E-commerce account takeovers increased 347 percent, and shipping fraud jumped 391 percent from 2018 to 2019, a fraud and identity solutions company reported Tuesday.
Fraudsters are gaining access to accounts using credential stuffing, romance scams, social engineering, phishing, or hacking, noted TransUnion, formerly Iovation, in its “Global E-Commerce in 2020” report.
The three-digit rise in account takeovers is connected to the rash of data breaches over the last decade, according to Angie White, a senior manager at TransUnion.
“We’ve gotten to a critical mass,” she told the E-Commerce Times. “Fraudsters are seeing that stolen personal information can be used for account takeovers.”
They’re also realizing that taking over an account gives them more than just access to an e-commerce website.
“Customer accounts are loaded with valuable personal information,” the report notes. “They are a prime target for criminals, who use sophisticated tactics to break in, steal credit cards and make fraudulent purchases from these accounts.”
E-commerce has become the fastest-growing segment for account takeovers, White pointed out.
“It’s above online banking, gambling, and insurance,” she said. “Part of the reason for that is that e-commerce merchants have been so reluctant to drive up friction and cart abandonment that fewer controls have been put in place to stop account takeover.”
Fallout from the COVID-19 pandemic could compound the problem.
Moving large numbers of employees to work from home can create the kind of distraction fraudsters thrive on, observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a managed services and consulting company in Scottsdale, Arizona.
“As workforces transition to working from home, they can lose the protections of centralized security technologies their companies have implemented on their office networks,” he told the E-Commerce Times.
“Security staff that are normally tasked with detecting fraud … can miss attacks due to distraction or from drastic changes in the business that their monitoring is unprepared for,” he explained.
Scarcity created by the virus also could contribute to account takeover.
“There are extreme shortages and purchasing restrictions on many common household and business items — from obvious and widely reported goods such as toilet paper and hand sanitizer, to remote work tools such as laptops and tablets,” noted Josh Bohls, CEO of Inkscreen, a maker of enterprise mobility security solutions in Austin, Texas.
“This leads buyers to look for alternative sources of product, and it opens them to buying brands they would have otherwise ignored, clearing the way for fraudulent websites to promote fake or nonexistent inventory and harvest credit card data,” he told the E-Commerce Times.
“Even Amazon is having trouble validating new sellers and products,” Bohls added.
Shipping fraud is another attack vector attracting Web predators.
“The growth in e-commerce has led to a dramatic increase in shipping fraud, with more fraud rings accessing customer accounts and email accounts to track and redirect in-transit shipments before delivery,” the report notes.
“It makes a lot of sense that you would see corresponding increases in both account takeovers and shipping fraud,” TransUnion’s White said. “The two are pretty closely linked.”
All About Mobile
The mobile sphere is now of prime importance to e-commerce.
“E-commerce today is all about mobile and declining brand loyalty, as consumers want to be able to shop from anywhere, from any retailer of their choosing, globally,” the report explains.
“Research shows that 78 percent of e-commerce transactions come from mobile devices, and global e-commerce is climbing rapidly — in 2019, it was projected to increase by 20.7 percent to $3.5 trillion,” it notes.
However, the brick-and-mortar infrastructure remains critically important to retailers, as the majority of consumers prefer to make purchases in-store, and e-commerce only represents 14 percent of total global retail sales, according to the report.
Meanwhile, all that mobile e-commerce transaction activity has caught the eye of fraudsters. Risky transactions from mobile devices increased year-over-year by 118 percent, the report points out.
Small Screen, Big Attack Vector
While shopping with a mobile phone may be convenient for some consumers, it does pose risks that usually are avoided on a desktop computer.
“Shopping on a mobile device is often faster and easier, but the limited screen real estate leads to less scrutiny of websites, apps, and products,” Inkscreen’s Bohls said.
“I have not seen the research on this, but I feel that mobile shoppers are more prone to tap to buy without the same level of due diligence they might have on a computer,” he remarked.
It’s harder for shoppers to determine if they’re on a legitimate website with a mobile phone, said Chris Hazelton, director of security solutions at Lookout, a provider of mobile phishing solutions in San Francisco.
“Ad networks can point mobile users to legitimate retailers’ websites, but malicious adware can just as easily send buyers to a scam site,” he told the E-Commerce Times.
“The ‘right now’ economy has trained buyers that they can satisfy a need with a couple of clicks,” he continued. “Paired with this immediacy that is often part of mobile commerce, users often overlook key indicators of phishing and malicious websites.”
Keeping Pace With Fraudsters
An organization is only as strong as its weakest link, and the same can be said for fraud in retail, observed Jack Mannino, CEO of nVisium, a Herndon, Virginia-based application security provider.
“As brick-and-mortar shopping became more secure with the adoption of credit cards with the EMV chip, fraudsters began to migrate online,” he told the E-Commerce Times.
That resulted in a rise in card-not-present fraud, but over time, retailers implemented more and more robust fraud detection measures in the desktop online shopping experience, Mannino noted.
“However, mobile devices and mobile shopping have not been afforded the same measures,” he pointed out.
“Some of that has to do with the technology — mobile IP addresses are constantly changing — and some due to the fact that retailers don’t recognize these protections for mobile shopping exist,” Mannino said. “As we see companies start to implement more biometric authentication, we will hopefully see a reduction in mobile e-commerce fraud.”