In an increasingly digital world, fraud trends are constantly changing and evolving, with threats to consumers, e-commerce vendors, and financial services organisations on the rise, both in number and sophistication. The total cost of e-commerce fraud is forecast to exceed $48 billion globally in 2023, up from just over $41 billion in 2022. Reasons for this include the surge of online payments and shopping due to the pandemic, omnipresence of malware and bots that extract user information from the web, and social engineering scams that prey on human vulnerabilities.
In the pre-digital world, fraud required careful planning and stealth, while the tools needed to defraud people and businesses today are easily available online, lowering the barrier to entry. With virtual marketplaces, digital wallets, and the ongoing automation of everything, criminals not only have an ever-larger target, they also have sophisticated tools and technologies to help infiltrate businesses and attack the accounts of individuals.
Here are five tips for fighting fraud in 2023 and keeping ahead of the latest threats and exploits that cybercriminals will be using to attack e-commerce and financial services organisations this year.
- Align and converge multiple security strategies to more effectively fight fraud, without compromising the customer experience.
Merchants and financial services organisations must achieve better collaboration among their security, customer identity and access management (CIAM), fraud detection, and authentication teams across the organisation. Criminals can exploit the vulnerabilities that have been introduced by teams working in silos and security strategies that leaned too heavily into CAPTCHA and multi-factor authentication (MFA) techniques. These mechanisms continuously interrupt the user experience, often without regard to the level of risk presented by the login attempt.
A transparent and continuous risk-based authentication approach allows merchants and financial services firms to better collaborate across multiple teams within their organisation, and implement an agile, reliable, low-noise fraud detection strategy without impacting the user experience.
- Expand traditional omni-touchpoint strategies for fraud prevention to include visibility and insights across the entire customer journey.
This strategy should focus on three often overlooked key areas:
- Begin with initial channel engagement: Focus on customers’ activities from the moment they enter a channel or create an account. This should improve visibility into client-side attacks like digital skimming or formjacking, which are often used to harvest credentials and card information during new account origination, leading to account takeover and fraud.
- Examine third-party API integrations: In addition to web and mobile apps, merchants and financial services firms must also include API protection in their security strategies. APIs are subject to the same attacks that target web apps, namely exploits and abuse that lead to data breaches and fraud, and third-party integrations and ecosystems introduce further unintended risk.
- Review fraud potential from Card Not Present (CNP) transactions: Merchants that offer new services such as proximity-based checkout, buy online and pick up in store (BOPIS), and buy now, pay later (BNPL) must understand and address the risks that these transactions entail and share these insights across all channels.
- Be alert for new friendly fraud challenges in a recessionary environment.
A major new type of ‘fake-friendly fraud’ that merchants should expect to see ramp up during a recession occurs when criminals create synthetic identities that look like real customers and transact with no intention of paying for the merchandise they purchase. Fake friendly fraud practitioners can bypass prevention efforts by recycling stolen identity information and creating new synthetic identities to open new accounts, avoiding being blocked by a deny list. These friendly fraud activities can include BNPL programme abuse, loyalty point and refund fraud scams, and bust-out fraud.
Protect against this by leveraging insights from behavioral biometric patterns augmented with machine learning to give security and fraud teams insights into compromised accounts.
- Be prepared for the EU’s Payment Services Directive 3 (PSD3) with new regulations for digital payments.
The threat, payment, and regulatory landscape for merchants and banks has dramatically changed since the Payment Services Directive’s initial 2018 rollout. To prepare for the enhanced regulations of PSD3, merchants and banks should take inventory of any recently adopted services, channels, and payment options, such as digital wallets and crypto payments.
Merchants and financial services organisations should also proactively anticipate and manage the full scope of security and fraud risks that the modern API environment brings.
- Get ready for Shadow API and JavaScript supply chain attacks and the upcoming Payment Card Industry Data Security Standard (PCI DSS) 4.0.
As organisations expand their third-party ecosystem and the number of scripts on their site rises, they introduce new potential points of vulnerability that can lead to client-side attacks such as digital skimming, formjacking, and Magecart attacks. A digital skimming attack occurs when a criminal either injects one or more malicious scripts or manipulates an existing script on a legitimate page or application to create a software supply chain man-in-the-browser attack. These attacks are difficult to detect since the scripts are updated frequently by third parties, often without a process for your organisation to perform security reviews.
In addition, new PCI DSS 4.0 requirements will focus on the need to monitor and manage browser-based, third-party JavaScript libraries that are incorporated into e-commerce websites to enable functionality such as payment processing iFrames, chatbots, advertising, social sharing buttons, and tracking scripts. Although PCI DSS 4.0 is currently considered best practice, it isn’t mandated until 2025. Criminals won’t wait around to act, and neither should you!
Organisations need visibility into the JavaScript libraries running in their web applications, and they need to know what data the scripts are collecting, both to avoid violating data privacy regulations like GDPR and CCPA and to maintain compliance with the new PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Most organisations do not have centralised control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you are unable to patch it. Criminals know that many organisations struggle to manage, track, and secure the volume, scope, and scale of scripts now embedded into websites, and they know how to exploit these scripts for their own gain.