By Pete Barker, Director of Fraud, SpyCloud
The past two years have been a roller coaster for consumer spending habits, and fraud prevention has evolved rapidly as a result. While the pandemic drove an unprecedented 53.4 percent surge in e-commerce spending in the second quarter of 2020, online spending growth steadily leveled off, to 15.4 percent the following year and a modest 7.3 percent in the second quarter of 2022.
Historically high inflation is likely to place additional downward pressure on spending growth. On Sept. 13, the U.S. Consumer Price Index showed an 8.3 percent year-over-year increase in inflation as of August 2022, bucking expectations that consumer prices would fall from historic highs in July. Today, consumers need an extra 15 cents to match the buying power of every dollar they spent in March 2020.
As e-commerce fluctuates, fraud continues to rise. Losses from identity fraud jumped by 42 percent between 2019 and 2020 and are expected to increase to a staggering $635 billion by 2023.
Moreover, adverse economic conditions are often breeding grounds for fraudsters and scammers looking to take advantage of people struggling to stay afloat. Unfortunately, preying on those heavily impacted by inflation can be a profitable venture for criminals, and consumers and companies alike must be vigilant against increasingly sophisticated forms of fraud.
Amid this complex economic landscape, the relationship between fraud and revenue has become more fluid than ever. Businesses must respond with greater agility and accuracy in their risk assessments to maximize revenue while building customer trust.
Rethinking Static Fraud Rules
The e-commerce boom that accompanied the beginning of the pandemic required businesses to reimagine their fraud rules to fit drastic changes in consumer behavior. A transaction that might previously have looked like a case of account takeover fraud could also be a legitimate user logging into a grandparent’s account to help them purchase something they used to buy at a brick-and-mortar store.
Further, with so much consumer demand shifting to the online marketplace, retailers found that while fraud was rising, skyrocketing e-commerce revenue was enough not only to outweigh fraud losses but to make extra friction and false declines a real business concern. Cutting into online retail sales with fraud prevention measures calibrated to a pre-pandemic consumer unnecessarily reduced revenue and diminished the customer experience.
As a result, rather than enforcing static fraud rules, businesses had more room to approve transactions they might have considered too risky before, unlocking revenue and revealing key insights about new consumer spending behaviors.
Confronting a Heightened Risk Environment
If the pandemic demonstrated the benefits of accurately measuring fraud risk, a volatile cyber threat environment underscored the dangers posed by increasingly savvy criminals. Widespread remote work broke down the barrier between work and personal online activity as people worked, learned, communicated and shopped from the same device, often using the same set of credentials across dozens of online accounts.
An exponentially expanding threat surface meant online retailers faced the increased risk of consumer account takeover, and many companies invested in tools like multi-factor authentication to prevent fraudsters from accessing their customers’ accounts. In response, criminals are stepping up their tactics, deploying malware via extensive phishing campaigns targeting sensitive data en masse while largely going undetected by consumers. One malware infection on a customer’s device can allow criminals to siphon vast quantities of credentials, cookies, and PII that can be used to bypass MFA.
When retailers use popular ‘remember me’ features to reduce friction, they deploy web session cookies that allow the customer to return to shop and track orders without logging back in. Criminals can use stolen session cookies siphoned by malware or purchased on the dark web to hijack the open session, camouflaging themselves with anti-detect browsers that allow them to mimic the customer’s browser fingerprint.
This tactic enables fraudsters to appear exactly like a trusted user and can fool even fraud layers designed to detect suspicious changes in device or location. It also further complicates the process of assigning fraud risk: legitimate customers often leave sessions open for the sake of convenience, and with an exact-match browser fingerprint, the only way to reliably detect trusted user fraud is to monitor for cookies that have been siphoned by malware.
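One way a retailer could act on that monitoring, shown as an added example that is not part of the original article or any vendor's code: a session store that checks each 'remember me' cookie against recaptured cookie values rather than against device or location signals. The class, its method names, the feed format (a plain list of recaptured cookie values) and the policy of revoking all of an affected user's sessions are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def digest(cookie: str) -> str:
    """Store and compare SHA-256 digests so raw session tokens are never kept."""
    return hashlib.sha256(cookie.encode("utf-8")).hexdigest()


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)     # cookie digest -> user id
    exposed: set = field(default_factory=set)        # digests of recaptured cookies
    flagged_users: set = field(default_factory=set)  # users needing remediation

    def issue(self, user: str, cookie: str) -> None:
        self.sessions[digest(cookie)] = user

    def ingest_exposure(self, recaptured_cookies) -> list:
        """Load recaptured cookie values; revoke every session of affected users."""
        self.exposed.update(digest(c) for c in recaptured_cookies)
        affected = {u for d, u in self.sessions.items() if d in self.exposed}
        # Assumption: malware on a device likely took the user's other cookies
        # too, so all of that user's sessions are dropped, not just the match.
        self.sessions = {d: u for d, u in self.sessions.items() if u not in affected}
        self.flagged_users |= affected
        return sorted(affected)

    def check(self, cookie: str) -> str:
        """Decide what to do with a request presenting a 'remember me' cookie."""
        d = digest(cookie)
        if d in self.exposed:
            return "revoked_exposed"   # known-stolen token: never honour it
        if d not in self.sessions:
            return "login_required"    # unknown or revoked: full re-authentication
        return "allow"


if __name__ == "__main__":
    # Constructed sample data: cookie values and user names are made up.
    store = SessionStore()
    store.issue("alice", "sess-alice-1")
    store.issue("alice", "sess-alice-2")
    store.issue("bob", "sess-bob")
    print(store.ingest_exposure(["sess-alice-1", "sess-not-ours"]))
    for c in ("sess-alice-1", "sess-alice-2", "sess-bob"):
        print(c, "->", store.check(c))
```

Because the decision keys on the token itself, it holds even when the request arrives with a browser fingerprint identical to the customer's.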
Building a Dynamic Approach to Risk
Add inflation to a new era of online spending behavior, a growing cohort of fraudsters, and a menu of scams that are harder than ever to prevent, and the result is an urgent need for more vigilance across the board.
While unprecedented e-commerce revenue created a cushion for more flexible fraud rules, inflation produces a decrease in spending—limiting businesses’ room for error—and can render consumers more susceptible to scams. The Better Business Bureau recently warned of scammers targeting online shoppers seeking lower prices and using stolen personally identifiable information to pose as debt collectors and convince consumers to hand over money and financial information.
In this environment, businesses must be proactive about protecting themselves and their customers. Monitoring for signs of identity exposure—exposed credentials, cookies and PII that appear in recaptured data from the criminal underground—allows retailers to assess the fraud risk of each consumer with greater accuracy and agility.
With a clearer picture of each customer’s exposure, businesses can facilitate legitimate customer journeys, remediate potential cases of account takeover, and decline the right transactions to reduce fraud and maximize revenue. More importantly, they can ensure that their online marketplace is a safe place to shop for customers grappling with an uncertain economic future.