What's your fraud score?

Payment fraud is already a billion dollar business, and it’s growing. According to Juniper Research (2018), online sellers will lose $130 Billion to fraud between 2018-2023. Did you know that online payment fraud also costs global businesses 1.8% of their entire revenue on average?

Our 2016 customer survey revealed that only 20% of consumers understand that the retailers are actually the ones who bear the costs of fraud. Often, customers incorrectly believe their bank or card provider will bear these costs. This is another example to show it’s not only about the financial cost - fraud also impacts brand and customer loyalty. Because general consumers aren’t aware of how fraud works, they often blame the online seller and are less likely to buy from their site again.

Card-not-Present fraud, also known as 'Identity Theft' is the most common form of e-commerce fraud, comprising a tremendous 71% of all attacks. Identity fraud is often one of the methods used by cybercriminals, either as the end goal or the precursor to another attack.

When a customer has been defrauded on an online seller’s website, they notify their bank and the seller will receive a chargeback. As well as refunding the cardholder, the seller also has to pay chargeback fees to their payment provider. Chargeback fees can be as high as $50 and are payable even if the chargeback is not upheld. On top of these fees, the card schemes put a limit on the amount of chargebacks an online seller receives before they get even heavier fines for breaking limits.

There are a few different ways fraudsters can get into an account, with different levels of effort and time required. Malware or phishing are the most targeted and sophisticated methods. These both require a lot of effort, so they are more common in takeovers of bank accounts or corporate accounts with a much higher potential payoff. Fraudsters can buy credentials in bulk on the dark web for relatively low cost. Once they have a set of logins to try, they are more likely to use credential stuffing against multiple platforms to find out if any of these logins work on any site.

These are all major risks of a significant account takeover attack. Unfortunately, when a customer's account on a merchant platform has been compromised, even though the source of the breach is often not from the merchant platform itself, the customer may often believes the merchant has poor security. This impacts customer loyalty and retention as well as brand reputation. Mass account takeovers create mass requests for refunds and chargebacks, putting strain on the operational team and causing customers to feel frustrated if they can't get through to customer service quickly.

The same thing that makes account takeover so successful is also what makes it so hard to detect. A fraudster poses as a real customer with a trustworthy purchasing history and no indicators of fraud - making it more difficult for systems to spot abnormal behaviour and prevent the attack. However, an increase in transactions using alternative payment methods is unlikely to be a sign of account takeover - in fact methods such as ApplePay often have two-factor authentication, which makes account takeover less likely.

Social engineering is the art of manipulating people so they give up confidential information. The criminals usually try to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software. Examples of social engineering attacks are: an email from a friend containing a link/download, an email from another trusted source, baiting scenarios (eg. an amazingly great deal on classified sites, auction sites etc) and responding to a question you never had (eg. an email about your computer’s operating system).

Arbitrage is the practice of taking advantage of a price difference between two or more markets, striking a deal that capitalize upon the imbalance. In this case, it could cost the the pizza restaurant $5 to make the pizza, but they collect $6.50 when they sell it through the app.

This network shows multiple customer accounts all connected to the same device at the centre - a clear sign of an account takeover attack. Large networks with few shared devices can often alert investigators to an account takeover, but fraudsters are increasingly using sophisticated methods to disguise their device ID which can make it more difficult to detect.