Fraud trends e-commerce platforms should look out for in 2024
The evolution of fraudsters' economics paints a stark picture for 2024. E-commerce businesses are estimated to lose USD 48 billion to fraud each year, and for every amount stolen directly, a business typically loses roughly double once associated costs, such as chargeback fees, penalties, and the cost of lost goods or services, are factored in.
Fraud could be a lucrative venture for the smart ones and a stepping stone for the newbies. What was once seen as a "cat and mouse game" has now turned into chess, with both fraudsters and fraud fighters trying their best to make the smartest move.
In this article, we'll cover three topics. First, we'll examine long-standing fraud types that continue to thrive – scams that have grown alongside us and show no signs of waning. Second, we'll explore new threats emerging against the backdrop of market dynamics. These include AI-based fraud, payment fraud shifting from solely targeting card-not-present (CNP) transactions to account-to-account (A2A) transactions, and clever methods of spoofing data to avoid detection. Finally, we'll provide essential best practices to help protect your e-commerce platform against both traditional and evolving threats looming this year.
Certain types of fraud, born decades ago, continue to challenge the e-commerce sector. These forms of fraud constantly evolve and adopt new methods. Over time, they have become more sophisticated: they now leverage AI, execute actions at greater speeds, and have improved their ability to spoof, dodging traditional detection methods.
So what are these ‘evergreens’? From account takeover to various forms of payment fraud, let’s go through each of them and see what makes them significant threats in 2024.
Account takeover and AI
To increase their chances of getting into user accounts, fraudsters will be leveraging tools like WormGPT or PoisonGPT to perform tasks such as:
designing highly-targeted phishing emails and generating personalized messages to deceive users;
automating social engineering attacks, where the AI tools can facilitate the conversation with potential victims and extract sensitive information;
creating content for convincing fake websites or social media profiles, which are used to trick users into revealing their account credentials.
These fraud tools might not revolutionize what's already available on the Darknet market, but we shouldn't downplay their potential for improvement and becoming more effective.
Triangulation fraud
Triangulation fraud is a seasoned and persistent tactic that has troubled marketplaces for years and is growing more complex. As we proceed into this year, it's worth noting the following pattern, which continues to burden e-commerce businesses.
To begin with, fraudsters orchestrate three ‘stakeholders’: e-commerce platform number 1, e-commerce platform number 2, and the customer. Here is the step-by-step scenario:
The fraudster lists a product on e-commerce platform number 1, offering it at an attractive price.
A customer decides to purchase the item, thinking they're getting a good deal.
Now, the fraudster, who doesn't actually have the product, plays the role of a buyer. They go to the e-commerce platform number 2 to buy the same product they just sold.
The fraudster pays the e-commerce platform number 2 for that product using stolen credit card information. They enter the legitimate customer's shipping address for delivery.
The e-commerce platform number 2, believing it is a normal transaction, processes the order. The product is sent directly to the address of the legitimate customer who bought the item on the marketplace listing.
After some time, the real owner of the credit card notices the unauthorized charges and disputes them with the credit card issuer.
In the end, the fraudster pockets the money they received from the legitimate customer on e-commerce platform number 1. E-commerce platform number 2 bears the financial loss from the reversed payment due to the chargeback.
Indicators that typically accompany this tactic include:
first-time customers where the billing and shipping data don't align
cards that have not yet been reported as stolen
legit CVV codes
various IPs and session IDs
small-sized orders, likely to avoid triggering anti-fraud mechanisms
gibberish email addresses
working phone numbers that may become untraceable once the fraud is complete.
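The indicators above are weak individually (a valid CVV and an unreported card are what you would expect from any honest order), so they are only useful when combined and when checked across orders as well as within one. The following is an added example, not code from the original article or from Mangopay: it scores a single order against the listed indicators and adds a cross-order check for how many distinct cards one device fingerprint has used, which the text does not describe but is the natural way to catch the stolen-card rotation in the scenario. All field names, weights, thresholds and sample orders are hypothetical and constructed.

```python
"""Added example, not code from the original article: scoring an order against
the triangulation indicators listed above. Field names, weights and thresholds
are hypothetical; the sample orders are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: str
    prior_orders: int            # 0 means first-time customer
    billing_country: str
    shipping_country: str
    billing_name: str
    shipping_name: str
    amount: float                # order value (constructed, EUR)
    email: str
    phone_reachable: bool        # result of an SMS/voice check at checkout
    cvv_match: bool              # issuer's CVV response
    card_reported_stolen: bool   # issuer/negative-list lookup
    device_id: str               # client fingerprint hash
    card_hash: str               # tokenised PAN
    session_ips: list[str] = field(default_factory=list)


SMALL_ORDER_LIMIT = 100.0        # hypothetical ceiling for a "small" order


def looks_gibberish(local_part: str) -> bool:
    """Crude test for machine-generated mailbox names: almost no vowels,
    digit-heavy, or a long run of consonants."""
    s = local_part.lower()
    if len(s) < 6:
        return False
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in s) / len(s)
    consonant_run = re.search(r"[b-df-hj-np-tv-z]{5,}", s) is not None
    return vowel_ratio < 0.2 or digit_ratio > 0.4 or consonant_run


def score_order(o: Order) -> tuple[int, list[str]]:
    score, reasons = 0, []
    mismatch = (o.billing_country != o.shipping_country
                or o.billing_name.lower() != o.shipping_name.lower())
    if o.prior_orders == 0 and mismatch:
        score += 3; reasons.append("first-time customer with billing/shipping mismatch")
    if o.amount <= SMALL_ORDER_LIMIT:
        score += 1; reasons.append("small order")
    if looks_gibberish(o.email.split("@", 1)[0]):
        score += 2; reasons.append("gibberish email")
    if len(set(o.session_ips)) > 1:
        score += 2; reasons.append("several IPs within one checkout session")
    if not o.phone_reachable:
        score += 1; reasons.append("phone unreachable")
    # A matching CVV and a card not yet reported stolen are exactly what the
    # indicator list above says to expect, so passing those checks subtracts
    # nothing; only a failure adds weight.
    if not o.cvv_match or o.card_reported_stolen:
        score += 4; reasons.append("card failed issuer checks")
    return score, reasons


def decision(score: int) -> str:
    if score >= 7:
        return "block"
    if score >= 4:
        return "manual_review"
    return "accept"


def cards_per_device(orders: list[Order]) -> dict[str, int]:
    """Cross-order check: how many distinct cards each device fingerprint has
    charged. Rotating stolen cards behind one device is a signal that no
    single-order score can see."""
    seen = defaultdict(set)
    for o in orders:
        seen[o.device_id].add(o.card_hash)
    return {device: len(cards) for device, cards in seen.items()}


# Constructed sample data: one repeat customer and three orders from one device
# that pays with a different card each time.
SAMPLE_ORDERS = [
    Order("o-1001", 4, "NL", "NL", "Maria Lopez", "Maria Lopez", 89.0,
          "maria.lopez88@example.com", True, True, False, "dev-A", "card-1",
          ["203.0.113.5"]),
    Order("o-1002", 0, "US", "DE", "J. Carter", "Lena Vogel", 59.9,
          "xq7pz9kl@example.net", True, True, False, "dev-Z", "card-7",
          ["198.51.100.7", "198.51.100.9"]),
    Order("o-1003", 0, "US", "FR", "R. Diaz", "Paul Martin", 45.0,
          "bvtk3m9z@example.net", True, True, False, "dev-Z", "card-8",
          ["198.51.100.12"]),
    Order("o-1004", 0, "CA", "ES", "A. Nguyen", "Sofia Ruiz", 72.5,
          "zzqxp0d1@example.net", True, True, False, "dev-Z", "card-9",
          ["198.51.100.20", "198.51.100.21"]),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        s, why = score_order(o)
        print(o.order_id, s, decision(s), why)
    print("distinct cards per device:", cards_per_device(SAMPLE_ORDERS))
```

The repeat customer scores 1 (a small order on its own is harmless), the first-time order with mismatched addresses, a gibberish mailbox and two IPs scores 8, and the device behind the last three orders shows three distinct cards, which is the point where the platform should stop treating each order in isolation.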
Payment fraud and APMs
Payment fraud used to be almost synonymous with CNP fraud. But with new ways to pay, fraud is changing too. It's no longer only card payments that are exposed to card testing and stolen data: APMs like e-wallets, A2A payments, and Buy Now, Pay Later (BNPL) options have also become targets. Customers have adopted these options widely, and their popularity has made them attractive to fraudsters as well.
E-wallets have evolved into feature-rich 'super apps'. From ride-sharing and food delivery to bill payments and shopping, these apps store personal and financial information, creating a one-stop solution for varied transactions. However, this convenience comes with risks. As super apps become de facto payment platforms, they pose a significant security concern to users. If a user's account gets compromised, the scope of potential illicit activity broadens, enabling fraudsters to misuse the account for various unauthorized purchases.
With card fraud, fraudsters must clear additional steps before they can reach the underlying bank account. A2A payments, by contrast, give quicker and more direct access to bank accounts. For this reason, schemes are likely to involve the misuse of QR codes or IBAN manipulation, rerouting payments from victims' accounts to accounts controlled by the fraudsters. This is especially challenging if the receiving account sits with a fintech that is lax about KYC procedures: tracing and recovering defrauded funds can then become a demanding, if not impossible, task.
In the BNPL space, there is increasing concern that fraudsters will direct significant effort towards manipulating credit scores, that is, using the identities of reliable users with good credit histories to facilitate unauthorized transactions. In addition, as BNPL providers expand their business models to include marketplace functionality, they need to be more vigilant against fraud. A shift in business model also shifts liability: if fraud happens during a payment on their marketplace, the BNPL company is directly responsible.
Chargeback fraud
The issue here is not merely an increase in chargeback fraud, since fraud is growing on many fronts. The problem is that consumers misuse the chargeback policies themselves. Dishonest users exploit their chargeback rights, knowing that banks often side with the customer. Recognizing and curbing such behaviour without negatively impacting genuine customers is a significant challenge for e-commerce platforms.
The emerging threats
AI and bot-driven fraud
The main issue with AI is that it serves both seasoned and novice fraudsters alike. In skilled hands, AI can be dangerously powerful. For those with limited technical know-how, it's user-friendly and can generate the desired results with just a basic understanding of how payment security works.
Fraudsters will increasingly leverage AI-enabled technology to automate their actions and produce new fraud streams. AI-based fraud has been around for a while, but one variable has changed: the rapid development and use of generative AI. For example, many online platforms use video verification or document checks to confirm the identity of their sellers as part of the KYC process. Generative AI can help fraudsters create hyper-realistic synthetic data, visuals, and documentation that can pass those KYC checks.
In close relation to the topic above is the use of bots. Most bot-driven fraud attempts to mimic human behavior online. As AI and machine learning techniques become more advanced, the ability of bots to mimic human behavior will also increase. Moreover, with the fast growth of online platforms, interconnected apps, and embedded economy, bots will likely be used more in cross-platform fraud. This means using information or access gained on one platform to commit fraud on another.
Spoofing data points
Typically, fraudsters spoof their digital fingerprints, which include elements like browser details, IP addresses, media devices, MIME-type data, geographical location, and time zones. The purpose of these manipulations is twofold: to mislead risk detection systems and, if their fraudulent activities are discovered, to remain anonymous.
Essentially, spoofing digital fingerprints allows fraudsters to bypass restrictions imposed by e-commerce sites that have blocked, for instance, certain geo-locations known as sources of high-value or high-volume fraud attempts. VPNs, residential proxies, and Tor are used to hide a user's real location, making it appear as if they are connecting from somewhere else. Because the exit addresses change constantly, allow-lists and block-lists alone cannot prevent this kind of fraud. Experienced fraudsters usually use lesser-known, illicit VPN services and proxies that are hard to spot.
‘Warming up’ the shop
Fraudsters have gained enough experience over time to realize that in order to get away with fraud, they need to act like genuine users. Before attempting any major fraud, these culprits prepare by ‘warming up’ the shop, that is, acting like regular customers to deceive anti-fraud systems and merchant surveillance. This tactic is not for those who are looking for quick wins. Fraudsters that warm up the shop do not rush through the process.
The initial steps include looking at the account owner's previous orders to tailor their fraudulent purchases accordingly and avoiding major disparities that may raise red flags. They take the time to browse shops like any normal user would, adding various products to their shopping carts, and reviewing recommendations. Sometimes, they might even make an actual purchase, sending the package to the account owner's address as a means of legitimizing the device used to access the stolen account.
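The warm-up tactic is designed to defeat two common controls at once: per-order anomaly checks (the basket is tailored to the owner's history) and "trusted device" logic (one delivered order to the owner's address gets the new device whitelisted). The following is an added example, not code from the original article or from Mangopay, of checking a new order against the account's history in a way that resists both moves: a device only counts as established after both a minimum age and repeat use, and the decision keys on the one combination a post-takeover cash-out cannot avoid, a new shipping destination from a device that is not established. Thresholds, field names and the sample history are hypothetical and constructed.

```python
"""Added example, not code from the original article: checking a new order
against the account owner's history so that a 'warmed-up' device and a
tailored basket still stand out. Thresholds, field names and the sample
history are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass
class PastOrder:
    placed: date
    device_id: str
    ship_to: str
    amount: float
    category: str


MIN_DEVICE_AGE_DAYS = 30   # hypothetical: a device seen for less than a month
MIN_DEVICE_ORDERS = 2      # or used for a single order is not yet trusted


def device_is_established(history: list[PastOrder], device_id: str, today: date) -> bool:
    """One small delivered order from a fresh device (the warm-up move) must
    not promote that device to trusted: require both age and repeat use."""
    mine = [o for o in history if o.device_id == device_id]
    if len(mine) < MIN_DEVICE_ORDERS:
        return False
    first_seen = min(o.placed for o in mine)
    return (today - first_seen).days >= MIN_DEVICE_AGE_DAYS


def assess_order(history, device_id, ship_to, amount, category, today):
    """Return (findings, step_up); step_up means the order should get extra
    verification (for example re-authentication) rather than a silent accept."""
    findings = []
    if not device_is_established(history, device_id, today):
        findings.append("device not established")
    if ship_to not in {o.ship_to for o in history}:
        findings.append("new shipping address")
    typical = median(o.amount for o in history)
    if amount > 3 * typical:
        findings.append("amount far above account median")
    if category not in {o.category for o in history}:
        findings.append("unseen product category")
    # Tailoring the basket to past orders defeats the category and amount
    # checks, so the decision keys on the combination the fraudster cannot
    # avoid: shipping somewhere new from a device that is not established.
    step_up = ("device not established" in findings
               and "new shipping address" in findings)
    return findings, step_up


# Constructed history: the owner's own device over several months, then a
# small 'legitimising' purchase from a new device to the owner's address.
HISTORY = [
    PastOrder(date(2023, 9, 1), "dev-owner", "home", 40.0, "books"),
    PastOrder(date(2023, 10, 15), "dev-owner", "home", 55.0, "kitchen"),
    PastOrder(date(2023, 12, 3), "dev-owner", "home", 60.0, "books"),
    PastOrder(date(2024, 1, 20), "dev-owner", "home", 48.0, "kitchen"),
    PastOrder(date(2024, 2, 20), "dev-new", "home", 12.0, "books"),   # warm-up
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    # The real cash-out: same new device, a category the owner buys, new address.
    print(assess_order(HISTORY, "dev-new", "locker-12", 150.0, "kitchen", TODAY))
    # The owner's usual behaviour for comparison.
    print(assess_order(HISTORY, "dev-owner", "home", 70.0, "kitchen", TODAY))
```

In the sample, the cash-out order picks a category the owner really buys, so the category check is silent, but the device has a single order and is ten days old, and the parcel goes to a locker the account has never used, which is enough to step up verification. The owner's own order from the long-established device produces no findings.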
And here's the most interesting part. AI gives fraudsters an edge because it lets them scale and automate their activities. However, AI-driven tactics are often more predictable and detectable: they follow specific patterns that good detection tools can learn. By contrast, schemes that rely on human ingenuity, social engineering, patience, and a deep understanding of consumer behaviour can be more insidious and harder to detect, because they don't follow the common patterns that AI and machine learning models are trained to identify.
What you need to stay ahead of fraudsters
As we noted in the beginning, detecting fraud is more of a strategic chess game than a cat-and-mouse chase. Therefore, e-commerce platforms need to step up their fraud prevention strategies to keep winning. Here are a few ways to stay vigilant.
In-depth user profiling
By combining certain data points and risk signals, e-commerce platforms can build a comprehensive digital profile of every user visiting their website or app.
Know your users
In a world where data is the new gold, one could assume that gathering vast amounts of it is the answer. In reality, it's more about capturing the crucial data points from key sources. For example, looking at the user's hardware, software, network, and behavioural biometrics lets us analyse navigational habits, device ID, device type, connection type, and more, and look for anomalies.
Know your fraudsters
While it's important to extract certain data points from the sources mentioned above, it's equally important to detect what the user does not volunteer, because that reveals their true intentions. It's essential, for example, to detect whether the claimed browser and OS are the ones actually in use, or to distinguish a regular computer from a compromised one. Dishonest users leave traces when they hide or spoof certain data. Uncovering those traces and methods lets you detect advanced threat actors performing payment fraud or account takeover.
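The practical way to "detect whether the claimed browser and OS are the ones actually used" is not to trust any single field but to cross-check fields that a spoofing tool has to keep mutually consistent: the User-Agent string against the Sec-CH-UA-Platform client hint and navigator.platform, the browser's reported time-zone offset against the country of the connecting IP, and the mobile/desktop claim against the screen size. The following is an added example, not code from the original article or from Mangopay, that runs those checks over constructed session records; it also covers the spoofing section above. The session field names are hypothetical (what a checkout page's fingerprinting script might post back), and the country-to-offset table is constructed and deliberately partial, where production code would consult a real time-zone database.

```python
"""Added example, not code from the original article: cross-checking what a
session claims about itself against signals a spoofing tool tends to forget.
Session field names are hypothetical; the sample sessions and the country /
time-zone table are constructed and incomplete."""
from __future__ import annotations
import re


def os_from_user_agent(ua: str) -> str:
    """OS the User-Agent string claims. Order matters: Android UAs also
    contain 'Linux', iPhone UAs also contain 'Mac OS X'."""
    ua_l = ua.lower()
    if "android" in ua_l:
        return "Android"
    if "iphone" in ua_l or "ipad" in ua_l:
        return "iOS"
    if "windows nt" in ua_l:
        return "Windows"
    if "macintosh" in ua_l or "mac os x" in ua_l:
        return "macOS"
    if "cros" in ua_l:
        return "Chrome OS"
    if "linux" in ua_l:
        return "Linux"
    return "unknown"


def os_from_navigator_platform(platform: str) -> set[str]:
    """navigator.platform is coarse (Android and Chrome OS report a Linux
    string), so return every OS a value is consistent with."""
    if platform.startswith("Win"):
        return {"Windows"}
    if platform.startswith("Mac"):
        return {"macOS"}
    if platform.startswith(("iPhone", "iPad")):
        return {"iOS"}
    if platform.startswith("Linux"):
        return {"Linux", "Android", "Chrome OS"}
    return {"unknown"}


# Plausible JavaScript getTimezoneOffset() values (minutes, positive = west of
# UTC, so Amsterdam is -60 in winter and -120 in summer) per IP country.
# Constructed and partial; use a real tz database in production.
TZ_OFFSETS_BY_COUNTRY = {
    "NL": {-60, -120}, "DE": {-60, -120}, "GB": {0, -60}, "NG": {-60},
    "US": {240, 300, 360, 420, 480, 540, 600}, "BR": {120, 180, 240, 300},
}


def session_inconsistencies(s: dict) -> list[str]:
    """Return every contradiction found in one session record."""
    findings = []
    claimed = os_from_user_agent(s["user_agent"])
    hint = s.get("sec_ch_ua_platform")          # absent on browsers without client hints
    if hint and hint != claimed:
        findings.append(f"UA says {claimed}, client hint says {hint}")
    if claimed not in os_from_navigator_platform(s["navigator_platform"]):
        findings.append(f"UA says {claimed}, navigator.platform is {s['navigator_platform']}")
    allowed = TZ_OFFSETS_BY_COUNTRY.get(s["ip_country"])
    if allowed is not None and s["tz_offset_min"] not in allowed:
        findings.append(f"tz offset {s['tz_offset_min']} not possible for IP in {s['ip_country']}")
    mobile_ua = re.search(r"Mobile|Android|iPhone", s["user_agent"]) is not None
    if mobile_ua and s["screen_width"] >= 1600:
        findings.append("mobile UA on a desktop-sized screen")
    return findings


DESKTOP_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/121.0 Safari/537.36")

# Constructed sessions: a genuine Dutch Windows user, and a spoofed User-Agent
# whose client hint, navigator.platform and clock all disagree with it.
CONSISTENT = {"user_agent": DESKTOP_CHROME_UA, "sec_ch_ua_platform": "Windows",
              "navigator_platform": "Win32", "tz_offset_min": -60,
              "ip_country": "NL", "screen_width": 1920}
SPOOFED = {"user_agent": DESKTOP_CHROME_UA, "sec_ch_ua_platform": "Linux",
           "navigator_platform": "Linux x86_64", "tz_offset_min": -60,
           "ip_country": "US", "screen_width": 1920}

if __name__ == "__main__":
    print("consistent:", session_inconsistencies(CONSISTENT))
    print("spoofed:   ", session_inconsistencies(SPOOFED))
```

The spoofed record trips three checks at once: the Windows User-Agent is contradicted by both the client hint and navigator.platform, and a clock one hour ahead of UTC cannot belong to a machine whose IP geolocates to the United States (a typical VPN or proxy tell). None of these fields is hard to fake individually; the value of the check is that a fraudster has to fake all of them coherently, and tooling that rewrites only the User-Agent does not.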
AI and machine learning to fight fire with fire
AI has been used for decades to protect payments and accounts, whereas fraudsters have only recently ramped up their own use of it. That lag suggests fraudsters may still need time to mature their AI skills, but their learning curve looks steep and swift. Machine learning models need to learn faster than fraudsters can work out how to bypass new detection and prevention measures. Models built on generative AI can also identify patterns and anomalies that signal potential fraud better and faster, and generative models can produce synthetic data to train fraud detection systems, making them stronger and more precise.
We might not witness radical changes in fraud patterns this year, but we anticipate some key shifts, such as more automation, improved tricks using generative AI, and new sneaky ways to avoid detection.
Stay safe and stay in the know in 2024 and beyond!
To find out more about how Mangopay can help you select and connect the products you need to succeed, get in touch with us.