Fraud detection is a never-ending learning process for experts and e-commerce merchants. The moment we figure out a fraudster’s attack pattern, we can slow down his fraud attempts ─ until he realizes his approach no longer works. Then he tries something different and often more complex, and the detection-and-prevention cycle turns again. In addition to stopping millions of different fraud patterns in 2016, ClearSale collected and studied those patterns to understand how they’ll evolve. Based on that knowledge, the ClearSale fraud analytics team expects to see more of these types of emerging and growing fraud in 2017.
Some types of ecommerce fraud recur year after year. First, let’s talk about the old standbys. Certain types of e-commerce fraud may always be with us. They’re usually simple patterns that are easy to detect with the right tools. For example, some criminals launch multiple fraud attempts from a geographic area associated with a fraud victim's name, IP address or post office box.
Reoccurring usernames, like a series of random first names finishing with the same numbers (email@example.com,firstname.lastname@example.org) are also strong indicators of fraud. Harder-to-detect but perennially popular fraud patterns exploit websites’ blind spots. For example, if a merchant’s checkout process doesn’t require a CVV validation number for card purchases, fraudsters will eventually find it and flock to it with a list of stolen card numbers for which they don’t have CVV codes.
In 2017, watch for these types of online retail fraud. Most fraud is much more complex than those basic types. Based on our analysis of 2016 trends, we expect more of these newer fraud patterns in the year ahead:
Even more fraudulent bot transactions. Over the past year, there’s been a dramatic rise in fraudsters’ use of tools that randomly generate credit card numbers. They test those, along with randomly generated CVVs, at under protected merchant sites to find effective card-number-and-CVV combinations. They can also test randomly generated CVVs against known valid credit card numbers they’ve purchased on the dark web.
As soon as they find card and CVV matches that work, these criminals can commit fraud at speed, using bots to place multiple orders at once. Fraudsters also use bots to place many orders in sequence with computer-generated e-mail addresses. Sometimes they use the same random e-mail address for several orders with different credit cards. A decade ago, automated fraud at this scale and velocity was impossible to achieve; today it’s business as usual.
Online fraudsters exploit in-store pickup. Omnichannel retailers and customers like the convenience of online ordering with in-store pickup, but it’s convenient for fraudsters, too. That’s because fraud screenings of online orders rely on checking information like the customer’s shipping address. If that address doesn’t need to be correct for customers to get their merchandise, a thief can enter information that doesn’t match the card, complete the order, and pick up the merchandise before the fraud is discovered. There are simple ways retailers can modify the pick-up process to make it more secure without discouraging real customers, but not all retailers are using them yet.
Same-day shipping helps fraudsters beat the clock. Eighty percent of shoppers want same-day shipping from retailers, and fraudsters want it, too. Faster shipping means more successful fraud, because — as with in-store pickup — criminals can get their hands on the merchandise before their fraud is detected. Once a fraudster finds same-day shipping success with a particular retailer, he can target them repeatedly until they tighten their screening to block him.
The post-EMV online fraud wave hasn’t crested yet. Like every other country that’s switched to EMV (chip) cards for in-store purchases, the US has seen a dramatic rise in online fraud as criminals move from point-of-sale fraud to easier targets. Experts warned about this expected rise since well before the EMV liability shift in October 2015, and fraud attacks have increased as predicted. However, as of this writing, only 29% of US retailers accept chip cards at their point-of-sale terminals. As more retailers convert their POS terminals in 2017 to comply with card company rules, expect even more fraud in the online space.
In the end, there will always be countermeasures retailers can use against fraud patterns, no matter how new or old those patterns are. The most successful online retailers in 2017 will deploy countermeasures that reduce traditional online fraud and new fraud trends without turning away good customers.