
Naughty or Nice?
In 2022, Holiday Shoppers Look for Bargains, Fraudsters Look for Steals

Entering a store on Black Friday feels exhilarating for millions of dedicated holiday shoppers who arrive early to snag the best bargains. But the hustle and bustle are not for everyone. Personally, I relish shopping for gifts on my laptop while lounging at home (no shoes required). More and more holiday shoppers are doing the same. From October through December 2022, ecommerce is expected to rise 15.5% while in-store sales are projected to grow a paltry 0.9%, says Insider Intelligence.

Given the state of inflation, inventory shortages and interest rate hikes, it’s an optimistic outlook. Can we really outperform 2021 — the strongest retail growth in 20 years? With so many economic variables at play, the 2022 snow globe looks a bit cloudy.

Acutely aware of market pressures, retailers are looking for creative new ways to profit. The problem is: fraudsters are too. In this article, we’ll look at retail trends that are growing more popular among shoppers and attackers. Most importantly, you’ll learn what retailers can do to prevent fraud both online and off.

Account takeovers top the naughty list

In 2021, retail data shows Cyber Monday was the biggest day for online sales, climbing to $10.90 billion, exceeding Black Friday sales of $9.03 billion, according to Insider Intelligence.

When more people transact online, cybercriminals see big profit potential, especially when it comes to taking over customer accounts. Account takeover (ATO) fraud jumped 148% across all industries in 2021, making it the most common form of identity fraud today, says Imperva. In retail, 1 out of every 5 logins is an ATO attempt, not just during the holidays but year-round.

Fraudsters use the same old tricks: phishing, smishing, credential stuffing, credential cracking and man-in-the-middle attacks. With cracked, stolen or purchased credentials, they simply log into customer accounts. When you combine these tried-and-true ATO methods with emerging retail fraud trends and more advanced attack tactics, you get a combustible holiday mix:

  • Buy Now, Pay Later ATOs – One of the newest trends in retail fraud involves Buy Now, Pay Later (BNPL) plans from lenders like Affirm or Afterpay. Cybercriminals are targeting accounts that are set up with this popular payment method to make fraudulent purchases — an easy win with growing potential. A 2022 survey by Lending Tree shows 43% of consumers have used BNPL plans this year.

    BNPL comes with added risk since the cybercriminal can take over one of two accounts: the BNPL account that’s set up with the lender or the customer account established with a retailer. Either way, they’ll be able to authorize purchases via BNPL.

  • Evasive bots – First, it’s important to note that all types of bots are hitting retailers harder than other industries. 62% of attacks on retail websites use bots to automate and speed otherwise tedious or time-consuming tasks. This is much higher than the general trend across all sectors, where only 28.4% of attacks are automated by bots.

    What’s more alarming is the majority of these bad bots now leverage sophisticated tactics to slip through the cracks of disconnected defenses in perimeter and application security as well as risk detection systems. After they infiltrate an account, they go to great lengths to remain undetected and anonymous.

    In 2021, 33% of all attacks on retailers masked their origin. An anonymous proxy or framework hides the IP address so the perpetrator’s true location is difficult or impossible to trace. Evasive bots not only switch IP addresses or appear anonymous, they try to simulate human behavior, use device spoofing and change or hide their identity in any way possible.

  • Grinch bots – Worthy of their own blog post (coming soon), Grinch bots buy goods in high demand, gobbling up inventory at discounted prices in order for the fraudster to resell it all at a markup price.

    Granted, retailers are selling out their inventory, but it hurts customer satisfaction and lowers the chances of bringing in new customers who want to buy that special gift. Customers can’t compete with lightning-fast bots and will be forced to buy that must-have item from a competitor or the fraudsters themselves. Besides, retailers must protect their brand reputation. They can’t turn a blind eye to market manipulation and price gouging.

  • Inventory shortage phishing – Stockouts, whether caused by Grinch bots or manufacturing shortfalls, create desperate shoppers who are prime targets for phishing. This holiday season, we can expect fraudulent emails that falsely notify retail customers that popular items are “Back in stock!” Shoppers will fall for it, typing in their credentials on a fake website without thinking twice.

  • Vishing – Voice phishing or vishing is the act of social engineering via phone. The cybercriminal may pretend to be a customer service rep with a specific retailer, calling about a special discount or an issue with their latest purchase. The goal is to gain information or manipulate the customer to take an action that compromises their account, enabling the fraudster to take it over.

  • Loyalty point fraud – Loyalty programs are considered a ‘soft target,’ but the losses are costly nonetheless: fraudsters take over customer accounts to drain them of reward points that are redeemable for products, services or cash. Reward programs, created to entice and keep customers, are notorious for being poorly secured and easy to hack. 27% of all fraud attempts on ecommerce sites target loyalty programs, according to Statista. The sheer volume of attacks adds up!

End holiday humbug with end-to-end account security

Strong authentication

Hands down, the best way to prevent account takeovers is to eliminate customer passwords. No password means there’s no credential to crack, phish, stuff, intercept or bypass. There are many ways to authenticate users without having to use passwords: biometrics, passkeys, magic links and one-time passcodes.

Transmit Security offers it all. Fingerprint and facial biometrics are the most secure option since they confirm the user’s identity based on unique physical attributes. Our FIDO2-certified authentication uses public key cryptography to protect customer biometrics. Fingerprint or facial ID is used to authenticate the customer locally on the device, so the biometric and the private key are never ‘in flight’ nor stored remotely; only the public key is registered with the server.

Keep in mind that passwords must not linger in your account recovery process or anywhere else in the customer journey, or the weakness simply moves there. This is one of many challenges we’ve solved. Transmit Security Passwordless and MFA service is able to completely eliminate passwords — whether you do it now or phase them out over time.

Real-Time Risk and Trust Assessment

Transitioning away from passwords is a great start, but the increasing sophistication of retail attacks means more fraudsters are armed with tools and techniques designed to target the spaces between standalone detection and identity controls, even powerful ones like FIDO2 authentication.

Signs of ATO, account fraud and anonymous user attacks can be hidden in the gaps between disconnected data and tools you use before, during and after authentication. That’s why Transmit Security Account Protection continuously detects and assesses risk and trust for each user — across all their interactions, all retail apps and channels, from all customer devices.

With real-time assessments, you don’t need your own teams of in-house identity security and analytics experts to integrate tools, correlate and normalize data, or build and maintain rules. That’s a Fa-la-la-la-la if I’ve ever heard one!

Data from hundreds of telemetry types are automatically correlated in real time to each user: known or anonymous, customer or fraudster, human or bot. Continuous user profiling establishes an always-updated baseline of the specific customer’s typical behavior to identify anomalies between a user’s current and past activity.

Powered by machine learning, detection models pre-integrate advanced detection methods and telemetry including network analysis, device fingerprinting, behavioral biometrics, application activity, account changes and, of course, authentication and challenge results.

Ease and orchestration tie it up with a bow

Out-of-the-box from day 1: built-in intelligence weighs multiple risk and trust indicators with the accuracy needed to trigger real-time responses. Deny, challenge, allow and trust actions can be quickly added via API to automate interdiction or alleviate friction in your applications. You can also natively orchestrate step-ups using our passwordless, MFA and ID verification services.
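The two paragraphs above (a per-customer behavioral baseline, and deny/challenge/allow decisions driven by weighted risk indicators) can be illustrated with a small added example. This is not Transmit Security's code or model; the login history, field names, weights and thresholds are constructed for illustration, and a production system would use many more signals and a learned rather than hand-set weighting.

```javascript
// Build a per-user baseline from past successful logins.
function buildBaseline(history) {
  const tally = (field) =>
    history.reduce((m, e) => m.set(e[field], (m.get(e[field]) || 0) + 1), new Map());
  return {
    total: history.length,
    devices: tally('device'),
    countries: tally('country'),
    hours: tally('hour'),
  };
}

// Score one login attempt against the baseline plus session-level signals,
// then map the score to the deny / challenge / allow actions the post names.
function assessLogin(baseline, attempt) {
  let score = 0;
  const reasons = [];
  const flag = (points, why) => { score += points; reasons.push(why); };

  if (!baseline.devices.has(attempt.device)) flag(30, 'unseen device');
  if (!baseline.countries.has(attempt.country)) flag(30, 'unseen country');
  // Hour-of-day anomaly: fewer than 5% of past logins in this hour (constructed cutoff).
  const hourShare = (baseline.hours.get(attempt.hour) || 0) / baseline.total;
  if (hourShare < 0.05) flag(15, 'unusual hour');
  if (attempt.anonymousProxy) flag(25, 'anonymised source IP');
  // Velocity signal: many recent failures on this account suggests credential stuffing.
  if (attempt.failedLoginsLastHour >= 5) flag(20, 'high failure velocity');

  const action = score >= 60 ? 'deny' : score >= 30 ? 'challenge' : 'allow';
  return { score, action, reasons };
}

// Constructed login history for one customer: same laptop, same country, evenings.
const HISTORY = [
  { device: 'laptop-7f3a', country: 'US', hour: 19 },
  { device: 'laptop-7f3a', country: 'US', hour: 20 },
  { device: 'laptop-7f3a', country: 'US', hour: 21 },
  { device: 'phone-c21d',  country: 'US', hour: 20 },
  { device: 'laptop-7f3a', country: 'US', hour: 19 },
];

function runRiskDemo() {
  const baseline = buildBaseline(HISTORY);
  return {
    // Known device, known country, usual hour: nothing to flag.
    typical: assessLogin(baseline, {
      device: 'laptop-7f3a', country: 'US', hour: 20,
      anonymousProxy: false, failedLoginsLastHour: 0,
    }),
    // A new phone alone is worth a step-up, not a block.
    newPhone: assessLogin(baseline, {
      device: 'phone-9b10', country: 'US', hour: 19,
      anonymousProxy: false, failedLoginsLastHour: 0,
    }),
    // Unseen device and country, 3 a.m., anonymised IP, burst of failures.
    suspicious: assessLogin(baseline, {
      device: 'headless-0001', country: 'XX', hour: 3,
      anonymousProxy: true, failedLoginsLastHour: 12,
    }),
  };
}

console.log(JSON.stringify(runRiskDemo(), null, 2));
```

The middle case is the one worth noticing: a single anomaly lands in the challenge band, so a genuine customer on a new phone gets a step-up (for instance a passkey or one-time code) rather than a denial, while the stacked anomalies of the third case are refused outright.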

If you didn’t go passwordless this holiday or add real-time risk and trust assessments, we suggest making one or both part of your New Year’s resolution to prevent customer account fraud in 2023.

See why KuppingerCole named Transmit Security an ‘Overall Leader’ in 3 Leadership Compass Reports: Passwordless Authentication, CIAM and Fraud Reduction Intelligence Platforms.


  • Brooks Flanders, Marketing Content Manager

    In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her career with one of the largest cybersecurity companies in the world. With a voracious curiosity and a determination to shed light on a shadowy underworld, she's been researching and writing about enterprise security ever since. Her interest in helping companies mitigate deceptive threats and solve complex security challenges still runs deep.