In an increasingly digital world, fraud trends are constantly changing and evolving, with threats to consumers, e-commerce vendors, and financial services organizations on the rise not only in number but in sophistication. The total cost of e-commerce fraud is forecast to exceed $48 billion globally in 2023, up from just over $41 billion in 2022. The reasons for this increase in fraud costs are many, ranging from the surge of online payments and shopping due to the pandemic, to the omnipresence of malware and bots that extract user information from the web, to social engineering scams that prey on human vulnerabilities.
In the pre-digital world, fraud required careful planning and stealth, while today the tools needed to defraud people and businesses are easily available online, lowering the barrier to entry. With virtual marketplaces, digital wallets, and the ongoing automation of everything, criminals not only have an ever-larger target, they also have sophisticated tools and technologies to help infiltrate businesses and attack the accounts of individuals.
Review our five tips for fighting fraud in 2023 and keep ahead of the latest threats and exploits that cybercriminals will be using to take aim at e-commerce and financial services organizations this year.
- Align and converge multiple security strategies to more effectively fight fraud, without harming the customer experience.
Merchants and financial services organizations must achieve better collaboration among their security, customer identity and access management (CIAM), fraud detection, and authentication teams across the organization. Criminals can easily exploit the vulnerabilities that have been introduced by teams working in silos and security strategies that leaned too heavily into CAPTCHA and multi-factor authentication (MFA) techniques. These mechanisms continuously interrupt the user experience, often without regard to the level of risk presented by the login attempt.
A transparent and continuous risk-based authentication approach allows merchants and financial services firms to better collaborate across multiple teams within their organization, and implement an agile, reliable, low-noise fraud detection strategy without negatively impacting the user experience.
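The decision logic behind such a risk-based approach, as an added example that is not code from the original article: a login attempt is scored from contextual signals (new device, new country, impossible travel, recent failures, anonymizing proxy, credential-stuffing burst) and only the middle band interrupts the user with step-up MFA, while low-risk logins pass silently and high-risk ones are refused. The signal names, weights, thresholds, account history and sample attempts are all assumptions constructed for this illustration.

```javascript
// Added example (not from the original article): minimal risk-based
// authentication. Signals are derived from the attempt plus the account's
// history, scored, and mapped to allow / step-up-mfa / deny.
// Signal names, weights and thresholds are illustrative assumptions.

const SIGNAL_WEIGHTS = {
  newDevice: 25,               // device identifier never seen on this account
  newCountry: 30,              // country not in the account's login history
  impossibleTravel: 45,        // implied speed since the last login is not achievable
  recentFailures: 20,          // repeated password failures shortly before this attempt
  anonymizingProxy: 35,        // source IP is a known proxy / VPN / Tor exit
  credentialStuffingBurst: 40, // same IP tried many distinct accounts recently
};
const THRESHOLDS = { stepUp: 40, deny: 80 };
const MAX_PLAUSIBLE_SPEED_KMH = 1000;

// Great-circle (haversine) distance between two {lat, lon} points, in km.
function distanceKm(a, b) {
  const R = 6371;
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Turn raw context into boolean signals. `account` is what the service already
// knows about the user; `attempt` describes the current login.
function deriveSignals(account, attempt) {
  let impossibleTravel = false;
  if (account.lastLogin) {
    // Floor the elapsed time at one minute so a same-second retry does not divide by zero.
    const hours = Math.max((attempt.time - account.lastLogin.time) / 3.6e6, 1 / 60);
    const speed = distanceKm(account.lastLogin.geo, attempt.geo) / hours;
    impossibleTravel = speed > MAX_PLAUSIBLE_SPEED_KMH;
  }
  return {
    newDevice: !account.knownDevices.includes(attempt.deviceId),
    newCountry: !account.knownCountries.includes(attempt.country),
    impossibleTravel,
    recentFailures: attempt.failedAttemptsLastHour >= 3,
    anonymizingProxy: Boolean(attempt.ipIsAnonymizer),
    credentialStuffingBurst: attempt.distinctAccountsFromIpLast10Min >= 20,
  };
}

// Additive score, capped at 100.
function scoreSignals(signals) {
  let score = 0;
  for (const [name, weight] of Object.entries(SIGNAL_WEIGHTS)) {
    if (signals[name]) score += weight;
  }
  return Math.min(score, 100);
}

// Map the score to a response; only the middle band interrupts the user.
function decide(account, attempt) {
  const signals = deriveSignals(account, attempt);
  const score = scoreSignals(signals);
  const fired = Object.keys(signals).filter((k) => signals[k]);
  if (score >= THRESHOLDS.deny) return { action: "deny", score, fired };
  if (score >= THRESHOLDS.stepUp) return { action: "step-up-mfa", score, fired };
  return { action: "allow", score, fired };
}

// Constructed sample data: one account with a London login history and three attempts.
const LONDON = { lat: 51.51, lon: -0.13 };
const MANCHESTER = { lat: 53.48, lon: -2.24 };
const TOKYO = { lat: 35.68, lon: 139.69 };
const T0 = Date.parse("2023-01-10T08:00:00Z");
const ACCOUNT = {
  knownDevices: ["dev-a1"],
  knownCountries: ["GB"],
  lastLogin: { time: T0, geo: LONDON },
};
const BASE_ATTEMPT = {
  deviceId: "dev-a1", country: "GB", failedAttemptsLastHour: 0,
  ipIsAnonymizer: false, distinctAccountsFromIpLast10Min: 1,
};
const ROUTINE = { ...BASE_ATTEMPT, time: T0 + 2 * 3.6e6, geo: MANCHESTER };
const SUSPICIOUS = { ...BASE_ATTEMPT, time: T0 + 1 * 3.6e6, geo: TOKYO, country: "JP" };
const HOSTILE = { ...SUSPICIOUS, deviceId: "dev-zz", ipIsAnonymizer: true };

for (const [label, attempt] of [["routine", ROUTINE], ["suspicious", SUSPICIOUS], ["hostile", HOSTILE]]) {
  console.log(label, decide(ACCOUNT, attempt));
}
```

The routine attempt (same device, same country, a plausible trip two hours later) fires no signal and is allowed without any prompt; the same device appearing in Tokyo an hour after a London login trips new-country and impossible-travel and gets step-up MFA; adding an unknown device and an anonymizing proxy pushes the score past the deny threshold. In production the weights would be tuned against observed fraud and the signals fed from device, IP-reputation and velocity services rather than literals.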
- Expand traditional omni-touchpoint strategies for fraud prevention to include holistic visibility and insights across the entire customer journey.
This strategy should focus on three often overlooked key areas:
- Begin with initial channel engagement: Focus on customers’ activities from the moment they enter a channel or create an account. This should improve visibility into client-side attacks like digital skimming or formjacking, which are often used to harvest credentials and card information during new account origination, ultimately leading to account takeover and fraud.
- Examine third-party API integrations: In addition to web and mobile apps, merchants and financial services firms must also ensure they include API protection in their security strategies. APIs are subject to the same attacks that target web apps, namely exploits and abuse that lead to data breaches and fraud and introduce unintended risk from third-party integrations and ecosystems.
- Review fraud potential from Card not Present (CNP) transactions: Merchants that offer new services such as proximity-based checkout, buy online and pickup in store (BOPIS), and buy now, pay later (BNPL) must understand the risks that these transactions entail and address them in their fraud prevention strategies. This includes gaining insights into fraudulent behavior patterns and sharing them across all channels.
- Be alert for new friendly fraud challenges in a recessionary environment.
A major new type of friendly fraud that merchants should expect to see ramp up during a recession is “fake friendly fraud,” which occurs when criminals create synthetic identities to appear like a real customer and then transact with no intention of paying for the merchandise they purchase. Fake friendly fraud practitioners can successfully game and bypass prevention efforts because they can easily recycle stolen identity info and create new synthetic identities to open new accounts and avoid being blocked by a deny list. These friendly fraud activities can include BNPL program abuse, loyalty point and refund fraud scams, and bust out fraud.
Protect against new account enrollment with synthetic identities by leveraging insights from behavioral biometric patterns augmented with machine learning to give both security and fraud teams insights into compromised accounts.
- Be prepared for the EU’s Payment Services Directive 3 (PSD3) with new regulations for digital payments.
The threat, payment, and regulatory landscape for merchants and banks has dramatically changed since the Payment Services Directive’s initial 2018 rollout. To prepare for the enhanced regulations of PSD3, merchants and banks should take inventory of new services, channels, and payment options they have recently adopted. For example, are you now supporting digital wallets and crypto payments? How many new APIs with different formats from third-party providers have you integrated into your systems and web properties?
Merchants and financial services organizations need to move away from just focusing on a compliance-risk mindset for their existing API and authentication strategy. They should proactively anticipate and manage the full scope of security and fraud risks that the modern API environment brings.
- Get ready for Shadow API and JavaScript supply chain attacks and the upcoming Payment Card Industry Data Security Standard (PCI DSS) 4.0.
As organizations expand their third-party ecosystem and the number of scripts on their site rises, they introduce new potential points of vulnerability that can lead to client-side attacks such as digital skimming, formjacking, and Magecart attacks. A digital skimming attack occurs when a criminal either injects one or many malicious script(s) or manipulates an existing script on a legitimate page or application to create a software supply chain man-in-the-browser attack. These attacks are difficult to detect since these scripts are updated frequently by third parties, often without a process for your organization to perform security reviews.
In addition, new PCI DSS 4.0 requirements will focus on the need to monitor and manage browser-based, third-party JavaScript libraries that are incorporated into e-commerce websites to enable functionality such as payment processing iFrames, chatbots, advertising, social sharing buttons, and tracking scripts. Though compliance with the new PCI DSS 4.0 requirements isn’t mandated until 2025, client-side attacks are increasingly common right now, so put the enhanced protections in place as soon as possible.
Organizations not only need visibility into the JavaScript libraries running in their web applications, they also need to know what data the scripts are collecting, both to avoid violating data privacy regulations like GDPR and CCPA and to maintain compliance with the new PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Most organizations do not have centralized control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you are unable to patch it. Criminals know that many organizations struggle to manage, track, and secure the volume, scope, and scale of scripts now embedded into websites, and they know how to exploit these scripts for their own gain.