Today, ecommerce is a basic need. Customers expect speed and convenience, and the 2020 coronavirus lockdowns have only accelerated that demand. Swimming in that tide that raises all boats, Kaspersky’s fraud prevention: 2019 report notes a growing number of sharks. One in 50 online financial and ecommerce sessions worldwide are conducted by cybercriminals.
As fast as online service technology evolves, fraudsters find loopholes. We’re at a crucial point of change in combatting new hacking tools and fraud schemes.
So what’s changed, and what’s changing?
Bots fake loyalty
Ecommerce customers often receive bonuses as part of loyalty programs, such as for registering, giving reviews and referring friends. With bots, fraudsters create numerous fake accounts and receive bonuses just as real users do. The fraudster then uses the bonuses to buy goods at a big discount for resale.
Bots are taking the best seats
Research by Distil Networks estimates some 40 percent of traffic to ticket sales sites comes from bots. Fraudsters buy gig, show and sports event tickets with bots, reselling on social media, peer-to-peer sites or ticket resale sites when the event is sold out. This means fans are finding it harder to get tickets and end up paying more.
Crawlers are copying prices and photos
Cyberfraudsters also use web crawler bots (used legitimately by search engines to give accurate results to search queries) to “crawl” ecommerce competitor websites, recording pricing and making theirs more competitive. They may also steal unique content like images and product descriptions to use on their website, damaging the search rankings of the original website because search engines penalize sites with duplicate content.
Bots are getting more like us
In 2019 a new generation of “human bots” emerged, designed to mimic human behavior impeccably. Previously, bots moved around web pages in repetitive and simple navigation patterns. The new-generation “human bots” do things humans do, like shake the mouse and make rapid movements.
This new human-like behavior is a problem for anti-fraud systems. So far, many have relied on these human foibles to tell bot from human.
How fraudsters manipulate
The easiest way for fraudsters to attack online businesses is through customers. They use manipulative strategies known as social engineering. They either scare people or earn their trust to get credentials like logins and passwords, and other personal information.
Imagine you get a call from someone saying they’re with the security department of an ecommerce site you visit. They say someone has tried to buy a high-value item with your credit card and that to stop the transaction, you must download an authentication app.
It’s a fraudster, of course. The app grants remote access, mirroring the screen of your device and letting the fraudster steal personal information like your full name, address or social security number.
They then sell your personal information on the dark web, opening doors to all kinds of fraud, like using your name and bank account to apply for loans.
Remote access tools (RATs,) used legitimately by IT support teams in many organizations to access your computer screen to resolve issues, are a powerful tool for fraud in the wrong hands. Fraudsters often target accountants because they work with payment orders. The fraudster accesses the victim’s screen without their knowing and substitutes bank details for their own.
You may recognize the methods employed in these growing attacks. Some are not new. Here are three emerging cyberfraud trends.
Trend 1: Fraud as a service
Cybercrime is an easy way to make money without leaving home. This has led to rapid growth in ‘fraud as a service (FaaS.)’ FaaS makes internet fraud less challenging for newcomers, and so increases the number of people involved.
On dark web forums, illegal websites or social media, anyone can buy a set of hacking tools and a leaked customer database, then pay for training on how to make illegal money.
Costs range from just 5 US dollars for stolen credit card data, to thousands of dollars for extensive fraud execution courses. The market is booming. Underground digital markets sell bots, digital fingerprints for remotely accessing devices and anonymizer tools that make internet activity untraceable.
Trend 2: Resale of bank account access
Cybercriminals often target small- to medium-sized businesses (SMBs) in finance who’ve been acquired by large players, while they adjust their security to meet the buyer’s requirements. Kaspersky found, by analyzing dark web forums and chats, criminal groups target these smaller organizations, then resell access to both organizations’ internal networks. They predict an increase in this kind of activity, especially in Africa, Asia and Eastern Europe.
Trend 3: Data leaks and deepfakes
We all love convenient and quick purchases like Amazon’s 1-click ordering, despite that these methods usually mean saving and sharing more of our personal information. Yet, a month can’t pass without a high-profile data breach from a bank, online store or telecommunications company. Sometimes sensitive personal customer data is exposed, such as biometrics.
We’re also seeing the rise of impersonation methods where one person’s image is replaced with another, using advanced audio, photo and video editing, known as deepfakes. Fraudsters have already used deepfake voice imitation and social engineering to impersonate a CEO successfully.
The best ways to protect your business from today’s fraudsters
These six steps will help your business put in place the strong front against cyberfraud.
1. Assess risks
With growth, or any kind of change in business, comes the possibility of new risks of fraudulent activities. Make sure identifying opportunities for fraud is part of your risk assessment activity.
2. Review product design
Look at the design of your digital services and loyalty program from a fraudster’s point of view. Try to find ‘loopholes’ they could exploit.
3. Use a fraud detection and prevention system
These systems may, for example, analyze online sessions, monitor transactions and analyze payment behavior. They help avoid the financial, reputational and legal consequences of fraud and cut operational costs, such as support team time.
4. Strengthen your security
Put detection and protection measures in place, such as using a web application firewall (WAF) to protect against bots and a solution to protect against Distributed Denial-of-Service (DDoS) attacks.
5. Strengthen your team
Make sure your employees understand how fraud happens and how to combat it by including cyberfraud in your cyberawareness training program.
6. Record fraud
Measure what your business is losing through fraud regularly. Include direct loss, indirect loss and the impact on your brand reputation.
If fraud hits your business, hire a fraud expert team to support you through and help you combat future incidents.
By taking these steps, you can reduce the risk of cyber fraud affecting your business and make the most of the opportunities the rise of ecommerce brings.