Cybercrime Report: Retail eCommerce Has a Big Bot Problem

Posted March 19, 2019

Our latest report on global cyberattack trends finds that retail eCommerce fraud hit an inflection point during the second half of 2018. What it means for the industry’s bottom line could leave merchants cheering, jeering—or most likely, both—in the year ahead.

According to the new H2 2018 Cybercrime Report from ThreatMetrix, sophisticated attacks against retailers have actually been dropping over the last several months. The sector’s commendable investments in cybersecurity have surely played a major role in that. But those reductions may also stem from the fact that cybercriminals are finding more efficient ways to do their bidding.

The report, which tracks actual cyberattacks within the ThreatMetrix Digital Identity Network from July through December of 2018, is widely considered a reliable proxy for global cyberattack trends. It finds that reductions in overall eCommerce fraud also coincide with the deployment of 2.1 billion automated bot attacks. That’s a 142% increase year-on-year, and includes 12% growth in bots targeting the mobile channel.

In fact, retail eCommerce was the target for 2/3 of all bot attacks last year. Even though human-initiated attacks have declined, the pernicious and widespread impact of high-volume bot traffic cannot be overstated, and could hardly be more painful.

An Increasingly Digital Money Machine

It’s not all bad news, however. Last year, consumers in the US alone spent more than $517 billion with online and mobile merchants, up 15% from the year prior.

What’s more, 2018’s blockbuster holiday shopping season saw more than $17.8 billion in online sales just in the five-day period beginning on Thanksgiving, with a record $6.6 billion transacted on Cyber Monday. And Black Friday was the first day in history to see more than $2 billion in sales come through smartphones, a major milestone in the mobile revolution.

59% of all online sales were made via smartphone or tablet, up from 52% in 2017. Yet it’s worth noting that the desktop still accounts for 69% of all logins—compared to 41% of account creations and 44% of payments. It seems consumers still prefer to browse goods and services on a larger screen, even if they’re happy to open new accounts or make payments via the mobile channel.

But the frisson sparked by all this merchant merrymaking was tempered somewhat in 2018, as fraudsters continued to exploit the ever-increasing availability of stolen identity credentials for monetary gain.

Cloak and Data

Despite that drop in human-initiated eCommerce attacks, online merchants continue to experience a high rate of new account creation attacks, with 1 in every 7 transactions rejected as fraudulent. Armed with stolen identity credentials, fraudsters also view eCommerce account takeovers as an easier target than many other industries, with an attack rate of 4.9%.

However, the bigger eCommerce story is one of heightened risk from all those automated bot attacks. As it stands now, bots designed to test identity credentials can sometimes make up more of a merchant’s daily transaction volume than legitimate traffic. This makes it harder to balance an optimized customer experience and low-friction authentication, while also maintaining effective fraud control.

At times, this might mean accepting a higher percentage of fraud in order to process more genuine orders from good customers. But once bots validate all those stolen identity credentials, they’re then used to impersonate legitimate consumers or to create synthetic identities for use in costly new account creation- and account takeover-based attacks. So it’s little wonder that this bot barrage is spreading fast.

The Rise of Global Bots

The fact is, eCommerce is increasingly a key target for automated bot traffic around the world, with a growing proportion of that traffic flowing from a wider array of regions. Top bot originators during H2 2018 include Malaysia, Indonesia, Vietnam, Japan, South Korea, Russia, India and Brazil, as well as the U.S.

The risk from automated bot attacks appears to be growing year-on-year, perhaps indicating that cybercrime is developing into an industry in its own right, serving smaller growth economies with stolen identity credentials and the tactics for how best to monetize them.

Bot-based or otherwise, overall cyberattack trends within specific regions are, well, all over the map. New account creation transactions from North America are attacked less than the global average at 11%, even while the attack rate in South America is as high as 33%—and 41% in Southeast Asia. At the same time, new account creations are attacked at 16.4% in EMEA, though they’re down 19% in the last year.

Meanwhile, payments transactions in Canada are experiencing significant growth in attacks, up 87% overall, and 164% for mobile transactions. Same for Asian markets, where mobile payments attacks are up 92% in the last six months—even while overall payments attacks are down globally.

2019 Outlook: The Battle Grows More Complex

As 2019 progresses, it’s likely that trends seen in the latter half of 2018 will continue to evolve, further aggravating an already complex cybercrime landscape. In the year ahead, look for fraudsters to up the ante, using artificial intelligence and employing global networks of machines and humans to increase their chances of success.

One thing is clear: Single-point solutions are unlikely to succeed in helping online and mobile merchants win the battle against cybercriminals. As many digital merchants are no doubt discovering, a layered defense of fraud, identity and authentication capabilities, executable in real time, and across the entire customer journey, is the most robust solution to this growing problem.

For many, this will depend on uniting world-class digital identity intelligence with physical identity and authentication capabilities that can help streamline the customer experience, reduce friction and detect and block complex fraud.

The good news: It won’t just help merchants defend against the $19 billion in cybercrime losses the sector suffered in 2018. According to Accenture, the trust this kind of protection could engender may translate into 2.8% in additional growth for those that can attain it. That sounds like an excellent goal to me.

To learn more about global cyberattack trends and best practices for defending against them, download a copy of the H2 2018 Cybercrime Report from ThreatMetrix.

Parul Sharma

Sr. Director of Professional Services
