Fintech Insights

With best-in-class cybersecurity strategies merchants can beat new fraud trends

John Winstel | Director, Fraud & Risk Product Management | Worldpay from FIS

September 21, 2020

While most of the world was on lockdown due to COVID-19, consumer purchasing behavior changed almost as rapidly as the virus was spreading. With many retailers open only for online orders and curbside pickup, a vast majority of consumers had to switch to online or other digital means to make purchases for basic goods and services.

The change in purchasing behavior is not just a blip in response to the pandemic. A recent FIS survey says 40% of consumers found they are now more likely to shop online in the future than in-store. The payments industry is also seeing a dramatic rise in the use of P2P payment options like Zelle and Venmo which are rapidly becoming the preferred way to move money without actually having to use cash.

Even before COVID-19, fraudsters were creating new methods to defraud merchants, customers and financial institutions. The pandemic has accelerated what they already started. According to a 2019 Juniper Research report, retailers were projected to lose an estimated $130 billion globally in card not present fraud over the next five year, a number that is sure to grow as merchant and consumer response to COVID-19 continues to evolve.

What merchants should be on the lookout for today

The major trends we are seeing in cybersecurity effecting merchants are the same ones impacting all of us as individuals. For example, there has been a huge increase in phishing attacks. Google reports they are stopping 240 Million COVID-19 spam emails and 18 million malicious COVID-19 emails each day. Additionally, “smishing” attacks are on the rise. Smishing is any kind of phishing that involves a SMS text message.

The BOPIS (buy online pickup in store) buying trend or “Mobile Order Ahead” in the restaurant industry, covers the combination of physical and digital experiences. Fraudsters have followed the popularity of BOPIS by using stolen credit cards or stolen account credentials to place an order online, pick up the goods at a store, and then either keep the items or resell them for a profit. Since BOPIS pickups often require minimal proof of purchase, it is easy for fraudsters to get in and out without detection.

EMV technology has proven very effective in reducing card present fraud. In the United States those rates have dropped by 88% since merchants started upgrading their POS terminals. But when it comes to eCommerce fraud, a Mastercard/LexisNexis study reports that overall retail fraud attempts doubled year-over-year and tripled since 2017. Fraud Rings use artificial intelligence (AI) tools and deploy sophisticated bots to test cards and credentials purchased from the dark web.

Account takeover (ATO) is seeing significant growth and is a lucrative market for loyalty points on the dark web and login credentials for accounts loaded with points. These accounts can fetch hundreds of dollars. With the precipitous decline in travel, consumers are less likely to spot suspicious activity in their airline and hotel accounts making them ideal targets for criminals. When a fraudster finds or steals user credentials, they enter the account, change their settings (like email and phone number) and lock out the user. Next, the fraudster essentially takes over the account and purchases from the site.

There has been an uptick in friendly fraud though it’s not typically as malicious as criminal fraud. But it still results in massive losses for businesses from chargebacks and fees, double refunds, the cost of lost goods, and placement in chargeback monitoring programs, friendly fraud can be accidental or intentional. Sometimes a consumer simply doesn’t recognize or remember a purchase, or their card was used by a family member without their knowledge. It could also be the result of someone making a purchase and not having the money to pay for it.

BOT or carding attacks are also increasing for merchants. A fraudster can place a BOT on a merchant’s site to match up account numbers they stole from a data breach are still valid. The BOT will run through thousands of cards to find an active account number and they will use that card number to illegally purchase items.

Developing fraud strategies and best practices

So, what are the most effective strategies and best practices that merchants can use to help mitigate current fraud trends? Here are several to strongly consider:

  • AI-based machine learning technology. Worldpay’s FraudSight follows the cardholder’s shopping patterns by creating profiles for each cardholder spend behavior across the different merchant verticals within our Worldpay network. Each authorization is profiled for risk; from the first instance seen within our ecosystem and then continues to profile that card’s activity which allows the machine learning to identify “normal” cardholder spend patterns from transactions that may be “riskier” from normal spend. FraudSight will stop bad transactions while letting the good transactions through.
  • Device fingerprinting & behavioral data are essential with the rise in e-commerce and m-commerce and they have been known effective tool in fighting CNP fraud over the past decade. Today’s retailers need to consider how they can utilize the information within the device fingerprint to help detect fraud before a transaction occur. Afterall, data is king, and the more unique elements you can bring into decisioning the better chance you have of correctly determining the risk profile of a transaction.
  • Fine tune fraud strategies to address for unique scenarios. At Worldpay we pair AI-machine learning with device fingerprint components to develop targeted strategies. Worldpay partners with the client’s fraud/risk teams in a collaborative approach to develop merchant-by-merchant unique strategies. Combining our knowledge of industry trends with merchant sensitivities and insights around their customers in a collaborative approach have helped us mitigate emerging trends.
  • Protect from account takeover with online account creation parameters that require a strong password and offer two-factor authentication for your customer accounts and encourage your customers to use it. This coupled with fraud detection and prevention technology can curb the fraudulent purchases made from an ATO attack.