Online sales are projected to exceed $100 billion for the first time this holiday season, according to Adobe Analytics, with Cyber Monday sales alone projected at $6.6 billion. Americans are drawn to the convenience of online shopping and promise of lower prices. Unfortunately, hackers and criminals are also getting into the holiday spirit—and not the jolly kind.
More people shopping online—and more doing it on mobile devices—raises the risk of ecommerce fraud this holiday season. Here's a primer on the topic and some advice on how to protect yourself from this fast-growing form of fraud.
Oregon is the top state for ecommerce fraud, ranking #1 for both billing and shipping fraud.
What is ecommerce fraud?
Ecommerce fraud is when a criminal leverages stolen payment information or fraudulently acquired bank or credit card accounts to attempt retail transactions without the account owner's knowledge.
More than 32% of Americans complained about credit card fraud in 2016, double the rate from 2015, according to the Federal Trade Commission. Javelin Strategy reported that criminals stole $16 billion via identity fraud in 2016, and ecommerce fraud increased more than 30% in the first six months of 2017, according to Experian.
One of the major drivers for this spike in attacks is the switch to credit cards with a computer chip in them. Today 90% of credit cards have a chip in them and almost all major retailers have changed their point of sale payment systems.
The good news: Visa found that counterfeit card fraud has declined 52% since merchants started using chip-enabled cards.
The bad news: Criminals are migrating their fraud activity online where a physical credit card is not necessary.
The availability of compromised payment and identity data from data breaches is the other significant driver of increasing ecommerce fraud. This data makes it easier for fraudsters to get their hands on legitimate consumer accounts. It also makes it easier to pair each account with the victim's correct billing address and identity data, which makes fraudulent attempts more likely to succeed.
The final contributor is the significant advance in automation technology, enabling attackers to script or automate fraudulent transactions against online portals with ease, using a multitude of compromised payment data. (See also: Payment Security Evolves with Advances in Encryption)
What are the most common forms of ecommerce fraud?
The most common forms of ecommerce fraud involve a fraudster purchasing high-end or other fencible goods like electronics, jewelry, or gift cards—but doing so in a way that raises less suspicion at the time of checkout. That may involve more upfront staging, such as setting up an online customer profile with the business and allowing that profile to be established for a period of time before attempting a fraudulent transaction. This counters the strategy most merchants use of treating guest checkouts and recently established customer profiles as higher risk.
Another way for fraudsters to appear lower risk to a merchant or a business—and have success in ecommerce fraud—is to take over a legitimate customer's profile or account, and then have the merchandise shipped to another address.
These profiles are typically secured by usernames and passwords that are often reused by consumers across online properties. For example, a single compromised email or username and password combination on one site (or available through a major breach) often leads to multiple downstream account compromises. This is no different in ecommerce, and it allows attackers to mask their activities behind a legitimate and often tenured customer profile. These synthetic identities make differentiating a good customer from the bad customer even more difficult.
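The merchant-side signals described above (guest checkout, recently created profiles, fencible goods, shipment to a different address), sketched as a rule-based order screen. This is an added example, not code from the article; the `Order` fields, signal names, 30-day threshold and decision rule are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Goods the article calls fencible. Thresholds below are assumptions.
FENCIBLE = {"electronics", "jewelry", "gift_card"}

@dataclass
class Order:
    placed: date
    profile_created: Optional[date]   # None means guest checkout
    category: str
    billing_addr: str
    shipping_addr: str
    known_shipping: tuple = ()        # addresses this profile shipped to before

def norm(addr: str) -> str:
    """Normalise case, commas and spacing so cosmetic differences do not count."""
    return " ".join(addr.lower().replace(",", " ").split())

def risk_signals(o: Order, min_age_days: int = 30) -> list:
    signals = []
    if o.profile_created is None:
        signals.append("guest_checkout")
    elif (o.placed - o.profile_created).days < min_age_days:
        signals.append("new_profile")
    if o.category in FENCIBLE:
        signals.append("fencible_goods")
    ship = norm(o.shipping_addr)
    if ship != norm(o.billing_addr):
        signals.append("ship_bill_mismatch")
        # Only meaningful for a profile with history (possible takeover).
        if o.profile_created is not None and ship not in {norm(a) for a in o.known_shipping}:
            signals.append("first_use_shipping_addr")
    return signals

def decide(o: Order) -> str:
    s = set(risk_signals(o))
    # Profile age alone never clears an order: an aged or hijacked profile
    # sending fencible goods to a never-used address still goes to review.
    if {"fencible_goods", "first_use_shipping_addr"} <= s or len(s) >= 3:
        return "review"
    return "allow"

# Constructed sample orders (not real data).
HOME = "12 Oak St, Portland OR"
TAKEOVER = Order(date(2017, 11, 27), date(2015, 3, 1), "gift_card", HOME,
                 "900 Harbor Rd Unit 4, Miami FL", (HOME,))
REGULAR = Order(date(2017, 11, 27), date(2015, 3, 1), "electronics", HOME,
                "12 OAK ST PORTLAND OR", (HOME,))
GUEST = Order(date(2017, 11, 27), None, "jewelry", HOME, "77 Pier Ave, Newark NJ")
GIFT = Order(date(2017, 11, 27), date(2015, 3, 1), "clothing", HOME,
             "5 Elm Ct, Salem OR", (HOME, "5 Elm Ct, Salem OR"))
```
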
Other common instances of ecommerce fraud include:
| Type | Description |
|---|---|
| Chargeback fraud | Chargeback fraud, also referred to as friendly fraud, occurs when a consumer purchases an item online with their own credit card but challenges the charges—telling their credit card provider they never received the items when they actually did receive the purchased items. |
| Billing fraud | Billing fraud occurs when the suspected victim's address is tied to the payment account used to purchase the stolen goods. Typically items are bought using the victim's billing address but then shipped to an address where the fraudster can pick up the items. Billing fraud is not location specific and can happen all across the country, whereas shipping fraud tends to happen in certain areas near the coast or port cities. |
| Shipping fraud | Shipping fraud occurs when the delivery address used for the purchased good is actually for the fraudsters. Sometimes a business address is used as the shipping address and the business may or may not know they are part of a fraud ring. Shipping fraud activity is concentrated in coastal states with major port cities and airports. |
| Reshipping fraud | Reshipping fraud is a relatively new scheme targeting businesses and credit card owners. The scam begins when criminals buy high-dollar merchandise—such as computers, cameras, and other electronics—via the Internet using stolen credit cards. They then have the merchandise shipped to U.S.-based addresses of paid "reshippers" (who may be unaware they are handling stolen goods). These reshippers repackage the merchandise and mail it to locations internationally where the items can be sold. |
| Freight forwarder fraud | Freight forwarder fraud involves a freight forwarder: a person or company that organizes shipments for individuals or corporations to get goods from the manufacturer or producer to a market, customer or final point of distribution. |
What can I do to protect myself from ecommerce fraud?
The best way to protect yourself from ecommerce fraud is to manage your personal data carefully and ensure that you are not reusing username and password combinations across online sites. (See also: What if Everything You Know About Passwords is Wrong?)
Unfortunately, the average consumer has over 25 online accounts but only 5 shared passwords across those accounts. Millennials likely have over 100 online accounts and can only manage a few passwords across sites. This leads to an environment where the weakest link can be breached, exposing that consumer to significant identity and fraud risk across all of the accounts where those same credentials are being used. You can look into password management tools that help you with storing passwords, such as LastPass and 1Password.