Combating Fraud During the Festive Season

Mike Mimoso, Editorial Director, Flashpoint, offers advice on how organisations should maintain security.

Fraud is an inevitability within business, and one that most won't concede they're susceptible to. Yet the increase in transactions coinciding with the online holiday shopping season does come with an increase in fraud, which hardly surprises security professionals in retail and other relevant markets.

Holiday-centric campaigns often focus heavily on fraud, which has long been considered one of the most persistent and dynamic threats to retailers.

Many fraudsters are highly flexible and are known to continually adapt their tactics to circumvent new anti-fraud measures.

Consequently, mitigating fraud effectively requires abundant subject-matter expertise, unfettered access to the proper tools and technologies, and substantial resources as part of a truly systemic and cross-functional strategy. It's also not something that retailers are going to suddenly start doing better because they read an article that pitches vendor solutions or reiterates the heightened risk of fraud during the holidays.

FUD for Sale During the Holidays

Fear, uncertainty, and doubt (FUD) are heavily sprinkled throughout fraud-related campaigns from vendors targeting those in retail during the holidays; in fact, the campaigns often resemble the pattern of marketing that comes on the heels of large breach disclosures.

This approach compounds the stress the majority of retailers are already facing at this time of year in warding off fraud and cybercrime. It's also likely that those companies that have been stung by large-scale attacks and data leaks are in for another bout of naming-and-shaming and will be held up as examples of what not to do during the busy shopping season.

For those who might already be facing an uptick in fraudulent purchases, the deluge of holiday fraud-centric content serves as little more than a harsh reminder of what they are already experiencing.

Refund Fraud, Phishing, and Fraud-Detection Bypasses for the Holidays

Threat actors can also chip away at profits during the holidays through refund fraud schemes, phishing pages, and attempts to circumvent fraud-detection systems.

Refund fraud peaks during the holidays, according to Flashpoint's dataset. It involves a threat actor making online purchases that are shipped, for example, to a drop site, and then claiming never to have received the purchase. The actor is issued a refund and gets the product at no cost.

Analysts evaluated seasonality effects on refund-related chatter across Flashpoint's DDW dataset; the lowest amount of chatter surrounding refund fraud occurred in September, before steadily increasing through the holiday season, after which it began to decline again in late January.

Phishing is certainly a year-round threat, but during the holidays, threat actors looking to capitalise on high volumes of consumer shopping will create fraudulent shopping sites that look legitimate.

While appearing legitimate, these sites often falsely advertise discounted products hoping to entice unsuspecting victims. Without further training and user awareness, these attacks, which take advantage of the human factor instead of technological vulnerabilities, are likely to continue.

Fraud-detection systems are also stressed during peak holiday shopping days, and threat actors have been known to try to exploit this scenario. Discussions on underground forums in the past have centred around the use of stolen payment card information during the holidays and the types of activities that may trigger a fraud-detection system.

Assessment

Although the holidays are upon us, it's important to remember that security and intelligence professionals in the retail industry are concentrating on far more than just seasonal threats. Return fraud, for example, might peak between November and January, but that doesn't mean retailers aren't actively striving to combat other types of fraud year-round.

As such, vendors seeking to generate interest and cultivate relationships with prospective customers should recognise that, regardless of season, retailers will always be susceptible to a broad spectrum of cyber and physical threats.

Rather than be dealt the usual barrage of campaigns touting various easy fixes to seasonal cybercrime, what retailers truly need is relevant, actionable intelligence that can help them gain a decision advantage over the threats and adversaries they face year-round—not just during the holiday shopping season.