By Graeme Zwart, Head of Security
Genuine customers are not the only ones shopping with you this peak season. Fraudsters are also busy this time of year. We examine four common online fraud types and how retailers can avoid falling victim to them.
1. Account takeover
Fraudsters take over an existing customer account, either by buying stolen usernames and passwords online or by credential stuffing. This is a type of brute force attack by another name. It’s when hackers systematically guess a number of possible combinations to gain unauthorised access to a customer’s account.
Once the fraudsters have control of the account, they can make unauthorised purchases, commit loyalty/reward fraud or test stolen card numbers. Entertainment, media, gaming and retail businesses are particularly at risk.
A simple check is to watch for an increase in customers reporting unauthorised activity on their accounts. Have a process in place for your customer service team to alert your fraud team if this happens.
Genuine login attempts by real customers look very different to credential stuffing attacks by an automated tool. Deploy analytics to spot what’s a bot and what’s not. This is usually a mix of velocity checking, IP address detection and baselining what is normal by channel, device and customer account.
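As an added illustration (not code from the original article), the sketch below applies velocity checking per source IP address to a login log: it flags an address only when attempts, distinct accounts and failure ratio within a sliding window all exceed a threshold. The event format, the thresholds and the sample events are assumptions constructed for this example; real thresholds should come from your own baseline by channel, device and account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed events: (timestamp, source IP, username, login succeeded).
    IPs are documentation ranges and usernames are made up."""
    base = datetime(2024, 11, 25, 9, 0, 0)
    events = [
        (base, "198.51.100.7", "alice", False),   # genuine customer: one typo...
        (base + timedelta(seconds=20), "198.51.100.7", "alice", True),  # ...then in
        (base + timedelta(seconds=30), "198.51.100.9", "bob", True),
    ]
    # Automated source: 30 different accounts in 30 seconds, one valid password.
    for i in range(30):
        events.append((base + timedelta(seconds=i), "203.0.113.50",
                       f"user{i:03d}", i == 17))
    return sorted(events, key=lambda e: e[0])

def flag_stuffing_sources(events, window_s=60, max_attempts=10,
                          max_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for IPs that exceed every threshold inside a sliding
    window. Thresholds are illustrative assumptions, not recommended values."""
    recent = defaultdict(deque)   # ip -> events still inside the window
    flagged = {}
    for ts, ip, user, ok in events:           # events must be in time order
        q = recent[ip]
        q.append((ts, user, ok))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                       # drop events older than the window
        attempts = len(q)
        accounts = len({u for _, u, _ in q})
        fail_ratio = sum(1 for _, _, s in q if not s) / attempts
        if (attempts > max_attempts and accounts > max_accounts
                and fail_ratio >= min_fail_ratio):
            worst = flagged.get(ip)
            if worst is None or attempts > worst["attempts"]:
                flagged[ip] = {
                    "attempts": attempts,
                    "accounts": accounts,
                    "fail_ratio": round(fail_ratio, 2),
                    # Successful logins from a flagged source need a fraud review.
                    "accounts_to_review": sorted(u for _, u, s in q if s),
                }
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_stuffing_sources(sample_events()).items():
        print(ip, stats)
```

The customer who mistypes a password once is not flagged, while the flagged source also yields the list of accounts that logged in successfully from it, which is the hand-off your fraud team needs.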
2. Loyalty/reward fraud
Loyalty is big business. None bigger than the Starbucks loyalty reward programme. Customers have more money loaded on Starbucks cards and mobile apps than some banks. $1.2 billion, in fact, and that was back in 2016.[1]
Clearly, not every loyalty or rewards programme is as large. But as loyalty/reward points are as good as cash in some instances, it’s small wonder they’ve become a target for criminals following the money.
The loss or theft of loyalty points is likely to be particularly upsetting for customers, plus leave you out of pocket. So in this instance, prevention is better, simpler, cheaper and less painful than cure. Set system alerts for large numbers of loyalty points being purchased, redeemed or transferred between accounts.
3. Gift card fraud
There are various ways to commit gift card fraud. Criminals can buy gift cards with stolen card details. They can hack or take over an existing gift card account. Or ask for refunds to be paid onto gift cards.
Protecting yourself against gift card fraud often comes down to understanding what normal looks like for your customers and business. If you know what your typical gift card sales by volume and value look like, any anomalies should stand out. For example, bulk purchasing of cards or unusually high transaction values.
Take sensible precautions such as preventing gift card codes from being used outside your website. And be able to track gift card activity from purchase and load through to redemption.
4. Referral fraud
Affiliate or referral programmes are a cost-effective way to acquire new customers online. You only pay if the affiliate brings you a customer. However, affiliate commissions can be an attractive revenue stream for fraudsters.
Guard against affiliates referring themselves or creating fake accounts. Look out for batches of referrals concentrated around the same or similar IP addresses. Orders from certain affiliates may have unusual cancellation, refund or chargeback rates. If you sell digital goods or downloads, an obvious red flag is if customer login details are not used, even though they were paid for.
If you’re worried about fraud in the run-up to peak season or would like a review of the defences currently in place, e-mail firstname.lastname@example.org or complete your details on the contact form below for a free 30-minute consultation.
[1] ‘Starbucks cards now have more money than some banks’, Fortune, 10 June 2016, https://fortune.com/2016/06/10/starbucks-card-balance/