The pandemic keeps changing ecommerce. That makes fraud harder to fight.

As the second holiday season under COVID-19 gets underway, fraud finds new forms.

A man in front of a computer, holding a credit card, looking upset with his hand over his eyes

Online fraud is frustrating consumers and merchants.

Photo: fizkes/iStock/Getty Images Plus

Click banner image for more Shopping Week coverage

The second pandemic holiday shopping season is underway. That means cybersecurity experts get another chance to figure out how fraudsters operate in the COVID era.

It's a huge and constantly shifting challenge. The way consumers shop and spend their money has changed dramatically since the crisis began, and it also opened up new and expanded opportunities for identity theft, fraudulent accounts and transactions and account hacking.

The waves of change have upended established assumptions about fraud. Waves of new shoppers have come online, making predictions about which shoppers are real and fake and less reliable. Contactless pickup might mean less chance to check a shopper's identity, blending online and offline fraud. And more and more stolen data leaks online all the time, fueling automated attacks on ecommerce and payment systems.

"The pandemic spending behavior has all been anomalous," said Jay Budzik, chief technology officer of Zest AI, whose software uses machine learning to help businesses assess borrower risk. "We've been in a very abnormal period this whole time. The idea that we're able to tell you what's normal and what's not normal is kind of a hard thing. That's the challenge that people are going to face."

In the first year of the pandemic, more consumers were forced to shop and spend money online, and that led to a spike in different forms of online fraud and heftier losses for businesses.

Those losses are expected to swell: Juniper Research estimates that merchants will lose $206 billion to payment fraud between 2021 and 2025.

Kimberly Sutherland, vice president of Fraud and Identity Strategy at LexisNexis Risk Solutions, pointed to a sharp rise in automated attacks. In the first six months of 2021, the number of bot attacks soared to 1.2 billion, up 41% from last year, featuring huge amounts of stolen identity credentials, according to her firm's data.

But human-initiated attacks are still thriving. In fact, they're easier to pull off given broader access to stolen personal information, said Sunil Madhu, founder and CEO of Instnt, a customer-onboarding software company.

"All your personal information is already stolen and easily purchasable for about two bucks online," which could easily be used to create fake accounts, he told Protocol.

In some cases, fraudsters create a fake account to make a purchase, which they pick up at a physical location, he said. With busy holiday pickup queues, stores might be too busy to closely scrutinize IDs. Sutherland of LexisNexis agreed: With more stores open, this holiday season will be distinguished from last year in "the challenge of omnichannel fraud," she said.

Another relatively new vulnerability is "buy now, pay later." Once used mostly for big-ticket purchases like Pelotons, pay-later purchases are expanding to less expensive items in categories like apparel and beauty.

Rick Song, co-founder and CEO of Persona, an identity verification software company, said pay-later transactions pose "one of the biggest challenges" in fraud monitoring today. Unlike credit cards, "there is no centralized network and a lot of the underwriting is being done at the time of the purchase," he told Protocol.

The growth of automated fraud has pushed businesses to embrace more sophisticated security technology. Sutherland cited the use of behavioral analytics, software that can quickly track and analyze "everything from mouse and keyboard movement, how you hold the device, time on page."

AI may prove crucial, even though the technology has drawn heightened scrutiny amid worries about misuse.

Budzik of Zest AI said AI has become a powerful fool in flagging increasingly sophisticated fraud. "They're great at noticing subtle patterns that people can't," he said.

He cited a type of fraud in which a fraudster sets up an account under a synthetic identity — a made-up persona — which they use responsibly for years before making huge transactions from which they simply walk away.

The market for fraud-fighting tools is growing, too. Juniper projects companies will spend $9.3 billion to detect and prevent fraud in 2021, a figure that will grow to $11.8 billion in 2025.


Musk’s texts reveal what tech’s most powerful people really want

From Jack Dorsey to Joe Rogan, Musk’s texts are chock-full of überpowerful people, bending a knee to Twitter’s once and (still maybe?) future king.

“Maybe Oprah would be interested in joining the Twitter board if my bid succeeds,” one text reads.

Photo illustration: Patrick Pleul/picture alliance via Getty Images; Protocol

Elon Musk’s text inbox is a rarefied space. It’s a place where tech’s wealthiest casually commit to spending billions of dollars with little more than a thumbs-up emoji and trade tips on how to rewrite the rules for how hundreds of millions of people around the world communicate.

Now, Musk’s ongoing legal battle with Twitter is giving the rest of us a fleeting glimpse into that world. The collection of Musk’s private texts that was made public this week is chock-full of tech power brokers. While the messages are meant to reveal something about Musk’s motivations — and they do — they also say a lot about how things get done and deals get made among some of the most powerful people in the world.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Circle’s CEO: This is not the time to ‘go crazy’

Jeremy Allaire is leading the stablecoin powerhouse in a time of heightened regulation.

“It’s a complex environment. So every CEO and every board has to be a little bit cautious, because there’s a lot of uncertainty,” Circle CEO Jeremy Allaire told Protocol at Converge22.

Photo: Circle

Sitting solo on a San Francisco stage, Circle CEO Jeremy Allaire asked tennis superstar Serena Williams what it’s like to face “unrelenting skepticism.”

“What do you do when someone says you can’t do this?” Allaire asked the athlete turned VC, who was beaming into Circle’s Converge22 convention by video.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at or via Google Voice at (925) 307-9342.


Is Salesforce still a growth company? Investors are skeptical

Salesforce is betting that customer data platform Genie and new Slack features can push the company to $50 billion in revenue by 2026. But investors are skeptical about the company’s ability to deliver.

Photo: Marlena Sloss/Bloomberg via Getty Images

Salesforce has long been enterprise tech’s golden child. The company said everything customers wanted to hear and did everything investors wanted to see: It produced robust, consistent growth from groundbreaking products combined with an aggressive M&A strategy and a cherished culture, all operating under the helm of a bombastic, but respected, CEO and team of well-coiffed executives.

Dreamforce is the embodiment of that success. Every year, alongside frustrating San Francisco residents, the over-the-top celebration serves as a battle cry to the enterprise software industry, reminding everyone that Marc Benioff’s mighty fiefdom is poised to expand even deeper into your corporate IT stack.

Keep Reading Show less
Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or


The US and EU are splitting on tech policy. That’s putting the web at risk.

A conversation with Cédric O, the former French minister of state for digital.

“With the difficulty of the U.S. in finding political agreement or political basis to legislate more, we are facing a risk of decoupling in the long term between the EU and the U.S.”

Photo: David Paul Morris/Bloomberg via Getty Images

Cédric O, France’s former minister of state for digital, has been an advocate of Europe’s approach to tech and at the forefront of the continent’s relations with U.S. giants. Protocol caught up with O last week at a conference in New York focusing on social media’s negative effects on society and the possibilities of blockchain-based protocols for alternative networks.

O said watching the U.S. lag in tech policy — even as some states pass their own measures and federal bills gain momentum — has made him worry about the EU and U.S. decoupling. While not as drastic as a disentangling of economic fortunes between the West and China, such a divergence, as O describes it, could still make it functionally impossible for companies to serve users on both sides of the Atlantic with the same product.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

Latest Stories