Clearsale Blog | Insights on Ecommerce and fraud

Beware of These 5 E-Commerce CNP Fraud Trends

Written by Rafael Lourenco | Mar 27, 2019
TL;DR

Card-not-present (CNP) fraud is growing roughly 14 percent per year as fraudsters get more sophisticated with stolen data. Five trends to watch are company and executive impersonation through business email compromise, mobile botnet attacks, rising cross-border order rejections, more data breaches feeding more fraud, and costly GDPR consequences for data loss. Because no single tool stops every scheme, merchants that deploy multiple layers of fraud protection are the most successful at detecting and stopping CNP fraud.

E-commerce is booming, but so is card-not-present (CNP) fraud. In fact, CNP fraud is growing at 14 percent per year because fraudsters have become more sophisticated about leveraging all the stolen data that’s out there. While this isn’t great news for online merchants, knowledge is power.

Here are five fraud trends every e-commerce seller needs to focus on in 2019, along with suggestions on how to fight them.

Fraudsters Impersonate Companies and Executives

One of the fastest-growing types of fraud against all kinds of organizations is business email compromise (BEC). BEC can target a retailer’s customers by sending an email impersonating customer service and asking for account credentials — a common type of phishing that leads to account takeover fraud. BEC can also do major damage when scammers pose as company executives and then email “urgent” wire transfer or invoice payment requests to other people within the company.

Some BEC scammers even time their messages to reach victims when they’re likely to be checking email on their smartphones. That way the victim sees a sender name they trust but not the unusual sender domain name that would tip them off to the scam. To protect against BEC, e-commerce merchants need tools to authenticate sender identity and prevent domain spoofing. They should also train employees to use extra diligence with “urgent” emails.

Related story: Questions Every Merchant Should Ask Before Using Their E-Commerce Platform's Fraud Protection

Bad Bots Go Mobile

Fraudsters are deploying botnets in many ways to get around fraud controls. One method is to rent “armies” of infected devices to mask the origin of their attacks on merchants, banks and other organizations online. This approach also allows for large-scale attacks. While most of the coordinated botnet attacks reported in last year's second quarter targeted social media, online gaming and e-commerce were also frequent targets.

Fraudsters are also increasingly using smartphones for botnet attacks. A 2018 report found that one in 17 mobile devices across half a dozen major carrier networks was being used for bot traffic. These mobile bots accounted for 8 percent of malicious botnet activity. Analysts say the way mobile devices use IP addresses (many devices on one IP, frequent IP changes) make it difficult to screen out bots without blocking a lot of good traffic, too. If your store doesn’t already use channel-specific fraud prevention for mobile and desktop, now is the time to begin.

More Cross-Border Orders, More Rejections

Fifty-four percent of e-commerce was cross-border in Q2 2018, but international orders were 69 percent more likely to be rejected than domestic orders. While there are some additional risks with cross-border orders, such as higher rates of device and identity spoofing, many of those rejected orders were probably false declines based on assumptions about the risks from particular countries.

This is an expensive mistake to make. The global value of cross-border e-commerce is projected to reach more than $1.2 billion by 2020. Merchants that don’t want to miss out on cross-border opportunities should make 2019 the year to take a look at their rules for evaluating risk to reflect the real risks, rather than simply blocking orders from entire countries or regions.

More Data Breaches, More Fraud

As criminals discover new ways to exploit consumer data for CNP fraud and other types of fraud, the market for stolen data is growing. Juniper Research projects that the number of records stolen in data breaches will increase 22.5 percent per year through 2023, compromising some 146 billion records in all. Worse, not all those breaches will be detected and reported, although Juniper expects reporting rates to close in on 90 percent during the same period.

With every breach, of course, criminals have more material to commit CNP fraud, take over consumer accounts, synthesize new identities for fraud, and impersonate real people (usually corporate executives) to commit identity-deception fraud. That means it’s the responsibility of every merchant to protect their data from theft by encrypting data, storing it securely, and maintaining up-to-date versions and patches on all software and operating systems.

Costly GDPR Consequences for Data Loss

The European Union's GDPR may start having an impact on the way companies obtain data, store it, and disclose breaches when they’re discovered. That’s not only because the sweeping law, which took effect in 2018, covers all businesses that have customers in the EU. It’s also because this may be the year we see high-profile companies pay the consequences for a lack of security or due diligence. For example, Marriott may be liable for fines up to 4 percent of its yearly worldwide revenue in the wake of the Starwood data breach, which compromised half a billion guest records. The message is clear: Any company that operates in the EU and has access to customer data must step up its security and breach-detection practices.

All these trends show that e-commerce merchants must keep up with the latest threats and best practices in fraud protection. That means recognizing that no single fraud prevention tool can be effective against the large number of rapidly evolving schemes that criminals use. E-commerce businesses that deploy multiple layers of fraud protection will be the most successful at detecting and stopping CNP fraud threats in 2019 and beyond.

Rafael Lourenco is executive vice president at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen.

Original article at TotalRetail.

Frequently Asked Questions

How fast is CNP fraud growing?

Card-not-present fraud is growing at about 14 percent per year. The increase is driven by fraudsters becoming more sophisticated at leveraging the large volume of stolen data available.

What is business email compromise (BEC)?

BEC is one of the fastest-growing fraud types. Scammers impersonate customer service to phish account credentials, or pose as company executives sending urgent wire transfer or invoice payment requests, often timed for when victims are checking email on smartphones and less likely to notice an odd sender domain.

Are botnet attacks moving to mobile?

Yes. A 2018 report found one in 17 mobile devices across several major carrier networks was used for bot traffic, accounting for 8 percent of malicious botnet activity. The way mobile devices share and change IP addresses makes bots hard to screen without blocking good traffic.

Why are cross-border orders rejected more often?

Fifty-four percent of e-commerce was cross-border in Q2 2018, yet international orders were 69 percent more likely to be rejected than domestic ones. Many of those rejections were false declines based on assumptions about a country's risk rather than the real risk of the order.

How do data breaches fuel CNP fraud?

Juniper Research projected the number of records stolen in breaches would rise 22.5 percent per year through 2023, reaching about 146 billion records. Every breach gives criminals more material to commit CNP fraud, take over accounts, synthesize identities, and impersonate real people.

What does GDPR mean for data loss?

GDPR covers any business with customers in the EU and can impose large fines for security failures. The article notes Marriott could face fines up to 4 percent of yearly worldwide revenue over the Starwood breach, so companies handling EU customer data must strengthen security and breach detection.