International Fraud Trends

Andrew Edem, Head of Engineering & Information Security Officer at PPRO Group

17.05.2016 01:00 pm

The fraudsters’ calculation is simple: where there’s a great deal of revenue to be earned, there’s a great deal of fraud to be committed. And where there’s even more revenue to be earned, there’s even more fraud to be committed. In international e-commerce, the signs are pointing the way to increased revenue – and the fraudsters have already muscled in with new techniques.

Trend 1: E-Commerce is an Easy Target

The more online merchants and e-commerce customers there are, the more potential victims there are for fraudsters. The internationalisation of e-commerce is enabling highly specialised online criminals to become internationally active. Whereas online fraud attacks used to target primarily banks and payment providers, these are now very well equipped to deal with such threats, leveraging technical protection measures and advanced fraud detection services, as well as regulatory standards for the financial industry. Attackers must therefore overcome major obstacles in order to plunder financial institutions. Although online shops tend to be much less well protected, they also process customer data and receive confidential financial information. The protection mechanisms used by many merchants are not yet state of the art: they do not tend to perform live checks on the customer information entered or deploy sophisticated risk management systems.

Trend 2: Identity and Account Theft

If we look at the methods preferred by cybercriminals, we find that identity theft (often described as “appropriation of identity”) and account theft are particularly popular. In identity theft, instead of creating completely new false identities, criminals use stolen personal information as a basis. Account theft, on the other hand, usually involves email addresses and login passwords, which are often siphoned off during hacker attacks on online services. In Internet purchase fraud, thieves merely change the shipping address in order to make someone else pay for their purchases.

Trend 3: E-Commerce Fraud

Mobile is the new desktop. Users are increasingly moving away from traditional PCs and laptops towards smartphones and tablets. The problem here is that protection mechanisms for mobile devices are by no means as comprehensive as those designed for traditional computers. Another oft-neglected factor is that small mobile phone screens make it much easier to stumble upon fraudulent websites—users simply can’t see the details as well. Behaviour patterns on mobile devices are different, too: smartphone users are accustomed to controlling everything through a few taps, so complex security functions are just not practical. Payment is usually made using one-click methods. Risk management for mobile customers also tends to be problematic, as it is no longer possible to simply evaluate their location – after all, the whole point of mobile devices is to give users freedom of movement. Malware threats on smartphones and tablets also remain an exciting topic. Although it has been talked about for years, experts believe that the great plague of smartphone viruses is yet to come. In 2014, there were around 400,000 new viruses for mobile devices. In 2017, this number is expected to reach 12 million.

Trend 4: Malware is Getting Smarter

No matter how comprehensive technical protection becomes, fraudsters use clever malware to keep up. This means that the threats will continue to increase — and not just on mobile devices. All e-commerce channels, whether phone sales or sales via partner platforms, are constantly under fire. The reason for this is that, over the past few years, the malware scene has become extremely professional. As part of its study (1), EMC collected figures relating to online crime. 55 percent of all attacks on financial data are perpetrated by massive criminal rings. With viruses, however, it is not the sheer number which is terrifying: it is the fact that it is now possible not only to clone viruses, but to modify them in such a way that they form entirely new entities: ones which cannot be detected by existing security mechanisms. Whereas, in 2014, there were around 82 million new viruses a year, there are estimated to be as many as 166 million in 2017 (1).

Trend 5: KYC is Not Enough

This trend is a result of the aforementioned points. Even if merchants believe they know their customers inside and out, they still need to be cautious. KYC (Know Your Customer) strategies are important, but they are not enough by themselves. Customer classification is a good thing: after all, customers who pay their bills quickly and reliably and bring in large amounts of revenue deserve to choose their payment method. But what if a customer account is hacked? In such cases, it's not the trusted customer making the purchases, but the fraudster—using the customer's good name. In addition to the well-known KYC functions, therefore, stores must use fraud detection solutions to recognise when a customer makes unusually frequent purchases or transactions with unusually high totals.

Putting Protection Mechanisms in Place

As sad as it sounds, there is no such thing as perfect protection. Merchants can, however, use multiple methods resources to implement effective measures which do not interfere overly with online business:

Multistep Security: Security should always be a multistep process. Instead of relying on a single product or strategy, merchants should take a multi-pronged approach, placing particular emphasis on tools and services which can be flexibly adjusted. A behaviour recognition program can, for example, be a valuable enhancement to existing KYC components.

Encryption: As a general rule of thumb, merchants should store only the most necessary data and – if possible – focus on encryption. Of course, data traffic should be transmitted only using encrypted connections.

Learn from Your Mistakes: As has already been mentioned, there is no such thing as perfect security. But merchants should learn from their mistakes – and from those of others. When it comes to fraud, it helps to deploy a feedback loop which ensures that certain crimes are not repeated. This is how merchants can improve their systems step by step.

Consider Security A Process: Security cannot be achieved using either a single product or service. Instead, it must be constantly scrutinised and optimised.

(1) emc.com/collateral/analyst-reports/financial-merchants-cyber-threats-aite-102013.pdf