The second pandemic holiday shopping season is underway. That means cybersecurity experts get another chance to figure out how fraudsters operate in the COVID era.
It's a huge and constantly shifting challenge. The way consumers shop and spend their money has changed dramatically since the crisis began, and that has also opened up new and expanded opportunities for identity theft, fraudulent accounts and transactions, and account hacking.
The waves of change have upended established assumptions about fraud. Waves of new shoppers have come online, making predictions about which shoppers are real and which are fake less reliable. Contactless pickup might mean less chance to check a shopper's identity, blending online and offline fraud. And more and more stolen data leaks online all the time, fueling automated attacks on ecommerce and payment systems.
"The pandemic spending behavior has all been anomalous," said Jay Budzik, chief technology officer of Zest AI, whose software uses machine learning to help businesses assess borrower risk. "We've been in a very abnormal period this whole time. The idea that we're able to tell you what's normal and what's not normal is kind of a hard thing. That's the challenge that people are going to face."
In the first year of the pandemic, more consumers were forced to shop and spend money online, and that led to a spike in different forms of online fraud and heftier losses for businesses.
Those losses are expected to swell: Juniper Research estimates that merchants will lose $206 billion to payment fraud between 2021 and 2025.
Kimberly Sutherland, vice president of Fraud and Identity Strategy at LexisNexis Risk Solutions, pointed to a sharp rise in automated attacks. In the first six months of 2021, the number of bot attacks soared to 1.2 billion, up 41% from last year, featuring huge amounts of stolen identity credentials, according to her firm's data.
But human-initiated attacks are still thriving. In fact, they're easier to pull off given broader access to stolen personal information, said Sunil Madhu, founder and CEO of Instnt, a customer-onboarding software company.
"All your personal information is already stolen and easily purchasable for about two bucks online," which could easily be used to create fake accounts, he told Protocol.
In some cases, fraudsters create a fake account to make a purchase, which they pick up at a physical location, he said. With busy holiday pickup queues, stores might be too busy to closely scrutinize IDs. Sutherland of LexisNexis agreed: With more stores open, this holiday season will be distinguished from last year in "the challenge of omnichannel fraud," she said.
Another relatively new vulnerability is "buy now, pay later." Once used mostly for big-ticket purchases like Pelotons, pay-later purchases are expanding to less expensive items in categories like apparel and beauty.
Rick Song, co-founder and CEO of Persona, an identity verification software company, said pay-later transactions pose "one of the biggest challenges" in fraud monitoring today. Unlike credit cards, "there is no centralized network and a lot of the underwriting is being done at the time of the purchase," he told Protocol.
The growth of automated fraud has pushed businesses to embrace more sophisticated security technology. Sutherland cited the use of behavioral analytics, software that can quickly track and analyze "everything from mouse and keyboard movement, how you hold the device, time on page."
AI may prove crucial, even though the technology has drawn heightened scrutiny amid worries about misuse.
Budzik of Zest AI said AI has become a powerful tool for flagging increasingly sophisticated fraud. "They're great at noticing subtle patterns that people can't," he said.
He cited a type of fraud in which a fraudster sets up an account under a synthetic identity — a made-up persona — which they use responsibly for years before making huge transactions from which they simply walk away.
The market for fraud-fighting tools is growing, too. Juniper projects companies will spend $9.3 billion to detect and prevent fraud in 2021, a figure that will grow to $11.8 billion in 2025.