Everyone said that fraud would move online in the U.S. post-EMV—and we now have proof that it has. A new report by PYMNTS and Forter shows that the rate of online fraud attacks has jumped by 11 percent since October, and by 215 percent since last year. The Global Fraud Attack Index digs into how and where the attacks are happening, who’s most at risk, what merchants can do to hold fraudsters at bay, and how much those attacks cost merchants.
Not too many eCommerce verticals are more appealing to fraudsters than those that deal in electronics, offering as they do big-ticket items that can easily be resold. But even Laura Park, Director of OWC (who runs the eCommerce website MacSales.com), was surprised at first to learn that fraud attempts on the site experienced a significant bump in Q2 — even though it aligns with the latest industry data regarding the electronics segment.
“We’ve always seen the highest number of fraudulent attempts in our busy season — middle of December, early January,” Park said in a recent conversation with PYMNTS. “So it was really interesting, when we looked at the data, to find that we actually did have a huge bump typically around March into early April.”
Noting that the period tends to see a lower order volume than others (such as the holiday season), Park attributes the peak in fraudulent activity on MacSales.com to the fact that “the percentage of good orders to bad orders is going to be a little bit more off than it would be during our busy season.”
Oh Where, Oh Where Does That (Big) Fraud Come From?
As for where those fraud attempts are coming from, OWC has found that a significant amount originate within the U.S. — and that does not surprise Park, as her experience is that other countries with which her company does business do not generally report the same rates of online fraud that occur domestically.
Those U.S.-based cybercriminals, notes Park, tend to be recognized by multiple attempts.
“You’ll see the same people that we’ve blacklisted from multiple occasions in the past coming back again and again,” she tells PYMNTS. “They’re basically just poking at your system to try to see what works, and as soon as they find a flaw, everybody adjusts and here they come.”
Fighting Back – Hard
In combatting that practice, OWC finds value in keeping an eye on even the smallest of changes in ordering activity. For example, if a large influx of orders in a single day appears to be coming from the U.S. but the IP is pinging to another country, the company will adjust its review so that the behavior gets flagged more often.
OWC has recognized that a lot of the fraud attempts in the space of online electronics sales begin in the form of a small order — with the fraudster testing the system — after which they will attempt a much larger one.
But the problem for a lot of online merchants is that once the “test” order has gone through, their system will then recognize that fraudster as an existing — and therefore legitimate — customer, making the subsequent, more serious theft harder to stop before it occurs.
To avoid that conflict on its site, OWC has implemented into its own system a rule that tracks additional attempts.
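The two checks described above, as an added example that is not OWC's or Forter's code: an order is queued for review when the IP country differs from the country on the order, or when an account's earlier small order is followed by a much larger one, so the "test" order earns no trust. The field names, the thresholds and the assumption that IP geolocation is resolved upstream are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    account: str
    amount: float       # order total in USD
    ship_country: str   # country stated on the order
    ip_country: str     # country the client IP geolocates to (resolved upstream)


# Hypothetical thresholds for illustration; not values from the article.
TEST_ORDER_MAX = 50.0    # an order at or below this counts as "small"
ESCALATION_FACTOR = 10   # later order this many times the small one is an escalation


def review_flags(orders):
    """Return {order_id: [reasons]} for orders that should go to manual review."""
    history = {}  # account -> amounts of that account's earlier orders
    flags = {}
    for o in orders:
        reasons = []
        if o.ip_country != o.ship_country:
            reasons.append("ip_country_mismatch")
        prior = history.setdefault(o.account, [])
        # A previous small order does not make the account trusted:
        # compare the new order against the smallest earlier "test-sized" one.
        small = [a for a in prior if a <= TEST_ORDER_MAX]
        if small and o.amount >= ESCALATION_FACTOR * min(small):
            reasons.append("escalation_after_small_order")
        prior.append(o.amount)
        if reasons:
            flags[o.order_id] = reasons
    return flags


# Constructed sample orders ("ZZ" is a placeholder country code).
SAMPLE = [
    Order("A1", "acct-1", 19.99, "US", "US"),    # small first order
    Order("A2", "acct-2", 120.00, "US", "US"),   # ordinary customer
    Order("A3", "acct-1", 2400.00, "US", "US"),  # large follow-up to A1
    Order("A4", "acct-3", 89.00, "US", "ZZ"),    # IP country differs
    Order("A5", "acct-2", 150.00, "US", "US"),   # ordinary repeat order
]

if __name__ == "__main__":
    for order_id, why in review_flags(SAMPLE).items():
        print(order_id, why)
```

Flagged orders are routed to review rather than rejected outright, which keeps the back-end data on the attempt available for later tuning.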
By Park’s account, the most common fraudulent attempts on MacSales.com fall into two categories: those in which the fraudster will place an order using a legitimate customer’s shipping address and attempt to reroute the item(s) to a different one when in transit, and “friendly fraud” — a situation where the fraudster has so much of a legitimate customer’s information that they will contact his or her bank and attempt to change it.
To address the former scenario, OWC has implemented safeguards with its carriers: If a person attempts to reroute a package in transit, it will automatically be sent back to the company.
Fraud Is Never Friendly
Combatting “friendly fraud” — which Park describes as “utterly terrifying, from a merchant standpoint” — meanwhile, takes a little more work. OWC uses a couple of different tools to monitor a customer’s behavior prior to purchase, with Park noting that while a legitimate customer will typically “shop around, look at different things, check the prices on a few different items before going through,” a fraudster, on the other hand, will “put 50 hard drives in their cart and [immediately] check out.” The latter behavior is usually suspicious.
Of course, as Park says, monitoring it manually “is a little bit of a nightmare,” as the task requires that the merchant essentially have the order flagged already before it can go back and check. In that regard, OWC’s experience with Forter has been of great help, she adds.
OWC’s primary method of confirming legitimate customers was whitelisting IP addresses, a process Park says was “used much more carefully” than the corresponding method of blacklisting them.
“The blacklist,” Park explains, “did not actually prevent the orders from coming through. We let [the fraudsters] in, so that we could see what they were trying to do. And we would just review the order and then cancel it so that we still had that kind of back end data about where they were coming from, what the IP looked like,” and so on.
“The more ‘bad’ orders we saw,” she continues, “the easier it was to identify what we were looking for. Whenever it was time to review [be it quarterly or yearly], that was when we would pore over all that data — determine trends, how they’re changing, the big problems going forward, what we can adjust on our end, et al — to stop more bad ones and let more good ones through.”
Park adds that there was “always a fine line” in doing that procedure manually, “Because you don’t want to stop too many orders, or you’re just annoying your good customers. But you also don’t want to let too many go because those are the ones that are going to hurt when they come back later.”
There’s Gold In The Data
Industry data shows that the prior trend, in which fraud attacks on eCommerce sites declined during Q4 as a result of an increased number of legitimate transactions during the holiday season, has begun to shift: the fraud rate actually rose by 11 percent from Q3 to Q4 of 2015, with the October EMV shift cited as a likely cause. Park tells PYMNTS, however, that OWC itself has not experienced that same trend.
Her belief, in fact, is that the expanding implementation of EMV in the U.S. is not necessarily going to lead to an uptick in attempted online fraud (compared to offline), but rather to fewer instances of major data theft.
Despite the consumer perception of the use of a credit card online as being more dangerous than the use of one in a physical store, Park states plainly: “Working for an eCommerce company, we spend way more time thinking about how we’re going to protect our customers’ data than brick-and-mortar stores do.”
What EMV is really going to protect against, in Park’s estimation, is instances of fraudsters using electronic methods — such as piggybacking on a store’s heating vent electronics, for example — to access card data that is stored on merchant terminals.
If Wishes Were Horses …
Park finds it unfortunate that the current legal procedures prevent her from “spreading the wealth,” as it were, by red-flagging cybercriminals for the benefit of other eCommerce platforms.
“As a merchant, you can only report the fraudulent transactions that go through — and ship and deliver — as theft,” she explains. “You cannot report the attempts.”
“Unless you’re looking at massive amounts of data and not just one customer’s at a time — you can’t really pool that information,” states Park.
She describes it as “frustrating” that “the law is not as ‘on top of it,’ shall we say, as it should be.”
Other than a merchant’s ability to notify a bank that one of its customers’ information has been compromised — a step that OWC itself would often take — or a customer perhaps turning to the FBI’s cybercrime division, Park says that the industry-wide solution for right now otherwise comes down to customers being well-informed and on the lookout for fraud.
“That might not be happening a lot,” admits Park, “but really, the ball’s in their court. It’s the only way to report [fraud] to the proper authorities.”
About the Index
The Global Fraud Attack Index™, a PYMNTS/Forter collaboration, measures how the rate of fraud attempts on U.S. merchant websites changes over time and examines the types, sources and geography of fraud attacks. The report also quantifies the potential cost to merchants of these attempts, if left unchecked, based on attack amounts and how these amounts are trending over time.