4 Online Fraud Concerns for Retailers this Holiday Season and How to Protect Yourself Against Them

The end-of-the-year holiday season, a.k.a. the shopping season, is the time when online retailers suffer the most from fraud attempts. Being aware of the different types of fraud online retailers are exposed to is the first step in protecting against them.
- U.S. retailers face increased fraud risks during the holiday season amid rising inflation and a looming recession.
- Advanced technologies like generative AI are being utilized by fraudsters to scale up sophisticated phishing scams and other fraudulent acts.
- Retailers should enhance cybersecurity measures and implement real-time fraud detection solutions to protect consumers and their businesses.
Opinions expressed by Entrepreneur contributors are their own.
The last few months of the calendar are huge for any retailer. In the U.S., Black Friday, Cyber Monday and Christmas sales reached almost $937 billion combined last year.
It's also typically the time when retailers see an increase in fraud, with an 82% higher rate of daily attempts in the long weekend between Thanksgiving and Cyber Monday last year. However, experts say that retailers should brace themselves this holiday season in particular, as many factors have combined to make it an even more opportune time for fraudsters.
First, the combination of rising inflation and predictions of a recession in the next 12 months means that consumers with ever-tightening budgets are more likely to fall prey to false "deals." Second, the latest technology, such as generative AI, enables fraud to be executed on a much larger scale than ever before.
Finally, crime does indeed seem to pay for fraudsters, as they are rarely held accountable for their crimes. New regulations in the U.S. are holding merchants and banks accountable for fraudulent transactions, while those behind them usually go unpunished. Generally, banks are more likely to be liable when the fraud involves an actual card, and merchants are more likely to be stuck with the cost for card-not-present transactions, where only the card's details are needed, as in online payments.
Here are four types of online fraud for which merchants should be on the lookout this holiday season.
1. Malicious generative AI
AI is being used to turbo-charge fraud, with tools such as WormGPT and FraudGPT now available for free on the dark web, where they are used for malicious purposes. FraudGPT can create very believable phishing scams, in addition to launching viruses and malware from websites that look like trusted retail sites but are in fact fake. WormGPT can use data from chats to mimic customer support agents or trusted retail brands and thus trick consumers into giving up confidential information (e.g., their credit card details). It can also create fake products on online marketplaces, generate counterfeit coupons and promotions that seem legitimate, and create fake online reviews.
Email security company SlashNext conducted an experiment in which they asked WormGPT to generate an email intended to pressure an unsuspecting account manager into paying a fake invoice. According to researchers, WormGPT's email was not only remarkably persuasive but strategic and cunning, demonstrating its potential for sophisticated phishing attacks.
What can merchants do?
To defend against this latest threat, merchants should ensure that all cybersecurity training for their company, such as awareness programs, is continually updated to include the latest warning signs of fraud. One such sign is language that implies urgency.
2. Website spoofing
Another type of online fraud that merchants should be aware of is website spoofing, or brand impersonation with the intent of launching phishing attempts to execute online fraud. Cybercriminals replicate a business's site with a frontend identical to the original and a barely changed domain name, so that users are unlikely to realize the site is fake and will trust it with their personal data. In 2022, more than 4.7 million phishing attacks took place.
As long as the impersonated site is up, it damages the brand financially and reputationally, leading to customer churn. Memcyco's Ran Arad refers to this critical time as the 'window of exposure': the time between when a counterfeit website is detected by Threat Intelligence Solutions, and its eventual takedown. In Arad's words, "During this critical period, unsuspecting customers can be easily lured to the fake site, leading to potential monetary losses, data breaches and the exposure of personal identities. Alarmingly, many companies currently lack the insight to determine how many of their customers have fallen prey to scams during this vulnerable window."
With the help of technology, brands can take these spoof sites down. However, the process can take too long to prevent customers from being conned out of their money.
What can merchants do?
Instead, merchants should implement website fraud detection solutions that are able to identify fraud attempts in real time. These will minimize the scope of damage and exposure of customer details as much as possible.
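As an added example (not part of the original article), the sketch below shows one way a brand's security team could triage newly observed domain names for the "barely changed" pattern described above. The brand domain, the candidate list, the substitution table and the distance threshold are all constructed assumptions.

```python
# Added example: classify observed domains as lookalikes of a brand's real domain.
# BRAND_DOMAIN and CANDIDATES are constructed sample values, not real sites.
BRAND_DOMAIN = "example-shop.com"

# Small illustrative subset of visually confusable substitutions (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label: str) -> str:
    """Collapse confusable characters so 'examp1e' and 'example' compare equal."""
    s = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, brand: str = BRAND_DOMAIN) -> str:
    cand, brand = candidate.lower().rstrip("."), brand.lower()
    if cand == brand or cand.endswith("." + brand):
        return "legitimate"
    c_name, _, c_tld = cand.rpartition(".")
    b_name, _, b_tld = brand.rpartition(".")
    # Naive registrable label: assumes a single-label TLD, no public suffix list.
    c_label = c_name.split(".")[-1]
    if c_label == b_name:
        return "lookalike:tld-swap"          # same name under another TLD
    if skeleton(c_label) == skeleton(b_name):
        return "lookalike:confusable"        # digit/letter or hyphen tricks
    if edit_distance(skeleton(c_label), skeleton(b_name)) <= 2:
        return "lookalike:typo"              # threshold is an assumption
    if skeleton(b_name) in skeleton(cand.replace(".", "")):
        return "lookalike:brand-embedded"    # brand used as a subdomain elsewhere
    return "unrelated"

CANDIDATES = ["www.example-shop.com", "examp1e-shop.com", "example-shop.net",
              "exmaple-shop.com", "example-shop.com.secure-login.net"]

def triage(candidates=CANDIDATES):
    """Map each candidate to its classification for analyst review."""
    return {c: classify(c) for c in candidates}
```

Feeding it names from certificate transparency logs or new-registration feeds would shorten the detection side of the window of exposure; takedown still has to follow.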
3. Gift card fraud
With gift card sales expected to reach $2 trillion by 2030, gift card fraud is also expected to increase, particularly in December. Although there is an annual spike in gift card purchases in mid-December, Christmas Eve sees a staggering six to seven times more sales in gift cards.
Gift card fraud occurs when fraudsters steal a user's credit card information and then buy a gift card with it. This kind of scam is effective because it leaves very little trail for the victims to follow: fraudsters can make purchases with stolen gift cards without needing any ID. For consumers, it's virtually impossible to get this money back.
What can merchants do?
Merchants can attempt to prevent gift card fraud by placing limits on the ability to make large or repeated gift card purchases. In addition, having an internal system for tracking individual gift cards helps prevent fraudsters from taking advantage.
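The purchase limits suggested above can be enforced at checkout with a sliding-window check. The following is an added example, not code from the article; the limits, the 24-hour window and the sample orders are hypothetical values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values (amounts in cents); tune them to your own order data.
WINDOW = timedelta(hours=24)
MAX_ORDERS = 3          # gift card orders per payment instrument per window
MAX_TOTAL = 50_000      # combined face value per window ($500)
MAX_SINGLE = 25_000     # largest single order accepted without review ($250)

class GiftCardLimiter:
    """Sliding-window limits on gift card orders, keyed by payment instrument.

    The key should be a payment token or card fingerprint, never the card number.
    """

    def __init__(self):
        self._history = defaultdict(deque)   # key -> deque of (time, cents)

    def check(self, key, cents, now):
        """Return (allowed, reason); only accepted orders are recorded."""
        hist = self._history[key]
        while hist and now - hist[0][0] > WINDOW:   # forget orders outside the window
            hist.popleft()
        if cents > MAX_SINGLE:
            return False, "single order over limit: hold for review"
        if len(hist) >= MAX_ORDERS:
            return False, "too many gift card orders in window"
        if sum(c for _, c in hist) + cents > MAX_TOTAL:
            return False, "window total over limit"
        hist.append((now, cents))
        return True, "ok"

# Constructed sample orders: (payment key, amount in cents, minutes after start).
SAMPLE_ORDERS = [
    ("card-A", 20_000, 0), ("card-A", 20_000, 10), ("card-A", 20_000, 20),
    ("card-A", 5_000, 30), ("card-A", 1_000, 40), ("card-B", 30_000, 45),
    ("card-A", 10_000, 25 * 60),
]

def replay(orders=SAMPLE_ORDERS):
    """Run the sample orders through a fresh limiter and return each decision."""
    start = datetime(2023, 12, 24, 9, 0)
    limiter = GiftCardLimiter()
    return [limiter.check(k, c, start + timedelta(minutes=m)) for k, c, m in orders]
```

Rejected orders are better routed to manual review than silently dropped, since legitimate last-minute shoppers cluster on the same days the fraud does.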
4. Bot attacks/account takeover
Account takeover is an old threat in retail, but with a rise in ecommerce fraud rings it has taken on a new twist. Malicious actors are employing bad bots to facilitate credential-stuffing and brute-force attacks, as automation can cycle through potential credentials quickly until successful. These attacks have the potential to lock retail customers out of their accounts, provide fraudsters with sensitive information, contribute to business revenue loss, and increase the risk of non-compliance.
As bot attacks on ecommerce sites increased by 71% in 2022, merchants are caught in a double bind. On one hand, it has become increasingly challenging for merchants to keep user accounts safe. At the same time, failure to do so can harm their business through fraudulent transactions, payment fraud, user distrust, and a negative impact on their brand reputation.
The sophistication of these cybercriminals and criminal rings is increasing fast, presenting a significant threat to retailers. Ping Li, Signifyd's VP of Risk and Chargeback Operations, highlights that at one point in 2020, the automated attacks on their Commerce Network increased by 146%: "We've seen fraud rings unleash bots for everything from credential-stuffing to breaking into accounts, to rapid-fire fraud attacks, to quickly buying up the inventory of hot products for resale."
What can merchants do?
Merchants should invest in technology that identifies the newest emerging fraud tactics. Many of these tools use machine learning and artificial intelligence to defend against bot attacks by malicious actors.
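Before any machine learning is involved, the two bot patterns named in this section leave distinct traces in login logs: credential stuffing shows many different usernames failing from one source, while brute force shows many failures against one username. The detection sketch below is an added example, not from the original article; the log format, thresholds and sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
STUFFING_USERS = 5   # hypothetical threshold: distinct usernames failed from one IP
BRUTE_FAILS = 5      # hypothetical threshold: failures against one username

def analyze(lines):
    """Scan one time window of login events (oldest first) and return findings."""
    users_by_ip = defaultdict(set)     # source IP -> usernames that failed from it
    fails_by_user = defaultdict(int)   # username -> failed attempts from any IP
    takeovers = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                   # ignore lines in other formats
        ts, ip, user, result = m.groups()
        if result == "fail":
            users_by_ip[ip].add(user)
            fails_by_user[user] += 1
        elif len(users_by_ip[ip]) >= STUFFING_USERS or fails_by_user[user] >= BRUTE_FAILS:
            # A success that follows an attack pattern deserves a forced reset.
            takeovers.append((user, ip, ts))
    return {
        "stuffing_ips": sorted(ip for ip, u in users_by_ip.items()
                               if len(u) >= STUFFING_USERS),
        "brute_users": sorted(u for u, n in fails_by_user.items()
                              if n >= BRUTE_FAILS),
        "possible_takeovers": takeovers,
    }

# Constructed sample log (documentation IP ranges, made-up usernames).
SAMPLE_LOG = (
    [f"2023-11-24T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail"
     for i in range(6)]
    + ["2023-11-24T10:00:09Z ip=203.0.113.7 user=dana result=ok"]
    + [f"2023-11-24T10:05:{i:02d}Z ip=198.51.100.{i} user=alice result=fail"
       for i in range(1, 6)]
    + ["2023-11-24T10:07:00Z ip=192.0.2.10 user=bob result=fail",
       "2023-11-24T10:07:20Z ip=192.0.2.10 user=bob result=ok"]
)
```

In the sample, the failures against `alice` come from five different addresses, which is why per-IP rate limiting alone misses distributed brute force and the per-username counter is needed as well.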
Step up the protection of your business this holiday season
As retailers brace for a surge in fraud during the holidays, several factors make increased vigilance crucial. In these times of economic uncertainty, merchants must put additional protections in place, especially since they are now accountable for reimbursing the victims of successful fraud attempts.
Fraudsters are also exploiting new and emerging technologies. Internal policies, including cybersecurity training and awareness, can offer increased protection. However, it is fraud detection technology, which identifies fraud attempts in real time across multiple attack vectors, including websites, that should be the first line of defense for brands today.