Everything You Need to Know About Online Fraud

Feb 1, 2024
Maya Ogranovitch Scott
Senior Product & Solutions Marketing Manager

The era of a global pandemic led to more people staying at home. That meant a substantial growth in online business, particularly in banking and retail sectors, along with food delivery, education, streaming services, pharmacy sales, telemedicine and others.

 

Identity fraud is a growing problem for organizations today, with losses due to identity theft totaling over $635 billion in 2023 and account takeover attacks up 354% year-over-year [1]. Account fraud is getting more brazen as attempted fraud transactions reportedly increased 92% and attempted fraud amounts have jumped by 146% [2]. Fraud will continue to grow in volume and sophistication as more organizations – and individuals – choose online channels to conduct business. The world’s governments are scrambling to catch up with needed changes to cyber laws to hold those committing fraud accountable, but the best option is to prevent fraud from happening in the first place.

What is Online Fraud?

Fraud is deception or misrepresentation, a perversion of truth to convince someone to part with something of value or surrender a legal right. Online fraud encompasses both financial fraud and identity theft on digital channels such as websites or mobile apps. It’s usually carried out by the perpetrator hiding information or providing incorrect information to trick victims out of information, products or money.

 

Online fraud hurts both businesses and consumers. Businesses lose money and have to pass those costs on to customers, and they also must take precautions to ensure that every potential transaction is legitimate. That can place an unwelcome burden on consumers to prove they are not trying to commit fraud.

What are Your Chances of Being an Online Fraud Victim?

With the explosive growth of online business, and the accompanying explosion of the types and volume of fraud being attempted, it’s not a question of if, but of when. If you are actively selling products or services over the internet, you already have been or will eventually be the target of cybercriminals attempting fraudulent activity.

 

The Impact of Fraud on Businesses

 

$10.3 billion lost by U.S. businesses and consumers to online fraud in 2022 [3]

Every $1 lost to fraud costs financial services firms $4.23, and every $1 lost to fraud costs merchants $3.75 [4]

92% increase in attempted fraud transactions YoY [5]

What are the Different Types of Online Fraud?

Cybercriminals are creative, and there are myriad ways they work to defraud individuals and organizations. When online fraud detection and prevention methods evolve to slow or stop specific schemes, fraudsters modify their approach to circumvent that detection technique.

 

The ability of cybercriminals to adapt and adjust when their techniques are exposed and accounted for means that classic online fraud detection solutions can struggle to detect fraudulent activity.

 

The way people go about committing fraud can be broken generally into either manual or automated efforts. Manual attempts involve individuals using the internet to hack into systems or gain access to information they use to impersonate legitimate users. Automated attempts involve programming bots or emulators to speed up and scale up efforts to access and use systems and information.

 

Bots or automated scripts perform simple, repetitive tasks quickly and at scale. Emulators are programs that mimic mobile devices from desktop computers. They are used separately in most cases but can be used together.

 

Some of these approaches include:

 

Account Takeover Fraud (ATO)

Account takeover (ATO) uses existing, legitimate accounts and their stored (or stolen) credit card information and loyalty points. A fraudster gains access to the account, makes purchases, and can use or resell the merchandise, seek refunds or stick a merchant with chargebacks. A form of account takeover fraud, business e-mail compromise (BEC), where someone gains illicit access to a business’s email account and makes unauthorized fund transfers, remained the costliest form of fraud in 2023, with losses due to identity theft totaling over $635 billion and account takeover attacks up 354% year-over-year [6].

 

26% of companies are targeted by weekly ATO attempts [7]

 

New Account Fraud

New account fraud or account creation attacks set up new accounts using stolen credit card information to pay, often while abusing coupons, loyalty points and referral programs to make purchases. They then can seek refunds and always leave merchants liable for chargebacks.

 

Losses to new account fraud totaled $3.2 billion in 2022 [8]

 

Checkout Fraud

Checkout fraud, or guest checkout fraud, uses stolen credit card information and the “Guest Checkout” option on websites for customers who don’t wish to register for an account. This allows fraudsters to sidestep identity verification checks when using stolen credit card information. They often use bots to automate testing stolen card numbers on a website, then manually use the same card information on different sites (sometimes weeks later) along with discount codes to look like legitimate customers. This is also known as CNP fraud, or “card-not-present” fraud.

 

Merchant losses due to payment fraud are expected to reach $362 billion between 2023 and 2028 [9]

 

Authorized Push Payment (APP) Fraud

Authorized push payment (APP) fraud is based on imposter scams where fraudsters trick victims into sending them cash payments. APP fraud often relies on mobile applications like Venmo or Zelle to transfer money directly from a victim’s account to a fraudster's account. Since transactions with applications like Venmo are treated like cash, they are nearly impossible to reverse. One of the most common APP scams is pretending to sell a fake product, while offering a deep discount for using Venmo or Zelle to pay.

 

By 2027, APP fraud is predicted to exceed $3.03 billion in the US, $1.5 billion in Australia, and $934.7 million in the UK [10].

 

Other Common Challenges

 

There are also other types of attacks that can harm organizations doing business online. They aren’t as straightforward as fraudulent transactions, but all are ultimately detrimental and can lead to financial loss, reputational damage, and other problems.

 

Checkout Abuse

Checkout abuse is the ecommerce equivalent of ticket scalping, and it is used for exactly that, among other things. Fraudsters use an automated script to buy a volume of high-end, limited-edition products in minutes or seconds, depleting legitimate merchants’ inventories. Then they resell those items for much higher prices.

 

Inventory Hoarding

Inventory hoarding uses bots to put products in shopping carts, skewing inventory data and making products appear to be out of stock. Bots can also redirect customers to competitors’ websites during busy shopping periods like Black Friday and the rest of the holiday season. Bots can wipe out inventory of an item in as little as two seconds, and up to 40 percent of traffic to online shopping carts is from bad bots [11].

 

Loyalty Fraud

Loyalty fraud exploits businesses that offer loyalty programs and reward points. A common scenario is fraudsters employing ATO to steal points, which can have real financial value, particularly in the travel and hospitality industry. To illustrate, a customer might receive an email from a criminal posing as an airline advertising a new promotion. Once the user types their login info to the fake site, the fraudster quickly takes the stolen credentials and uses them to drain the real account of points. While the travel industry has long been a target of loyalty fraud, any business with reward points could be a target. With this fraud, criminals take advantage of the fact that consumers often don’t monitor their loyalty points - sometimes letting crimes go undetected.

 

Promo & Bonus Abuse

Promo and bonus abuse fraud occurs when criminals create multiple fake accounts to take advantage of bonuses and promotions offered to new customers. While this type of fraud is widespread in the online gambling industry, it can occur anywhere that businesses offer financial incentives for new account signups. While simple in nature, promo and bonus abuse fraud can be extremely lucrative when conducted at scale.

 

Because fraudsters have become more sophisticated and agile in their responses to efforts to detect and stop their schemes, classic online fraud detection approaches struggle to detect these more complex approaches. At an increasing rate, fraudsters have worked to bypass detection tools through efforts to emulate legitimate customers.

Where Does Fraud Strike (by Industry)?

Due to the dramatic increase in internet use across the globe, online fraud has grown into a systemic problem in today’s society. Certain industries that store a significant amount of PII, financial information, or both, are very attractive targets for fraudsters.

 

Financial Services

Financial institutions are among the most frequent targets of online fraud. Identity theft can be a particularly powerful tool for fraudsters looking to commit financial scams.

 

  • Account Takeover with banks and credit card companies can happen when fraudsters get a hold of a victim’s personal information. Credentials may be stolen, or a bank employee acting in bad faith may even sell sensitive personal account information to fraudsters. With critical account numbers, criminals can write checks, transfer cash, and drain funds.
  • New Account Fraud in the finance and banking industry is often initiated using a stolen or synthetic ID. With the ability to impersonate victims, fraudsters will brazenly apply for new credit card accounts or even loans from a large number of vendors. Once the new accounts are active, criminals will generate massive debt on anything from retail shopping sprees to new vehicles.
  • Authorized Push Payment Fraud is often linked to social engineering in the financial industry. For example, a victim might receive an email or SMS from a source claiming to be their bank or credit card company. The message is written in an exclamatory tone warning that the user is “late on a payment.” In turn, they urge the person to transfer money immediately with an app like Zelle to avoid penalties for late payments.

 

Retail & Ecommerce

With nearly 20% of all shopping happening online in today’s retail market, ecommerce fraud is a widespread problem.

 

  • Account Takeover fraud in ecommerce happens when fraudsters steal credentials and log into accounts to acquire PII, payment info, or change the shipping address to reroute packages. In other instances, they might take over an account in good standing and make purchases with a stolen credit card. In turn, they leave the legit user “responsible” on paper for using a stolen form of payment.
  • New Account Fraud occurs in ecommerce when criminals create fake accounts and let them “age” to get them into good standing. These shrewd fraudsters are aware that threat policies often attribute lower risk scores to long-standing accounts. When sufficient time has passed, criminals will add stolen banking info or credit cards to the account to make fraudulent purchases.
  • Checkout Abuse regularly happens through the guest checkout option on websites. While businesses offer guest checkout to avoid cart abandonment, it leaves them vulnerable to fraudsters. Armed with stolen credit card data and PII acquired through ATO and/or identity theft, criminals utilize sneaker bots, ticketing bots, and grinch/jingle bots to make purchases. In turn, fraudsters will attempt multiple purchases at the same time from unique IP addresses to overwhelm the system.

 

Healthcare

As the number one attacked industry for cybercrime overall, the healthcare industry is also a prime target for fraudsters. Cyberattacks can wreak havoc on organizations, severely damaging their reputations and life-critical missions.

 

  • Account Takeover often takes place in the healthcare industry when a fraudster uses someone else’s name and health insurance card to receive medical benefits such as prescription drugs and doctor’s visits. While these crimes are perpetrated in person, they begin online when fraudsters overtake accounts on health insurance websites. When a patient’s medical records are tarnished with fraudulent activity, the ramifications are felt by other healthcare stakeholders such as payers and retailers. This problem can persist for years into the future.
  • New Account Fraud in the healthcare industry is tied directly to identity theft. With stolen PII in hand, fraudsters can receive doctor’s visits, as well as expensive surgeries at hospitals in certain circumstances. Again, this type of NAF is commonly traced back to some type of weak point found online – such as poor password management. When criminals steal sensitive patient and insurance data, they can take the information to get medical treatment at new and/or different facilities.

 

Social Media

With an average of nearly 5 billion daily users worldwide, social media sites like Facebook and Instagram are prime breeding grounds for fraudsters.

 

  • Account Takeover with social media can be very problematic since family and friends trust the legitimacy of established accounts. A common scenario is for a fraudster to overtake an account, and then begin posting about newfound wealth or business opportunities. With their curiosity piqued, social media connections might begin inquiring about investment opportunities with the fraudster. With trust established, the fraudster then requests money be transferred to the account of an “investment manager,” who then disappears with the cash.
  • New Account Fraud statistics in the social media space are nothing short of astounding. In fact, Facebook reported having an incredible 450 million fake accounts either established or used in the year 2020 alone [12]. From senior scams to sweepstakes scams, NAF on social media gives fraudsters free rein to conduct all types of shady behavior under the guise of fake identities.
  • Authorized Push Payment Fraud is rampant in the realm of social media. With billions of people connected worldwide through popular social media platforms like X and TikTok, there are near endless opportunities for fraudsters. A common APP scam is to trick a user into donating money to a fake charity directly through a mobile app like Venmo or Zelle. Once the transfer is made, the money's gone and the fraudster disappears.

 

Media & Entertainment

As seen with just about every industry today, the media and entertainment market also has its share of online fraud.

 

  • Account Takeover is very problematic in the online streaming market due to poor password management. It's a common practice for people to use the same password across several streaming sites for the sake of convenience. Once ATO occurs, criminals can then access sensitive data like credit numbers and PII, which opens the doorway to other fraud and malicious behavior.
  • Promo & Bonus Abuse causes major financial woes for online gambling businesses. Since many gaming operations incentivize new account creation with free promos, fraudsters will establish several identities to collect a bonus from each. With enough fake accounts created, a criminal can convert several small frauds into one large profit.

What Can I Do to Lessen the Risk of Online Fraud in my Business?

As new fraud trends emerge, it’s vital to examine your fraud data to understand and defend against fraudulent behavior patterns.

 

The best way to understand the scope of ATO, new account fraud and other fraud attacks is to look at each fraudster’s actions on your site. Analyze their movements and behaviors for unusual, non-human trends—everything, including keystrokes, scrolling, mouse movement, how they interact with touch screens, how the device is held and how much pressure they place on the screen.

 

All this behavioral data enriching the data you already collect means fewer sessions for manual review.

 

Use Tools to Reduce Manual Reviews

Fraud detection is largely automatic, with flagged sessions handled by manual reviewers who review the session to determine if there’s fraud afoot or there’s a false positive. This delays orders and slows down workflows, especially if reviewers are looking at myriad sessions.

 

Implementing a fraud detection tool gives visibility into behavior patterns that trip alerts. Increasing the confidence in automatic detection means fewer orders flagged for manual review, allowing reviewers to focus on tougher cases.

 

Monitor Behavior for Earlier Fraud Detection

Fraud is complex. Emerging trends like ATO are more challenging than payment fraud, because when payment fraud occurs, the payer receives a chargeback and doesn’t lose money. More sophisticated fraud requires a deeper understanding of your data.

 

Continuous monitoring of behavioral data for entire user sessions allows fraud to be detected earlier. This spots fraud as soon as it occurs, and the data collected helps optimize fraud detection and reduce the number of incidents that are successful or require manual review.

 

Timely Detection Reduces Incidents and Friction 

Decreasing the time bots have to perform credential stuffing forces fraudsters to manually explore and monetize an account. This reduces the frequency and impact of a fraud attack. Looking into each full user journey enables early detection and minimizes fraud incidents across your site.

 

Meanwhile, accurate, timely detection and fewer false positives reduce friction with real customers and keep them moving through their journey efficiently. This improves the user experience by dramatically reducing security events like CAPTCHA.

 

Customer Education

Once an organization has built out an effective counter-fraud strategy, one challenge remains: customers are frequently not aware of best practices for creating passwords or securing their accounts. Although 72% of customers are confident their passwords are safe, that same group also admits to only using 3 unique passwords across multiple logins, and 12% use the same password for everything [13]. Organizations can help keep customer accounts safe by educating users and offering the following tips.

 

Cyber Safety Tips for Individuals

  • Keep systems and software up to date and install a strong, reputable anti-virus program.
  • Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.
  • Create a strong and unique passphrase for each online account and change those passphrases regularly.
  • Set up multi-factor authentication on all accounts that allow it.
  • Examine the email address in all correspondence and scrutinize website URLs before responding to a message or visiting a site.
  • Don’t click on anything in unsolicited emails or text messages.
  • Be cautious about the information you share in online profiles and social media accounts. Sharing things like pet names, schools, and family members can give scammers the hints they need to guess your passwords or the answers to your account security questions.
  • Don't send payments to unknown people or organizations that are seeking monetary support and urge immediate action.

How Does Data Collection and Analysis Improve Online Fraud Prevention?

Fraud analysts examine current and historical information related to user, device and IP in context to determine if a given user session or transaction is a risk or legitimate. This allows them to analyze not only transactions but also the behavior that preceded them, shedding light on fraud indicators that were previously ignored.

 

For example, looking at a user journey within a session, mouse movements, copy-paste usage, autocomplete, etc. together provides insight into a user’s behavior and allows the analyst to identify fraudulent activity with greater accuracy and earlier. Unconscious behaviors like clicks and mouse movements, scrolling, and more look different when a human is doing them compared to a bot or script. Conscious behaviors—navigation, actions and their order, speed, and more—reveal a user’s intent, and those also show pronounced differences between human and bot.
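The human-versus-script difference described above can be sketched as a small rule set over one session's events. This is an added example, not code from Ping Identity or PingOne Protect; the event format, the flag names and every threshold are assumptions made for illustration, and both sessions are constructed.

```python
import statistics

# Assumed thresholds for illustration; production systems learn these from labelled traffic.
MIN_KEYS = 5               # need a few keystrokes before judging rhythm
MAX_UNIFORM_CV = 0.10      # coefficient of variation of the gaps between keystrokes
MIN_FORM_TIME_MS = 2000    # first event to submit faster than this is suspicious
FLAGS_FOR_REVIEW = 2       # one weak signal alone is not enough


def session_flags(events):
    """events: time-ordered (timestamp_ms, kind, field); kind is key, pointer, paste or submit."""
    flags = []
    keys = [t for t, kind, _ in events if kind == "key"]
    gaps = [b - a for a, b in zip(keys, keys[1:])]
    if len(keys) >= MIN_KEYS and statistics.mean(gaps) > 0:
        # Human typing rhythm is irregular; scripted input tends to be evenly spaced.
        if statistics.pstdev(gaps) / statistics.mean(gaps) < MAX_UNIFORM_CV:
            flags.append("uniform_keystroke_timing")
    if not any(kind == "pointer" for _, kind, _ in events):
        flags.append("no_pointer_activity")
    # Pasting a password is also what password managers do, so it is only a weak signal.
    if any(kind == "paste" and field == "password" for _, kind, field in events):
        flags.append("credential_pasted")
    submits = [t for t, kind, _ in events if kind == "submit"]
    if submits and submits[0] - events[0][0] < MIN_FORM_TIME_MS:
        flags.append("submit_too_fast")
    return flags


def classify(events):
    """Return ('review' or 'pass', flags); requiring several flags keeps false positives down."""
    flags = session_flags(events)
    return ("review" if len(flags) >= FLAGS_FOR_REVIEW else "pass"), flags


# Constructed session: a person who moves the mouse, types a username, pastes a password.
HUMAN = [(0, "pointer", None), (180, "pointer", None), (420, "pointer", None),
         (900, "key", "username"), (1040, "key", "username"), (1310, "key", "username"),
         (1420, "key", "username"), (1750, "key", "username"), (1980, "key", "username"),
         (3200, "paste", "password"), (3900, "pointer", None), (4300, "submit", None)]

# Constructed session: evenly spaced keystrokes, no pointer events, immediate submit.
SCRIPT = [(0, "key", "username"), (50, "key", "username"), (100, "key", "username"),
          (150, "key", "username"), (200, "key", "username"), (250, "key", "username"),
          (300, "submit", None)]

if __name__ == "__main__":
    for name, session in (("human", HUMAN), ("script", SCRIPT)):
        print(name, classify(session))
```

The constructed human session raises a single weak flag and passes, while the scripted one raises three and goes to review, which is how combining signals keeps legitimate users out of the manual queue.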

Without data from a fraudster’s full journey, it’s difficult to eliminate false positives. For instance, if a tool only does transaction analysis, by the time a transaction is categorized as fraud, it's too late: the damage is done. There’s a large gap between the initial session, when a user first enters a website or a mobile app, and when the user checks out. That gap gives cybercriminals all the time they need to defraud you.

 

This lack of insight into what is actually happening during a session is what must be addressed. When you continuously collect dynamic data throughout the user journey, you can identify weaknesses that are being exploited and detect and stop fraud attempts before they do damage.

 

With data analysis through the entire user journey by way of continuous monitoring, fraudsters' efforts can be flagged well before checkout. It catches them in the act, and exposes patterns manual reviewers can look for when evaluating whether a particular case is fraudulent or not.

 

Behavioral data analysis opens a window into what fraudulent behavior looks like and provides in-depth insight into how to act on that data to create a safer, more efficient experience for your customers.

How Can I Avoid Negatively Affecting the Customer Experience?

Quite simply, don’t interrupt your customers and don’t treat them like criminals. They are quick to abandon shopping carts or move to a competitor’s website if they encounter intrusive measures to prevent fraud that treat them as a possible threat.

 

The easier you make it to complete a transaction, the better the chances they will follow through on it and return in the future. Improve the user experience by removing intrusive authentication measures like CAPTCHA or the collection of personally identifiable information (PII).

 

That means that you need to monitor behavior and evaluate the risks that fraud is occurring without actively impeding users. Your ideal fraud prevention solution provides a seamless experience for customers as they shop and keeps fraud detection invisible yet effective.

 

Features to look for in a solution include: 

 

  • Full data visibility through the entire user journey
    Full data transparency helps you understand why fraudulent behavior is flagged. By collecting behavioral and device data, all the actions that occur during the entire customer journey are at your fingertips.

  • An effective, adaptive integrative tool
    Along with seeing each user’s activity, it’s helpful when your solution adapts to the ever-changing landscape of fraudulent behaviors and patterns effectively and efficiently. When fraudsters apply new methods or adjust existing ones trying to beat or bypass your barriers, your fraud prevention tool should be able to keep up and flag discrepancies.

  • Seamless data collection invisible to the customer
    Collect behavioral data through the entire user journey without disrupting your legitimate customers' experiences through session monitoring.

 

Solutions like PingOne Protect work invisibly to protect your enterprise without imposing burdens on your customers.

How Does Ping Identity Protect against Fraud?

[Figure: How PingOne Protect Works. A flowchart illustrating how risk predictors evaluate many different data points to determine whether to allow a user access or prompt mitigation. The flowchart also shows that there are many allow options, including "Remember me" selection, updated terms of service prompt, and send email correspondence, as well as many mitigate options, including display QR code, prompt password reset, and identity verification, in addition to just MFA.]

 

PingOne Protect’s intelligence-based policies combine the results of multiple risk predictors to calculate an overall risk score. The score correlates to policies that determine the type and amount of friction to introduce into the user flow, such as CAPTCHA, password resets, selfie verification, and push notifications. Optimize scores for each predictor, aggregate predictors, add signals from third parties, and create overrides.

Why did Ping Identity add Fraud Protection to our Identity Security Platform?

Fraud protection is a natural extension of our overall cybersecurity and identity protection efforts. It’s important to know who customers are and when someone is trying to impersonate a customer for nefarious reasons. Just as our platform works to keep our customers’ systems and data secure by detecting and preventing attempts at unauthorized access, we recognize that the best way to protect your organization from fraud is to prevent it from happening in the first place.

 

Companies undergoing digital transformation need frictionless, yet secure identity solutions. Detecting and preventing fraud is a key addition to our intelligent identity solutions that combat malicious activity by bots, emulators and humans.

 

There’s no better way to lower your business’s risk of online fraud.

Protect Your Business From all Types of Online Fraud

Online fraud is a high-growth enterprise. As attempts to thwart cybercriminals advance, they adapt and get more creative in their attempts to go undetected. They are constantly working to come up with new ways to design and execute attacks. Traditional approaches to fraud detection are not up to the task of detecting today’s sophisticated attacks, but a powerful fraud prevention tool that leverages behavioral and device data can close many of the gaps that other solutions leave open for fraudsters to exploit.

 

Multi-factor authentication gives accounts an additional layer of security.
But constant prompts for every transaction can feel like hitting a red light at every intersection.
Plus, with the evolving sophistication of hacks, you can't always trust that MFA only allows legitimate users in.
That's where PingOne Protect comes in.
PingOne Protect leverages network, device, and behavioral signals to detect non-human and high-risk activity.
That way, you can catch account takeover and new account fraud in real time.
Plus, by identifying low-risk, legitimate users, you ensure that they have a secure and delightful experience without being unnecessarily interrupted.
That means fewer abandoned carts for you and less frustration for your customers.
Give your users the convenience they crave with the security they need.
Experience a better experience with PingOne Protect.

 

PingOne Protect gives you advanced protection with these included predictors: bot detection, IP velocity, user velocity, geo velocity anomaly, user location anomaly, IP reputation, anonymous network, user risk behavior, user-based risk model, new device detection, suspicious device detection, custom/third-party predictors, and composite predictors.
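To make the idea of combining predictors into one risk score that selects the amount of friction concrete, here is an added example built around three of the predictor types named above (IP velocity, geo velocity anomaly, new device detection). It is not PingOne Protect's implementation or API; the weights, thresholds, action names and sign-in events are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values and action names, chosen for this illustration only.
IP_WINDOW = timedelta(minutes=10)
IP_USER_LIMIT = 4          # distinct users on one IP inside the window = maximum risk
MAX_SPEED_KMH = 1000.0     # faster travel between two sign-ins is treated as impossible
WEIGHTS = {"ip_velocity": 0.4, "geo_velocity": 0.4, "new_device": 0.2}
POLICY = [(30, "allow"), (70, "mfa_push"), (101, "identity_verification")]

# Constructed sign-in events: time, user, source IP, device id, latitude, longitude.
EVENTS = [
    ("2024-02-01T09:00:00", "alice", "198.51.100.7", "dev-a1", 40.71, -74.00),  # baseline
    ("2024-02-01T09:40:00", "alice", "203.0.113.9", "dev-zz", 51.51, -0.13),    # far away, 40 min later
    ("2024-02-01T10:00:00", "bob", "192.0.2.44", "dev-x1", 1.35, 103.82),       # one IP, many users
    ("2024-02-01T10:00:05", "carol", "192.0.2.44", "dev-x2", 1.35, 103.82),
    ("2024-02-01T10:00:09", "dave", "192.0.2.44", "dev-x3", 1.35, 103.82),
    ("2024-02-01T10:00:12", "alice", "192.0.2.44", "dev-x4", 1.35, 103.82),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class RiskEngine:
    """Keeps per-IP and per-user history and scores each new sign-in from 0 to 100."""

    def __init__(self):
        self.ip_recent = defaultdict(list)   # ip -> [(time, user)] inside the window
        self.last_seen = {}                  # user -> (time, lat, lon)
        self.devices = defaultdict(set)      # user -> device ids seen before

    def evaluate(self, ts, user, ip, device, lat, lon):
        when = datetime.fromisoformat(ts)
        p = {}
        # IP velocity: how many different users signed in from this IP recently.
        recent = [(t, u) for t, u in self.ip_recent[ip] if when - t <= IP_WINDOW]
        recent.append((when, user))
        self.ip_recent[ip] = recent
        users = len({u for _, u in recent})
        p["ip_velocity"] = min(1.0, (users - 1) / (IP_USER_LIMIT - 1))
        # Geo velocity anomaly: implied travel speed since the user's last sign-in.
        p["geo_velocity"] = 0.0
        if user in self.last_seen:
            t0, lat0, lon0 = self.last_seen[user]
            hours = max((when - t0).total_seconds() / 3600, 1 / 3600)
            if haversine_km(lat0, lon0, lat, lon) / hours > MAX_SPEED_KMH:
                p["geo_velocity"] = 1.0
        # New device: only meaningful once the user has some device history.
        known = self.devices[user]
        p["new_device"] = 1.0 if known and device not in known else 0.0
        self.last_seen[user] = (when, lat, lon)
        known.add(device)
        # Weighted aggregate, then the first policy band the score falls into.
        score = round(100 * sum(WEIGHTS[k] * v for k, v in p.items()))
        action = next(a for limit, a in POLICY if score < limit)
        return score, action, p


def run(events):
    """Score events in order and return (user, score, action) for each."""
    engine = RiskEngine()
    return [(e[1],) + engine.evaluate(*e)[:2] for e in events]


if __name__ == "__main__":
    for user, score, action in run(EVENTS):
        print(f"{user:6} score={score:3} -> {action}")
```

Only the last constructed sign-in trips all three predictors at once and reaches the highest friction band; a single predictor on its own either passes or asks for MFA.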

 

If you’re concerned about digital fraud and what it can cost your business, check out our Ultimate Guide to Online Fraud Prevention to see how you can lower the risk of fraud in your enterprise.

 
