
Fraud and Abuse Continues in the New Normal of eCommerce and Travel

January 4, 2022

Evolving trends in fraud and abuse show eCommerce and travel providers are prime targets as attackers leverage online shopping conveniences to monetize stolen credentials and payment details.  

In-person transactions shifted to online in 2020, as shopping at physical storefronts came to a halt. Consumers had to rely on digital channels to shop even for the most basic needs. As these habits become the new norm, the future of shopping stands changed for good.

This mass transition to online was a fraudster’s dream come true. Insights from the Arkose Labs network reveal that retail was heavily attacked during Q4 of 2020, as consumers resumed spending through Black Friday and the holiday shopping season. eCommerce fraud continued into the early part of the first quarter of 2021, before easing up a little by spring. As fraud teams try to catch up to the new normal volumes of digital commerce, redefined by the pandemic, fraudsters are focusing on payment attacks and scraping for information.

Another area where consumer spending has returned is travel. The travel industry was perhaps the worst affected by the pandemic, with airlines, cruise operators, car rental agencies, and hotels shutting down almost overnight. For several months at a stretch, demand slowed to a trickle. However, as the world begins to open up and more people get vaccinated, travel is making a roaring comeback. Air and hotel bookings have nearly reached pre-pandemic levels. Fraudsters, too, are scouting for opportunities to steal credit cards, gift cards, and rewards to capture their share of consumers’ dollars.

2021 took off from where 2020 left off

The beginning of 2021 was not much different from how 2020 ended for the eCommerce and travel industries. However, things quickly changed as pandemic-related restrictions eased and life seemed a bit closer to normal.

Since the beginning of the year, eCommerce and travel attacks increased by 63% as traffic across these platforms soared back to pre-pandemic levels. Following these changes, peak eCommerce and travel periods like Black Friday saw spikes up to 20x the average attack volume.

Payment methods are a prime target of eCommerce fraud

With volumes of new users increasing during the pandemic — as well as an increase in the traffic from returning eCommerce customers — fraudsters are targeting users for their payment methods. Fraudsters can monetize compromised accounts in several ways, including stealing the payment or bank account information stored in the account, money laundering, payments fraud, stealing and redeeming loyalty or rewards points, and much more.

eCommerce fraud, especially payment fraud on gift cards, is on the rise. Attackers use automation to run brute-force attacks against gift card websites, testing thousands of card number and PIN combinations every minute. They also deploy bots and sweatshops to continually check card balances in order to redeem them as quickly as possible.

Gift card fraud is particularly attractive to fraudsters due to low authentication barriers when compared with authentication requirements for credit cards. In the case of gift cards, there is no additional verification for points redemption, making it easy for fraudsters to escape with their loot, undetected. Also, much like cash theft, gift card fraud is difficult to trace.
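A defender can spot the gift card brute-forcing described above in balance-check logs, because a guessing client touches many distinct cards in a short window and almost all of its attempts fail. The sketch below is an added example, not Arkose Labs code; the log format, the tokenised card identifiers, the client IDs, and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed window; the article speaks of attempts "every minute"
MAX_DISTINCT_CARDS = 5   # assumed: a genuine shopper checks only a handful of cards
MAX_FAILURE_RATIO = 0.8  # assumed: guessed number/PIN pairs are mostly wrong

def parse_line(line):
    """Parse one constructed log line: '<epoch> <client> <card_token> <OK|FAIL>'."""
    ts, client, card, result = line.split()
    return int(ts), client, card, result == "OK"

def find_enumerators(events):
    """events: (epoch, client, card_token, ok) tuples in time order.
    Returns {client: timestamp at which it first crossed both thresholds}."""
    windows = defaultdict(deque)  # client -> recent (ts, card, ok) entries
    flagged = {}
    for ts, client, card, ok in events:
        win = windows[client]
        win.append((ts, card, ok))
        # Drop entries that have aged out of the sliding window.
        while win[0][0] <= ts - WINDOW_SECONDS:
            win.popleft()
        distinct = len({c for _, c, _ in win})
        failures = sum(1 for _, _, good in win if not good)
        if (client not in flagged
                and distinct > MAX_DISTINCT_CARDS
                and failures / len(win) >= MAX_FAILURE_RATIO):
            flagged[client] = ts
    return flagged

# Constructed sample log (not real data): client-A checks two of its own cards,
# client-B walks twelve different card tokens with wrong PINs, one per second.
SAMPLE_LOG = sorted(
    ["1700000000 client-A card-a1 OK",
     "1700000020 client-A card-a2 OK"]
    + [f"{1700000000 + i} client-B card-b{i:02d} FAIL" for i in range(12)],
    key=lambda line: int(line.split()[0]),
)

if __name__ == "__main__":
    print(find_enumerators(parse_line(line) for line in SAMPLE_LOG))
```

Keying on the client alone misses guessing that is spread across many sources, such as the bots and sweatshops mentioned above, so the same counters are worth keeping per card-number range as well.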

Fraudsters loom long before the checkout

In order to serve their customers better through interaction across numerous digital touchpoints and meet their evolving needs, retailers are expanding their footprint. This proliferation in digital touchpoints has made it easier for fraudsters to blend in and gain from commerce providers long before the transactions occur. Merchants with limited-edition or limited-supply products are also a prime target for price scraping or denial of inventory, as fraudsters work to steal revenue from merchants on gray market sites.

Fraudsters have come a long way from using stolen credit card details to make fraudulent purchases. They have become more strategic in their approach and are launching complex, targeted attacks using sophisticated tools. Credential stuffing, account takeovers, and fake account creation are now the common tactics employed to monetize bonuses, utilize rewards, or act as money mules.

Regular users are supplementing fraud

Q1 2021 brought with it an unprecedented rise in human-based attacks targeting online retail. There was a drastic increase in human labor being deployed for attacks. As a result, the Q1 2021 human attack rate targeting eCommerce jumped to 33.6%, compared to around 19% during Q4 of 2020. Bouncing back from the pandemic, the eCommerce and travel industries now see a 37% attack rate due to the recent large influx in traffic.

In addition to the seasoned attackers, financial hardships due to lockdowns last spring caused regular users to turn to fraud as a way to earn cash or avoid paying for goods. They dabbled in fraud occasionally or full-time out of their desperation to make ends meet. However, a year later, digital commerce continues to see a rise in friendly fraud.

Those ‘first-timers’ continue to engage in fraudulent activities as it continues to bring them monetary rewards. This only underscores the fact that there’s not just one profile of a fraudster, which further compounds the challenge for digital businesses. As more and more fraudsters look like average users, detecting the subtleties in behaviors between a person with good intent and not-so-good intent is more critical than ever.

Consumers (and fraud) return to travel

Travel has been a highly targeted industry this year as global restrictions begin to ease and the pent-up people of the world are ready for their long-awaited vacation. Since earlier this year, the travel industry reached a whopping 53% attack rate after largely lying dormant through 2020. Overall, digital traffic to travel sites has increased by 40% in the last quarter, which has led to a spike in attacks throughout the industry. After waiting for what seemed like an eternity, Americans are finally able to travel home for the holidays, which has led to a huge spike in traffic on U.S. travel sites. Due to the strong desire for travel, 66% of U.S. digital traffic to travel sites in Q3 was attack traffic. There has also been a strong focus on desktop-based attacks, which accounted for 85% of all attacks targeting travel companies.

Fraudsters are also ramping up account takeover attacks on travel user accounts in order to steal and resell (or cash in) unused reward points. They may use these for personal use, but more often they resell on a third-party platform.

Prepare for complex, always-on attacks

Now that fraudsters are trying to exploit the new digital users and heightened eCommerce activity, the scales of eCommerce fraud have begun tilting towards payment transactions. And with travel back in business, fraudsters are targeting this industry with account takeover attacks and inventory hoarding.

In the post-pandemic world, rising incidents of eCommerce fraud and abuse of travel companies must serve as a wake-up call for eCommerce platforms and travel sites. They must prepare for constant and refined attacks. They also need to keep abreast of the evolving threat landscape, so they can prepare to fend off ever-increasing attacks.

Securing customer accounts against a technically skilled adversary, without disrupting conversions, is critical. Therefore, to fight eCommerce fraud and abuse in travel, businesses need fraud solutions that can live up to the demands of today’s always-on digital world and help strike a balance between fraud defense and optimum user experience.

Opt for long-term protection against eCommerce and travel fraud

Arkose Labs’ approach goes beyond traditional fraud mitigation to provide eCommerce and travel companies long-term deterrence that sabotages the true underlying motive of the fraud industry: financial gain.

Using real-time risk assessment and a challenge-response mechanism, the Arkose Labs platform accurately identifies suspicious actors and engages them in a long-drawn battle that wastes time, effort and resources of the attackers to bankrupt their business model of fraud.
