Just as it has impacted nearly every other aspect of our lives, COVID-19 is now altering the unofficial start of the holiday season. In an attempt to capitalize on shifts in consumer behavior created by the crisis, this year brands across industries — from big-box retailers to e-commerce giants — are starting their holiday season push earlier than ever before.
While this is the busiest time of the year for many brands — the holiday season is also big business for fraudsters. According to a National Retail Federation survey, theft and fraud cost retailers $62 billion in 2019, up from $51 billion the previous year. However, armed with massive amounts of personally identifiable information (PII) gathered during a rash of fraud that followed the first stimulus package, the scams and schemes we are likely to see over the coming weeks and months threaten to be far more sophisticated and deleterious than years prior.
It’s The Most Wonderful Time of Year…for Fraud
One of the most reliable ways to anticipate a rise in fraud is during periods of predictably-irregular behavior by consumers. Fraudsters emulate this behavior to maximize the breadth and depth of their schemes without appearing anomalous in ways that would typically arouse suspicion. The holiday shopping season is a perfect cover because consumer behavior temporarily becomes spontaneous and unpredictable. Unlike any other time of year, it’s easy to imagine a typically frugal spender springing for higher-priced items with greater frequency if the purchases are gifts, or because some flash deals and discounts are just too good to pass up for themselves. Customers might add new shipping addresses to their profile to avoid having to mail gifts to friends and relatives. There is a noticeable surge of in-store pickups and a flurry of returns for unwanted gifts. Consumers also use all forms of payment, including gift cards and co-branded credit cards. Customers open new accounts, lines of credit, and even request credit increases to take advantage of privileged discounts and rewards programs. All of these actions are perfectly reasonable for real customers, but it also means that fraudsters can steal more expensive items or order gift cards, ship them to new locations or pick them up in-store, return stolen items for cash or store credit, or open up new lines of credit– all under the radar of suspicion.
And while bad actors are adept at hiding from their corporate and consumer victims, they’re surprisingly open to sharing strategies, tactics, and their greatest weapon: customer information, with their criminal counterparts. Specifically, the PII already available on the dark web for millions of consumers, but now bolstered by opportunistic phishing attacks that exploited individuals and their accounts during the early days of the pandemic. We reported in May that these early waves of fraud may have just been a precursor to long-term criminal schemes. For example, a fraudster who gained access to a bank account in March or April may have initially only made subtle changes (like adding a new email or mailing address to an online profile) or gathered specific information (like confirming the answers to security questions) needed to make an upcoming fraud event seamless and lucrative.
As consumers face life-altering health and financial situations, fraudsters have been quick to concoct diabolical schemes designed to use desperation as a means of distraction. In moments of weakness or confusion, individuals are revealing even the most sensitive data like one-time passcodes. This privileged information ensures that a criminal can bypass corporate security in mere seconds to complete the fraud. And when equipped with the right information, even the best contact center agents have no reliable means of identifying impersonators.
The near-endless new vulnerabilities are making it difficult for businesses to keep up. Consider the rapid shift to work-from-home environments for employees with sensitive access to consumer information and business systems. The personal tech devices of those employees were instantly transformed into access portals for hackers that now only need to phish information from individuals to bypass an entire security infrastructure.
In sum, fraudsters will use unpredictable buying behavior and massive amounts of compromised consumer data to cash in this year. COVID will only make it worse.
The COVID Impact
If chaos is the proverbial playground for fraudsters, COVID-19 has enabled a historically long recess. Collectively, we have never been so vulnerable to fraud. The unrelenting, ubiquitous impact of the virus on our daily lives has created new cover for criminals who rely on sustained chaos and confusion. Economic stressors and constantly changing circumstances have caused consumers to bombard contact centers with requests and concerns at unprecedented levels. The sheer volume of legitimate interactions from customers, and the myriad issues they are now calling about, make it difficult for call center agents to consistently apply the diligence and discretion needed on every call to stop well-prepared, savvy impersonators.
Compounding the problem this year is a variety of new factors. For starters, many retailers are proving eager to capitalize on a booming e-commerce market by starting the season early. And, it’s not difficult to see why. New or changing circumstances may have actually expanded the buying power for some Americans, but more broadly they have made online shopping preferable, if not necessary, for most. But, starting early also ensures that these new challenges will last longer. The resulting, sustained volume of online or phone-based buying, mixed with the unpredictable behavior itself, will stress-test the people and automated systems designed to detect and respond to threats for months to come. Businesses that are solely focused on driving revenue also risk propping open the flood gates for a costly wave of new fraud.
Finally, we must consider COVID-19’s unmistakable influence on commerce itself. It changed the ways we shop, perhaps for good. Prior to COVID-19, mobile use and e-commerce were already on the rise. Many find digital conveniences preferable to the in-store mania of years past. With the crisis forcing everyone indoors and online, the number of consumers shopping digitally is expected to grow dramatically. Naturally, fraud will be hiding in the shadows not far behind.
