Misplaced or overly-rigid fraud measures create “false positives” that require a manual review and creates unnecessary friction at checkout. A customizable platform allows merchants to fine-tune their fraud mitigation according to their market, evolving fraud patterns and in order to maximize sales.

Another best practice from Verifi is reducing chargebacks before they happen with a cardholder dispute resolution network (CDRN). Today it’s possible for a post billing chargeback notification platform to process hundreds of thousands of cases monthly and to enable almost near real-time collaboration for both fraud and non-fraud chargeback disputes. By integrating directly with card issuers and redirecting disputes from the issuer to the merchant for resolution, disputes can be resolved before they escalate and become chargebacks.

Verifi also mentioned that order details during the initial billing inquiry can resolve disputes. A platform to share order details between merchants and issuers on the initial dispute or billing inquiry call can dramatically resolve false fraud claims that lead to unnecessary chargebacks and lost profits.

By providing a deeper level of data, cardholders can better recall or understand their purchases and avoid filing false cases of fraud that result in lost sales. Order details can include:

  • Product/service description
  • Merchant (name, URL, address)
  • Customer/transaction history
  • Device name (“Jane’s X phone”)
  • Unique cardholder information
  • Email address
  • Registration username

What do you think? Head to our Facebook page to leave a comment.


Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)