Savvy crooks make card not present fraud a risk without end

Card not present fraud is on the rise, and so is the sense of impunity that fraudsters seem to feel about their activities.

Fraud against e-commerce merchants is growing faster than the rate of e-commerce sales, and Juniper Research projects that retailers will lose $130 billion to CNP fraud between now and 2023.

Why is CNP fraud growing so fast? It’s no longer a matter of post-EMV migration from POS to online fraud. What we’re seeing now is brazen, organized cybercriminals leveraging technology and traditional business strategies to commit more fraud faster.

Today’s CNP criminals network online, and not only in the far recesses of the dark web. RSA recently reported that fraudsters are using the popular global messaging app Telegram in new ways to grow their criminal enterprises. Although they used to use the app for group chats to share knowledge and stolen data, RSA has found they’re also now using Telegram channels to sell their services to other would-be criminals. The new bot feature in Telegram is also being used by fraudsters to automate sales of stolen data, provide fully outsourced fraud-as-a-service and sell subscriptions to compromised card numbers and card-testing services.

Telegram isn’t the only social tool crooks are using to organize their fraud schemes. Any social network or messaging tool has the potential to be abused by fraudsters looking to share information and make sales. For example, in April 2018, security blogger Brian Krebs tipped off Facebook to the existence of private groups on the platform devoted to cybercrime with more than 300,000 members in total. The most popular topics were “the sale and use of stolen credit and debit card accounts.” These groups were actively recruiting, according to Krebs, until Facebook shut them down.

As fraudsters take more technologically complex approaches to fraud, they’re also, ironically, making it easier for just about anyone to become a CNP fraudster. Card brands are keeping an eye on the growing trend of fraud-as-a-service that is growing on the dark web and beyond. Visa Chief Risk Officer Ellen Richey recently wrote that “the black market for cybercrime has also evolved to enable individuals of all skillsets to participate as long as they have the desire.”

In addition to the scams-for-hire available through messaging sites and social media, scammers also offer phishing services for as little as $150 per attack or a percentage of the scam’s proceeds. The result? More stolen credentials and payment data, and more fraud.

As fraudsters get more sophisticated, better funded and increasingly connected, it’s clear that the fight against fraud will be ongoing, not a battle with a clear end. None of these trends mean that fraud-fighting is hopeless. In fact, you could argue that the lengths criminals now go to show that it’s getting harder for them to commit fraud. But these trends do show that going it alone, relying on last year’s fraud detection tactics and hoping for the best are no longer enough. It’s up to everyone in the e-commerce ecosystem to keep up with fraud trends, follow current fraud detection and prevention best practices, and share information to counteract the networking practices that fraudsters have learned to leverage.