According to Retail Dive, mid-to-large retailers that offered mobile commerce services saw fraud volume spike from 1,319 fraud attempts in 2018, to 3,085 fraud attempts in 2019. More recent findings show that the E-commerce fraud attempt rate rose by 13% in April alone. We can expect to see a much greater spike over the coming weeks and months. These shifts in consumer patterns and behaviors that have made fraudsters particularly successful of late. And while the full extent of the effectiveness of their attacks won’t be known for some time, it’s been reported that Americans have already lost $145 Million to COVID-19 fraud. This does not even begin to factor in the cost of and lost opportunity from PPP loan scams, which account for hundreds of millions more.
Businesses looking for consumers to take responsibility for their accounts or take proactive steps to protect their information may be surprised to find that most are doing neither.
Consumers Are Exposed & Flat-footed
Recently, the team at Next Caller commissioned a study to over 1,000 Americans, the findings of which suggest that greater trouble is on the horizon this holiday season.
Amongst the findings was the startling reporting of 55% of Americans who believe they’ve already been targeted by COVID related fraud. Based on previous Next Caller reports, data shows that this percentage has gone up with every passing month since the onset of the crisis. In our ‘Week 4 and 5’ report, 32% of Americans surveyed believed that they’d been targeted by COVID related fraud. By Week 8, 37% of Americans said the same.
Of course, this significant jump is concerning in its own right, but what’s arguably more worrisome is the fact that 59% of Americans say that they have not taken any additional precautions to protect themselves from these attacks.
The lack of personal accountability on the part of individuals is music to fraudsters’ ears. For the financial institutions and retail brands charged with protecting them, it sounds more like crashing cymbals.
For the consumer, becoming a victim of fraud in the midst of such extreme circumstances would surely be devastating, if not untenable. In the next section, we’ll discuss what to expect and how Americans can take steps to avoid becoming a victim.
Preventative Steps for Consumers
While the reasons given for consumers not taking precautionary measures are logical: ‘not having time’ or ‘having bigger concerns’, additional findings such as only half of Americans report checking their accounts for fraud more than once or twice a month are frightening when weighed against the increase in fraudulent activity around the corner. In fact, just keeping track of one’s accounts and personal information is one of the simplest, yet most effective ways to prevent being victimized. This includes regularly logging into your online accounts and reviewing every piece of information stored in your profile. Confirm that every phone number, mailing address, email, and credit card number stored was added by you.
Besides the basics, there are other measures consumers can take to defend themselves against fraud this holiday season.
- Phishing & Spoofing
By now, most of us are aware of what phishing and spoofing are: emails, phone calls, social media, or websites that appear to be legitimate, but are in fact well-designed attempts to collect useful identifying information like your social security number, address, or credit card number.
You can expect phishing attempts around new gadgets and other in-demand products or services. For example, Amazon Prime Day, Amazon’s annual retail event that normally takes place in mid-October, will most likely attract hackers looking to use Amazon’s logos to lure online shoppers into phishing scams. In this case, hacker’s fake Amazon sites will try to trick unsuspecting consumers into engaging with them. COVID has offered lots of new opportunities for exploitation, with criminals offering any number of products and services claiming to be treatments and cures, or even fake checks, loans, credits, or discounts to relieve financial hardship.
A good rule of thumb to avoid falling victim to a fake website is to always check for an “S” in the URL. A website with a URL that starts with “https” indicates a secure site. If you are ever in doubt, opt to search for a source yourself instead of clicking a link sent to you. Are you waiting on your next stimulus or unemployment check? Go to the appropriate government website directly instead of responding to an email.
But most importantly, never, EVER give out passwords, one-time codes, pins, or your social security number to anyone who calls you. You can always call an officially listed number back to speak with a representative about the issue. Often times, a criminal will pretend to call from a business or agency by spoofing their phone number (which means the caller ID will display any number the fraudster wants you to see), while simultaneously submitting a request to reset or change your account information with that actual business or agency while you are on the line. Since their action may trigger a passcode that only you have access to in that moment, the criminal just needs you to provide them with it in real-time to instantly complete the fraud. However, if you refuse to give away the code over the phone and insist on calling the business back yourself to sort out the issue, you will stop the scheme in its tracks.
Remember, if anything feels strange or suspicious, do not feel bad about simply hanging up. Most criminals look for the path of least resistance. If you deny them the opportunity, chances are they will just move on to an easier target. Don’t feel bad about saying “no” if you aren’t sure.
