Meet Sandra. You know Sandra. Because most of you have a lot in common with her. She is also key to understanding online retail fraud in 2019, and where we're headed in the coming year. Sandra is a millennial who commutes to her job on the other side of the city. She, like many of her colleagues, spends more time than she'd like to admit on the train every day. But these daily commutes don't bother her because that's probably the most productive time of her day.
In the hour it takes to get to work, Sandra uses her phone to listen to a playlist, which is automatically personalized to her tastes while also doing her online food shopping for the week. And lately, she has also been using the time to do some light online window shopping. She's looking for a dress like the one her favorite character wore in the last episode of The Good Place. She finds an almost identical copy within her budget and adds it to her cart, only to be put off by the complicated checkout process. Sounds familiar?
It's Now or Never
Welcome to the world of consumer-driven retail, where immediacy and convenience are all that matter. Most modern consumers are impatient, and like Sandra, they demand ease of use. Modern consumers have come to expect a seamless, hassle-free online retail experience. Consumers who don't get that will look elsewhere quicker than you can say CVV. And this explains a lot about online retail fraud in 2019. Because a huge part of understanding online retail fraud is making sense of what consumers, like Sandra, have come to expect and how the industry has shifted in response.
The retail industry is one of the most dynamic industries and is constantly changing and shifting in response to consumer demand and technological advancements. In 2019, we saw how increasingly the innovation in online retail presents a unique opportunity for fraudsters who have learned to capitalize on the frictionless nature of the online customer journey. A good example of this is loyalty programs.
Retailers offer loyalty programs as a way to attract and reward repeat customers. Generally the standard for customer login is a simple username and password and, unlike bank accounts, customers check their accounts infrequently. This makes loyalty programs particularly appealing to frauders. Considering that the estimated amount of stolen credentials increased by 17% in 2019 to 165 million, fraudsters have both access and opportunity to carry out account takeover attacks before any suspicious activity is flagged.
Last year thousands of Dunkin Donuts Perks reward accounts were compromised in a credential stuffing attack. While credential stuffing is usually the first stage in an account takeover attack, these particular hackers seemed to be more interested in monetizing much earlier and chose to sell the validated account credentials on the dark web. This is likely due to the reduced risk factor of being caught while still earning a positive ROI. What we're seeing is that by prioritizing customer experience, convenience and ease of use, security is being overlooked.
What Trends Shaped Online Retail Fraud in 2019?
In many ways, 2019 was a standout year with a 12% increase in the total dollar amount of all online fraud year-over-year from 2018 to 2019. What we noticed increasingly is that not only did incidences of fraud increase in 2019, but the sophistication and pervasiveness of these attacks is unlike anything we've seen before. Sandra, and the millions of other online shoppers like her, is a prime example of the demand for a seamless and instant online shopping experience. This makes retailers increasingly reluctant to introduce friction into the customer journey. For good reason. Research from Splitit found that over 80% of online consumers will abandon their cart if the checkout process is too complicated. Another survey conducted by Forter found that the average American consumer was more likely to abandon the checkout process if it took longer than half a minute! So what's an online retailer supposed to do?
And that's where the problem comes in. Innovation is all good and well until fraudsters start taking advantage of the vulnerabilities that emerge as a result of the frictionless customer experience. Which is happening with increasing frequency. We're also seeing a shift from many indiscriminate brute force attacks to precise and highly targeted attacks that come with the promise of a big payday for fraudsters. Aaron McPherson, VP of Research Operations at Mercator Advisory Group, said: "Generating a large number of attacks makes it easier for law enforcement to track you. Better to keep a low profile and be more selective." This can also be linked to the fact that fraudsters are becoming more and more skilled and are learning more about how online payments are handled.
"Generating a large number of attacks makes it easier for law enforcement to track you. Better to keep a low profile and be more selective."
Reflecting on 2019 and an Opportunity to Do Better
What makes these trends of 2019 especially significant is that they give us an indication of what's not working. They shine a light on what we all could be doing better to thwart fraudsters' efforts, and in that sense, serve as a guide for combating fraud in the coming year. Because if you consider the trends that dominated online retail fraud in 2019, it becomes clear that we need a fresh approach and a new set of tools if we're going to navigate this ever-evolving threat landscape successfully.
Increasingly what we're seeing is that the siloed and reactive nature of traditional fraud detection solutions is holding us back. Consider the fact that many businesses rely on transaction analysis to approve payment at the checkout using a variety of checks from CVV to AVS to blacklists. Sounds like a foolproof approach, right? Well - the problem is that the data used here is static and fails to account for advanced attack vectors resulting late detection and a plethora of other costs for both merchant and customers. Some merchants may choose to also require a user verification tool at the login or account creation stage by incorporating device fingerprinting and bot detection tools. While this is a step in the right direction, these tools can't keep up with the sophisticated nature of the attacks we're seeing.
But more than anything, what all these solutions have in common is that they ignore what happens during the session. This stage is critical as, in addition to the sophistication in tools used, fraudsters are looking for alternative ways to monetize their tasks. A fraudster can make changes to an account, such as changing the shipping address or email address associated with the account. Alternatively, they can use it as a means to acquire more PII to sell or use in a future attack.
In the case of an account takeover attack, a fraudster always prefers high value accounts. Established accounts with a lifecycle of regular, undisputed transactions have higher ‘reputations’. Unsurprisingly, merchants want to retain these customers and in order to avoid any unnecessary friction, they are unlikely to block a somewhat unusual transaction that may be deemed risky. Accounts on high value websites are also attractive as infrequent, expensive purchases are the norm.
It's 2020 and Time to Meet Fraudsters Where They're At
Most fraud prevention solutions fail because they don't think like a fraudster. They rely on tried-and-trusted ways of doing things, and yet when it comes to online fraud prevention, it's all about being smart and adaptive, about being on the offence instead of the defense. But to stand a chance at effective online retail fraud prevention, it's about leveling up and meeting fraudsters where they are while guaranteeing a seamless customer experience. No small feat!
There are many technologies that are hailed as the answer to online retail fraud. And yet at the rate at which online retail fraud evolves few solutions are comprehensive enough. What we’re seeing is that few technologies get to the heart of the matter. Instead, perhaps it’s time to embrace a layered approach that offers comprehensive protection in real-time across the customer journey. This ensures continuous fraud detection and increases the likelihood that fraudulent activity will be stopped earlier in the customer journey.
We need to understand that just as fraudsters techniques are always evolving, so too must an effective fraud prevention strategy. 2020 is about meeting fraudsters where they're at, and the only way to do that is by embracing technology that works continuously and is invisible. If we have learned anything from online retail fraud in 2019, it's that we need solutions that can detect unknown threats with precision and that focus on the entire customer journey.
We all know that online retail fraud is here to stay. It's not going anywhere, anytime soon. In fact, most online retailers have accepted that at some point, fraudsters will compromise their business. And so retailers give in to overwhelm, and budget for fraud losses. But what if there was another way?
Retailers don't have to accept this status quo. They can choose to fight back. And that starts by implementing effective fraud prevention which is mindful of the customer journey. 2020 is an opportunity for online retailers to level up and understand that the only way to deal with online retail fraud is to be seamless, continuous, and adaptive.
Yes - fraud happens. But it doesn't have to destroy your business.
What are you doing to get smart about online retail fraud and fight back?