Merchants should expect even more consumers to shop online this holiday shopping season. They also should expect even more fraud attempts.
New research from Riskified, an Israel-based data-security provider, and cybersecurity firm IntSights finds that the number of false retailer Web sites meant to get consumers to give up their credentials increased 297% to 473 sites in the third quarter from 119 in the fourth quarter of 2017.
The danger to retailers is that when consumers visit these sites they may provide criminals with valid consumer data that can be used to shop on a legitimate merchant’s site. As of the third quarter, according to the report, “Retail & Ecommerce Threat Landscape Report October 2018,” an average of 23.6 new phishing sites per company are created per quarter.
“That’s roughly [two] new dedicated phishing sites created each week per company,” the report notes. “This is a significant increase from Q4 2017, when the rate was 5.95 new phishing sites per company, translating to roughly [one] site every two weeks. With this increase in phishing sites, organizations need a process in place to quickly identify and take down malicious sites that may be trying to phish employees or customers.”
At Forter, an e-commerce-fraud prevention company based in New York City, the notion of valid consumer data in criminal hands portends more fraud for online merchants, especially in its account-takeover form.
“Account takeover as a whole is probably the fastest-growing trend in online fraud,” Michael Reitblat, Forter founder and chief executive, tells Digital Transactions News.
The fallout from that type of fraud is multiplying, especially as retailers successfully persuade consumers to create online accounts to take advantage of offers, create shopping lists, and store payment methods.
“There will be more and more account-based checkouts rather than guest checkouts,” Reitblat says. Some retailers are providing incentives to register an account in advance of the holiday shopping season, which has its downsides. “The other side is that fraudsters can just take over the account or preregister,” he says.
Once criminals purchase goods, they need ways to convert them into cash. In 2018’s third quarter, Riskified and New York City-based IntSights found 1,082 retail goods from more than 20 of their retail customers for sale on black markets. That’s a 278% increase from 286 in the fourth quarter of 2017. The number peaked at 1,485 in the second quarter.
“As credit card fraud becomes harder for small-time fraudsters, more-sophisticated fraudsters use bots to automatically order large quantities of online goods from retailers and then sell it in Dark Web markets at a fraction of the original price,” the report says.
This combination of factors makes easily resellable items a favorite of criminals, Reitblat says. “If we look at last year’s holiday season, the two main areas that spiked are electronics and digital goods,” he says.
Sometimes, retailers will ease some of their fraud-control measures to accommodate the increased sales volume in the fourth quarter, which can make them easier to bypass, Reitblat says.
Digital goods is one type of product in which this problem can be acute. “Sometimes, they let their guard down on fraud controls” for the segment, Reitblat says. “Sometimes, for good reason. The downside is it’s easier to take advantage of the [retailer].”
Digital-goods fraud increased 167% in 2017, according to the Fraud Attack Index from Forter and the Merchant Risk Council.