April 20, 2018
Online Retailers Set for Cybercrime Christmas After 45 Million Fraud Attempts in the Last 90 Days Alone
Posted November 17, 2015
Online retailers beware: you could be in for a torrid time over the festive period, according to the fraud patterns outlined in the ThreatMetrix Cybercrime Report: Q3 2015. Gathered from our Digital Identity Network, which analyses over one billion transactions each month to help protect our 4,000+ customers, the report paints the picture of an online fraud landscape growing increasingly sophisticated and menacing. Data breaches like the recent high-profile attack on TalkTalk send ever more personal data onto the darknet, fueling a rise in fraud attempts.
But all is not lost…
The sorry state of compromised data and login credentials means that organisations are urged to turn away from traditional authentication methods and embrace an approach which unmasks true Digital Identities in real-time, in order to accelerate digital revenues.
What happened in Q3?
A major spike in fraud is anticipated this festive season, based on the cybercrime trends over the past 90 days. It’s normally a quieter time for consumers as they gear up to the big shopping season, but Q3 this year saw a 25% jump from the previous quarter in fraud attempts targeting online retailers. A massive 45 million attempted attacks against e-commerce alone were blocked by ThreatMetrix, while overall, customers were saved from over 90 million fraud attempts by our platform, representing millions in potential losses.
Given this pattern of attacks, and the estimated £1bn+ set to be spent on Black Friday in the UK alone, this year could see fraud attempts at almost double the 11.4 million we blocked in 2014 over the peak shopping period.
So where was fraud most concentrated in the previous three months? Our data shows that when it comes to e-commerce, account creation was most at risk, as 7% of these transactions were deemed to be fraudulent. This is in contrast to payments (3.2%) and account log-ins (5%). Across sectors, the pattern was slightly different, with account log-ins (4.1%) the most risky type of transaction, followed by account creation (3.7%) and payments (3.3%). Once again the top digital nations were the major attack originators, including the US, UK, Germany and France.
The story behind the stats
So what’s driving this uptick in online fraud? Poor cybersecurity on the part of the firms that store our personal and financial information is a major culprit. This has led to an increase in headline-grabbing data breaches, particularly across the US on the part of retailers like Target, Home Depot and others. But we’ve also seen it with the attack on UK ISP TalkTalk, showing that firms on both sides of the Atlantic are at risk. As this stolen data floods the cybercrime underground markets, it is snapped up and used by eager fraudsters keen to make some money.
The use of botnets to run massive identity testing sessions has made it even easier to bypass traditional anti-fraud defences at scale. Cybercriminals are turning to ‘low and slow’ attacks, which bypass traditional botnet detection techniques.
Proxies and device/location spoofing tools help to mask criminals’ true identity, and malware readily available on the cybercrime underground is being used to hijack user sessions in another common modus operandi. Mobile also represents a challenge for online retailers and indeed all businesses. The channel now accounts for a third of all transactions according to our data, with 35% of consumers accessing services using both mobile and desktop in the past month alone. But the fraudsters are ready to take advantage. Device spoofing was the top attack vector in Q3, accounting for 6% of transactions.
Fighting back with layered security
With stolen identities flooding the cybercrime underground, and with malware, bots and cloaking technologies providing scammers with even more sophisticated ways to launch attacks, it’s become obvious that organisations need a better way to combat the global fraud epidemic. Organisations that have relied on static login credentials, clunky two-factor authentication or challenge questions need a context-based approach which builds a picture of their customers’ true digital identities. This can combine device identification, geolocation, big data analytics, behaviour analysis, phone number and address validation, credit card fraud detection, identity validation, and identity scoring.
More than that, they need technology that’s able to analyse consumer data to compare traffic against global models, pick out behavioural patterns across industries and apply machine learning. Only with this kind of next-generation approach can firms meet the ever-growing sophistication and menace of online fraud.