One of our favorite year-end traditions is to predict what types of fraud attacks will emerge over the next twelve months.
Fraudsters and fraud systems are in a constant arms race. While fraud management solution providers constantly develop new tools, fraudsters perfect their craft by studying new ways to circumvent any walls put up to keep them out. For instance, mule scams used to be fairly simple, with fraudsters using basic package rerouting efforts to receive their stolen goods. But today’s mule scams feature skilled social engineering tactics to target potential victims.
Fraudsters are no longer looking only to get away with fraud; they are also investing more time and resources to scale their operations and boost their ROI by exploiting three main eCommerce customer touchpoints: shopping, payment, and retrieval. They have to seem like legitimate customers at each of these steps, so they are concentrating their efforts on finding new vulnerabilities to exploit. So what new incarnations of fraud will we see in 2020?
1. New and Improved Spoofing
Spoofing is the practice of concealing your true online identity by impersonating that of another. It is by no means a new tactic since proxy servers have been around for years. But caller ID spoofing is a good example of how this method works today. A fraudster — let’s call her Maude the Fraud — can use a spoofing application that makes it look like she’s calling from Safe Sally’s phone number. This method allows the fraudster to disguise her online identity and masquerade as a good customer, sailing through the first eCommerce customer touchpoint.
As the ability to detect risky indicators like device, browser, and IP has been refined over the years, fraudsters have found better ways to hide. They have begun masking more unique session information features like time zone and touch control, which are behavioral characteristics based on the user agent. Until recently, only the more seasoned fraudsters were able to successfully carry this out. But now with user agent data easily found on the dark web, alongside free apps that generate mock data, spoofing has become more commonplace. Because of this, we expect a boost in spoofing attacks in 2020. Last year, we saw plenty of spoofed orders, and we found that orders with spoofing indications were 130 times more likely to be fraudulent than those with none.
So what can merchants do? The first line of defense is to become familiar with session irregularities. For instance, the Safari web browser reports only one language per session, so detection of multiple languages per shopping journey, when the user agent claims a Safari browser, would be a strong indicator of attempted spoofing.
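The Safari language check described above can be run over collected session events. This is an added example, not Riskified's code; the event field names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Browsers whose user agents contain "Safari/" without being Safari.
NOT_SAFARI = re.compile(r"Chrome/|Chromium/|CriOS/|FxiOS/|Edg|OPR/")

def claims_safari(user_agent):
    """True when the user agent string presents itself as Apple Safari."""
    return ("Safari/" in user_agent and "Version/" in user_agent
            and not NOT_SAFARI.search(user_agent))

def spoofing_suspects(events):
    """Map session id -> languages seen, for sessions that claim Safari
    yet reported more than one language across the shopping journey."""
    langs, safari = defaultdict(set), set()
    for ev in events:
        sid = ev["session_id"]
        langs[sid].update(l.strip().lower() for l in ev["languages"] if l.strip())
        if claims_safari(ev["user_agent"]):
            safari.add(sid)
    return {sid: sorted(langs[sid]) for sid in safari if len(langs[sid]) > 1}

# Constructed sample events (field names are assumptions, not a real schema).
SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/13.0.4 Safari/605.1.15")
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36")
EVENTS = [
    {"session_id": "s1", "step": "shopping", "user_agent": SAFARI, "languages": ["en-US"]},
    {"session_id": "s1", "step": "payment", "user_agent": SAFARI, "languages": ["en-US"]},
    {"session_id": "s2", "step": "shopping", "user_agent": SAFARI, "languages": ["en-US"]},
    {"session_id": "s2", "step": "payment", "user_agent": SAFARI, "languages": ["ru-RU", "en-US"]},
    {"session_id": "s3", "step": "shopping", "user_agent": CHROME, "languages": ["en-US", "de-DE"]},
]

if __name__ == "__main__":
    for sid, seen in spoofing_suspects(EVENTS).items():
        print(f"review {sid}: Safari user agent with languages {seen}")
```

The Chrome session is not flagged even though it reports two languages, because Chrome's user agent also contains "Safari/" and has to be excluded before the rule is applied.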
2. Address Scrambling
The second touchpoint – payment – is the step in which fraudsters must enter the billing and shipping information to pass payment authorization. They understand that fraud solutions tend to look for a match between these two details to weed out fraud. To avoid or delay merchants’ blocking orders by address, they scramble the shipping information. Extra characters are inserted into the address fields to confound the merchants’ systems and make the addresses appear unique.
This used to be done manually and only on a handful of addresses. Today fraudsters have scaled this tactic, using bots to generate thousands of address alterations, with only one valid address hidden among them. In one fraud ring attack last year, we saw addresses stuffed with random characters in an attempt to defraud a retailer of more than $40 million worth of goods.
We expect bots to continue to be the preferred method for future fraud attacks as fraudsters get better at using them. This means that fraud solutions will have to continue to develop and improve their bot detection. One way to do this is to engineer features that specifically address the threat of bots. Device orientation and scroll pattern are two effective indicators of bot use, and can help prevent large scale address scrambling attacks.
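Alongside bot detection, scrambled addresses can be collapsed back onto one another before any address-based rule runs. The sketch below is an added example, not Riskified's method: it assumes the postal code and house number survive the scrambling (so the parcel stays deliverable), and the field names, thresholds and sample orders are constructed for illustration.

```python
import re
from collections import defaultdict

def squash(addr):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def lcs_len(a, b):
    """Length of the longest common subsequence (row-by-row DP)."""
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0]
        for j, bj in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ch == bj else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def scrambled_clusters(orders, min_variants=3, coverage=0.8):
    """Return (anchor address, order ids) for groups of differently spelled
    addresses that collapse onto the same underlying address."""
    buckets = defaultdict(list)
    for o in orders:
        house = re.search(r"\d+", o["address"])
        buckets[(o["zip"], house.group() if house else "")].append(o)
    clusters = []
    for bucket in buckets.values():
        # The least-stuffed spelling in the bucket serves as the anchor.
        anchor = min(bucket, key=lambda o: len(squash(o["address"])))
        core = squash(anchor["address"])
        linked = [o for o in bucket
                  if lcs_len(core, squash(o["address"])) >= coverage * len(core)]
        if len({o["address"] for o in linked}) >= min_variants:
            clusters.append((anchor["address"], sorted(o["id"] for o in linked)))
    return clusters

# Constructed sample orders; field names and thresholds are assumptions.
ORDERS = [
    {"id": 1, "zip": "30301", "address": "12 Harbor Road"},
    {"id": 2, "zip": "30301", "address": "12 Harbor Road qxz"},
    {"id": 3, "zip": "30301", "address": "12 Hxarbor Rzoad"},
    {"id": 4, "zip": "30301", "address": "12-Harbor Road ##kj"},
    {"id": 5, "zip": "30301", "address": "12 Pinewood Street"},
    {"id": 6, "zip": "30301", "address": "98 Lake Ave"},
]

if __name__ == "__main__":
    for anchor, ids in scrambled_clusters(ORDERS):
        print(f"{len(ids)} orders collapse onto '{anchor}': {ids}")
```

Because inserted characters leave the original address as a subsequence, the grouping still works when the clean spelling is absent and every variant in the bucket carries some padding.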
3. Socially Engineered Mule Scams
Once fraudsters are able to effectively order the goods, we see mule scams as fraudsters’ solution to the final and most challenging touchpoint to overcome: goods retrieval. Fraudsters have always needed to be careful not to lose their cover. They historically have posted job listings for shipping mules in the victim’s zip code to have a full AVS match. By having the goods delivered to an area close to where the fraudster placed the order, the fraudster remains invisible to most fraud solutions. What we are seeing today serves the same goal, but is executed in a more complex manner.
Fraudsters these days manually locate and target victims, in some cases fostering close relationships with them. In fact, each year, millions of elderly Americans fall victim to some type of financial fraud. Some scammers use dating sites to find the unsuspecting accomplices. Others pose as tech support, offering to fix non-existent issues to gain access to the victim’s computer. We’ve also seen fraudsters target activists and volunteers, convincing them that the goods are for the homeless or for a non-profit organization. Whatever the approach, the successful manipulation of these victims to participate in a mule scam is where we get a glimpse of the time, resources, and expertise dedicated to these social engineering efforts. Once a mule is secured, fraudsters pose as the legitimate credit card holder and change the billing information registered with the bank to match that of the mule. Once the mule receives the package, they then forward it to the fraudsters.
To fraud management systems, mule orders are tricky because they appear to be ‘perfect’ without any mismatches. We learned through the billions of orders we’ve reviewed that expensive appliances and precious metals are often the target for this type of attack. In fact, we found one credit card BIN used for 65% of related orders. Upon discovery, we quickly integrated a new data source to detect such BINs and our models were able to stop this fraud ring from causing any damage.
In addition to this kind of anomaly detection, an important method of identifying and blocking mule orders is through linking. When a customer with years of low-cost orders suddenly purchases $5,000 worth of gold, or an elderly customer suddenly buys several Apple MacBook laptops, red flags must be raised.
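A minimal form of the linking check described above, as an added example rather than Riskified's model: orders are joined into one customer entity when they share an identifier, and the newest order is compared with that entity's history. The field names, the ratio threshold and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

LINK_KEYS = ("email", "device_id", "card_hash")  # assumed field names

def link_orders(orders):
    """Union-find: orders sharing any LINK_KEYS value form one entity."""
    parent = list(range(len(orders)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}
    for i, order in enumerate(orders):
        for key in LINK_KEYS:
            if order.get(key) is not None:
                j = first_seen.setdefault((key, order[key]), i)
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, order in enumerate(orders):
        groups[find(i)].append(order)
    return list(groups.values())

def red_flags(orders, ratio=10, min_history=5):
    """Ids of orders that are the newest in their linked entity and exceed
    `ratio` times the median amount of that entity's earlier orders."""
    flagged = []
    for group in link_orders(orders):
        *history, latest = sorted(group, key=lambda o: o["date"])
        if len(history) >= min_history:
            if latest["amount"] > ratio * median(o["amount"] for o in history):
                flagged.append(latest["id"])
    return sorted(flagged)

# Constructed sample: six small orders, then a $5,000 order that shares
# only the card with them, plus an unrelated shopper with no history.
ORDERS = [{"id": n, "date": f"2019-0{n}-15", "amount": 25.0 + n,
           "email": "sally@example.com", "device_id": "dev-1",
           "card_hash": "card-A"} for n in range(1, 7)]
ORDERS += [
    {"id": 7, "date": "2019-12-20", "amount": 5000.0, "email": "s.new@example.com",
     "device_id": "dev-9", "card_hash": "card-A"},
    {"id": 8, "date": "2019-12-21", "amount": 4200.0, "email": "bob@example.com",
     "device_id": "dev-2", "card_hash": "card-B"},
]

if __name__ == "__main__":
    print("orders to review:", red_flags(ORDERS))
```

Order 7 arrives with a new e-mail address and device, so only the shared card ties it to the six earlier low-value orders; without linking it would look like a first-time customer.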
In an ideal world, fraud attacks would be stopped before they ever take place. Realistically, merchants can address fraud by leveraging the best fraud management solution: one that evolves to adapt to the latest attack vectors, with technology that can both register and analyze the vast amount of eCommerce data flows. Coupled with an extensive network of orders, merchants can gain cross-industry, cross-market insights that fraudsters would never have. Fraud teams with the right resources can get a jumpstart in 2020 in combating new types of fraud and in securing and growing revenue. To learn more about how Riskified can help your business grow and defend against fraud, contact us at firstname.lastname@example.org.