eCommerce Fraud Soars 19% in 2024: A Shift from Credit Card Theft to Account Takeovers
The eCommerce landscape is witnessing a troubling surge in fraud, with data from Signifyd showing a 19% increase in fraudulent activity during the first half of 2024 compared to the same period in 2023. While credit card theft remains a major concern, this wave of fraud is increasingly driven by a more sophisticated method: account takeovers.
The Rise of Account and Password Theft
Fraudsters are no longer simply targeting credit card details; they are now focusing on stealing personal account information and passwords. Once they gain access, these criminals have free rein to place orders for high-value goods—everything from electronics to designer items—using stored payment methods. They often deliver these items via third-party (3P) providers to drop-off locations, further complicating the tracking of stolen goods.
This shift represents a more dangerous type of fraud because it involves the compromise of entire customer profiles. With access to user accounts, fraudsters can make it appear as though a legitimate customer is making a purchase. This leaves businesses struggling to differentiate between genuine and fraudulent orders, damaging both their bottom line and customer trust.
The Fraudster's Playbook: From Order to Resell
The process typically begins with cybercriminals employing phishing schemes, malware, or exploiting weak passwords to gain control of user accounts. Once inside, they place orders for expensive, high-demand items that are easily resold for profit.
A key element of these fraud schemes is the use of 3P delivery services. By employing these services, fraudsters can have the goods shipped to drop-off sites or package lockers that are difficult to trace. From there, the items are quickly resold on secondary markets—often before the fraud is even detected.
The Impact on Businesses
Retailers are increasingly bearing the brunt of this type of fraud. Because the transactions look legitimate—after all, they're coming from the real account holder’s login—many businesses are fulfilling these orders, only to later discover that they’ve been victims of a scam. By the time the fraud is detected, the goods are already long gone, leaving businesses with little recourse but to bear the financial loss.
Moreover, the reputational damage can be severe. Customers whose accounts have been compromised may lose trust in the retailer’s ability to safeguard their personal information, leading to a decline in loyalty and future sales.
Combatting the New Age of eCommerce Fraud
As account takeover fraud becomes more common, businesses must evolve their defenses. Here are some strategies to help combat this growing threat:
- Two-Factor Authentication (2FA): Encourage or mandate 2FA for customer logins to add an additional layer of security beyond just a password.
- AI and Machine Learning Fraud Detection: Invest in advanced fraud detection systems that use artificial intelligence to identify abnormal patterns in purchasing behavior.
- Customer Education: Educate customers on the importance of strong passwords and how to spot phishing attempts. The more informed they are, the harder it is for fraudsters to gain access.
- Monitoring 3P Delivery Providers: Establish partnerships with delivery providers who have strong verification processes and ensure they monitor and track drop-off points closely.
Training Front-Line Help Desk Teams to Recognize Social Engineering
One of the biggest risks in eCommerce fraud today is social engineering. Cybercriminals use psychological manipulation to trick customer support teams into providing access to sensitive account information or bypassing security protocols. To help desk teams, the person on the other end of the line might sound like a genuine customer in distress. But with training, they can learn to spot red flags.
Here are key strategies for training help desk teams to recognize when social engineering might be in play:
- Recognize Unusual Requests: Train staff to be alert to requests that don’t follow standard procedures, like asking for access to an account without verifying identity through proper channels. If the person is in a rush or shows frustration too quickly, it may be a manipulation tactic.
- Question Familiarity: Social engineers often try to sound friendly or overly familiar, hoping to build trust quickly. Help desk teams should be trained to recognize when a caller is being too "buddy-buddy" or trying to rush them into making an exception.
- Stick to Protocols: No matter how convincing the person sounds, help desk employees should never skip identity verification processes. Reinforce that protocols are there for a reason, and should not be bent—no matter the urgency the caller portrays.
- Watch for Common Social Engineering Tactics: Help desk teams should be made aware of typical social engineering tactics, such as emotional manipulation (claiming a family emergency), leveraging authority ("I’m an executive"), or guilt-tripping ("If you don’t help me, I’ll lose my job").
- Encourage Escalation: Employees should feel empowered to escalate suspicious cases to a supervisor without fear of negative repercussions. Providing a clear escalation pathway can help prevent fraud before it happens.
- Ongoing Training: Regular training sessions, including role-playing scenarios, can prepare help desk employees to handle social engineering attempts confidently. Keeping training up-to-date with the latest threats is key to staying ahead of fraudsters.
Looking Ahead
As eCommerce continues to grow, so too will the sophistication of fraud schemes. With fraudsters shifting from simple credit card theft to full account takeovers and social engineering, the risk to retailers is higher than ever. However, by adopting more secure authentication methods, employing advanced fraud detection systems, and ensuring that front-line teams are trained to recognize manipulation, businesses can stay one step ahead of the criminals.
This surge in account-based fraud is a wake-up call for the eCommerce industry. The faster businesses respond, the better they’ll be able to protect both their customers and their bottom line.