Digital criminal gangs are expected to ramp up their activities against e-commerce companies over the weekend with Black Friday retail bargains attracting shoppers, a fraud and identity expert said.
There are several different methods of fraud, most of which use stolen card information to commit Card Not Present (CNP) fraud against e-commerce companies.
It results in losses for the merchant or issuing bank, said Pratik Choudhary, manager of fraud and identity strategy at LexisNexis Risk Solutions.
“We expect to see account takeovers resulting in password and delivery information changes. We also expect a rise in synthetic ID fraud attacking industries such as telecommunications and Buy Now Pay Later providers,” Choudhary said.
He explained that fraudsters no longer work independently but operate within efficient networks of highly professional cybercriminals. “Fraud attacks will continue to be targeted and more efficient,” he added.
There are several practices criminals use to steal money. Account Takeover Fraud is when fraudsters use stolen credentials to take over genuine accounts to gather PII (Personally Identifiable Information), Choudhary said. They can then change details such as the delivery address or buy a product using the card-on-file within the account.
He described synthetic IDs as a modern-day Frankenstein’s monster. Fraudsters use data points, such as home addresses and social security numbers, extracting them from multiple people – either dead or alive – to create a new fake identity.
“This fake identity can be leveraged to gain credit or buy a product on contract without the intention of paying back the credit,” he explained. “This is particularly problematic for Buy Now Pay Later providers and the telecommunications industry.”
For example, Choudhary noted cases where synthetic IDs passed fraud checks, resulting in the criminal buying multiple handsets on a 12-month contract. “The fraudster only pays for one month and has no intention of paying back the rest of the contract value,” he revealed. This then leaves the victim with a 12-month contract bill that can often be difficult to break.
Malicious Bot Attacks grew by 38 percent Year-on-Year (YoY) in the first half of 2022. Bot attacks are used to test stolen credentials sold on the dark web.
“These bot attacks are automated and test multiple username/password combinations on a large scale,” Choudhary said. “Often, they target industries with relatively less fraud prevention than the banking industry to gather PII on their victims,” he explained.
“They want to maximize their chances of fraudulently buying products once they have successfully entered the eCommerce business’ ecosystem or have successfully used stolen credit/debit card details,” he said. “Genuine customers will likely spread their spending on multiple companies; however, the fraudster is likely to maximize their nefarious activity once they have successfully accessed card details or accounts,” he concluded.
On LexisNexis’s Digital Identity Network, more than 75 percent of transactions were made by mobile – either in-app or through a mobile browser.
According to Choudhary, what this shows is that mobile is now the standard for consumers across developed and developing countries due to consumer preferences, mass digitization strategies by companies and governments, and lockdowns during COVID-19.
“Our share of attack analysis shows mobile attacks are also on the rise, with desktop attacks decreasing since the first half of 2019,” he said. In the second half of 2021, the breakdown share of attacks per channel was split as such: desktop (40 percent), mobile browser (29 percent) and mobile desktop (31 percent), he added.
Speed of purchase is critical for e-commerce businesses, particularly in high transaction sales events, making trusting the mobile device in near real-time essential for conversion and revenue, Choudhary explained.
“For merchants, this holiday season, multiple elements will be key in stopping bad actors and realizing revenue through good transactions,” he said.
“Contextualization in the digital transactions happening on mobile devices via the power of a global digital network, securing trust tags to a returning customer’s mobile device and knowing the genuine customer’s behavioral biometric interaction with their device are all important.”
According to the 2022 Stay Secure survey conducted by digital payments giant Visa and Dubai’s Department of Economy and Tourism, around one in three online shoppers in the United Arab Emirates still struggle to identify fraud and scams.
The survey’s findings were released in August. Most respondents said they wanted to know more about how their personal information is handled and protected before providing it to an e-commerce website.
“The fact that a third of consumers are still unable to identify a potential fraud reinforces the need for all players in the payments ecosystem to continue to work together to ensure consumers are protected,” Visa’s Head of Risk for Middle East and North Africa Neil Fernandes said in a press statement at the time of the survey’s release.
In addition, around three-quarters of those surveyed stated that they would like to know how security technology works to trust digital payment methods, highlighting the need for payment industry stakeholders to focus on consumer education.
The survey also found that 84 percent of consumers said the security of payment facilities offered on a merchant website was the top reason they would opt to pay online instead of Cash on Delivery (COD).
Offering advice for ordinary consumers looking to purchase goods online and not become victims of fraudulent behavior, Choudhary emphasized the need to understand how one can get scammed or defrauded.
He suggested that customers should change their passwords regularly, ensuring they have different passwords for e-commerce, streaming sites and bank accounts. He also suggested avoiding public Wi-Fi.
Taking such precautions into account will “ensure you think twice when a scam targets you,” he said.
The pandemic-spurred growth in online shopping created a perfect storm for cybercriminals who found fertile ground for inventing new ways to attack and scam people online.
Earlier this year in July, cybercriminals launched a widescale phishing campaign targeting users in the Middle East where they impersonated over 13 renowned delivery companies and postal operators, a report by UAE-based cybersecurity firm Group-IB found.