eCommerce is constantly evolving – and so are the fraudsters targeting eCommerce sites. As businesses in Australia undergo digital transformation, criminals sleuth for low-hanging fruit. Brick-and-mortars and eCommerce businesses alike simply can’t afford to fall victim to these attacks. The sophistication of eCommerce fraud tactics are only bound to evolve post-COVID. Retailers must stay on top of security vulnerabilities, outdated software, or exploitable merchant sites to avoid great losses.

The evolution of eCommerce fraud 

Retail and brick/mortar retailers are struggling, maybe even dying. Online retailers have had to pick up that slack, but the move to an online model of retail introduced a whole slew of opportunities for fraud. For example, price-scraping is a fairly common, anti-competitive attack – retailers can unleash bots to crawl all over competitors’ websites and make a note of the prices they’re charging so that they can be undercut. Alternatively, they can collect a bunch of high-profile or high-price items and abandon them in a shopping cart, where they can’t be selected by another customer. Attacks have gotten more complex as customers have gotten smarter about the retailers they patronize.

eCommerce cyber attacks for retailers post-COVID

COVID forced a lot of brick-and-mortar retailers to create online presences just to survive. The problem is that establishing a presence like that under duress may mean that some corners were cut in the name of speed.

Those corners may come back to bite those retailers in a post-COVID world: security measures that would have been paramount in a perfect rollout may have been skipped entirely in a COVID rollout. And the gaps those measures left behind are where fraudsters are going to strike. It’s the same attacks as were in play before COVID, but the targets are going to shift to those businesses that didn’t have a developed online retail presence before quarantine. It often comes back to stolen credit cards and how fraudsters look to use them most efficiently before they get shut down. If you sell lower-price or commodity items, you may be the retailer on which a fraudster will “test” a stolen card before moving on to bigger-ticket items. If you sell those bigger-ticket items, you may be the second step in the scheme.

It can run the gamut – not all attacks are sophisticated; some are, in fact, quite simple. Social engineering can be incredibly effective. Placing an order with a stolen credit card and then calling the fulfillment center and saying, “oh, I’m so sorry, I forgot to put my quarantine address in the field, would you redirect that order to this other address?” That’s a simple “attack” because it relies on talking to someone. But other attacks, like using stolen credit cards and testing them on small purchases before graduating to bigger heists? Those are more complex.

Most popular tactics and how attacks can be kept at bay by both eCommerce and bricks-and-mortar stores

Within e-commerce it’s not uncommon for fraudsters to attempt to create false storefronts, rack up frequent seller/buyer redemption points by purchasing amongst an established cohort or using arbitraged supply and demand techniques to gain price advantages for example. If there are loopholes or a way to game the platforms system that’s where the common attacks will be. If a criminal is attacking both eCommerce businesses and brick-and-mortar businesses, it may be focused on return policies and tactics. We’ve seen that particular approach on a number of occasions: criminals will take advantage of common goods between eCommerce and brick-and-mortar businesses to distort the economics of those goods. Buying from one site and returning to another for a profit…it’s frustrating for retailers and it’s difficult to track and prevent.

The easy answer is to partner with an anti-fraud organization that has seen attacks like these before and knows how to block them. The harder answer is to reevaluate how you’re acquiring new customers and whether any of those channels might be driving the troublesome traffic. If your quantitative data suggests high variance in user traffic during abnormal hours, for example, something might not be right. Look for analytical anomolies. If you didn’t have a significant online presence before COVID, expect that you may be targeted by fraudsters hoping to take advantage of your new systems and consider what measures you can take now to secure those platforms.

Ryan Murray is Regional Director for APAC at White Ops