The pandemic — and specifically, the lockdowns resulting from it — has spurred criminals to shift their cyber fraud schemes to exploit new avenues of attack.
To that end, the bad guys lie in wait and then, like everyone else, come out of isolation — only in the bad guys’ case, it is to begin attacks in earnest, as Carl Tucker, vice president of managed risk services at CyberSource, a Visa solution, told PYMNTS in an interview.
Fraud and hacking are becoming most prevalent in areas like card attacks, account attacks and — in a nod to the pivot toward eCommerce — delivery attacks.
Drilling down into various attack vectors, said Tucker, we can see various patterns in how fraudsters ply their trade, and where we’ll see spikes on the other side of the pandemic.
“Card testing, a facet of card attacks, is really related to gathering information,” he said. The fraudsters are trying to verify that a stolen credential is valid. And on the account side, Tucker said there has been an acceleration in phishing scams.
“We are seeing fraudsters building out what we call ‘dormant’ accounts,” Tucker told PYMNTS.
As he explained, criminals will set up customer accounts and let those accounts establish relationships with a merchant, who then can be lulled into thinking they are dealing with a longtime customer who is worthy of a higher degree of trust and perhaps more relaxed fraud strategies.
The waves of new account creation are thus a concern, maintained Tucker, and weeding out “good” accounts from those set up with bad intentions can be a challenge. Account takeovers have also become increasingly common as merchants try to streamline the customer experience with card-on-file models, he noted.
And then there are “delivery attacks” — specific to the age of the coronavirus — which Tucker said have taken root as buy online, pick up in-store (BOPIS, at curbside) offerings have accelerated dramatically as merchants try to accommodate social distancing.
That fraud can be observed in “hotspot” states and cities that have yet to fully reopen.
The last leg of a BOPIS/curbside transaction can be a point of vulnerability. “We’re seeing increased fraud, where checking information against who purchased it is not always consistent,” said Tucker.
Fraud As A Business
The emergence of these new attacks, and the new variations on existing themes, spotlights the fact that fraud regimes are sophisticated and organized.
But, Tucker cautioned, the pandemic has also made room for “startup fraudsters” who are relatively new to the game, who have time on their hands and are looking to make money quickly and easily.
As to where the fraud is headed, Tucker said there’s been a “strain on inventory” for many merchants of physical goods, and verticals such as travel and entertainment have seen extreme pressure.
But those same industries can serve as fertile ground for fraudsters to collect data, test cards and wage bot attacks.
“It’s a good time right now for fraudsters to use resources they normally would use trying to steal products — whether physical or digital — to actually collect data to steal products, but at a later date,” Tucker said. “We all need to be prepared to see an increased level of fraud attempts.”
To mitigate those efforts, and to combat the fraud that is happening now, he said that although anti-fraud systems are critical, advanced technologies are just some of the tools in the arsenal.
“It’s important to note that this [fraud fight] cannot be done with AI [artificial intelligence] or ML [machine learning] alone,” Tucker said — especially when consumers’ buying patterns have been changing so rapidly.
He pointed to the travel industry, where a last-minute purchase of a one-way ticket would have once been flagged as high-risk. But as COVID-19 has shown, many individuals were (and have been) purchasing tickets to return to their home countries or cities before lockdowns and travel restrictions took effect.
Along the way, there has also been a spike in efforts to steal and use eGift cards, which can be converted to cash. There’s even been a rise in fraud rates on corporate cards.
“What’s interesting here is that … there’s not a lot of corporate spend in those areas, so it’s relatively easier to spot fraudulent purchases tied to those cards,” Tucker told PYMNTS.
These kinds of shifts in buying patterns, and cybercriminals’ willingness to try pretty much everything and anything, show the need for a multi-layered fraud-fighting approach, which combines AI and ML with a rules-based strategy. AI and ML alone require an established pattern to assess divergent behaviors that constitute fraud. In a quickly moving world amid COVID-19, the combination of AI/ML and rules-based strategies enables a business to set the context and define parameters based on daily shifts in the global ecosystem.
As Tucker said, “AI/ML is great, but the ‘black box’ alone can be particularly dangerous in these unknown times of COVID-19.”