Everything You Need to Know about Online Fraud

The era of a global pandemic led to more people staying at home. That meant a substantial growth in online business, particularly in banking and retail sectors, along with food delivery, education, streaming services, pharmacy sales, telemedicine and others.

The UN Conference on Trade and Development reported that e-commerce grew to 19 percent of all retail sales globally in 2020, and the US alone added $105 billion in ecommerce, nearing 40 percent growth in Q1 2021.

Online fraud—including cybercrime and scams—has risen in proportion to this growth. And as fraud frequency has grown, so has its sophistication. In Q3 and Q4 of 2020, sophisticated attacks on retailers grew to 76% of all attacks. These types of attacks are slower, but harder to detect because they attempt to mimic human behavior. And as fraud has evolved, businesses report they have been less effective at fighting it.

Source

Source

Source

Fraud will continue to grow in volume and sophistication at or more than the rate of ongoing online business growth. The world’s governments are scrambling to catch up with needed changes to cyber laws to hold those committing fraud accountable, but the best option is to prevent fraud from happening in the first place.

Fraud is deception or misrepresentation, a perversion of truth to convince someone to part with something of value or surrender a legal right. Online fraud encompasses both financial fraud and identity theft on digital channels such as websites or mobile apps. It’s usually carried out by the perpetrator hiding information or providing incorrect information to trick victims out of information, products or money.

Online fraud hurts both businesses and consumers. Businesses lose money and have to pass those costs on to customers, and they also must take precautions to ensure that every potential transaction is legitimate. That can place an unwelcome burden on consumers to prove they are not trying to commit fraud.

Cybercriminals are creative, and there are myriad ways they work to defraud individuals and organizations. When online fraud detection and prevention methods evolve to slow or stop specific schemes they use, they modify their approach to circumvent that detection technique.

The ability of cybercriminals to adapt and adjust when their techniques are exposed and accounted for means that classic online fraud detection solutions struggle to detect telltale signs of fraudulent activity.

The way people go about committing fraud can be broken generally into either manual or automated efforts. Manual attempts involve individuals using the internet to hack into systems or gain access to information they use to impersonate legitimate users. Automated attempts involve programming bots or emulators to speed up and scale up efforts to access and use systems and information.

Bots or automated scripts perform simple, repetitive tasks quickly and at scale. Emulators are programs that mimic mobile devices from desktop computers. They are used separately in most cases but can be used together.

Some of these approaches include:

• Account takeover (ATO) uses existing, legitimate accounts and their stored (or stolen) credit card information and loyalty points. A fraudster gains access to the account, makes purchases, and can use or resell the merchandise, seek refunds or stick a merchant with chargebacks. A form of account takeover fraud, business e-mail compromise (BED), where someone gains illicit access to a business’s email account and makes unauthorized fund transfers, remained the costliest form of fraud in 2020, accounting for $1.8 billion in losses.

Source

• New account fraud or account creation attacks set up new accounts using stolen credit card information to pay, often while abusing coupons, loyalty points and referral programs to make purchases. They then can seek refunds and always leave merchants liable for chargebacks.

Source

• Checkout fraud, or guest checkout fraud, uses stolen credit card information and the “Guest Checkout” option on websites for customers who don’t wish to register for an account. This allows fraudsters to sidestep identity verification checks when using stolen credit card information. They often use bots to automate testing stolen card numbers on a website, then manually use the same card information on different sites (sometimes weeks later) along with discount codes to look like legitimate customers. This is also known as CNP fraud, or “card-not-present” fraud.

Source

There are also non-fraud attacks that are not illegal but are detrimental to online merchants and their customers.

• Checkout abuse is the e-commerce equivalent to ticket scalping, and it is used to do that, among other things. Fraudsters use an automated script to buy a volume of high-end, limited-edition products in minutes or seconds, depleting legitimate merchants’ inventories. Then they resell those items for much higher prices.
  
  
• Inventory hoarding uses bots to put products in shopping carts, skewing inventory data and making products appear to be out of stock. Bots can also redirect customers to competitors’ websites during busy shopping periods like Black Friday and the rest of the holiday season. Bots can wipe out inventory of an item in as little as two seconds, and up to 20 percent of traffic to online shopping carts is from bad bots.

