It has been widely reported that the Covid-19 pandemic has led to a boom in online retail. While many stores have been closed and people are stuck at home, shoppers have turned to their devices to get the products they wanted, and that is expected to continue during the holidays.
Economists are predicting a flat or modest increase in holiday sales compared to 2019, but they expect a big increase in online holiday shopping. Deloitte projects holiday ecommerce sales to surge by 25% to 35%, amounting to $182 to $196 billion, compared with year-over-year growth online of 14.7% vs. 2019, when sales amounted to $145 billion.
Although these numbers are good news for stores, there is a dark side underneath it all: fraud. As online activity has increased during the pandemic, so has online fraud, and fraudsters are poised to wipe out a big chunk of merchant profits by posing as legitimate customers. In addition to the fraud losses themselves, LexisNexis says that for every $1 lost to fraud, companies lose another $3.36 in costs related to chargebacks, merchandise and remediation time and expense.
To understand the threat landscape for the upcoming 2020 holiday season, it is important to understand the creative ways criminals target the convenient ecommerce features that were designed to benefit customers during the pandemic. The common denominator at the core of this fraud is stolen information found and sold on underground marketplaces.
Who’s Really Making That Curbside Pickup?
For merchants with both online and brick-and-mortar stores, “buy online, pick up in-store” (BOPIS) enables customers to order products online and pick them up from a physical location. Consumers love it because they avoid shipping fees and delays, since the goods are often available within an hour of making an order. Merchants love it because it bolsters sales, avoids shipping and helps move inventory out of stores.
These “click-and-collect” sales are expected to jump 60% by the end of 2020, but that increase will come at a cost because customers aren’t the only ones waiting to take advantage. Criminals have learned how to scam the BOPIS process, largely because retailers generally depend on employees to confirm the recipient’s identity, instead of using the fraud-detection technology that is already ingrained in the ecommerce process. That leaves the retailer open to fraudsters who either take over a legitimate customer’s account or create a new fake account.
In the case of account takeover, the criminal uses stolen credentials to log in as the customer and place an order. Because the order is being picked up, they don’t have to worry about providing a shipping address or stealing the delivery off a porch. They simply place the order, drive to the store and pick it up. With touchless pickup now the standard practice, a signature is not required for most products, and if government ID is required, it is not examined as closely as it may have been in the past.
The other common method is to create a new account using an email address, burner phone and stolen credit card information. Again, the perpetrator places the order and leverages click-and-collect and touchless pickup while the holder of the stolen card gets charged.
Is The Order Being Sent to the Right Person?
Besides curbside pickup, thieves have also gotten clever about using account takeovers to re-route deliveries. As of September, that trick has cost UK businesses $2 billion in lost merchandise, chargebacks, remediation and loss of brand confidence. Criminals favor re-routing because it typically doesn’t require any manipulation of the account holder’s information, which might trigger an alert during the transaction process.
Similar to BOPIS fraud, the thief uses stolen credentials to take over an existing account and uses the credit card on file. If the card on file doesn’t work, the criminal will then be required to modify the account to add a new address to match the AVS of the stolen card to make a purchase. With unrestricted access to the account, the fraudster can track the order confirmation and shipping/tracking status.
Once the shipping information has been added to the order, the thief will contact the shipping company to re-route the package. He or she will either ask to have it forwarded to a new address or request to pick up the goods at the shipping company’s local office. There is often a small fee to re-route the delivery, but it can be paid with a stolen credit card. At that point, the fraudster can not only change the address but also update the recipient’s name. That name change might raise questions, but to untrained clerks at the local office, it may be explained away relatively easily by saying they are picking up the item for a friend or relative.
Now with their new items in hand, the thief will keep them, or launder the goods by selling them on a secondary marketplace or returning them for full price to another merchant selling the same item.
Impact on Merchants
The obvious hits come in the form of loss of merchandise and chargebacks from the credit card companies. Stores know that customers want a smooth shopping experience, so merchants try to make the purchase process simple and fast. Unfortunately, that simplicity may come at a cost that isn’t felt for weeks or months when the fraud losses become evident.
In addition to the lost revenue and the stolen merchandise, merchants deemed as higher risk may have to deal with delays in bank deposits and potentially higher credit card processing fees. If chargeback levels remain high, merchants risk losing their credit card negotiated rates or even their credit card processors.
What Can be Done?
The best thing merchants can do is be proactive, to identify transaction risk prior to completion. Following these recommendations may save millions of dollars:
- Automate the process of checking whether their customers’ accounts have been exposed in breaches to prevent account takeovers.
- Set up Key Risk Indicators (KRI), such as velocity settings for high-value orders, the frequency of orders from a customer, or account modifications, to trigger an action to review the order or account for suspect activity.
- Add step-up authentication or check-out verification processes when justified and based on suspect activities. Examples include requesting the entry of the credit card CVV, a security PIN or password re-entry. This will allow the transaction flow to continue while responsibly protecting the customer and the merchant’s revenue and reputation.
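As an added illustration (not code from the author or from any vendor product), the sketch below shows how the indicators described above could be combined into a pre-completion decision. The field names, thresholds and the allow / step-up / review policy are assumptions made for the example, and the breach-exposure result is assumed to come from an upstream check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds are constructed for illustration; tune them to your own order data.
HIGH_VALUE = 500.00
VELOCITY_WINDOW, VELOCITY_MAX = timedelta(hours=24), 3
RECENT = timedelta(hours=48)

@dataclass
class Order:
    placed_at: datetime
    amount: float
    fulfillment: str                      # "ship" or "bopis"
    account_created_at: datetime
    last_profile_change_at: Optional[datetime] = None  # address, card or email edit
    credentials_exposed: bool = False     # result of an upstream breach-exposure check

def evaluate(order: Order, prior_orders: List[datetime]) -> Tuple[str, List[str]]:
    """Return (action, indicators) for an order before it is completed."""
    hits = []
    in_window = [t for t in prior_orders
                 if timedelta(0) <= order.placed_at - t <= VELOCITY_WINDOW]
    if len(in_window) >= VELOCITY_MAX:
        hits.append("order_velocity")
    if order.amount >= HIGH_VALUE:
        hits.append("high_value")
    if (order.last_profile_change_at is not None
            and order.placed_at - order.last_profile_change_at <= RECENT):
        hits.append("recent_account_change")
    if (order.fulfillment == "bopis"
            and order.placed_at - order.account_created_at <= RECENT):
        hits.append("new_account_pickup")
    if order.credentials_exposed:
        hits.append("exposed_credentials")
    # Assumed policy: one indicator adds friction, two or more hold the order.
    action = "allow" if not hits else "step_up" if len(hits) == 1 else "review"
    return action, hits

def demo() -> List[str]:
    now = datetime(2020, 12, 1, 12, 0)    # constructed sample orders
    old = now - timedelta(days=700)
    samples = [
        Order(now, 40.0, "ship", old),
        Order(now, 120.0, "ship", old, last_profile_change_at=now - timedelta(hours=2)),
        Order(now, 900.0, "bopis", now - timedelta(hours=1)),
    ]
    return [evaluate(o, [])[0] for o in samples]

if __name__ == "__main__":
    print(demo())
```

A "step_up" result maps to the CVV, PIN or password re-entry prompt, while "review" holds the order for a manual check before pickup or shipment.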
This year of all years, we hope for a peaceful and joyous holiday season, but there are a lot of Grinches looking to ruin the fun. Retailers should implement the right preventative measures. A small amount of friction now means ‘yule’ not be sorry when the numbers are reconciled later.
Pattie Dillon is an Anti-fraud Network Relationship Manager at SpyCloud, where she develops creative and innovative ways to fight fraud with SpyCloud’s leading-edge products and connects with others to build a safer internet through collaboration and knowledge sharing.