Between 2018 and 2023, retailers are expected to lose about $130 billion to card-not-present fraud, according to Juniper Research. Small businesses are particularly vulnerable, given their limited resources to fight cybercrime. But a new tool from American Express could offer some relief.
Between 2018 and 2023, retailers are expected to lose about $130 billion to card-not-present fraud, according to the technology consulting and forecasting company Juniper Research.
Because of the U.S. shift to EMV technology, “card-present fraud is pretty well gone,” says Brady Cullimore, director of global fraud risk management for American Express.
Instead, “online merchants are getting attacked a lot more,” Cullimore says. In many cases, “they’re not equipped to handle that fraud. It’s not something they want to do or are prepared to do.”
And many small businesses are still adjusting to doing business using newer online shopping channels, such as apps and mobile devices, Cullimore says.
Making use of third-party vendors to provide fraud protection might be cost-prohibitive for small businesses, so they can be “kind of left to their own devices,” Cullimore says.
From the second quarter of 2018 to the second quarter of 2019, the dollar value of online fraud soared almost 12%, according to the fraud protection company Forter.
The number of fraud attempts increases each year, because it “remains a decent place for fraudsters to make a living,” says Colin Sims, Forter’s chief operating officer.
“The scale of fraud operations out there is massive and growing,” Sims says, and fraudsters specialize in different segments of the fraud market. Some build the tools used to steal consumers’ financial data, some focus on selling that stolen data and some specialize in monetizing that data.
The use of cryptocurrency “facilitates [an] ecosystem that allows fraudsters to buy and sell data,” Sims says.
One major threat comes from formjacking, in which cybercriminals insert malicious code onto websites. An October warning from the FBI says small- and medium-size businesses and government agencies are particular targets.
The malicious code is used to steal consumers’ credit card and personal information. The cyber thieves then sell the information on the dark web or use it to make their own fraudulent purchases.
In 2018, the cybersecurity provider Symantec blocked more than 3.7 million formjacking attempts, with about one-third of those attempts occurring during the busy holiday shopping season. Because the transactions usually go through, and consumers receive their purchases, formjacking can take a long time to be detected.
Many of the formjacking incidents identified last year by Symantec involved cybercrooks who targeted third-party services, such as chatbots and customer review widgets.
When it comes to formjacking, “there has not been a lot of reaction on how to prevent it and how to respond to it,” says Ron Schlecht, founder of BTB Security, an information security company.
The malicious code may come from phishing attacks or from people downloading infected software to websites, he says.
For a consumer, “there’s nothing from a user’s perspective that’s going to be easy to spot,” when formjacking occurs, Schlecht says.
Small businesses lack the resources to defend against fraud
“Small businesses are in a tough spot,” Sims says. “They’re up against the same threats large enterprises are,” such as Target and Home Depot, which have been the targets of massive data breaches.
While such large retailers “struggle to contain fraud because the attacks are so sophisticated, small businesses lack the resources to build fraud defenses,” Sims says.
As a result, many small business owners will outsource their fraud detection and prevention to third-party providers, he says.
Despite the differences in size and resources for small businesses, consumers expect an online shopping experience on par with the major e-commerce players, Sims says.
A survey by Forter found half of Americans are less likely to buy something online if the checkout process takes more than 30 seconds. And the average respondent said they would wait just 10 seconds for their credit card to be verified. Almost one-third said they would abandon their purchase if they had to reenter their credit card information.
American Express is starting to offer some assistance for small business owners through a free tool called Enhanced Authorization, which has helped to reduce fraud rates and allow more transactions to go through, Cullimore says.
Enhanced Authorization helps retailers and American Express identify who is making online purchases. Typically, a merchant sends information such as the consumer’s credit card number, purchase amount and type of merchandise to the credit card company for approval.
- With the new tool, the retailer sends additional information, such as the IP address of the purchaser, their email address and their shipping information, to see if it matches the information American Express has on file. That extra information helps the credit card company decide whether to approve the transaction, Cullimore says.
- In some cases, American Express might consider a transaction to be risky, but the retailer has known the consumer for years, so the transaction will be approved, he says.
- Enhanced Authorization, which relies on machine learning, has resulted in up to a 60% reduction in fraud rates, while allowing more transactions to be approved.
- The approval process doesn’t add to consumers’ checkout time, Cullimore says.
But Sims of Forter noted that many of the data points checked by Enhanced Authorization, such as shipping information and IP address, are “easily manipulated” by fraudsters.
“It can help, but shouldn’t be relied upon as the exclusive fraud mitigation mechanism,” he said. “It’s more of an add-on to other tools, techniques and platforms.”
However, Cullimore noted that merchants can provide “dozens of data elements” with Enhanced Authorization.
“While a fraudster can enter actual card member data to mimic the actual card member, there are many merchant-provided data elements that a fraudster has no ability to influence,” he said. “The more data a merchant provides through Enhanced Authorization, the better it works to increase approval rates and reduce fraud.”
Small businesses fly under criminals’ radar – until they don’t
Sims says that because of their size, small businesses often can “fly under the radar for a long time” before coming under attack by cybercriminals.
But if a fraud attack takes place, “your life really changes,” Sims says. “In the worst case, you’ll lose the ability to process credit cards online.”