With physical stores shuttered, events canceled, and tourism at a standstill, COVID-19 has reshaped many aspects of day-to-day life. As a result, consumers have been forced to shift their spending to online channels. Since March, when much of America began its lockdown, e-commerce and other online behavior has shot upwards.
Accompanying this uptick in online traffic has been a rise in fraud. The rise in both legitimate and illegitimate online behavior has thrown the need for effective fraud prevention tools into stark relief. Companies need to allow transactions and login attempts from legitimate users while declining such behavior from criminal actors.
To learn more about the current trends in online behavior and fraud, PaymentsJournal sat down with Robert Capps, VP of Market Innovation at NuData, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group. During the conversation, Capps and Sloane broke down trends in online traffic and fraud attacks and then discussed how companies can respond to these threats.
As online traffic has spiked, high-risk traffic has skyrocketed
Unsurprisingly, data from the past few months show a surge in online traffic. Between January and April of 2020, NuData witnessed a 17% increase in online traffic across all its clients’ industries compared to the first four months of 2019. The surge is “almost entirely attributable to the move of consumers online,” explained Capps.
When you drill into data from specific industries, the rise in traffic is even more pronounced. Retail traffic, for example, has increased by more than 57% from the previous year, noted Capps. Financial services have also seen a noticeable uptick in online traffic, with a 21% increase in consumer utilization of online financial services.
Sloane and Capps agreed that these numbers reflect the fact that people aren’t just sheltering inside and ignoring normal financial or commercial needs. Instead, they have adapted to the new reality and have embraced online solutions. For example, with brick-and-mortar banking locations closed, many consumers have utilized online financial services to deal with incoming unemployment benefits and the stimulus checks related to COVID-19.
While an increase in online traffic is a positive thing for many companies, it does come with a downside. Capps explained that during this time period, there was a 43% increase in high-risk traffic compared to the previous year, showing that fraudsters are looking to capitalize on any opportunity. High-risk traffic includes account takeover attempts (ATOs) and other types of misuse of online services across NuData’s customer base.
Fraud is up even in industries devastated by COVID-19
While many e-commerce and financial services companies have seen increased online traffic since the pandemic began, other industries were not so lucky. The travel industry and live-event industry were particularly hard hit. NuData’s clients in those market verticals saw their traffic plummet beginning in March.
What’s notable is that even though live events and travel companies have witnessed substantially less business since March, account takeover attempts and other fraudulent activity are still taking place. Fraudsters are just indiscriminately attacking, looking for weaknesses and vulnerabilities wherever they may exist, said Capps.
How good user behavior has been changing during COVID-19
Given that many people are now stuck at home, or at least residing at home more often, it raises the question of how much their behavior has changed when trying to access their online accounts or services. When NuData looked at how consumers are accessing online services, the company found that “they are remarkably stable.” Since people are mostly at home and using the same devices to conduct their online behavior, it’s fairly easy for NuData to detect a clear pattern.
However, there are some interesting changes to good consumer behavior, and these changes might seem suspicious if a company is not paying careful attention. For example, NuData found that the dollar amount of an average transaction has gone up. Furthermore, consumers are making more purchases at unusual times of day, due to the fact they are sitting at home when they would otherwise be out and about. Finally, consumers are also logging into their accounts more often.
Capps explained that it’s important for companies to take note of these changes in order to not accidentally flag legitimate behavior as suspicious. This will allow companies to provide excellent service without adding unnecessary friction.
How criminal behavior has been changing during COVID-19
The first thing to understand about how fraudsters are operating during the pandemic is that they are still using the same tools and techniques as they had before. According to the Federal Trade Commission, nearly 20,000 phishing attacks were reported in the first four months of 2020. As Capps explained, phishing attacks have existed for over 15 years now.
However, these tools and techniques are now proving to be more effective. Even prior to COVID-19, hackers were more successful than ever before. For instance, hackers have been able to utilize the troves of people’s personal data floating around the internet to make phishing attacks more realistic. Relatively easy access to personal data has also enabled fraudsters to make synthetic accounts, which are harder to detect since they are composed of both real and fake information.
In addition, both Capps and Sloane connected the increase in effectiveness to the fact that fraudsters began specializing. It’s common now for a criminal organization to consist of a team of fraudsters focused on different parts of the attack, thereby making their efforts more sophisticated overall.
One fraudster may be tasked with the account login phase of the attack, while another may be responsible for the transaction. Then yet another criminal is responsible for monetizing the attack, be it through fencing the stolen goods or smuggling the stolen money out of the country. Capps spoke about the rise of sophistication in fraud attacks in a PaymentsJournal podcast earlier this year.
Two real-world examples of common attacks
Capps shared two recent attacks that NuData had witnessed and helped repel. The first attack occurred in a company operating in the financial industry. The company witnessed a massive-scale ATO attack, where the fraudsters made over 100,000 login attempts over the span of several days. NuData detected the attack by homing in on the keystroke input; the velocity was slow and human-like, but the cadence was not.
“The first signs of an attack are human input that isn’t really human-like,” explained Capps. This can be discovered using passive biometric information and other device behavior, a strategy NuData refers to as device intelligence. Using this strategy, NuData flagged the suspicious login attempts and issued bot-detection challenges.
What made this attack representative of the increased sophistication of fraudsters is that the challenges were then routed to a human to solve. However, NuData was “able to identify the fact that these humans were not the ones that were initiating the page loads and the initial ATO attempts,” said Capps. Therefore, the company rejected the login attempts and protected the relevant accounts.
The second attack occurred in a company in the travel industry. Similar to the first attack, this one was slow moving and sophisticated. Capps pointed out that on average, there was about one login attempt for each account, meaning that the hackers either had really good data, or were trying to avoid being locked out of the account for too many failed login attempts. Nonetheless, NuData was able to detect the suspicious activity and reject nearly all of the fraudulent traffic.
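The pattern in the second attack, about one login attempt per account, is exactly what a per-account lockout counter cannot see. The following is an added example, not from the article and not NuData's method: a simple window-level heuristic over a constructed login log, where the thresholds, field layout and account names are all assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW = 3600          # assumed analysis window, seconds
LOCKOUT_AFTER = 5      # assumed per-account failed-login limit
MIN_ACCOUNTS = 50      # assumed floor of affected accounts per window
MAX_AVG_TRIES = 1.2    # "about one login attempt for each account"

def locked_accounts(events):
    """Accounts a per-account lockout counter alone would catch."""
    fails = defaultdict(int)
    for _ts, acct, ok in events:
        fails[acct] += 0 if ok else 1
    return {a for a, n in fails.items() if n >= LOCKOUT_AFTER}

def spread_windows(events):
    """Windows where many accounts each fail about once and never succeed."""
    windows = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [fails, successes]
    for ts, acct, ok in events:
        windows[ts // WINDOW][acct][1 if ok else 0] += 1
    flagged = []
    for w in sorted(windows):
        # A mistyped password is normally followed by a success; these are not.
        tries = [f for f, s in windows[w].values() if f and not s]
        if len(tries) >= MIN_ACCOUNTS and sum(tries) / len(tries) <= MAX_AVG_TRIES:
            flagged.append((w, len(tries), sum(tries) / len(tries)))
    return flagged

def sample_events():
    """Constructed log: (unix_seconds, account, success). Not real data."""
    events = []
    for hour in (0, 1):
        for i in range(200):                      # ordinary users, both hours
            t = hour * WINDOW + i * 10
            if i % 10 == 0:
                events.append((t, f"user{i:03d}", False))   # typo, then success
            events.append((t + 5, f"user{i:03d}", True))
    for k in range(6):                            # noisy guessing on one account
        events.append((100 + k, "acct-noisy", False))
    for i in range(300):                          # hour 1: one try per account
        events.append((WINDOW + i * 12, f"target{i:03d}", False))
    return events

if __name__ == "__main__":
    log = sample_events()
    print("lockout catches:", locked_accounts(log))
    print("spread windows :", spread_windows(log))
```

On the constructed log, the lockout counter only sees the single noisy account, while the window-level check flags the hour in which 300 accounts each failed once without a later success.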
Advice for companies worried about fraud
In reality, every single company, regardless of the industry or transaction volume, should take fraud seriously. “Attackers will attack where there is value in opportunity,” said Capps. This requires companies to be constantly vigilant of emerging threats.
Beyond just remaining vigilant, companies need to invest in the proper technology to ward off sophisticated attacks. This need has become more pronounced now that many companies are contending with decreased or unusual staffing, whether due to furloughs or employees being required to work from home.
It ultimately comes down to “finding the right technologies for your business, for your business process, for the exposures that are presented, and making sure that you don’t leave exposures for fraudsters to generate value off of your business,” concluded Capps.