By Karisse Hendrick, Principal, Chargelytics Consulting
Before diving into the fraud methods that impacted online retailers in the holiday season of 2020, it’s important to list some factors (obvious and not-so-obvious) that made last year so challenging. Many of the newer or harder-to-identify fraud trends have stemmed from these impacts.
- E-commerce grew as much in the last 10 months of 2020 as it did in the last 10 years (per digital commerce). That’s A LOT of orders to review, customer service calls to answer, packages to ship, and problems to investigate. Nearly all of that activity had to be accomplished remotely or while implementing social distancing policies within offices and warehouses.
- Third-party shipping partners struggled to keep up with demand, causing late arrival of packages (sometimes weeks after the holiday) or non-delivery of items. This has caused a high volume of customer service calls and chargebacks for non-receipt of goods in the weeks after the major winter holidays of 2020, despite delivery issues being outside the merchant’s control.
- At least one shipping company in the U.S.—UPS—had to suddenly suspend delivering packages for some of the largest retailers online over the Black Friday/Cyber Monday weekend due to too much volume. This wreaked havoc on the impacted companies, forcing them to quickly find alternatives. In private reports from some of the retailers, their new shipping partners stored the overflow of packages in warehouses for indefinite amounts of time, just showing the package “in transit” for weeks.
- The 2020 Holiday season started much earlier than in years past. Typically in the U.S., consumers and retailers wait to shop until Black Friday/Cyber Monday. This year, retailers reported record-breaking sales beginning in early November with Veterans Day in the U.S., and Singles Day in China on November 11.
Despite all of the above factors, many top retailers have shared their surprise and relief that there were fewer hostile payment fraud attempts than expected and budgeted for. This does not mean they were not targets or that there weren’t losses. Instead, it’s a reflection that online fraud is changing. This year, the above factors helped provide cover for a lot of fraud to occur post-transaction, and/or not result in a chargeback. After speaking with at least 50 of the top retailers online in the last several weeks, here are the biggest sources of loss for retailers from this past holiday season that will still be making an impact throughout 2021.
One of the biggest threats to online retailers’ bottom line is now referred to in fraudster communities as “refund fraud.” Whether it is an opportunistic shopper who calls Customer Support to claim a package was not received (when it really was), or a more nefarious customer who hires a professional refunder to obtain a refund for the cardholder without having to send the item back, these losses are having a significant impact on online retailers.
The circumstances of 2020 have made it even more challenging. When there are thousands of cases of packages legitimately not being delivered to customers, it is especially challenging for merchants to accurately measure the impact of refund fraud. In most cases, orders placed with the intention of receiving a full refund via customer service do not result in chargebacks, making it even more difficult to know the exact impact. However, one recognizable retail brand confided that when diving into their numbers, claims of “did not receive” tripled their losses due to fraud chargebacks.
Because returns have been piling up at most warehouses, especially in January, several companies are providing proactive refunds before opening a box a refunder has returned with a can of peas or little plastic green army men. Refunders are also faking tracking numbers to make it appear packages have arrived at the warehouse, then calling customer service for a refund before the fulfillment center can determine that for sure. The latter version is allowing some professional refunders to offer their services for exceptionally high-value purchases—up to $25,000 at some brands.
Refund fraud attacks occur after a legitimate consumer has had an order delivered, so merchants have been unable to rely on traditional fraud prevention methods. Merchants have had to look outside existing partnerships for solutions, including intelligence from the refunding communities to identify the specific methods impacting their company.
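One way a merchant could hold the refunds described above for review, shown as an added example that is not from the original article: a return refund is only auto-approved once the fulfillment center's own scan precedes the request, and a "did not receive" claim is checked against carrier status. The field names, the sample cases and the `HIGH_VALUE` threshold are all assumptions.

```python
from datetime import datetime

HIGH_VALUE = 1000.00  # assumed manual-review threshold, not from the article

# Constructed sample cases; every field name here is hypothetical.
CASES = [
    {"order": "A1001", "claim": "return", "value": 180.00,
     "refund_requested": "2021-01-11T10:00", "warehouse_scan": "2021-01-10T18:00",
     "contents_verified": True, "carrier_status": "delivered"},
    {"order": "A1002", "claim": "return", "value": 24999.00,
     "refund_requested": "2021-01-12T09:30", "warehouse_scan": None,
     "contents_verified": None, "carrier_status": "delivered"},
    {"order": "A1003", "claim": "return", "value": 320.00,
     "refund_requested": "2021-01-12T08:00", "warehouse_scan": "2021-01-13T14:00",
     "contents_verified": False, "carrier_status": "delivered"},
    {"order": "A1004", "claim": "did_not_receive", "value": 75.00,
     "refund_requested": "2021-01-05T12:00", "warehouse_scan": None,
     "contents_verified": None, "carrier_status": "delivered"},
    {"order": "A1005", "claim": "did_not_receive", "value": 60.00,
     "refund_requested": "2021-01-05T12:00", "warehouse_scan": None,
     "contents_verified": None, "carrier_status": "in_transit"},
]

def review_refund(case):
    """Return the list of reasons a refund should be held for review."""
    reasons = []
    requested = datetime.fromisoformat(case["refund_requested"])
    scan = case["warehouse_scan"]
    if case["claim"] == "return":
        # Carrier tracking is not proof of receipt; the warehouse scan must come first.
        if scan is None or datetime.fromisoformat(scan) > requested:
            reasons.append("refund requested before warehouse scan")
        if case["contents_verified"] is False:
            reasons.append("returned box did not contain the item")
    elif case["claim"] == "did_not_receive":
        # "in_transit" can be a genuine carrier delay; "delivered" contradicts the claim.
        if case["carrier_status"] == "delivered":
            reasons.append("carrier shows delivered")
    if reasons and case["value"] >= HIGH_VALUE:
        reasons.append("high value")
    return reasons

def held_orders(cases):
    """Map order id -> reasons for cases that should not be auto-refunded."""
    reviewed = ((c["order"], review_refund(c)) for c in cases)
    return {order: reasons for order, reasons in reviewed if reasons}

if __name__ == "__main__":
    print(held_orders(CASES))
```

The `in_transit` case is deliberately not held, since the article notes that many non-delivery claims in this period were legitimate.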
Device Emulators Being Used for Account Takeover
Gone are the days of credential stuffing and being able to easily identify when a legitimate user’s account has been taken over by a bad actor. Thanks to very sophisticated malware used to harvest account credentials and full-session data from infected devices, fraudsters are able to purchase a lot more than just a consumer’s username and password. This allows them to use services such as Linken Sphere to spoof variables about an account holder’s device, which makes the takeover much more difficult for some fraud prevention systems and device ID providers to identify.
Some retailers have found these takeovers challenging to identify, given their automated systems might not be configured to spot a few subtle differences between the devices of a legitimate user and a fraudster who has information such as device type, browser version, language settings, screen resolution, GPS coordinates, etc. This information is widely available and being produced and emulated at scale, in an automated fashion. Some of the biggest brands are currently being targeted, while we expect others to see more of this in the coming months.
Some merchants have started to work with a top e-crime intelligence agency to receive information about specific compromised accounts before they are sold to fraudsters to monetize, while others are trying to work with their current providers to request automated detection improvements on their existing services.
E-mail Inboxes are Compromised, Making OTPs Challenging
While the account takeovers described above are somewhat sophisticated, there is a less sophisticated method that is causing just as much trouble for online companies. A faction of cybercriminals, tasked with harvesting data to sell to fraudsters to monetize it, have set their sights on compromising e-mail inboxes. They do this by referencing previous breaches and targeting users that did not update their e-mail passwords, through targeted phishing attacks, or through brute force attacks via bot.
Once a cybercriminal has gained access to a consumer’s inbox, they can request password resets for all the online accounts associated with that email. The bad actors will often route password reset e-mails automatically to the inbox trash folder, or will flood the inbox with thousands of spammy e-mails, to hide the legitimate notification of the password reset. Once a bad actor changes the password for a user’s account, they can sell the account to fraudsters to monetize, either by making fraudulent payments or by draining the account of anything of value (loyalty points, store credits, funds in an e-wallet, etc.).
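Because the reset notification may never reach the real account holder, a merchant-side check can carry the weight instead. The following added example (not from the original article) flags value-draining actions that follow a password reset within a review window unless they were confirmed by a factor that does not depend on the inbox; the event names, factor labels and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed review window, not from the article
DRAIN_EVENTS = {"loyalty_redeem", "store_credit_spend", "wallet_withdraw"}  # hypothetical names
NON_EMAIL_FACTORS = {"app_totp"}  # hypothetical label for a factor outside the inbox

# Constructed event log: (timestamp, account, event, verified_by); not real data.
EVENTS = [
    ("2021-01-04T09:00", "acct-17", "password_reset", "email_link"),
    ("2021-01-04T09:20", "acct-17", "loyalty_redeem", "email_otp"),
    ("2021-01-04T09:25", "acct-17", "wallet_withdraw", None),
    ("2021-01-02T10:00", "acct-42", "password_reset", "email_link"),
    ("2021-01-06T16:00", "acct-42", "store_credit_spend", None),
    ("2021-01-05T11:00", "acct-88", "loyalty_redeem", None),
    ("2021-01-07T08:00", "acct-90", "password_reset", "email_link"),
    ("2021-01-07T08:30", "acct-90", "wallet_withdraw", "app_totp"),
]

def drains_after_reset(events, window=WINDOW):
    """Return {account: [drain events to hold]} for drains soon after a reset."""
    last_reset = {}
    flagged = {}
    for ts, account, event, verified_by in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event == "password_reset":
            last_reset[account] = when
        elif event in DRAIN_EVENTS:
            reset = last_reset.get(account)
            recent = reset is not None and when - reset <= window
            # An e-mail OTP proves nothing if the inbox itself is compromised.
            if recent and verified_by not in NON_EMAIL_FACTORS:
                flagged.setdefault(account, []).append(event)
    return flagged

if __name__ == "__main__":
    print(drains_after_reset(EVENTS))
```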
Other Methods of “Friendly Fraud”
Similar to the 2008 financial crisis, the economic crisis in 2020 also led to what the industry usually calls “friendly fraud.” While there are multiple definitions of this term, for the sake of this article, it is when the cardholder knowingly participates in a transaction and then issues a chargeback.
This could play out because of buyer’s remorse (bought an item, received the item, but can’t afford the item), family fraud (when a child or other member of the home uses a credit card with or without the cardholder’s knowledge), or because the cardholder is unhappy with the quality of a product but refuses to return it to the merchant.
While these methods are not new, retailers have seen a resurgence in volume over the last several months, causing many to revisit their chargeback response strategies.
While the above are the most common issues retailers have reported over the last few months, as more fraud companies approach online fraud detection differently, the specific types of fraud a specific merchant will encounter vary based on the capabilities of the system they deploy. Whether a merchant is using a legacy system, a real-time machine learning platform with regular data refreshes, or various layers of identity verification will determine the level of sophistication, types of techniques and overall volume of fraud each merchant experiences. The variables have become more apparent with the massive growth of e-commerce, and how fraudsters have adapted to fraud-fighting technology.
The most important thing any online merchant can do right now is study all areas of a transaction within your company, look into the root cause of chargebacks, as well as any increases to refunds without item returned, calls to customer service and/or shipping issues. Often the details of even a subset of orders will help provide insight into the specific fraud methods targeting your company. Many retailers have also learned a lot from their peers, through collaboration calls, networking via LinkedIn, or hosted calls by service providers. With in-person events unable to continue for the foreseeable future, it can be incredibly helpful to keep networking virtually to learn what your peers are facing, along with establishing some best practices.
E-commerce fraud fighting changed dramatically in 2020. These changes will continue into 2021, creating a need to be flexible and alert to changes in the system that could impact online fraud.