Because fraudsters have become more sophisticated and agile in their responses to efforts to detect and stop their schemes, classic online fraud detection approaches struggle to detect these more complex approaches. At an increasing rate, fraudsters have worked to bypass detection tools through efforts to emulate legitimate customers.

Evaluate activity before, during, and after login to prevent account takeover and new account fraud without adding unnecessary friction. Introducing PingOne Protect.

Online retail, video streaming, social media, entertainment and financial services are among the most targeted industries for fraud via ATO.

Financial institutions and issuers are frequent targets of new account fraud, particularly credit cards, online accounts and loans.

Checkout abuse is carried out against retailers by sneaker bots, ticketing bots and grinch or jingle bots. They often go against a site’s terms and conditions.

Checkout fraud, or guest checkout fraud, also primarily targets retailers. It’s driven by availability of stolen credit card information, which tripled during 2019 to more than 76 million records. Merchants have a big incentive to continue to provide a guest checkout option on their websites because the second-most common reason for shopping cart abandonment is a site requiring a customer to create an account.

With the explosive growth of business being done online, and the accompanying explosion of the types and volume of fraud being attempted, it’s not a question of if, but of when. If you are actively selling products or services over the internet, you already have been or will eventually be the target of cybercriminals attempting fraudulent activity.

As new fraud trends emerge, it’s vital to examine your fraud data to understand and defend against fraudulent behavior patterns.

The best way to understand the scope of ATO, new account fraud and other fraud attacks is to look at each fraudster’s actions on your site. Analyze their movements and behaviors for unusual, non-human trends—everything, including keystrokes, scrolling, mouse movement, how they interact with touch screens, how the device is held and how much pressure they place on the screen.

All this behavioral data enriching the data you already collect means fewer sessions for manual review. 

Use Tools to Reduce Manual Reviews

Fraud detection is largely automatic, with flagged sessions handled by manual reviewers who review the session to determine if there’s fraud afoot or there’s a false positive. This delays orders and slows down workflows, especially if reviewers are looking at myriad sessions. 

Implementing a fraud detection tool gives visibility into behavior patterns that trip alerts. Increasing the confidence in automatic detection means fewer orders flagged for manual review, allowing reviewers to focus on tougher cases.

Monitor Behavior for Earlier Fraud Detection

Fraud is complex. Emerging trends like ATO are more challenging than payment fraud, because when payment fraud occurs, the payer receives a chargeback and doesn’t lose money. More sophisticated fraud requires a deeper understanding of your data. 

Continuous monitoring of behavioral data for entire user sessions allows fraud to be detected earlier. This spots fraud as soon as it occurs, and the data collected helps optimize fraud detection and reduce the number of incidents that are successful or require manual review.

Timely Detection Reduces Incidents and Friction 

Decreasing the time bots have to perform credential stuffing forces fraudsters to manually explore and monetize an account. This reduces the frequency and impact of a fraud attack. Looking into each full user journey enables early detection and the minimizing  fraud incidents across your site.

Meanwhile, accurate, timely detection and fewer false positives reduces friction with real customers and keeps them moving through their journey efficiently. It improves the user experience by dramatically reducing security events like CAPTCHA.

Fraud analysts examine current and historical information related to user, device and IP in context to determine if a given user session or transaction is a risk or legitimate. This allows them to analyze not only transactions but also the behavior that preceded them, shedding light on fraud indicators that were previously ignored.

For example, looking at a user journey within a session, mouse movements, copy-paste usage, autocomplete, etc. together provides insight into a user’s behavior and allows the analyst to identify fraudulent activity with greater accuracy and earlier. Unconscious behaviors like clicks and mouse movements, scrolling, and more look different when a human is doing them compared to a bot or script. Conscious behaviors—navigation, actions and their order, speed, and more—reveal a user’s intent, and those also show pronounced differences between human and bot.

