‘Tis the Season to be Wary: Holiday Mobile Commerce Fraud Trends

Mobile is the way of the future – or rather, the present – for e-commerce. Holiday shoppers continue to move away from brick-and-mortar stores to online sites, but are doing even more shopping via mobile devices than ever before. Fraudsters are growing savvy to the trend and capitalizing on the colossal amount of purchases made during the holiday season.

Exponential growth, by the numbers

Black Friday and Cyber Monday mark the official start of the gift-buying deluge, and this year the flood gates were thrown wide open: Black Friday online sales increased more than 23% year over year to over $6 billion, while sales on Thanksgiving Day grew approximately 28%, to $3.7 billion. Of the Black Friday online traffic, a whopping 49% was generated by smartphones. Shoppers were ready and willing to spend, with the average online basket dollar amount at $138, a 6% increase from 2017.

As a testament to the exploding demand for mobile and e-commerce shopping options, the 30 merchants that ranked well on the Checkout Conversion Index report had the fastest, most streamlined online checkouts compared to the 30 merchants with the lowest scores, who had inconsistent checkout experiences. This is worth noting, given that 39% of shoppers will use “buy now” buttons via smartphones this holiday season, and consumers are expected to spend $93.5 billion by the end of the year via mobile.

Merchants that want part of that pie will need to step up their mobile experience.

Cybercrime and the holidays go hand in hand

As is generally the case with fraud, industries experiencing a cascade of wealth are riddled with cybercriminals. The holidays are the perfect time for fraudsters to camouflage illegitimate online purchases among the sea of real transactions.

In 2017, e-commerce fraud attempts increased by 22% from Thanksgiving to December. The number of attempts was highest on Thanksgiving Day, at 1.94% (up from 1.26% in 2016), then on Christmas Eve with 1.78% (1.48% in 2016), and on December 21 – the cutoff date for express shipments – at 1.67% (1.49% in 2016). Peak fraud days were driven by shipment cutoffs, levels of consumer traffic, and pick-up-in-store transactions.

Cybercriminals create fake accounts well ahead of the peak fraud days to make these fraudulent purchases; they sit dormant, age, and then get used during the busiest days of the holidays so they draw less attention.

Fraudsters taking the cheer out of the holidays

The ease and speed of mobile commerce are ideal for holiday shopping (not to mention the ability to avoid crazy crowds by shopping at home), but it’s not without risk, and fraudsters have found ways to exploit the features that make mobile commerce so attractive.

In-store card-not-present (CNP) purchases and contactless payments. Some retailers are now allowing in-store CNP purchases involving store-branded credit cards. The associate looks up the account and the consumer verifies their identity via SMS code or QR code.

Unfortunately, fake QR codes and SMS interception hacks can make these security checks completely useless, and they’re becoming more commonplace tactics for undermining identity verification.

Contactless payment platforms like Apple Pay and Google Pay are considered much more secure forms of payment than credit cards or CNP thanks to their use of biometric authentication and tokenization, but consumer adoption rates remain low due in part to low retailer adoption rates. Only 20% of stores are contactless-enabled, but it’s a great method for protecting consumer payment information, both during and after the holidays.

Looking ahead, dual-interface credit and debit cards that support contactless payments are something more card issuers and retailers are expected to adopt, providing an alternative payment option for consumers who may be mobile averse, but with all the security of mobile contactless payments.

Convincing fakes. Increasingly believable phony websites are an easy way for consumers to fall prey to fraudsters while making holiday purchases via mobile. These sites lure in consumers with too-good-to-be-true deals, which are all the more tempting during the holidays when money might be tighter, and less suspicious since sales are happening everywhere anyway. Not only do fake sites steal money from your business, they ferret out sensitive customer data. They scrape a legitimate retailer’s site in an attempt to recreate the design and layout, but warning signs, like grammatical errors or URLs that have extra words like “deals” or “sales,” can help distinguish real from not.

Behavioral analytics are your friend. Fake accounts that sit unused until the holidays roll around can be weeded out with the help of biometrics and behavioral analytics. Examine actions, such as:

• How hard does the real user hit the keys on the screen? Bots and scripts tend to hit the same exact pixels on a screen, while a human finger has more variation and applies more pressure.
• How do they swipe from page to page?
• How do they hold their device?
• Does the user touch type or swipe type?
• Is the mobile device being charged, with a full battery, or is it just running on battery? Click farms run by humans tend to use mobile devices that are constantly charging with perpetually full batteries, versus a legitimate customer who is generally shopping from a device that either isn’t charging, or is and has less than 100% battery.

If certain actions don’t match the typical behaviors of real users, you may have a fraudster on your hands. Email validations and captchas can be triggered when suspicious activity is detected, to create roadblocks for bad users.

Additionally, mobile shoppers tend to have a smaller number of items in their carts at a given time. If you see a cart with a large number of items, particularly gift cards, consider it a red flag. (And make sure to read our blog on why gift cards are such hot ticket items for fraudsters during the holidays.)

Don’t let fraudsters take the happy out of your holidays. Consult our ebook, Maximizing Mobile Opportunities, to help you build a mobile strategy that maximizes conversions and makes life difficult for fraudsters without throwing a wrench in your customer experience.