Developments in online shopping and e-commerce are being exploited by villainous fraudsters often armed only with a laptop, internet connection and phishing e-mail
The truism that crime doesn’t pay is getting falser by the day. In the pre-digital age, before the era of single-click online payments, the process of fraudulently extracting money from victims was a subtle art honed by experts – and only a handful got away with it.
Famous bank robber Willie Sutton was once asked by a journalist why he targeted banks, his reported response was “because that’s where the money is”. Today the money is in personal data and criminal gangs have developed a host of ways to elicit it.
Online fraud, particularly targeting retailers and their customers, is so prevalent because it’s comparatively easy and safe. Easy because the web provides fertile ground for crime and safe because it’s possible to hide in places the long arm of the law can’t reach.
“Fraudsters of the past had different qualities,” says Nick Mothershaw, an ID and fraud expert at Experian. “They were patient and time-rich, with a particular set of skills and unusual equipment. But the advance of technology and the internet has bred a different kind of perpetrator, needing only a laptop, internet connection and a basic understanding of phishing e-mails.”
Twenty years after consumers began adopting the internet in earnest, the web remains a virtual Wild West. It is constantly updating, evolving and expanding, and every new development is an opportunity to exploit.
Online fraud techniques
The techniques used by fraudsters range from curmudgeonly to spectacularly clever. They pose as bank executives or law enforcement in confidence cons, or they simply buy parcels of financial and personal data on the dark web. They set up fake websites that mimic legitimate ones or they piggyback accounts, gently siphoning money over time.
But it’s not all about data. At the simplest level, opportunists can fib to get free products. They order a delivery, then claim a chargeback pretending the items were lost or stolen on route. Some of those who do this don’t even realise they are stealing, so entrenched is fraud in online channels.
At the other end of the scale, international crime syndicates operate in jurisdictions thousands of miles away from where the crime is perpetrated. They exploit loopholes in cross-border payments and overseas deliveries, knowing that fractured international policing is too weak to catch them.
“The rise of the e-commerce offers up manifold opportunities for fraud as retailers look to diversify and innovate across a multichannel model,” says Andy Herrington, head of cyber professional services for the UK and Ireland at technology company Fujitsu. “Complicating this is the risk of fraud from both the client side and internally.
“Retailers now have complex supply-chain webs whereby goods and transaction may not even pass through their hands. There is also the factor of legitimate sales coming from stolen card details. With this in mind the ‘fraud surface’ is expanding and is currently a growing risk.”
So just how big is the problem? In a word, enormous. High-profile data hacks on Sony’s PlayStation Network, US retailer Target and, in the UK, Kiddicare leaked the personal details of millions of customers. But even these colossal compromises barely scratch the surface.
Vanita Pandey at cyber-crime prevention outfit ThreatMetrix describes the problem as growing exponentially. The company analyses nearly two billion transactions a month from thousands of businesses. Between April and June this year it uncovered 69 million attacks on e-commerce transactions.
That’s in addition to 400 million automated attacks, where an army of zombie computers carry out a pre-programmed synchronised raid. Increasingly these attacks are “low and slow”, according to Ms Pandey, mimicking normal traffic patterns to beat firewalls.
The damage to corporate reputations, consumer confidence and bank balances is getting harder to ignore
“New account creations and account logins are targeted far more than direct payments in the e-commerce space because fraudsters see the creation or takeover of a legitimate account a better long-term prospect than a single-payment transaction,” she says.
“Gaining access to a legitimate account gives the fraudster access to sensitive credentials as well as a saved credit card in many instances. If they are clever, they can use this multiple times before being detected.”
Darren Thomson, chief technology officer at Symantec, says industry statistics reveal the pressure retailers are being put under. Symantec’s own figures show the sector reported 5,823,654 successful data breaches last year alone.
Cost of attack
The cost of these attacks is often absorbed by the victim businesses and is even factored into profit forecasts, such is the seemingly unstoppable march of online fraud. Yet the damage to corporate reputations, consumer confidence and bank balances is getting harder to ignore.
“The highly public attacks and breaches of the last few years rock consumer confidence and cost retailers a huge amount in management, reconciliation and written-off costs,” says Mr Thomson.
Combatting e-commerce fraud is as complex as the frauds themselves. Businesses have to develop protocols that can address crimes across the spectrum, from criminal masterminds to low-profile amateurs working from a laptop in a bedroom.
But their attempts to block the baddies must be balanced with the equally important requirement to offer a friendly customer experience and a quick, simple user experience that doesn’t alienate genuine customers with lots of security procedures.
“The best advice is to work with a payments company that understands e-commerce as well as the specific vertical,” advises Daniel Kornitzer, chief product officer at Paysafe. “They can put a risk programme in place that protects the merchants while avoiding friction for consumers.
“In addition to providing advice and implementing fraud rules, some payment providers have also designed innovative solutions such as indemnifying merchants against losses, which means retailers effectively outsource their risk management.”
Preparation is key. Mr Kornitzer says retailers should ideally construct a plan with their payment processor long before launching their website. The good ones will have their own fraud teams who can tailor advice to the retailer’s business model.
Tristan Liverpool, director of systems engineering at F5 Networks, says businesses need the technological capability to identify unusual behaviour, such as a regular customer’s card being used on a new device.
It’s also possible to detect new accounts opened for the purpose of committing a fraud, he says. Shared databases can cross-reference information on criminal operations, such as flagged delivery addresses and mobile numbers, as well as highlighting inconsistencies in sales transactions.
Retailers without the budget for sophisticated software have to do a bit more legwork, according to Mr Mothershaw at Experian. Although fraud happens in different ways, there are some signals that are universal.
“A few danger signs include orders involving multiples of high value, desirable goods and delivery addresses that are not valid or do not match to the billing address. Also watch for delivery requests for PO boxes and names that don’t match payment records. A further sign is lots of orders from the same device, especially if they are for different individuals,” he says.
Mr Mothershaw suggests implementing a strong and accurate identity-checking process at the start of the customer life cycle when they sign up for the first time. These may put off some shoppers initially, but once customers are validated, they can get an easy ride for follow-up purchases.
“There needs to be a balance between risk prevention and the experience of the person trying to logon. The right technology and data can help retailers identify ‘good’ customers as soon as possible and speed them on their way to what they want,” he says.
Fraud is a fast-changing crime, but for all the criminal innovation in this area, fraudsters cannot mask themselves completely. Retailers that educate themselves, use prevention software and partner with experts can stop themselves becoming the low-hanging fruit criminals so love to pick.