Without data from a fraudster’s full journey, it’s difficult to eliminate false positives. For instance, if a tool only does transaction analysis, by the time a transaction is categorized as fraud, it's too late, the damage is done. There’s a large gap between the initial session, when a user first enters a website or a mobile app, and when the user checks out. That gap gives cybercriminals all the time they need to defraud you.

This lack of insight into what is actually happening during a session is what must be addressed. When you continuously collect dynamic data throughout the user journey, you can identify weaknesses that are being exploited and detect and stop fraud attempts before they do damage.

With data analysis through the entire user journey by way of continuous monitoring, fraudsters' efforts can be flagged well before checkout. It catches them in the act, and exposes patterns manual reviewers can look for when evaluating whether a particular case is fraudulent or not.

Behavioral data analysis opens a window into what fraudulent behavior looks like and provides in-depth insight into how to act on that data to create a safer, more efficient experience for your customers.

How can I avoid negatively affecting the customer experience?

Quite simply, don’t interrupt your customers and don’t treat them like criminals. They are quick to abandon shopping carts or move to a competitor’s website if they encounter intrusive measures to prevent fraud that treat them as a possible threat.

The easier you make it to complete a transaction, the better the chances they will follow through on it and return in the future. Improve the user experience by removing intrusive authentication measures like CAPTCHA or collecting personal identifiable information (PII).

That means that you need to monitor behavior and evaluate the risks that fraud is occurring without actively impeding users. Your ideal fraud prevention solution provides a seamless experience for customers as they shop and keeps fraud detection invisible yet effective.

Features to look for in a solution include: 

• Full data visibility through the entire user journey
  Full data transparency helps you understand why fraudulent behavior is flagged. By collecting behavioral and device data, all the actions that occur during the entire customer journey are at your fingertips.
  
  
• An effective, adaptive integrative tool
  Along with seeing each user’s activity, it’s helpful when your solution adapts to the ever-changing landscape of fraudulent behaviors and patterns effectively and efficiently. When fraudsters apply new methods or adjust existing ones trying to beat or bypass your barriers, your fraud prevention tool should be able to keep up and flag discrepancies.
  
  
• Seamless data collection invisible to the customer
  Collect behavioral data through the entire user journey without disrupting your legitimate customers' experiences through session monitoring.

Solutions like PingOne Protect work invisibly to protect your enterprise without imposing burdens on your customers.

PingOne Protect’s intelligence-based policies combine the results of multiple risk predictors to calculate an overall risk score. The score correlates to policies that determine the type and amount of friction to introduce into the user flow, such as CAPTCHA, password resets, selfie verification, and push notifications. Optimize scores for each predictor, aggregate predictors, add signals from third parties, and create overrides.

Fraud protection is a natural extension of our overall cybersecurity and identity protection efforts. It’s important to know who customers are and when someone is trying to impersonate a customer for nefarious reasons. Just as our platform works to keep our customers’ systems and data secure by detecting and preventing attempts at unauthorized access, we recognize that the best way to protect your organization from fraud is to prevent it from happening in the first place.

Companies undergoing digital transformation need frictionless, yet secure identity solutions. Detecting and preventing fraud is a key addition to our intelligent identity solutions that combat malicious activity by bots, emulators and humans.

There’s no better way to lower your business’s risk of online fraud.

Online fraud is a high-growth enterprise. As attempts to thwart cybercriminals advance, they adapt and get more creative in their attempts to go undetected. They are constantly working to come up with new ways to design and execute attacks. Traditional approaches to fraud detection are not up to the task of detecting today’s sophisticated attacks, but a powerful fraud prevention tool that leverages behavioral and device data can close many of the gaps that other solutions leave open for fraudsters to exploit.

PingOne Protect gives you advanced protection with these included predictors: bot detection, IP velocity, user velocity, geovelocity anomaly, user location anomaly, IP reputation, anonymous network, user risk behavior, user-based risk model, new device detection, suspicious device detection, custom/third-party predictors, and composite predictors.

If you’re concerned about digital fraud and what it can cost your business, learn more about our fraud detection solution and how to reduce the risk of fraud in your enterprise.