Beware of These 5 E-Commerce CNP Fraud Trends

E-commerce is booming, but so is card-not-present (CNP) fraud. In fact, CNP fraud is growing at 14 percent per year because fraudsters have become more sophisticated about leveraging all the stolen data that’s out there. While this isn’t great news for online merchants, knowledge is power. Here are five fraud trends every e-commerce seller needs to focus on in 2019, along with suggestions on how to fight them.

Fraudsters Impersonate Companies and Executives

One of the fastest-growing types of fraud against all kinds of organizations is business email compromise (BEC). BEC can target a retailer’s customers by sending an email impersonating customer service and asking for account credentials — a common type of phishing that leads to account takeover fraud. BEC can also do major damage when scammers pose as company executives and then email “urgent” wire transfer or invoice payment requests to other people within the company.

Some BEC scammers even time their messages to reach victims when they’re likely to be checking email on their smartphones. That way the victim sees a sender name they trust but not the unusual sender domain name that would tip them off to the scam. To protect against BEC, e-commerce merchants need tools to authenticate sender identity and prevent domain spoofing. They should also train employees to use extra diligence with “urgent” emails.

Bad Bots Go Mobile

Fraudsters are deploying botnets in many ways to get around fraud controls. One method is to rent “armies” of infected devices to mask the origin of their attacks on merchants, banks and other organizations online. This approach also allows for large-scale attacks. While most of the coordinated botnet attacks reported in last year's second quarter targeted social media, online gaming and e-commerce were also frequent targets.

Fraudsters are also increasingly using smartphones for botnet attacks. A 2018 report found that one in 17 mobile devices across half a dozen major carrier networks was being used for bot traffic. These mobile bots accounted for 8 percent of malicious botnet activity. Analysts say the way mobile devices use IP addresses (many devices on one IP, frequent IP changes) make it difficult to screen out bots without blocking a lot of good traffic, too. If your store doesn’t already use channel-specific fraud prevention for mobile and desktop, now is the time to begin.

More Cross-Border Orders, More Rejections

Fifty-four percent of e-commerce was cross-border in Q2 2018, but international orders were 69 percent more likely to be rejected than domestic orders. While there are some additional risks with cross-border orders, such as higher rates of device and identity spoofing, many of those rejected orders were probably false declines based on assumptions about the risks from particular countries.

This is an expensive mistake to make. The global value of cross-border e-commerce is projected to reach more than $1.2 billion by 2020. Merchants that don’t want to miss out on cross-border opportunities should make 2019 the year to take a look at their rules for evaluating risk to reflect the real risks, rather than simply blocking orders from entire countries or regions.

More Data Breaches, More Fraud

As criminals discover new ways to exploit consumer data for CNP fraud and other types of fraud, the market for stolen data is growing. Juniper Research projects that the number of records stolen in data breaches will increase 22.5 percent per year through 2023, compromising some 146 billion records in all. Worse, not all those breaches will be detected and reported, although Juniper expects reporting rates to close in on 90 percent during the same period.

With every breach, of course, criminals have more material to commit CNP fraud, take over consumer accounts, synthesize new identities for fraud, and impersonate real people (usually corporate executives) to commit identity-deception fraud. That means it’s the responsibility of every merchant to protect their data from theft by encrypting data, storing it securely, and maintaining up-to-date versions and patches on all software and operating systems.

Costly GDPR Consequences for Data Loss

The European Union's GDPR may start having an impact on the way companies obtain data, store it, and disclose breaches when they’re discovered. That’s not only because the sweeping law, which took effect in 2018, covers all businesses that have customers in the EU. It’s also because this may be the year we see high-profile companies pay the consequences for a lack of security or due diligence. For example, Marriott may be liable for fines up to 4 percent of its yearly worldwide revenue in the wake of the Starwood data breach, which compromised half a billion guest records. The message is clear: Any company that operates in the EU and has access to customer data must step up its security and breach-detection practices.

All these trends show that e-commerce merchants must keep up with the latest threats and best practices in fraud protection. That means recognizing that no single fraud prevention tool can be effective against the large number of rapidly evolving schemes that criminals use. E-commerce businesses that deploy multiple layers of fraud protection will be the most successful at detecting and stopping CNP fraud threats in 2019 and beyond.

Rafael Lourenco is executive vice president at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen.