International fraud trends

As e-commerce opportunities continue to develop, so too do fraud strategies. The fraudsters' approaches are multifaceted and knowing your customer is not enough says Andrew Edem.

Andrew Edem, head of engineering and information security officer, PPRO Group
Andrew Edem, head of engineering and information security officer, PPRO Group

The fraudsters' calculation is simple: where there's a great deal of revenue to be earned, there's a great deal of fraud to be committed. And where there's even more revenue to be earned, there's even more fraud to be committed. In international e-commerce, the signs are pointing the way to increased revenue – and the fraudsters have already muscled in with new techniques.

Trend 1: E-Commerce is an easy target

The more online merchants and e-commerce customers there are, the more potential victims there are for fraudsters. The internationalisation of e-commerce is enabling highly specialised online criminals to become internationally active. Whereas online fraud attacks used to target primarily banks and payment providers, these are now very well equipped to deal with such threats, leveraging technical protection measures and advanced fraud detection services, as well as regulatory standards for the financial industry. Attackers must therefore overcome major obstacles to plunder financial institutions. Although online shops tend to be much less well protected, they also process customer data and receive confidential financial information. The protection mechanisms used by many merchants are not yet state-of-the-art: they do not tend to perform live checks on the customer information entered or deploy sophisticated risk management systems.

Trend 2: Identity and account theft

If we look at the methods preferred by cyber-criminals, we find that identity theft (often described as “appropriation of identity”) and account theft are particularly popular. In identity theft, instead of creating completely new false identities, criminals use stolen personal information as a basis. Account theft, on the other hand, usually involves email addresses and login passwords, which are often siphoned off during hacker attacks on online services. In internet purchase fraud, thieves merely change the shipping address in order to make someone else pay for their purchases.

Trend 3: E-Commerce fraud

Mobile is the new desktop. Users are increasingly moving away from traditional PCs and laptops towards smartphones and tablets. The problem here is that protection mechanisms for mobile devices are by no means as comprehensive as those designed for traditional computers. Another oft-neglected factor is that small mobile phone screens make it much easier to stumble upon fraudulent websites—users simply can't see the details as well. Behaviour patterns on mobile devices are different, too: smartphone users are accustomed to controlling everything through a few taps, so complex security functions are just not practical. Payment is usually made using one-click methods. Risk management for mobile customers also tends to be problematic, as it is no longer possible to simply evaluate their location – after all, the whole point of mobile devices is to give users freedom of movement. Malware threats on smartphones and tablets also remain an exciting topic. Although it has been talked about for years, experts believe that the great plague of smartphone viruses is yet to come. In 2014, there were around 400,000 new viruses for mobile devices. In 2017, this number is expected to reach 12 million.

Trend 4: Malware is getting smarter

No matter how comprehensive technical protection becomes, fraudsters use clever malware to keep up. This means that the threats will continue to increase — and not just on mobile devices. All e-commerce channels, whether phone sales or sales via partner platforms, are constantly under fire. The reason for this is that, over the past few years, the malware scene has become extremely professional. As part of its study (1), EMC collected figures relating to online crime. Some 55 percent of all attacks on financial data are perpetrated by massive criminal rings. With viruses, however, it is not the sheer number which is terrifying: it is the fact that it is now possible not only to clone viruses, but to modify them in such a way that they form entirely new entities: ones which cannot be detected by existing security mechanisms. Whereas, in 2014, there were around 82 million new viruses a year, there are estimated to be as many as 166 million in 2017 (1).

Trend 5: KYC is not enough

This trend is a result of the aforementioned points. Even if merchants believe they know their customers inside and out, they still need to be cautious. KYC (Know Your Customer) strategies are important, but they are not enough by themselves. Customer classification is a good thing: after all, customers who pay their bills quickly and reliably and bring in large amounts of revenue deserve to choose their payment method. But what if a customer account is hacked? In such cases, it's not the trusted customer making the purchases, but the fraudster—using the customer's good name. In addition to the well-known KYC functions, therefore, stores must use fraud detection solutions to recognise when a customer makes unusually frequent purchases or transactions with unusually high totals.

Contributed by Andrew Edem, head of engineering and information security officer, PPRO Group

(1) emc.com/collateral/analyst-reports/financial-merchants-cyber-threats-aite-102013.pdf