In the new ecommerce fraud landscape, every vertical is now at risk

Fraudsters have known for years that small merchants can make easier targets than big-name online retailers with better security. Now they’re finding that virtually any vertical can be a worthwhile target, not just the high-profile niches like electronics and designer goods. The reason? Thanks to data breaches, there’s a glut of low-priced consumer data, including payment data and account credentials, for sale on the dark web. For example, a stolen credit card number with the CVV goes for as little as $5 now, while a card number plus bank information costs about $15. As the cost barriers to fraud fall, fraudsters are expanding into new areas—like hailing rides and ordering dinner with stolen data.

New risks for previously “safe” verticals

It’s no longer safe or wise to assume that fraudsters will pass you by if you sell inexpensive items or everyday necessities. The risks for nontraditional fraud targets, like ride share providers and food delivery services, are magnified by the fact that they typically have lower margins than, for example, luxury goods and apparel retailers. This means that even small fraud losses have a big impact, especially when chargeback fees are factored in.

Not only can transportation, food, and other “low-risk” merchants lose money to thieves using stolen card data and hijacked accounts, they can be hurt by CNP fraud in other ways. Card-testing fraud, committed by humans or botnets, can cause small losses along with costly chargebacks as thieves try to match card numbers with other data like CVV numbers and billing zip codes. Card testing increased by 200 percent in the first third of 2017 compared to the same period in 2016, and it targets verticals you might not expect.

For example, it’s hard to imagine charities as targets for CNP fraud, but thieves have learned that making online donations can be an easy way to test card data before they move on to bigger, more lucrative fraudulent purchases. Card-testing can affect charities’ cash flow, skew budget planning, and raise their expenses as chargeback fees add up. Small retailers and B2B sellers are frequent targets for card-testing, too, because they often don’t have controls to limit the number of data-entry attempts a customer can make during checkout.

The bottom line is that any merchant who takes card payments can and should expect fraud attempts. The LexisNexis 2017 True Cost of Fraud Survey found that “regardless of industry segment,” businesses that sell online face more fraud attempts, on average, than businesses that do not sell through digital channels.

Traditionally risk-prone verticals still face fraud threats

This increase in fraud in “low risk” verticals doesn’t mean that fraudsters have turned away from higher risk, higher reward targets. Travel, jewelry, luxury goods, apparel, beauty, electronics and health and wellness are still frequent fraud targets, because thieves want to avoid spending their own money on big-ticket items or because they want merchandise for black-market resale. Worldwide, ecommerce fraud losses reach as much as $40 billion each year, largely due to fraud against these higher-profile verticals.

Rather than a shift in targets, what we’re seeing now is an expansion of the fraud playing field thanks to the law of supply and demand. Stolen data and credentials are so cheap now that there’s little economic incentive to reserve them for major scams. E-commerce fraud is now, unfortunately, an affordable everyday habit for criminals.

Now’s the time to step up security

The trend toward more widespread CNP fraud is bad news for businesses of all kinds. The good news is that the best practices that protect businesses in higher risk verticals can also help businesses who find themselves newly at risk. No matter what vertical your e-commerce business occupies, your fraud prevention program should include:

• Limits on the number of times a customer can try to enter correct data into your online checkout form.
• Consideration of the order itself, such as the order value and shipping method requested.
• Validation of customer data using continuously updated two-way datasets.
• IP, geolocation, device, historical, and behavioral validation.
• Manual screening of suspect orders to identify fraud and avoid false declines that can cause your business to lose customers.
• Real-time scalability to reduce vulnerability during seasonal sales peaks and botnet attacks.

If you’re wondering whether a low-risk business really needs to develop this sort of multi-layered approach, consider the main lesson of CNP fraud history: Fraudsters go where it’s easiest to commit fraud. In the same way that the EMV liability shift for point-of-sale transactions pushed thieves to shift their attention to CNP fraud, and in the same way that fraudsters often target smaller merchants because they know their defenses are weaker than enterprise-level retailers, criminals will continue to exploit vulnerable businesses in low-risk verticals because they can. As those businesses tighten their fraud controls, the merchants who haven’t taken protective steps could see even more fraud. The cost of committing CNP fraud is now so low that the cost of going unprotected is simply too high, in any vertical.