What does 2019 have in store for eCommerce and CNP fraud?
In 2018 eCommerce evolved in some directions we expected… and others we didn’t. The holiday season rewrote the record books again – Black Friday sales in the US were up 23.6%, and, as of writing this, it looks like holiday season volume as a whole rose 20%.
Regarding our cryptocurrency prediction, while bitcoin captured headlines last year, it had little impact on the payments landscape. As for fraud, we correctly predicted that attacks would become more commonplace in many staple (as opposed to luxury) industries. Our data shows that CNP fraud in food delivery services and consumer appliances crept up in 2018, while in North America the rate of attacks in sales for vapes (and related paraphernalia) fell slightly. In fashion, while the attack rate in Japanese and South Korean apparel orders rose in 2018, they were still much safer than similar US orders.
So what does 2019 have in store? Here are five trends omni-channel retailers and online merchants should keep an eye on to help strategize and to protect their bottom line.
1. Emerging markets: The eCommerce battleground
This past summer, Walmart paid $16B to acquire a majority stake in Flipkart, an Indian eCommerce company. The Indian digital market is projected to more than double in volume by 2022, and this was a brilliant move by Walmart to capitalize on this activity. In fact, Amazon reportedly made Flipkart an almost identical offer. To build their own presence in the region from the ground up would take Walmart years, and with Alibaba and Amazon making their own plays, Walmart couldn’t afford to wait around.
It will be fascinating to see the steps these major eCommerce players take in 2019 to win greater market share in India and beyond. The massive payoff of being the first mover to get a foothold in an emerging economy means we’re likely to see companies making acquisitions in eCommerce markets like Indonesia, South Korea, Brazil and Turkey.
2. More consumers will turn to alternative payment methods
Consumers are increasingly demanding fast, easy, and safe ways to shop and pay. Not coincidentally, this shift is happening as millennials surpass baby boomers in population size; according to a 2017 survey, US millennials are 41% more likely to shop via mobile apps than baby boomers, and they expect a seamless mobile payment experience.
Accepting payment from apps such as Venmo and Zelle is a good way to capture more market share and drive loyalty among younger shoppers. These P2P payment methods are becoming the go-to for mobile-first consumers (an estimated 40.4% of smartphones in the US will have a P2P app installed in 2019). Forward-thinking retailers who cater to millennials – such as Lululemon, Footlocker and Forever21 – are already giving shoppers the ability to complete their purchase using mobile payment apps.
Offering new payment options requires merchants to update their fraud review practices – fraudsters often test newly launched payment and shopping flows in the hopes of uncovering vulnerabilities and loopholes. By analyzing mobile-specific data, and taking into account shopping preferences and fraud patterns unique to mCommerce, retailers can ensure good customers enjoy a streamlined shopping experience while bad actors are blocked.
3. More automation for a better omni-channel shopping experience
Both eCommerce retailers and their customers stand to benefit from increased use of automation. Many merchants today are setting up flows to automatically delist products that are out of stock (and alert marketing to stop promoting these products on social media). We’re also not far from an age where fully automated fulfillment and shipping centers will be the norm for online retailers. Merchants will benefit from drastically reduced operational costs, while consumers will get faster delivery, and no ‘item not in stock’ messages.
The downside is that automated flows, when done wrong, can impede the customer experience and expose merchants to new fraud threats. For example, automating the BOPIS (buy online / pickup in-store) process often means shoppers need only a digital token or code to collect their goods. Requiring an ID when consumers pick up their goods could lead to long queues and can sour the shopping experience. So, merchants need to be especially careful when reviewing these orders for fraud – otherwise it’s just too easy for fraudsters to use stolen cards for click and collect purchase. They should be treated like orders for digital goods such as gift cards – specifically, with an emphasis on data points like IP address and device fingerprints, while ignoring the shipping address.
4. Merchants will get better acquainted with referral abuse
Taking advantage of promos is not a new concept. Even back when merchants were offering coupons in newspapers, people were forging them, or going dumpster diving for extra copies. But eCommerce promotions, while a valuable tool for online merchants, are particularly vulnerable to all sorts of abuse.
One of the most common methods is referral abuse. As the name suggests, these scams target promotions that reward customers for referring their friends. One MO is to create fake shopper accounts, and refer these nonexistent people, in exchange for store credit. And if the terms and conditions require the referred customer to purchase something, these phony accounts can place orders, and then cancel or return them.
Why do we expect to see more such attacks in 2019? Well, coupons aren’t going anywhere (and merchants certainly shouldn’t stop offering them), but techniques for abusing them are getting more sophisticated. For example, some coupon codes can be hacked by using bots – an operation quite similar to the credential stuffing mentioned below.
5. More ATO attacks. A lot more.
But when we predict that 2019 will see ATO attacks become even more widespread, it’s more than simple extrapolation. To explain why, here’s a quick refresher of how ATO attacks happen:
- Bad actors steal legitimate users’ login credentials, usually either through a data breach, or phishing attack.
- The data thief uses a bot to verify the credentials and check which eCommerce stores they work for. This is called credential stuffing.
- The thief either sells the credentials to a second fraudster on the dark web, or uses them themselves to commit an ATO.
In 2018, we saw plenty of high-profile data breaches, including data from Facebook and Uber accounts.There won’t be a shortage of compromised credentials for fraudsters to use in 2019. And then there are the disturbing trends in bot use. The rate of automated credential stuffing is rising on a monthly basis, and these attacks are also becoming harder to detect, as fraudsters embrace ‘Low & Slow’ stuffing methods.
As opposed to brute force attacks, which simply try to test as many credentials as quickly as possible, Low & Slow sacrifices speed to make these attempts appear more human-like and harder to detect. In 2019, merchants will have their work cut out for them protecting customer accounts. For tips on defending against ATOs, check out our free guide
Here’s to a safe and profitable 2019!
There’s every reason to anticipate another record-breaking year in eCommerce. To get tips to make the most of this opportunity, follow the Riskified blog – hit the button below to receive a bi-monthly email with our latest posts. For any other questions, contact us at email@example.com.