Shopping-related fraud: The coal in retailers’ stockings this holiday season

For many of us, the upcoming holidays are a time to gather with family and friends and exchange gifts.

But they also mean good tidings for fraudsters and scammers. 

Card-not-present (CNP) tactics, credential theft, co-opting of gift cards, advanced phishing scams, refund abuse — these are all gifts that can keep on giving for bad actors (or less nefariously-minded “friendly” fraudsters).

American Express and Accertify teamed up 12 years ago to help thwart such scams. And, as Tina Eide, EVP of fraud and banking product risk at American Express, noted: “Over the course of our work together, we’ve consistently identified new trends and techniques that fraudsters are using.”


“The threat landscape for fraud is constantly changing and we have to anticipate what’s coming to help provide protection,” she said.

Here are some threats that retailers must look out for — and be vigilant about — during this holiday shopping (and inevitable returning) season, according to Eide and Accertify CEO Mark Michelon. 

Captured credentials

Bots are increasing in sophistication, in use and in the range of attack methods they support.

In particular, bots have been driving credit master attacks, said Eide. This is the tactic of trying multiple combos in both logins and transactions to guess details and perpetrate either identity take-over or approved card transactions. 

Fraudsters have ramped up their use of bots to be more efficient and cover more ground, she pointed out. And one-time passcode (OTP) bots place automated calls to customers to obtain the OTPs required for account logins and 3D security protocols.
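On the merchant side, the guessing pattern Eide describes shows up as bursts of declined attempts that vary card details. The sketch below is an added example, not code from American Express or Accertify: it flags a source that cycles through many detail combinations and, separately, a single card being guessed at from many sources. The field names, tokens, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60            # sliding window in seconds (assumed threshold)
MAX_COMBOS = 5           # distinct detail combinations tolerated per key (assumed)
MIN_DECLINE_RATIO = 0.8  # share of declines that makes a burst suspicious (assumed)

# Constructed sample records: (epoch_s, source, card_token, expiry, cvv_guess_id, approved).
# Tokens and guess ids stand in for real card data, which should never be logged.
ATTEMPTS = (
    # one device guessing the security code of a single card
    [(100 + 5 * i, "dev-A", "tok-1001", "12/27", f"guess-{i}", i == 6) for i in range(7)]
    # one device walking through many cards
    + [(200 + 6 * i, "dev-B", f"tok-30{i:02d}", "01/26", "guess-x", False) for i in range(6)]
    # many devices guessing the expiry of one card (distributed bot traffic)
    + [(300 + 4 * i, f"dev-D{i}", "tok-2002", f"{i + 1:02d}/28", "guess-y", False) for i in range(6)]
    # an ordinary repeat customer
    + [(50, "dev-C", "tok-4004", "03/29", "ok", True), (4000, "dev-C", "tok-4004", "03/29", "ok", True)]
)

def detect_enumeration(attempts, window_s=WINDOW_S, max_combos=MAX_COMBOS,
                       min_decline_ratio=MIN_DECLINE_RATIO):
    """Return the set of ("source"|"card", key) pairs that look like detail guessing."""
    alerts = set()
    windows = defaultdict(deque)  # key -> recent (ts, combo, approved) entries
    for ts, source, card, expiry, cvv, approved in sorted(attempts):
        combo = (card, expiry, cvv)
        # Track the same attempt under two keys so both a single noisy source
        # and a single targeted card are visible.
        for key in (("source", source), ("card", card)):
            recent = windows[key]
            recent.append((ts, combo, approved))
            while ts - recent[0][0] > window_s:
                recent.popleft()  # drop entries that fell out of the window
            combos = {c for _, c, _ in recent}
            declines = sum(1 for _, _, ok in recent if not ok)
            if len(combos) > max_combos and declines / len(recent) >= min_decline_ratio:
                alerts.add(key)
    return alerts

if __name__ == "__main__":
    for kind, key in sorted(detect_enumeration(ATTEMPTS)):
        print(f"possible enumeration: {kind}={key}")
```

Keying on the card as well as the source matters because bot traffic is often spread across many devices or addresses, so a per-source counter alone would miss the `tok-2002` case.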

‘Friendly fraud’ not really all that friendly

First-party misuse or refund abuse — less nefariously referred to as “friendly fraud” — is when consumers make legitimate purchases, then dispute the transaction or claim that the item was never delivered, Michelon explained.

“With online shopping at an all-time-high, orders placed for delivery are significantly increasing, and some delivery companies are still practicing contactless delivery,” he said. 

So, regardless of order value, there may not be a signature for proof of delivery, he said. Fraudsters can then claim that they never received an order (when in fact they did) and will demand a full refund or a duplicate shipment.

This can happen for many reasons — buyer’s remorse being a common culprit, said Michelon. 

This impacts retailers with recurring subscription charges, too, he said. Instead of trying to cancel a subscription, a customer may simply dispute the charge. Another “less malicious” example is when consumers do not recognize a charge or merchant descriptor on their statement, think the charge is suspicious, then dispute it.

Prevention, not just detection

Scammers of all kinds are not to be overlooked. Not surprisingly, they’re growing in sophistication. As such, said Eide: “It’s important for organizations and consumers to stay vigilant.”

Organizations should be aware that gift card scams are especially prevalent during the holiday season. They must actively warn customers to never purchase gift cards from a third party that they aren’t familiar with, and to also be wary of alleged requests from bosses or other trusted parties to buy gift cards in bulk. 

“Most often, such requests are scams and are coming from bad actors,” said Eide. 

Organizations should also be on the lookout for new types of “social engineering” scammers, where criminals pose as the organizations themselves to access one-time codes and customer card data, said Eide. To combat this, they should consider bolstering defenses with multifactor authentication (MFA) and biometric authentication, as well as campaigns to educate consumers on best practices. 

Ultimately, said Eide, it is critical to shift focus from just detection to more active prediction. Understanding when scams and fraud could occur, and educating customers about how they can help protect themselves, is of utmost importance.

“Prevention is always better than a cure,” said Eide. 

Comprehensive fraud protection

The key to helping prevent fraud during the busiest shopping seasons is to come at it from several angles, said Michelon. 

“It is critical to have a multilayered fraud prevention solution that can help keep merchants protected,” he advised. 

And, if attacks occur, it is important that merchants already have solutions in place to help with device identification, user-behavior analytics, machine learning (ML) and payment fraud detection, among others, he said. 

Also, state terms and conditions “clearly and visibly,” including your refund, return and exchange policy, he advised. And, make it easy for customers to reach the support team if they have questions about transactions. 

“Quick actions and agile customer service can help prevent disputes and fraud-related chargebacks,” said Michelon. 

Consumer vigilance also critical

Shoppers should actively educate themselves and be aware of how to steer clear of such fraud attempts, too, said Michelon. 

For starters, always keep an eye out for phishing attempts, he said. Be skeptical of messages with warnings such as “Your bill is past due,” or “Your account will be locked unless you take action.” (And look closely, as they may seem legitimately branded, but a letter could be off or they could contain typos; this is a common tactic among hackers.) 

“These could indicate the email is from a fraudster attempting to obtain private information that would allow them to access your account,” said Michelon. 

Just as importantly, be wary of unexpected phone calls or texts. Bad actors can pretend to be from a financial institution and ask to verify account details, PINs, and verification or card security codes. These are what are known as “vishing” attempts.

Fraudsters can also try to obtain private information via text (“smishing”), prompting users to click on a link through suspicious messages about purchases they didn’t make or messages with gift card offers. Upon a user click, fraudsters can quickly install malware.

“When in doubt, call the number on the back of your card and speak with a customer care professional to determine if your bank or credit card company is truly trying to contact you,” said Michelon. “Also, be conscious of any caller who urges you to act with utmost urgency.” 

Importantly, sign up for MFA, which can prevent fraudsters from accessing an account even if they have a correct username and password. 

“Once enrolled for two-factor authentication, never reveal these security codes to unsolicited callers, even if they claim to be from your bank,” said Michelon.

Originally appeared on: TheSpuzz