Saks Fifth Avenue Credit Card Breach Likely Impacted Canadian Stores

Social media shopping is booming in popularity, as platforms roll out new and creative ways for users to buy directly from posts and merchants use social marketing to attract new customers. From established tools like Instagram Shopping to Snapchat’s new augmented-reality tools for trying on shoes, shades and cosmetics, there’s a lot of creativity and opportunity in the social commerce space. In the U.S., social commerce was worth $26.9 billion last year, and globally it’s projected to grow to more than $604 billion by 2027. Those are appealing figures for retailers who want to grow their ecommerce revenue, as in-store traffic remains low in many places. Unfortunately, there’s also a lot of opportunity for fraudsters to exploit social commerce through account takeover (ATO) fraud. Merchants who want to grow their social sales channels, protect their revenue and maintain a good customers experience must understand how social ATO fraud happens, how it can impact them and how they can prevent it. Rise of social shopping Why is social shopping so popular now? It blends two things most of us have been doing more often over the past year -- spending more time on social media and buying things online. Among consumers who use social media, 40% say they’ve bought something through Facebook, while more than 10% also report buying from Instagram and Pinterest. CMOs report a 24% increase in social media’s contribution to company performance since February of last year as well as a “historic return on their social media investments.” With a low barrier to entry for many shopping features, vast user bases and huge amounts of data on user interests and behavior, it’s easy to see why so many retailers are enthusiastic about social selling. Where good customers go, fraudsters follow Of course, when a new sales channel emerges—and especially if it becomes popular with consumers-- fraudsters move in as well. And just as social commerce combines social media activity and online shopping, social commerce fraud exploits two potential areas of weakness – social login credentials and comprehensive order screening. Part of the problem is human nature. Most people are not rigorous about choosing secure passwords. Consider that in 2020 more than 2.5 million people reported using the password “123456” for at least one account. Weak passwords are easy for malicious hackers to guess and easy for password-cracking bots to reveal in a fraction of a second. In practical terms, there’s virtually nothing keeping attackers out of these accounts. Worse, 53% of people admit reusing the same password for multiple accounts like social media and email. That means that when someone’s login credentials for one account are exposed in a data breach, savvy fraudsters using automated tools can quickly attempt to credential-stuff that information into other platforms to see where else they can break in and take over. The consequences are easy to see. A 2019 study found that 53% of social media logins are fraudulent, while 22% of internet users report that their online accounts have been hacked at least once and 14% reported they were hacked more than once. There’s another social media fraud risk on the user side: Fully ¼ of all new social media accounts are fake, created with synthetic, false or stolen data. Social media account takeovers put consumers’ personal and payment data at risk, and fake accounts create synthetic fraud risks for merchants. When customers appear to be authentic, it can make it harder for merchants to detect fraud attempts at checkout. That means that if a fraudster gets past a social accountholder’s login, they may be able to commit fraud with impunity, at least until the accountholder notices and reports the charges. The impact of social ATO fraud on merchants Obviously, when criminals get access to victim’s social media accounts, they can use any payment methods on file to make purchases. Fraudsters can also add stolen payment data from the dark web to fake social accounts they create on their own. In both of these cases, merchants who don’t catch these fraudsters before the orders are approved can find themselves liable for costly chargeback fees, in addition to the cost of lost goods. Overall losses from ATO grew by 15% from 2018 to 2019, according to Javelin’s 2020 Identity Fraud Report, with other reports indicating a dramatic jump in ATO fraud since the beginning of the pandemic. As social commerce’s popularity grows and more merchants sell through social platforms, it’s likely that fraudsters will continue to target the channel. How can merchants protect themselves against social media fraud? It’s important for merchants to keep in mind how common social account takeovers are and to avoid relying on a successful log in to authenticate the customer’s identity. Other real-time and historical customer information should factor into order decisioning on social platforms. For example, comparing the customer’s current location, device, behavioral biometric data and purchasing history can all aid in detecting ATO fraud. If a customer who always logs in from their laptop in Iowa and purchases clothing is suddenly logged in from Florida on a phone and buying electronics, the order should be flagged for manual review. That review can determine whether the order is from the Iowa customer, who is buying gadgets while traveling for work, or from an ATO scammer trying to buy items for resale. Social commerce promises to help merchants grow their customer base, earn more repeat business and generate more revenue. In order to succeed in this channel, merchants need to make sure they understand the risks, know how to properly validate their customers and review flagged orders to ensure that they don’t turn away good orders, while stopping ATO-related fraud.