At first glance, recent reports indicating the number of online data breaches fell by 48 percent in 2020 might appear to be welcome news—until you realize that over 37 billion private records were compromised in the process. Even more disturbing? One out of every four businesses faced at least seven separate attempts at security attacks last year, with the number of ransomware intrusions occurring at a 100 percent higher rate compared to 2019.
The pandemic may have resulted in previously unimaginable growth for the eCommerce industry, but online fraud found a safe haven in the rise of digital marketplaces during 2020. FBI statistics revealed some 791,790 cases of digital crime were reported in the US last year alone, a nearly 70 percent increase, with losses totaling in excess of $4.1 billion. But it’s not just the frequency with which online fraud is committed. It’s the level of sophistication. While phishing and other forms of data breaches continue to be a persistent threat, there’s a new breed of fraudsters employing increasingly sophisticated tactics online, resulting in a 48 percent increase in successful digital retail fraud attempts.
Consumer Confidence and Online Retail
Security may always be one of the most critical factors for consumers in shopping online, but there’s a certain disconnect between business and consumer perception towards secure shopping. Fraud detection relies in no small part on recognizing and identifying routine shopping habits from return customers. Yet a recent poll from Experian indicated 95 percent of businesses believe they are accurately identifying their customers, while 55 percent of consumers don’t feel recognized during their online experience.
Online retail has suffered as a result of this lack of confidence, with a recent report from the American Customer Satisfaction Index indicating customer satisfaction with eCommerce businesses has declined by almost 5 percent between April and September of last year. While banks and credit card providers are continuing to scale and refine security protocols largely as a result of consumer reliance on eCommerce, over 4.8 million cases of identity theft and fraud were reported to the Federal Trade Commission in 2020. As digital retail moves forward in 2021, integrating more robust authentication solutions at all stages of the customer experience will prove critical in ensuring both customer privacy and trust in eCommerce.
Account Takeover Attacks and the Pandemic
Phishing may have accounted for almost half a million of the reported cases of digital fraud in the US during 2020, but online shoppers are becoming increasingly vulnerable to more sophisticated forms of account takeover attacks (ATOs) as a result of AI-driven automation. With a 282 percent increase in 2020, ATOs present a particular threat for digital retail due to their imperceptibility. Banks and merchant processors can frequently detect more common identity theft attempts, including an unusually high volume of purchases or inconsistent billing and delivery information. But many ATO attacks consist of minor purchases made through successful credit card skimming intrusions online. While each purchase may be minor, they’re conducted gradually over time in order to avoid detection, with few customers noticing an ATO has actually occurred.
Over 60 percent of all reported ATOs result in attacks on an eCommerce account, and a recent report from digital security analysts Sift estimates an increase of 378 percent in ATOs for digital retailers since the start of the pandemic. But the effects of ATO attacks are cumulative. According to the same report, 28 percent of US consumers would abandon a site or retailer altogether if their personal data was compromised, despite 66 percent of shoppers indicating they aren’t currently utilizing any form of password manager when shopping online.
Credential Stuffing, Automation, ATOs and Identity Fraud
According to a report from the Merchant Risk Council, ATOs were among the top three types of fraud reported by eCommerce businesses in 2019, resulting in a loss of at least $4 billion. But it’s not necessarily high-volume purchasers who are at risk. Identity spoofing and chargeback fraud are two of the most commonplace tactics in ATO strategies, with the vast majority of cases occurring to low-purchase accounts. A recent index report from DataVisor reveals that 80 percent of those accounts have not been logged into for 30 days, while 65 percent have seen no activity for three months.
ATO fraud against low-frequency user accounts has historically been conducted by credential stuffing, where attackers test databases and lists of stolen credentials against multiple accounts to identify matches. But despite the increased reliance on online shopping, many consumers still rely on the same password for multiple sites regardless of its strength. The result has been an increase in automated ATO attacks, particularly among sites which don’t integrate two-factor authentication processes. Online retail saw an estimated 11 percent success rate in ATO attacks resulting from automated high-quality credential stuffing in the second half of 2020 as opposed to only 1.18 percent during the first half.
Surprisingly, one of the latest automated fraud threats isn't the result of ATOs. It’s the result of denial of inventory bots (also known as scalping bots), in which fake accounts established by third-party sellers automatically browse high-demand product pages in order to make mass purchases of items that are then resold at inflated prices. A 2020 report from Javelin estimated that between 40 and 80 percent of both successful and unsuccessful retail login attempts are automated, with 60 and 70 percent of traffic to checkout pages being from malicious bots.
How Online Merchants Can Protect Customers From Online Fraud
Hold and review any unusually high velocity sales from repeat customers.
Review frequent changes in payment methods (particularly suspicious fund transfers), authorizing orders directly from returning customers.
Integrate two-factor authentication services during both login and checkout processes.
Use address verification services (AVS) to scan and review transactions for any inconsistencies.
Enable digital wallet payment options, allowing you to encrypt and tokenize sensitive purchasing data.
Utilize behavioral analytics API tools to collect and monitor customer activity on your site.
Invest in adaptive software designed to recognize malicious bots and monitor unusually high levels of traffic from repeat IP addresses.
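
As an added illustration (not part of the original article, nor any vendor's product), the sketch below runs two of the checks above over constructed login events: one IP address trying many distinct accounts in a short window, and a login to an account dormant for 30 days or more followed by a payment-method change. The event fields, thresholds and sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=30)  # assumption: mirrors the 30-day inactivity figure above
MAX_ACCOUNTS_PER_IP = 3             # assumed threshold: distinct accounts tried from one IP
WINDOW = timedelta(minutes=10)      # assumed sliding window for the per-IP count

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events: (time, ip, account, action, success)
EVENTS = [
    (t("2021-03-01 09:00"), "198.51.100.7", "alice", "login", False),
    (t("2021-03-01 09:01"), "198.51.100.7", "bob", "login", False),
    (t("2021-03-01 09:02"), "198.51.100.7", "carol", "login", False),
    (t("2021-03-01 09:03"), "198.51.100.7", "dave", "login", True),
    (t("2021-03-01 09:05"), "198.51.100.7", "dave", "payment_change", True),
    (t("2021-03-01 10:00"), "203.0.113.20", "erin", "login", True),
    (t("2021-03-01 10:02"), "203.0.113.20", "erin", "payment_change", True),
]
# Constructed last-activity timestamps recorded before the events above
LAST_SEEN = {"dave": t("2020-12-01 00:00"), "erin": t("2021-02-27 18:00")}

def stuffing_ips(events):
    """IPs that tried more than MAX_ACCOUNTS_PER_IP distinct accounts within WINDOW."""
    by_ip = defaultdict(list)
    for ts, ip, account, action, _ in events:
        if action == "login":
            by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1  # drop attempts that fell out of the window
            if len({a for _, a in attempts[start:end + 1]}) > MAX_ACCOUNTS_PER_IP:
                flagged.add(ip)
    return flagged

def dormant_takeover_candidates(events, last_seen):
    """Dormant accounts whose successful login is followed by a payment-method change."""
    revived, flagged = set(), []
    for ts, _ip, account, action, ok in sorted(events):
        # Unknown accounts default to "just seen", so they are never treated as dormant.
        if action == "login" and ok and ts - last_seen.get(account, ts) >= DORMANT_AFTER:
            revived.add(account)
        elif action == "payment_change" and account in revived:
            flagged.append(account)  # hold for review instead of auto-approving
    return flagged
```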