Holiday Shopping Means Discount Deals…and Cyber Fraud

November 27, 2019

Since 1952, the Friday following Thanksgiving, known as Black Friday, has traditionally been considered the start of America’s holiday shopping season. As online shopping became more prevalent, Cyber Monday was added. The discounts and deals offered in stores and online during this period draw record numbers of shoppers resulting in billions of dollars in sales. Unfortunately, it also attracts scores of fraudsters looking to gain access to goods and money from consumers and vendors alike.

This time of year is rife for both New Account Fraud, where an individual’s personal information is used to open an account using fabricated credentials, and Account Takeover, where cybercriminals obtain and use another person’s account information (e.g., credit card numbers). In fact, a 2018 survey by Experian found more than 40 percent of identity theft victims say it occurred during online holiday shopping. And according to Juniper Research, in the next five years online payment fraud losses are set to more than double annually to approximately $48 billion.

Hackers use a number of ways to target victims and procure this PII (personally identifiable information). They may spread malware via email, pop-ups and advertisements, fooling consumers by posing as a legitimate company consumers commonly use. A common tactic is to send an email confirming a supposed order or tracking number with a link or attachment that once clicked or downloaded infects the user’s PC. And with more than 75 percent of consumers planning to do at least half of their shopping online this year, according to TransUnion’s 2019 Holiday Retail Fraud Survey, it’s likely more than a few shoppers will fall prey to this tactic.

Cyber criminals aren’t just limiting their fraud efforts to email. Cell phone numbers have also become the aim of digital identity thieves. SIM card swaps also present a problem for consumers. Hackers simply convince a target’s carrier to switch a phone number over to a SIM card of their own. This not only gives them access to any phone based two-factor authentication checks that protect sensitive accounts, but also to any apps the user has downloaded that might be used for making purchases.

It’s clear consumers are aware of and concerned by these attacks and scams. The same TransUnion survey found that nearly half of respondents are concerned with being victimized this holiday season. At the same time, consumers increasingly expect seamless and speedy transaction experiences. While nearly all appreciate the need for additional identity validation, better security often generates more friction and many will choose the faster, smoother payment option over increased verification if it proves a drag on the user experience.

This puts retailers and payment services operators in a difficult position. Consumers won’t shop with a company that has experienced a recent data breach, believing the protection of personal data is the business’ responsibility. At the same time, they don’t want to be aware of additional security measures, preferring they take place in the background and without their engagement and may choose retailers or payments processors that provide an uninterrupted transaction experience. Meanwhile, Americans continue to use the same passwords across multiple sites, creating a myriad of opportunities for cyber thieves using stolen passwords to break into other accounts. Additionally, 64 percent of credit or debit cardholders say have saved their card number online or in mobile apps despite safety concerns, according to a recent survey from Bankrate Credit Cards. Companies are caught between a customer experience rock and a security hard place, with few solutions.

As the digital payments landscape accelerates alongside the introduction of new devices and 5G networks, and shifts in security innovations and consumer expectations, e-commerce fraud will continue to present challenges. While a complicated endeavor, preventing cyber attacks in this environment is not impossible. The right authentication can dramatically reduce risk while leaving the user experience largely uninterrupted. Deep Authentication, like that available as part of BehavioSec’s Behavioral Biometrics Platform, doesn’t rely on Personally Identifiable Information (PII) or other singular factors for digital verification while also being fully compliant with both EU and U.S. regulations and PSD2 as a frictionless inherence factor.

To learn more about how behavioral biometrics can maintain trust, security and data privacy, while making digital transactions fast and fluid, contact us here: