The era of a global pandemic led to more people staying at home. That meant a substantial growth in online business, particularly in banking and retail sectors, along with food delivery, education, streaming services, pharmacy sales, telemedicine and others.
Online fraud—including cybercrime and scams—has risen in proportion to this growth. And as fraud frequency has grown, so has its sophistication. In Q3 and Q4 of 2020, sophisticated attacks on retailers grew to 76% of all attacks. These types of attacks are slower, but harder to detect because they attempt to mimic human behavior. And as fraud has evolved, businesses report they have been less effective at fighting it.
Fraud will continue to grow in volume and sophistication at or above the rate of ongoing online business growth. The world’s governments are scrambling to catch up with needed changes to cyber laws to hold those committing fraud accountable, but the best option is to prevent fraud from happening in the first place.
What is fraud?
Fraud is deception or misrepresentation, a perversion of truth to convince someone to part with something of value or surrender a legal right. Online fraud encompasses both financial fraud and identity theft on digital channels such as websites or mobile apps. It’s usually carried out by the perpetrator hiding information or providing incorrect information to trick victims out of information, products or money.
Online fraud hurts both businesses and consumers. Businesses lose money and have to pass those costs on to customers, and they also must take precautions to ensure that every potential transaction is legitimate. That can place an unwelcome burden on consumers to prove they are not trying to commit fraud.
What are the different types of online fraud?
Cybercriminals are creative, and there are myriad ways they work to defraud individuals and organizations. When fraud detection and prevention methods evolve to slow or stop specific schemes, cybercriminals modify their approach to circumvent the new detection technique.
The ability of cybercriminals to adapt and adjust when their techniques are exposed and accounted for means that classic fraud detection solutions struggle to detect telltale signs of fraudulent activity.
The way people go about committing fraud can be broken generally into either manual or automated efforts. Manual attempts involve individuals using the internet to hack into systems or gain access to information they use to impersonate legitimate users. Automated attempts involve programming bots or emulators to speed up and scale up efforts to access and use systems and information.
Bots or automated scripts perform simple, repetitive tasks quickly and at scale. Emulators are programs that mimic mobile devices from desktop computers. They are used separately in most cases but can be used together.
Some of these approaches include:
Account takeover (ATO) uses existing, legitimate accounts and their stored (or stolen) credit card information and loyalty points. A fraudster gains access to the account, makes purchases, and can use or resell the merchandise, seek refunds or stick a merchant with chargebacks. A form of ATO, business e-mail compromise (BEC), in which someone gains illicit access to a business’s email account and makes unauthorized fund transfers, remained the costliest form of fraud in 2020, accounting for $1.8 billion in losses.
New account fraud or account creation attacks set up new accounts using stolen credit card information to pay, often while abusing coupons, loyalty points and referral programs to make purchases. They then can seek refunds and always leave merchants liable for chargebacks.
Checkout fraud, or guest checkout fraud, uses stolen credit card information and the “Guest Checkout” option on websites for customers who don’t wish to register for an account. This allows fraudsters to sidestep identity verification checks when using stolen credit card information. They often use bots to automate testing stolen card numbers on a website, then manually use the same card information on different sites (sometimes weeks later) along with discount codes to look like legitimate customers. This is also known as CNP fraud, or “card-not-present” fraud.
There are also non-fraud attacks that are not illegal but are detrimental to online merchants and their customers.
Checkout abuse is the e-commerce equivalent of ticket scalping, and it is used for exactly that, among other things. Fraudsters use an automated script to buy a volume of high-end, limited-edition products in minutes or seconds, depleting legitimate merchants’ inventories. Then they resell those items for much higher prices.
Inventory hoarding uses bots to put products in shopping carts, skewing inventory data and making products appear to be out of stock. Bots can also redirect customers to competitors’ websites during busy shopping periods like Black Friday and the rest of the holiday season. Bots can wipe out inventory of an item in as little as two seconds, and up to 20 percent of traffic to online shopping carts is from bad bots.
Because fraudsters have become more sophisticated and agile in their responses to efforts to detect and stop their schemes, classic fraud detection approaches struggle to detect these more complex approaches. At an increasing rate, fraudsters have worked to bypass detection tools through efforts to emulate legitimate customers.
Where does fraud strike (by industry)?
Online retail, video streaming, social media, entertainment and financial services are among the most targeted industries for fraud via ATO.
Financial institutions and issuers are frequent targets of new account fraud, particularly credit cards, online accounts and loans.
Checkout abuse is carried out against retailers by sneaker bots, ticketing bots and grinch or jingle bots. They often go against a site’s terms and conditions.
Checkout fraud, or guest checkout fraud, also primarily targets retailers. It’s driven by availability of stolen credit card information, which tripled during 2019 to more than 76 million records. Merchants have a big incentive to continue to provide a guest checkout option on their websites because the second-most common reason for shopping cart abandonment is a site requiring a customer to create an account.
What are your chances of being an online fraud victim?
With the explosive growth of business being done online, and the accompanying explosion of the types and volume of fraud being attempted, it’s not a question of if, but of when. If you are actively selling products or services over the internet, you already have been or will eventually be the target of cybercriminals attempting fraudulent activity.
What can I do to lessen the risk of online fraud in my business?
As new fraud trends emerge, it’s vital to examine your fraud data to understand and defend against fraudulent behavior patterns.
The best way to understand the scope of ATO, new account fraud and other fraud attacks is to look at each fraudster’s actions on your site. Analyze their movements and behaviors for unusual, non-human trends—everything, including keystrokes, scrolling, mouse movement, how they interact with touch screens, how the device is held and how much pressure they place on the screen.
All this behavioral data enriching the data you already collect means fewer sessions for manual review.
Use Tools to Reduce Manual Reviews
Fraud detection is largely automatic, with flagged sessions handled by manual reviewers who review the session to determine if there’s fraud afoot or there’s a false positive. This delays orders and slows down workflows, especially if reviewers are looking at myriad sessions.
Implementing a fraud detection tool gives visibility into behavior patterns that trip alerts. Increasing the confidence in automatic detection means fewer orders flagged for manual review, allowing reviewers to focus on tougher cases.
Monitor Behavior for Earlier Fraud Detection
Fraud is complex. Emerging trends like ATO are more challenging than payment fraud, because when payment fraud occurs, the payer receives a chargeback and doesn’t lose money. More sophisticated fraud requires a deeper understanding of your data.
Continuous monitoring of behavioral data for entire user sessions allows fraud to be detected earlier. This spots fraud as soon as it occurs, and the data collected helps optimize fraud detection and reduce the number of incidents that are successful or require manual review.
Timely Detection Reduces Incidents and Friction
Decreasing the time bots have to perform credential stuffing forces fraudsters to manually explore and monetize an account. This reduces the frequency and impact of a fraud attack. Looking into each full user journey enables early detection and minimizes fraud incidents across your site.
Meanwhile, accurate, timely detection and fewer false positives reduce friction with real customers and keep them moving through their journey efficiently. This improves the user experience by dramatically reducing security events like CAPTCHA.
How does data collection and analysis improve fraud prevention?
Fraud analysts examine current and historical information related to user, device and IP in context to determine if a given user session or transaction is a risk or legitimate. This allows them to analyze not only transactions but also the behavior that preceded them, shedding light on fraud indicators that were previously ignored.
For example, looking together at the user journey within a session, mouse movements, copy-paste usage, autocomplete and similar signals provides insight into a user’s behavior and allows the analyst to identify fraudulent activity earlier and with greater accuracy. Unconscious behaviors like clicks and mouse movements, scrolling, and more look different when a human is doing them compared to a bot or script. Conscious behaviors—navigation, actions and their order, speed, and more—reveal a user’s intent, and those also show pronounced differences between human and bot.
Without data from a fraudster’s full journey, it’s difficult to eliminate false positives. For instance, if a tool only does transaction analysis, by the time a transaction is categorized as fraud, it's too late: the damage is done. There’s a large gap between the initial session, when a user first enters a website or a mobile app, and when the user checks out. That gap gives cybercriminals all the time they need to defraud you.
This lack of insight into what is actually happening during a session is what must be addressed. When you continuously collect dynamic data throughout the user journey, you can identify weaknesses that are being exploited and detect and stop fraud attempts before they do damage.
With data analysis through the entire user journey by way of continuous monitoring, fraudsters' efforts can be flagged well before checkout. It catches them in the act, and exposes patterns manual reviewers can look for when evaluating whether a particular case is fraudulent or not.
Behavioral data analysis opens a window into what fraudulent behavior looks like and provides in-depth insight into how to act on that data to create a safer, more efficient experience for your customers.
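An added example (not PingOne Fraud's implementation and not code from this article) of scoring a session's behavioral events as they arrive, so a scripted session is flagged before it reaches checkout. The event names, weights and thresholds are illustrative assumptions, and both sessions are constructed samples.

```python
from statistics import mean, pstdev

THRESHOLD = 0.6  # illustrative cut-off (assumption, not a vendor value)

def risk_score(events):
    """Score the events seen so far in one session (0.0 = human-like)."""
    keys = [e["t"] for e in events if e["type"] == "key"]
    gaps = [b - a for a, b in zip(keys, keys[1:])]
    moves = sum(1 for e in events if e["type"] == "mousemove")
    clicks = sum(1 for e in events if e["type"] == "click")
    pastes = sum(1 for e in events if e["type"] == "paste"
                 and e.get("field") in {"password", "card_number"})
    score = 0.0
    # Humans type with an irregular rhythm; scripts emit near-constant gaps.
    if len(gaps) >= 5 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.05:
        score += 0.4
    # Repeated clicks with no pointer travel at all in the session.
    if clicks >= 2 and moves == 0:
        score += 0.3
    # Pasting into secret fields is weak evidence alone (password managers).
    if pastes:
        score += 0.3
    return round(score, 2)

def first_flag(events):
    """Return (index, event type) where the running score first reaches
    THRESHOLD, or None if the session never crosses it."""
    for i in range(1, len(events) + 1):
        if risk_score(events[:i]) >= THRESHOLD:
            return i - 1, events[i - 1]["type"]
    return None

def ev(t, kind, **extra):
    return {"t": t, "type": kind, **extra}

# Constructed sample sessions (timestamps in ms), not real traffic.
BOT = [ev(1000 + 50 * i, "key") for i in range(7)] + [
    ev(1400, "click"), ev(1500, "click"),
    ev(1600, "add_to_cart"), ev(2000, "checkout")]
HUMAN = [ev(900, "mousemove")] + [
    ev(t, "key") for t in (1000, 1180, 1270, 1530, 1640, 1900)] + [
    ev(2100, "paste", field="password"), ev(2400, "mousemove"),
    ev(2500, "click"), ev(4000, "mousemove"), ev(4100, "click"),
    ev(9000, "checkout")]

if __name__ == "__main__":
    print("bot flagged at:", first_flag(BOT))      # before its checkout event
    print("human flagged at:", first_flag(HUMAN))  # paste alone stays below
```

The scripted session crosses the threshold on its second click, two events before checkout, while the human session that pasted a password stays below it and needs no challenge or manual review.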
How can I avoid negatively affecting the customer experience?
Quite simply, don’t interrupt your customers and don’t treat them like criminals. They are quick to abandon shopping carts or move to a competitor’s website if they encounter intrusive measures to prevent fraud that treat them as a possible threat.
The easier you make it to complete a transaction, the better the chances they will follow through on it and return in the future. Improve the user experience by removing intrusive measures such as CAPTCHA challenges or the collection of personally identifiable information (PII).
That means that you need to monitor behavior and evaluate the risks that fraud is occurring without actively impeding users. Your ideal fraud prevention solution provides a seamless experience for customers as they shop and keeps fraud detection invisible yet effective.
Features to look for in a solution include:
Full data visibility through the entire user journey: Full data transparency helps you understand why fraudulent behavior is flagged. By collecting behavioral and device data, all the actions that occur during the entire customer journey are at your fingertips.
An effective, adaptive integrative tool: Along with seeing each user’s activity, it’s helpful when your solution adapts to the ever-changing landscape of fraudulent behaviors and patterns effectively and efficiently. When fraudsters apply new methods or adjust existing ones trying to beat or bypass your barriers, your fraud prevention tool should be able to keep up and flag discrepancies.
Seamless data collection invisible to the customer: Collect behavioral data through the entire user journey without disrupting your legitimate customers' experiences through session monitoring.
Solutions like PingOne Fraud work invisibly to protect your enterprise without imposing burdens on your customers.
How does Ping Identity protect against fraud?
PingOne Fraud detects and prevents online fraud by continuously monitoring individual user sessions as they start, well before they add items to a cart and then check out. Sessions are analyzed using machine learning to evaluate behavioral biometrics, navigation and device attributes to recognize a legitimate consumer from scripts, bots and emulators. The result is detecting and stopping online fraud almost before it starts, rather than waiting until checkout.
Why did Ping Identity add fraud protection to our identity security platform?
Fraud protection is a natural extension of our overall cybersecurity and identity protection efforts. It’s important to know who customers are and when someone is trying to impersonate a customer for nefarious reasons. Just as our platform works to keep our customers’ systems and data secure by detecting and preventing attempts at unauthorized access, we recognize that the best way to protect your organization from fraud is to prevent it from happening in the first place.
Companies undergoing digital transformation need frictionless, yet secure identity solutions. Detecting and preventing fraud is a key addition to our intelligent identity solutions that combat malicious activity by bots, emulators and humans.
There’s no better way to lower your business’s risk of online fraud.
Protect your business from all types of online fraud
Online fraud is a high-growth enterprise. As attempts to thwart cybercriminals advance, they adapt and get more creative in their attempts to go undetected. They are constantly working to come up with new ways to design and execute attacks. Traditional approaches to fraud detection are not up to the task of detecting today’s sophisticated attacks, but a powerful fraud prevention tool that leverages behavioral and device data can close many of the gaps that other solutions leave open for fraudsters to exploit.
PingOne Fraud gives you advanced protection against attacks using sophisticated behavioral analysis that differentiates legitimate customers from manual and automated fraud attempts, without making genuine transactions more difficult for your customers.
If you’re concerned about digital fraud and what it can cost your business, visit our website to learn more about how to reduce the risk of fraud in your enterprise.