As everything shifted to digital, merchants had to innovate. They rolled out new omnichannel flows, streamlined processes to improve fulfillment, and offered new perks and policies to boost loyalty. 

With more online shopping activity comes greater opportunity for fraud, and fraudsters rose to the occasion. They were quick to pivot and detect new vulnerabilities during the mass-migration online. The effect? This year’s fraud MOs challenged tradition, and as merchants strategized to meet the latest trends, fraudsters weren’t far behind. As bad actors challenge the status quo and invent new methods for their craft, what kind of fraud can we expect in 2021?

1. Sleepy accounts become the target

In their attempt to gain market share and earn customer loyalty, many merchants rolled out special offers and improved shipping and delivery options for account holders. Store accounts became more active, a trend we saw play out in our data with the sharp increase in activity from ‘lapsed’ customers. These are customers who had an unused account with a merchant or had not shopped within Riskified’s network in the past year. 

Fraudsters were quick to take advantage of good customers returning online–our data revealed a surge in account takeovers over the last few months, most noticeably in these ‘lapsed’ customer accounts. For fraudsters, it’s the golden opportunity to hide among returning customers, because these orders are much harder to decline. An account that hasn’t been used in months or years suddenly seeing a surge in activity would likely raise red flags, but during the pandemic, this became the norm. Fraudsters knew that merchants would be reluctant to decline these transactions, not wanting to push away their loyal customers in such a critical time. 

As more customers shop online after a long hiatus and adjust their account settings, merchants will have to keep up with changing data points: new IP, new addresses, and even new phone numbers. Account changes are normally a risky behavior since fraudsters update account details to match their own. But as legitimate customers return online and update their accounts, fraudsters can get lost in the crowd. So what can merchants do? Comparing IP addresses and device fingerprinting are a good start. But merchants should leverage data that is based not only on the account, but on the fraudster’s digital footprint. Bot-detection, behavioral analysis, and drawing on a strong network of consumer data are all critical to distinguish returning customers from fraudsters.

2. ATOs with a twist

In a typical account takeover attack (ATO), fraudsters obtain account credentials—through phishing, data breaches, or hacking—and use them to purchase goods with stolen or stored credit cards. In this scenario, the fraudsters obtain the goods and resell them. Today, fraudsters have upgraded this process, and the breached accounts are the goods resold. How does it work? Once a fraudster has the victim’s login details, they place an order using a stolen CC or the stored payment method. They purchase a low-risk product to avoid raising red flags and ship the product to the victim’s address. 

After the order is approved, the fraudster quickly cancels it before fulfillment, asking for the value in store credit. Now the fraudster has a stolen account with stored credit in it, which increases its dark web market value. What does this fraud MO look like in our system?

  • Customer account created 2 years ago
  • Credit card used 1 year ago with the same customer
  • Billing and shipping address match
  • Product purchased: 30 cat hammocks 

It looks like a perfectly safe order, and this is the fraudster’s goal. Loyalty accounts usually sell for $5-10 on the dark web, but an account with a refund that can be redeemed with no further verification could be resold for $100 or more. For fraud management systems, these orders are tricky because the information matches perfectly. 

During the pandemic, many merchants relaxed their policies to foster loyalty. For example, airlines are now allowing their customers to get their money or miles back without paying fees to re-deposit them if they cancel their flight. As merchants become more lenient in their refund policies, we expect this type of ATO to continue to grow. This means that fraud solutions will have to further improve account protection. One way to do this is to leverage accurate decisioning at login. Once the fraudster is blocked from entering the account, the entire flow is blocked. Merchants should leverage data points like spoofing detection and password entry behavior to detect a bad actor at the first point of contact, rather than at checkout, when these orders are much harder to decline.

3. INR abuse 

The global economy took a hard hit in 2020, with many losing their income as unemployment rates soared and lockdowns restricted new job opportunities. During this time, many looked for available and lucrative WFH opportunities. Fraudsters were no exception, but they weren’t the only ones trying to game the system. Since March, we detected an uptick in policy abuse. What does this mean? Similar to ‘liar-buyers’, customers who claim they did not authorize the purchase, there are also cases of shoppers who take advantage of the returns process. For example, customers who are dissatisfied with their purchase might claim that it was lost or simply not as described, rather than go through a complicated returns process. This is known as “item not received’’ or INR abuse. 

Most abusers are just good customers who just wanted to cut corners once or twice. But abuse can become much more malicious. For instance, after submitting a false claim, they can resell the product for a profit, while the merchant eats the costs. In June 2018, three people were given a prison sentence for requesting returns for items they never shipped back to Amazon, defrauding the eCommerce giant out of over $1.2 million. Customers who methodically abuse merchants’ policies work strategically, and like fraudsters, we can find similarities in their orders, such as:

  • Targeted products
  • Patterns of INR claims at your store
  • Repeat, cross-merchant abuse cases

Staying on top of trends at the order level is critical to detecting INR abuse at scale. Unfortunately, blocking abusers isn’t all that easy. Customers can respond by using guest checkout or changing the details of their order to avoid being blocked or restricted by the merchant. Ultimately, the most powerful tool merchants can leverage is cross-merchant linking. This type of machine learning identifies abuse patterns before they become a greater issue, so retailers can safely apply their policies in a way that makes financial sense. Instead of blanketed restrictions, merchants can apply selective friction to suspected INR abusers. Merchants could require the customer to answer additional questions before honoring the claim, or remind them of their policies. In this way, merchants can curb their losses while continuing to offer a policy that promotes customer loyalty.

Looking ahead

In 2020, we were pushed to learn and progress more quickly than ever before. Challenging our existing assumptions is, perhaps, the best way to tackle fraud. Fraudsters, like merchants, are constantly innovating and optimizing their strategies. But with a dynamic and comprehensive approach to fraud review that looks at hundreds of data points in real-time, merchants can find patterns in the unpredictable, and swiftly adapt. This way, by the time fraudsters discover new tactics, they are already one step ahead.