E-commerce fraud is fast becoming a crisis for merchants across the globe


The retail sector has become a breeding ground for targeted cyberattacks and organisations must keep their defences up to date in order to remain resilient. Ravelin has revealed that new approaches are urgently needed to fight fraud and minimise losses, while findings from Akamai Technologies report that over 1.15 billion web attacks were recorded in Asia-Pacific and Japan’s commerce sector, across retail, hotel and travel verticals.

E-commerce fraud is growing fast and financially impacting businesses across the globe, according to new research from Ravelin.

In the last 12 months, merchants have seen a huge leap in online payment fraud (up 59%), account takeover (up 51%), promotion abuse (up 52%), refund abuse (up 53%) and customer fraud / friendly fraud (up 40%).

Merchants are now throwing more and more money at the crisis and expanding fraud teams in a bid to mitigate losses.

Three-quarters (75%) of all online merchants say fraud budgets will grow this year (global average figure). In the UK, 62% will be spending more on managing fraud. This rises to 70% in France, 74% in Germany, 69% in the US and 84% in Canada.

In the UK, over half (58%) of online businesses polled plan to grow their fraud teams in the next 12 months. In other parts of the world, the trend is even more pronounced. A large share (80%) of merchants in Germany, 72% in the US and 86% in Australia expect teams to grow in size, Ravelin has found.

New approaches are urgently needed to fight fraud and minimise losses.

But when it comes to tools for tackling fraud, most businesses (78%) opt for in-house solutions which are expensive to maintain and quickly become unsustainable as a business grows. In the UK the figure is 80% while in France it’s 81% and in Germany 77%.

Ravelin CEO, Martin Sweeney, said: “Over the years merchants have built up fraud investigation teams which they’re justifiably proud of. But fraud continues to grow and mutate – simply throwing more people and money at the problem won’t make it go away. Losses will continue to grow. 

“Businesses need to get on the front foot managing fraud: using automation to nip fraudulent transactions in the bud. Better automation helps teams scale and frees up fraud investigators from mundane tasks enabling them to focus on informing product development, identifying other sources of profit erosion and other more important strategic tasks that drive growth. With the economy in an uncertain place, enabling growth must become the priority.”

Ravelin’s Global Fraud Trends 2023 survey also examines the most effective tools for fighting fraud.

Machine Learning and Two-Factor Authentication (2FA) are being adopted more regularly by e-commerce businesses to help with the issue. Almost half (48%) of UK businesses say ML is one of the most effective tools in their arsenal. Three-quarters (75%) of UK merchants say 2FA is crucial.

From feedback across regions, the survey found that there isn’t a singular ‘one and done’ fraud strategy that’s most effective. Different solutions are effective at fighting different frauds and having a robust tool stack allows teams to consider the complex nature of fraud.

The survey, which spoke to 1,900 global fraud professionals, also examines the increase of ‘newer’ types of fraud which are prevalent globally.

Policy abuse is experienced by 40% of businesses spoken to. The UK has the biggest problem with this type of ‘friendly fraud’ with over half (52%) of merchants experiencing it.

Reseller and bot activity sits at 53% globally whereas ‘fraud as a service’ schemes were an issue for 56% of those spoken to. Social engineering via customer service was experienced by 45% of the companies who took part in the survey.

These quantitative surveys were commissioned by Ravelin and carried out by Qualtrics. The survey was carried out using a panel of 1,900 global fraud professionals. Survey participants work for online merchant businesses with over US$50 million in annual revenue. The survey was translated into each respondent’s local market language for clarity. 

In light of Ravelin’s findings, Akamai Technologies, the cloud company that powers and protects life online, recently released a new State of the Internet report that spotlights the increasing number and variety of attacks on the commerce sector. Entering through the Gift Shop: Attacks on Commerce finds that in Asia-Pacific and Japan (APJ), over 1.15 billion web attacks were recorded in the commerce sector, across retail and hotel and travel verticals.

Globally, commerce remains the most targeted web attack vertical, accounting for over 14 billion (34%) of observed incursions, largely due to the industry’s continued digitalisation and the attackers’ available selection of web application vulnerabilities to breach their intended targets.

The new Akamai research also finds that Local File Inclusion (LFI) attacks increased 300% between Q3 2021 and Q3 2022 and are now the most common attack vector used against the commerce sector. Just a few years ago, SQL injection (SQLi) was the most common incursion. This indicates an attack trend towards remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.

Attack vectors such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI) and Server-Side Code Injection have also been gaining popularity. They pose a significant threat to commerce organisations and other verticals, preventing online sales and damaging a company’s reputation.

As commerce organisations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications. Globally, retail remains the most targeted subvertical within commerce, accounting for 62% of attacks on the sector.

The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programmes, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.

Malicious bot activity

Akamai observed malicious bots targeting the APJ commerce vertical surpassing 765 billion in 15 months, driven by the number and frequency of holiday shopping events throughout APJ and the growth in online travel booking.

Notably, after quarter-on-quarter growth throughout 2022, malicious bot activity decreased substantially in Q1 2023.

“These insights around the commerce sector present a timely reminder that commerce organisations need to be on high alert to adapt to a myriad of methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts,” said Reuben Koh, Security Technology and Strategy Director (APJ), Akamai Technologies.

“To stay ahead of attack attempts, commerce organisations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyberdefence solutions, organisations need to make sure that the chosen solutions are adaptive enough to counter against the ever-changing threat landscape and minimise the risks posed by adversaries who are getting more sophisticated every day,” concluded Koh.