- Mobile Takeover
With the rise of mobile-based payment platforms, mobile fraud is on the rise. Greater access to personal information allows fraudsters to more easily gain access to major carrier phone accounts and carry out a variety of fraud tactics. In fact, U.S. consumers are expected to spend more than 1 billion hours on Android devices alone during the fourth quarter, a 50% increase from the same time last year according to mobile data and analytics firm, App Annie. To protect yourself, don’t get lulled to sleep by convenience. Particularly when shopping or browsing on your mobile device, be careful not to quickly click pop-ups that might authorize access to your device in ways that you don’t fully understand. If a link redirects you to a new webpage, double-check the URL before you continue shopping. Don’t auto-save passwords for websites that are linked to your bank accounts or credit cards. Alway set up two-factor authentication when it’s offered.
A hacker will illegally copy a legitimate website and mimics its content in order to trick consumers into engaging with the fraudulent website. The goal for the hacker is to redirect web traffic from legitimate websites, to the cloned fraudulent ones.
Pagejacking is also directly correlated with “mousetrapping,” which occurs when a page prevents users from being able to exit a page they’re on. While this is essentially another form of phishing, it can be especially frustrating to be caught in an endless cycle of closing a window just to have it pop back up again immediately.
To avoid these scams, consumers need to be vigilant when engaging with an e-commerce site, or any other website for that matter. It’s important to always look for irregularities in text or misshapen logos. If you aren’t expecting communication from a certain business, be wary of any emails or requests for information or confirmation from that business.
- Porch Pirates
In 2019, An estimated 36% of Americans had a package stolen from outside their home at least once. As package deliveries surge during the peak holiday season, so too do the incidents of package theft.
To keep porch pirates at bay, require a signature on the delivery or route the package to a location where someone can actually accept it, rather than letting it languish on your “Welcome” mat.
As the busiest season of the year for travel and shopping, ATM machines, gas station pumps, and even the Point of Sale (POS) in retail shops pumps are prime targets for fraudsters. By planting nearly undetectable devices, criminals are able to capture financial information when a card is inserted into them. Be on the lookout for false fronts to these machines that appear to be attached on top of the device itself.
- Freeze Credit
Similar to expert recommendations after the Equifax hack of 2017 resulted in the pilfering of millions of American’s PII, individuals should consider freezing their credit if you feel you are particularly at risk, do not have the ability to check your credit, or do not plan on applying for credit in the near future. And not just your own credit; if they have children or dependents, make sure theirs are protected as well.
The Harsh Reality
While the above tips are important to follow regardless of current circumstances, the explosion of fraud surrounding COVID-19 makes us uniquely vulnerable. We can assume the dark web is ripe with the sensitive PII needed to silently and effectively fuel fraud this holiday season. Here are just some examples of how fraudsters will use PII:
- Apply for new credit cards
- Apply for unemployment or stimulus aid in your name
- Take over your personal accounts
- Take over existing credit cards
- Apply for loans: Home Equity, Student, Business, Personal
- Set up bank accounts
- Take over their SS benefits
- Get W2s to file tax returns
All of this information can also be used for more than financial crimes. A common mantra within fraud circles is “All Crime Should Begin with Identity Theft.” Once a victim’s information is exhausted for financial gain, criminals can simply use their identity to prepare future attacks.
Preventative Steps for Retailers & Financial Institutions
Consumers aren’t the only ones susceptible to threats this holiday season; retailers and financial institutions also have a bullseye on their backs, and not just from fraudsters. There’s also an expectation among consumers that brands need to do their part to protect their information. In fact, 56% of consumers believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information and accounts from fraud.
Asking for the right balance between security and service is reasonable under normal circumstances, but today’s environment is anything but normal. So, fair or not, the onus falls to businesses to figure out how to make it work while customers want their cake and plan on eating it, too. In their weakest moment, consumers expect their experience to be accommodating and free from frustration, while also expecting total protection against fraud, even if they are not doing much to prevent those attacks themselves. All the while indicating that a lifetime of brand loyalty is at stake. Perhaps Americans will be more understanding of the hiccups that come with facing a global pandemic, even if it involves a more friction-filled, perhaps even less secure interaction with their favorite brands. But, brands would be wise not to rely on their patience for long. Here’s what brands can do to protect themselves and their customers:
- Follow Physical Protocols
Brick and mortar retailers are often overwhelmed during the holiday season — especially during Black Friday and other holiday-themed sales events. During these times, customer service representatives and cashiers become the last line of defense and are frequently targeted. This year things are even more complex, once again because of the crisis.
To meet customer needs, retailers increasingly offered omnichannel customer service options such as Buy Online, Return in Store (BORIS). Fraud attacks exploiting these policies increased 55% compared to H1 2019, as merchants offering frictionless experiences are less likely to ask for customer identification. As fraudsters will increasingly target and exploit these services, employees must remain informed of and committed to process and protocols.
