‘Tis the Season to Be Cautious: Holiday Scams & How Retailers Can Prevent Them

As the holiday season approaches, retailers gear up for the busiest shopping period of the year. According to OnlineDasher, global online holiday spending in 2023 is expected to go up by 4.5% from 2022, reaching a total of around $1.2 trillion. Not surprisingly, AI technology is set to be a significant driver, contributing to an estimated $194 billion in online holiday sales.

However, this flurry of festive activity also prompts a surge in scams, targeting both consumers and retailers. Just earlier this month, Bricklink, a Lego marketplace that allows users to trade Legos, announced it had experienced a serious cyberattack. Bricklink suspects the criminals used credential stuffing, reusing stolen login credentials to access seller accounts so they could sell Lego assets at substantial discounts, fraudulently accepting payment from buyers without sending them their order. 

With the rise of sophisticated online fraud methods, understanding these kinds of scams becomes crucial for both shoppers and retailers to ensure a safe and enjoyable holiday season. This blog post will explain what scams to watch out for and offer insights on how to guard against them. 

With these tactics, fraudsters can be a real Grinch!

Ever since online shopping became the norm, the holiday season’s high transaction volume has provided fertile ground for scammers. This year, the cyber fraud arena has evolved with the significant advancements of generative AI and deepfakes, adding a new layer of complexity to sophisticated scams, including: 

  • Loyalty Point Fraud – Hackers access and exploit customer reward points by conducting account takeovers (ATO). This form of fraud spans over countless industries and millions of customers. Airline loyalty point fraud, for example, surged by more than 30% in 2022 alone, impacting over 75 airlines. To execute this kind of fraud, fraudsters take over customer accounts to drain them of reward points that are redeemable for products, services or cash. Reward programs, created to entice and keep customers, are notorious for being poorly secured. And with over 15 billion login credentials for sale on the dark web, millions of online accounts, including those associated with loyalty programs, are at risk of unauthorized access.

  • Buy now, pay later (BNPL) scams – Cybercriminals gain unauthorized access to a victim’s account on a platform like Affirm or Afterpay, often obtained through phishing attacks or by using previously leaked credentials. Once inside the account, the fraudster can then use the victim’s pre-approved BNPL facility to make unauthorized purchases. Since these transactions are charged to the victim’s account, the fraudster receives the goods or services without any immediate financial cost, while the victim is left with the unexpected debt and the complicated task of disputing fraudulent charges.

  • Bot attacks – Bots disrupt inventory management and online sales, leading to financial losses and customer dissatisfaction.
    • Registration bots involve automated scripts or programs used to create a large number of fake accounts on a platform or service. These fraudulent accounts are then exploited to establish new credit lines, obtain loans, execute unauthorized transactions, launder funds, and perpetrate various illegal activities. According to a Javelin report, $7B was lost to account opening fraud in 2021.
    • Brute force bot attacks make it easy and fast for an attacker to systematically check all possible passwords or passphrases until the correct one is found. With an eight-character password, for example, a hacker would take at least 7 million years to crack it if we assume that one attempt takes a second. But using brute force bots, these hackers can crack the same password in a few seconds.

  • Scams using generative AI and deepfakes – Generative AI has enabled the creation of highly realistic digital content, complicating the task of distinguishing between legitimate and malicious communications. Phishing attacks increased by 1265% between the fourth quarter of 2022 and the third quarter of 2023, largely attributed to generative AI, according to SiliconAngle.
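The two bot patterns described above, credential stuffing (one source cycling through many accounts, as in the Bricklink incident) and brute force (many failures against one account), leave a recognizable shape in authentication logs. As an added example that is not code from the original post or from Transmit Security, here is a small detector in JavaScript run over a constructed sample log; the log format, the one-minute window and the thresholds are all assumptions:

```javascript
// Added example (not from the original post): flag login traffic that looks like
// credential stuffing or brute force. Log format and thresholds are assumptions.

// Constructed sample log, not real traffic: ISO timestamp, source IP, username, result.
const SAMPLE_AUTH_LOG = [
  "2023-12-01T10:00:00Z 203.0.113.7   alice FAIL",
  "2023-12-01T10:00:02Z 203.0.113.7   bob   FAIL",
  "2023-12-01T10:00:04Z 203.0.113.7   carol FAIL",
  "2023-12-01T10:00:06Z 203.0.113.7   dave  OK",   // a reused credential worked
  "2023-12-01T10:00:08Z 203.0.113.7   erin  FAIL",
  "2023-12-01T10:00:10Z 203.0.113.7   frank FAIL",
  "2023-12-01T10:00:01Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:03Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:05Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:07Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:09Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:11Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:13Z 198.51.100.23 gina  FAIL",
  "2023-12-01T10:00:30Z 192.0.2.10    bob   OK",   // ordinary shopper
  "2023-12-01T10:05:00Z 192.0.2.10    bob   FAIL", // one typo, not an attack
];

function parseAuthLine(line) {
  const [ts, ip, user, result] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), ip, user, ok: result === "OK" };
}

function groupBy(events, keyFn) {
  const groups = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(e);
  }
  return groups;
}

// Densest run of events for one key that fits inside windowMs (sliding window).
function busiestWindow(events, windowMs) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  let best = [];
  let start = 0;
  for (let end = 0; end < sorted.length; end++) {
    while (sorted[end].ts - sorted[start].ts > windowMs) start++;
    if (end - start + 1 > best.length) best = sorted.slice(start, end + 1);
  }
  return best;
}

function analyzeAuthLog(lines, opts = {}) {
  const { windowMs = 60_000, minDistinctUsers = 5, minFailRatio = 0.8, minFailsPerUser = 6 } = opts;
  const events = lines.map(parseAuthLine);

  // Credential stuffing: one IP, many different usernames, mostly failures.
  // The few successes are the accounts to lock and notify.
  const stuffingSources = [];
  for (const [ip, evs] of groupBy(events, (e) => e.ip)) {
    const w = busiestWindow(evs, windowMs);
    const distinctUsers = new Set(w.map((e) => e.user)).size;
    const fails = w.filter((e) => !e.ok).length;
    if (distinctUsers >= minDistinctUsers && fails / w.length >= minFailRatio) {
      stuffingSources.push({ ip, distinctUsers, failRatio: fails / w.length,
        compromised: w.filter((e) => e.ok).map((e) => e.user) });
    }
  }

  // Brute force: one username, many failures in a short window, regardless of source.
  const bruteForceTargets = [];
  for (const [user, evs] of groupBy(events.filter((e) => !e.ok), (e) => e.user)) {
    const w = busiestWindow(evs, windowMs);
    if (w.length >= minFailsPerUser) bruteForceTargets.push({ user, failures: w.length });
  }
  return { stuffingSources, bruteForceTargets };
}
```

Per-IP and per-account counters like these are the basis for rate limiting and for deciding which accounts need a forced credential reset; the ordinary shopper with one mistyped password is left alone.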

Deepfakes have further escalated the issue, as scammers can now use AI-created media to convincingly alter or fabricate images, videos and audio. By manipulating facial and voice recognition systems, fraudsters can gain unauthorized access to accounts and bypass security measures to conduct malicious activities.

Industry reports reveal a staggering 3,000% increase in deepfake fraud incidents from 2022 to 2023, indicating the volume and level of sophistication shoppers can expect to face. 

Take back the reins with end-to-end account security

In response to the increasing sophistication of online fraud, especially those employing AI and deepfakes, a range of effective solutions is necessary.

Enhanced authentication

Arguably the most important step in reducing ATO fraud is utilizing strong authentication methods, which means getting rid of passwords. Phishing resistant credentials with a fingerprint or face ID, passkeys, magic links and one-time passcodes (OTPs) are all solutions less susceptible to manipulation. 

Transmit Security is revolutionizing authentication processes by providing alternatives to passwords and outdated multi-factor authentication (MFA) methods, whether through a phase-out or a full switch. FIDO-based credentials such as passkeys, which use fingerprint and facial biometrics, are the most secure way of confirming a user’s identity based on their unique physical attributes. FIDO-based authentication employs public key cryptography to safeguard customer biometric data, providing phishing-resistant credentials that eliminate the risk of server-side attacks. Transmit Security further enhances passkey security at each stage of the customer lifecycle.

AI-based identity verification and fraud detection

Beyond traditional identity verification, it’s important to employ techniques that can detect forged documents and deepfake manipulations. This includes using AI-driven tools that analyze the authenticity of identity documents and detect the subtle signs of digital alteration, making them more effective than traditional rule-based systems, which cannot adapt quickly enough to prevent sophisticated AI-assisted fraud.

Transmit Security uses AI to detect adversarial attacks and other AI-based fraud tactics and provides a natively integrated platform set of services to simplify identity security. With it, businesses can strengthen their protection against deepfakes and consolidate identity security with: 

  • Detection and Response Services leverages ML and AI to perform device fingerprinting, behavioral biometrics and anomaly detection. Context-aware security runs in the background at all times, triggering step-up authentication or identity verification to stop suspected fraud or remove friction for trusted customers. 
  • Identity Management that enables a holistic view of users and consolidates user data.
  • Identity Orchestration Services to simplify user journeys and automate step-ups and other responses to user anomalies.

Prioritized customer experience

While security is the first priority, customer experience is a close second. Transmit Security’s risk-aware authentication and journey-time orchestration prioritize both, adapting the login experience in real time. To achieve this, AI-driven fraud detection runs in the background throughout the login process, examining risk, trust, fraud, bots and behavior to formulate a recommendation: Allow, Challenge or Deny. Orchestration then triggers the appropriate user flow. 

For example, if a user logs in with an OTP or password (a single factor), there’s an elevated risk. But if Transmit Security’s fraud detection engine determines there are no signs of aberrant behavior, and it’s the user’s known device, typical network and a trusted IP address, it could meet your risk tolerance and recommend “Allow,” granting user access while removing friction.
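The Allow, Challenge or Deny recommendation above comes from weighing the login context: the strength of the factor, device familiarity, network, IP reputation, behavior and bot signals. As an added illustration in JavaScript (not Transmit Security’s engine), here is a toy risk scorer that turns those signals into a decision and the step orchestration would trigger; the signal names, weights and thresholds are assumptions:

```javascript
// Added example (not Transmit Security's engine): map login-context signals to an
// Allow / Challenge / Deny recommendation. Weights and thresholds are assumptions.
const POLICY = { allowBelow: 30, denyAtOrAbove: 70 };

// Factors that cannot be phished or replayed earn no risk points on their own.
const PHISHING_RESISTANT = new Set(["passkey", "fido2"]);

function scoreLogin(ctx) {
  const reasons = [];
  let score = 0;
  const add = (points, why) => { score += points; reasons.push(`${why} (+${points})`); };

  if (!PHISHING_RESISTANT.has(ctx.factor)) add(25, `single replayable factor (${ctx.factor})`);
  if (!ctx.knownDevice) add(25, "unrecognized device");
  if (!ctx.typicalNetwork) add(15, "atypical network");
  if (!ctx.trustedIp) add(10, "IP not previously trusted");
  if (ctx.behaviorAnomaly) add(30, "behavioral anomaly");
  if (ctx.botSignals) add(45, "automation signals");

  let decision;
  if (score >= POLICY.denyAtOrAbove) decision = "Deny";
  else if (score >= POLICY.allowBelow) decision = "Challenge";
  else decision = "Allow";

  // What orchestration does next for each recommendation.
  const nextStep = {
    Allow: "grant session without extra friction",
    Challenge: "step up to a passkey or verified OTP before granting access",
    Deny: "block the attempt and raise an alert",
  }[decision];
  return { score, decision, nextStep, reasons };
}

// The scenario from the text: OTP only, but a known device, typical network and trusted IP.
const TRUSTED_OTP_LOGIN = {
  factor: "otp", knownDevice: true, typicalNetwork: true, trustedIp: true,
  behaviorAnomaly: false, botSignals: false,
};

// Same OTP login from a device the user has never used.
const NEW_DEVICE_OTP_LOGIN = { ...TRUSTED_OTP_LOGIN, knownDevice: false };

// Credential-stuffing shape: unfamiliar everything plus automation signals.
const BOT_LOGIN = {
  factor: "password", knownDevice: false, typicalNetwork: false, trustedIp: false,
  behaviorAnomaly: true, botSignals: true,
};

// Passkey on a new device: the factor itself carries no replay risk, so no step-up.
const NEW_DEVICE_PASSKEY_LOGIN = { ...NEW_DEVICE_OTP_LOGIN, factor: "passkey" };
```

The point of the weights is that a single weak factor is tolerable only when every other signal is reassuring; remove one of those signals and the same login is challenged, while a phishing-resistant factor keeps the experience frictionless even on a new device.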

Have a happy, fraud-free holiday

The holiday season presents both opportunities and challenges in the digital retail space, but as online shopping continues to rise, it’s vital for both consumers and retailers to be vigilant against the rising tide of sophisticated online scams. From BNPL scams to loyalty point fraud and advanced bot attacks, the landscape of online fraud is evolving rapidly, driven in part by the proliferation of generative AI and deepfakes. These AI-driven scams are not only increasing in number but also in complexity, making it more challenging to distinguish between legitimate and fraudulent activities. 

To combat these threats, a multi-faceted approach involving enhanced authentication and AI-based fraud detection, while also prioritizing customer experience, is essential. The move towards passwordless and multi-factor authentication methods, such as biometrics and passkeys, is a significant step in reducing account takeover fraud.

Transmit Security’s innovative solutions, which eliminate outdated authentication methods, offer a more secure and low-friction user experience. Additionally, the integration of AI in identity verification and fraud detection systems is crucial in identifying and responding to AI-assisted fraud tactics. By adopting these advanced security measures, both retailers and consumers can safeguard their online activities and enjoy a safer, more secure holiday shopping experience.