Scott Buchanan, Chief Marketing Officer at Forter
Fraudsters are fluid — they constantly experiment with new tactics to find cracks in a merchant’s defenses. In 2023, there are five trends that merchants need to be aware of — we saw each in 2022 and expect to see them with even more frequency in the year ahead.
Human ‘Bot’ Farms
First, let us acknowledge that while “human bots” is an oxymoron, it is also highly insensitive. At present, our industry lacks a better way of describing the practice. It used to be that human ‘bot’ farms referred to sweatshop-style arrangements in which poorly paid workers, often in developing countries, spent their days on brute force attacks, solving things like CAPTCHAs.
Now, though, a new twist on this old theme has arisen. In short, human bot farms use trafficked humans to scale their fraud operations. Often, they behave as bots, conducting brute force (and similar) attacks.
Human bots were widely recognised in fraud manager communities as a driving force behind recent waves of repeated attacks, especially during the holiday rush. For example, human bot farms bombarded merchants that offer limited-edition merchandise, reducing the chances that prized products reached good customers and frustrating those customers in the process. These same operations also applied several of the tactics described below at a scale that overwhelmed some fraud solution providers and their merchant customers.
Low-tech Address Manipulation
In the past year, fraudsters reverted to old tricks to circumvent rules-based fraud prevention, and we saw an uptick in low-tech address manipulation. Consider a merchant with a rule set that checks a shipping or billing address against a negative list, and suppose a known fraudster's address, 123 Main Street, is on that list. Any transaction with a shipping or billing address of 123 Main Street is therefore blocked by the rules.
Fraudsters found an easy workaround. They simply enter a variation of the address at checkout that evades the rules but is easily understood by FedEx, UPS, or any other delivery company. For example, 123 Main Street becomes One-two-three Main Street or 123 Maain Street.
In theory this should be simple to identify and block. Still, fraud managers were frustrated that rules-based solutions, even those that apply artificial intelligence to speed up rule application, struggled to spot this manipulation. During the Black Friday rush, more than one vendor threw up their hands and admitted they had no effective way to stop this tactic. As a result, fraud teams relying on those solutions had to manually review a growing queue of transactions.
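The rule-evasion above is a normalisation problem: a negative list compares strings, and "One-two-three Maain St." is not the string "123 Main Street" even though a carrier reads both the same way. The following is an added example, not code from Forter or from any vendor mentioned here, showing the check a merchant's own rules layer could run: canonicalise the address (case, punctuation, spelled-out digits, street-type abbreviations), block on an exact match after normalisation, and route typo-distance near-matches to manual review rather than auto-blocking them. The negative list, abbreviation table and addresses are constructed for the example; the digit-word and abbreviation tables are deliberately small and would be extended for production use.

```python
import re

# Constructed negative list for this example (not real data).
NEGATIVE_LIST = ["123 Main Street", "45 Elm Avenue"]

# Spelled-out digits and common street-type abbreviations, so that
# "One-two-three Main St." and "123 Main Street" collapse to one string.
DIGIT_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
ABBREVIATIONS = {
    "st": "street", "str": "street", "ave": "avenue", "av": "avenue",
    "rd": "road", "blvd": "boulevard", "dr": "drive", "ln": "lane",
}


def normalize(address: str) -> str:
    """Canonicalise an address: lower-case, strip punctuation, expand
    abbreviations and fuse runs of spelled-out digits into one number."""
    text = address.lower().replace("-", " ")      # "one-two-three" -> "one two three"
    text = re.sub(r"[^a-z0-9 ]+", " ", text)      # drop punctuation
    tokens = [ABBREVIATIONS.get(tok, tok) for tok in text.split()]
    out, run = [], ""
    for tok in tokens:
        if tok in DIGIT_WORDS:                    # accumulate "one two three" -> "123"
            run += DIGIT_WORDS[tok]
            continue
        if run:
            out.append(run)
            run = ""
        out.append(tok)
    if run:
        out.append(run)
    return " ".join(out)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo variants such as "Maain" for "Main"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_number(norm: str):
    """Split a normalised address into (house number, remainder)."""
    parts = norm.split(" ", 1)
    if parts[0].isdigit():
        return parts[0], (parts[1] if len(parts) > 1 else "")
    return "", norm


def screen_address(address: str, negative_list=NEGATIVE_LIST, max_distance: int = 2) -> str:
    """Return "block" on an exact match after normalisation, "review" when the
    house number matches and the street is within max_distance edits of a listed
    address, and "allow" otherwise. Near-matches go to review, not auto-block,
    because fuzzy matching trades precision for recall."""
    cand = normalize(address)
    cand_num, cand_street = split_number(cand)
    verdict = "allow"
    for bad in negative_list:
        bad_norm = normalize(bad)
        if cand == bad_norm:
            return "block"
        bad_num, bad_street = split_number(bad_norm)
        if cand_num and cand_num == bad_num and levenshtein(cand_street, bad_street) <= max_distance:
            verdict = "review"
    return verdict


if __name__ == "__main__":
    for addr in ["123 Main Street", "One-two-three Main Street",
                 "123 Maain St.", "124 Main Street", "45 Elm Ave"]:
        print(f"{addr!r:32} -> {screen_address(addr)}")
```

Two caveats a practitioner would add: the house number is compared exactly because a one-digit edit there is a different building, not a typo, so only the street portion is fuzzy-matched; and an edit-distance threshold is a knob, not a verdict, which is why a near-miss lands in the review queue. This closes the specific hole described above, but it is still a rule, and a determined fraudster will move to the next field.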
Triangulation Fraud
With the growing presence of marketplaces for exchanging goods, fraudsters are using triangulation more. Think of this as 'stolen to order' (instead of made to order). A fraudster posts a sought-after item for sale on a marketplace; in 2022, some of the most popular items for triangulation were high-end 'cozy' blankets, sneakers, gaming systems, and other electronics.
When a consumer buys the item from the fraudster on the marketplace, the fraudster then fraudulently orders that item from a merchant, typically with stolen payment credentials, and enters the marketplace buyer's address as the shipping address at checkout. Because that address belongs to a legitimate consumer, it typically passes address verification checks. The marketplace buyer gets their item; the fraudster gets their money; the merchant bears the loss; and the marketplace is entirely unaware.
Fraudsters prefer triangulation because they don’t make any effort until they have a buyer — they never have to worry about stealing something they can’t sell, and they never have to touch the merchandise (further reducing their operating costs).
Double-dipping
Emboldened cheaters are attempting more brazen tactics. A prime example is double-dipping. While this is not new, we saw more attempts to double-dip in 2022, especially from amateurs and previously good consumers.
Double-dipping can take any form in which a bad actor wins twice. For example, the bad actor makes a purchase and has the product shipped. They then tell the merchant the item was not received and simultaneously file a chargeback with their issuer. Since it may take hours or days for the issuer to notify the merchant of the chargeback, the communication gap can mean the bad actor is credited by both parties and keeps the product.
We’ve also heard examples of bad actors buying and receiving an item, then filing a return, yet failing to return the item. Instead, they send the merchant back a package with rocks (or something else weighted). In one particularly devious example, a bad actor filled a bag with dry ice, which evaded a weight check by the delivery company, and then arrived at the merchant as an empty package.
Friendly Fraud and Policy Abuse
The best-known form of friendly fraud is chargeback fraud: a customer makes a purchase, receives it, and then files a fraud chargeback claiming the purchase was made by a fraudster. This form of friendly fraud has been growing dramatically in recent years. Less recognised is that other forms of friendly fraud, which can also be labelled policy abuse, are increasingly serious.
For example, a consumer buys a sweater as a final sale. When it arrives at their doorstep, they realise it doesn’t fit as they’d hoped. Disappointed, the (previously good) consumer contacts the merchant to claim the sweater never arrived (code = Item Not Received) and demands a refund. The consumer now has the item they can wear (hey, at least the fit is close) or resell on a marketplace for profit.
Friendly fraud can also surface as returns abuse (returning items worn or outside of store policies), promotions abuse (re-using new customer discounts or other voucher codes), and more.
Friendly fraud is difficult to stop since it is often perpetrated by good consumers: they don't appear on negative lists or fail basic rules. But professional fraudsters get in on the same acts, industrialising what began as a consumer problem by increasing its scale significantly. To increase their odds of success, they have become systematic about this form of fraud. For example, on the dark web, fraudsters have shared the exact language to use when calling specific large merchants or issuers to nearly guarantee a refund or chargeback.
Parting Thought: The Power of Identity
The above tactics that fraudsters used with some success in the past year generally exploit gaps in rules-based systems (deployed by the merchant and/or offered by a fraud solution provider). These tactics don’t work when you can pinpoint the identity behind an interaction.
When you can be statistically confident that the identity entering an address of “One-two-three main street” is associated with fraud, it doesn’t matter what they enter in the address field; their transaction attempt is blocked. When a known fraudster is attempting to put an item up for sale on a marketplace or purchase an item with a net new shipping address, you stop them. And when they try to re-use promotional codes repeatedly, you reject the attempt.
You cannot pinpoint an identity with rules — instead, you need a massive graph of online identities and as much data as possible on each. While fraudsters always manipulate aspects of their identities, they cannot mask thousands of data points. Next-generation fraud solutions that use machine learning to augment human expertise can pattern match and pinpoint identity.
And to build the largest identity graph, you need a consortium of the largest merchants — collectively, they will ‘know’ the vast majority of online identities. And in this model, an identity — a bad actor or a good customer — known to one merchant is immediately known to all merchants.
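To make the "known to one merchant is known to all" idea concrete, here is an added example, not Forter's code and not a description of any vendor's actual graph: a minimal identity graph built with union-find, where every record a merchant contributes is linked to each identifying attribute it carries (e-mail, device, phone, card), so records that share any attribute fall into one cluster. A cluster containing a confirmed-fraud record is a fraud cluster, and an incoming order is checked for the attributes that connect it to such a cluster, even when its address and device are net new. The records, merchants and attribute values are constructed for the example.

```python
# Constructed consortium records (hypothetical data, not any real merchant's).
# MerchantA confirmed fraud on A-001; B-017 is a clean-looking order at
# MerchantB that reused A-001's device under a different e-mail.
RECORDS = [
    {"id": "A-001", "merchant": "MerchantA", "email": "j.doe@example.com",
     "device": "dev-7f3a", "phone": "+15550100", "fraud": True},
    {"id": "B-017", "merchant": "MerchantB", "email": "jd.alt@example.net",
     "device": "dev-7f3a", "phone": "+15550199", "fraud": False},
    {"id": "C-042", "merchant": "MerchantC", "email": "alice@example.org",
     "device": "dev-1b2c", "phone": "+15550777", "fraud": False},
]


class IdentityGraph:
    """Union-find over record nodes and attribute nodes. Two records that share
    any linking attribute end up in the same cluster; a cluster that contains a
    confirmed-fraud record is treated as a fraud cluster."""

    LINK_KEYS = ("email", "device", "phone", "card")

    def __init__(self):
        self.parent = {}
        self.records = []

    def _find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]  # path halving
            node = self.parent[node]
        return node

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[ra] = rb

    def add_record(self, rec):
        """Link the record node to every attribute value it carries."""
        self.records.append(rec)
        node = ("record", rec["id"])
        for key in self.LINK_KEYS:
            if rec.get(key):
                self._union(node, (key, rec[key]))

    def fraud_roots(self):
        return {self._find(("record", r["id"])) for r in self.records if r.get("fraud")}

    def fraud_links(self, tx):
        """Attributes of an incoming transaction that connect it to a fraud
        cluster. Unseen attribute values are skipped, not inserted."""
        roots = self.fraud_roots()
        hits = []
        for key in self.LINK_KEYS:
            val = tx.get(key)
            node = (key, val)
            if val and node in self.parent and self._find(node) in roots:
                hits.append(key)
        return hits

    def cluster_of(self, rec_id):
        """Record ids sharing a cluster with rec_id, across all merchants."""
        root = self._find(("record", rec_id))
        return sorted(r["id"] for r in self.records
                      if self._find(("record", r["id"])) == root)


def build_graph(records=RECORDS):
    graph = IdentityGraph()
    for rec in records:
        graph.add_record(rec)
    return graph


if __name__ == "__main__":
    g = build_graph()
    # New order at a fourth merchant: unseen device and phone, but the e-mail
    # was used at MerchantB on the device that MerchantA tied to fraud.
    tx = {"email": "jd.alt@example.net", "device": "dev-9999", "phone": "+15550321"}
    print("linked to fraud via:", g.fraud_links(tx))
    print("cluster of A-001:", g.cluster_of("A-001"))
```

Two things the toy version leaves out, and which are the reason the article argues for scoring many data points rather than applying a hard rule: transitive linking is over-inclusive (a shared household device or a reused gift address pulls good customers into a fraud cluster, so real systems weight edges and let a model decide), and a consortium cannot share raw e-mails and card numbers between merchants, so in practice the attribute values would be pseudonymised before they enter the shared graph.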
And that is why the final trend for 2023, on the merchant side, will be merchants abandoning rules-based systems at an increasing rate. That includes rules-based fraud solution providers that masquerade as machine learning but really just speed up the application of rules. To combat more sophisticated fraudsters, merchants will make decisions based on identity, and they will seek out the largest identity graph in order to achieve superior results.