- Lock Down Shipping
One of the ways that retailers are targeted comes from fraudsters purchasing items, having them shipped to the correct billing address, but then diverting the shipment to a new address at some point later in the process.
Retailers should lock their shipments down — prevent changes to delivery address — to avoid falling prey to this common type of fraud. They should also require signatures on their deliveries to avoid “porch pirates.” Porch pirates engage in some of the most brazen types of fraud and theft — they’ll order fraudulent purchases, have them shipped to the address of the victim (or even a vacant address), wait near by on the delivery day for the truck to arrive, and steal them immediately.
- Be Aware of Important Dates
While the entire holiday season can provide fertile ground for fraudsters, the time between Black Friday and Cyber Monday has historically been an especially precarious one. Research has shown significant increases in online retail credit card fraud and other scams and schemes during the busiest shopping weekend of the year, and this year will be no different.
However, with Amazon Prime Day set to kick off the unofficial start of the holiday season this year on October 13th, brands must have their defenses ready early as bad actors look to lure unsuspecting customers into fraudulent sites and carry out other scams and schemes.
- Monitor Employees
Some of the most surprising breaches have been caused by employers unknowingly opening infected emails or attachments. With employees largely working in remote environments the risk is much greater. Retailers and financial institutions should have vigilant employee monitoring in place to prevent these types of breaches from happening within their organizations.
While obvious, it’s also important to remind corporate leadership that employees are regular people, too. They face all the same financial and health-related hardships, under the same pressure to provide for their families. This can cause some individuals to take drastic, even uncharacteristic actions to make ends meet, including using their access to commit fraud or enable a scheme from the inside. But, there are ways to get out ahead of such dire circumstances. If possible, offer personal and/or financial resources to employees that desperately need it. Examples include free or partially paid counseling, child care services, or medical insurance. Offering flexible time off, opportunities to earn additional income, or even office hours just to listen are other ideas that make a difference. Going the extra mile to show that you care about their well-being can be crucial to helping steer those in desperate need away from making life-changing mistakes.
- Shore Up the Weakest Link
The call center has always been the weakest link in the fraud chain because it contains an extremely vulnerable component: humans. Over 95% of all fraud, including fraud that originates online, will involve call spoofing at some point in the process. And while certain infrastructure has advanced and evolved, much of this progression has also been counteracted by the new “normal” working from home.
Under normal circumstances, agents tend to streamline security processes to avoid damaging satisfaction ratings and angering customers. But with the busiest time of the year for consumer activity and the economic fallout from the crisis still unfolding, the risk of lapses in judgment are amplified.
Today, with typical surges in fraud compounded by the additional strains of the crisis, the pressure is on agents to accommodate customers while assuring their security, too. With stakes at an all-time high, imagine an agent dealing with a distressed mother traveling between state lines with a crying baby in the background and no access to her credit card because of anomalies flagged in a transaction. Or denying a stranded holiday traveler access to their account because they can’t access a one-time passcode from the airport. And yet, each of these scenarios is also a perfect cover for fraud. Even the best agents are susceptible to coercion, and fraudsters rely on these small oversights and mistakes to work the system.
To prevent these means of attacks, organizations must put resources behind agents and technology to secure lines and protect customers across channels. Call center agents and other team members should be cross-functionally aligned on the potential risk associated with increased fraud rates analogous with the holiday shopping season, equipped with technology that can identify and predict trends, and properly trained to handle stressful situations in order to stay vigilant against bad actors’ attacks on the call center.
Aside from keeping agents well trained, informed, and equipped, businesses should not shy away from time and cost-saving strategies to reduce their burden. In particular, the authentication process offers ample opportunity to become more efficient. For example, the ability to match an incoming phone number to an existing customer record can drastically reduce the time it takes to confirm a customer’s identity by avoiding knowledge-based questions and one-time passcodes that also make things harder on callers. Of course, matching phone numbers are only possible if you can trust the call has not been spoofed or manipulated in any way. Thus, passive call verification and ANI validation tools are an essential part of making the call operation frictionless, without compromising security. These tools also have the added benefit of detecting other criminal techniques that advance fraud success rates, including ANI trawling, IVR mapping, toll fraud, TDoS attacks, robodialing, call forwarding, number porting, and more.
With COVID-19 compounding the threats that consumers and businesses face, it’s likely that we are headed into one of the most unpredictable and combustible fraud seasons in history. The lack of preparedness among consumers is especially alarming. Unfortunately, even by following all of the advice above, there is no guaranteed defense against a powerful and pervasive fraud ecosystem. Fraudsters lay in wait to exploit every opportunity, and take advantage of anything businesses do to make life easier on their customers. However, if you take the proper, and sometimes proactive steps, it’s sure to lower the likelihood that you will become the next victim.