
Time for retailers to focus on the digital-physical curbside crimewave

Today’s columnist, Kevin Lee of Sift, offers some ideas on how security teams at retailers can prevent fraud around the buy online, pick-up in store trend, where fraudsters take over accounts online, then pick up the merchandise at the physical stores, often reselling it for a profit.

Reports of the retail industry’s death have been greatly exaggerated. While COVID-19 ravaged the hospitality, travel and leisure industries, retail has escaped total calamity through plucky entrepreneurialism and the ability to adapt. But with new innovation comes fresh vulnerability. It might have dodged death by pandemic, but now retail faces assault from a virtual curbside crimewave.

Barred from browsing and disappointed by delays in home delivery, shoppers have flocked to curbside pickup. Nearly 70 percent of American consumers made click-and-collect purchases in the past six months according to Business Insider Intelligence. But fraudsters are lining up at the curb just like the rest of us.

Taking advantage of buy online, pick-up in store (BOPIS), these scam artists impersonate customers with stolen account information to make a purchase online, then step out from behind the screen and into the actual pickup line to complete the con. By hopping between the digital and physical worlds, they abuse flaws in newfound fulfillment methods to cause severe financial and reputational risk. And the criminals are just getting started. 

With the third wave of COVID-19 running rampant, most people will avoid in-person shopping for the next few months. Doorbusters will make way for Curb Busters, causing account takeovers (ATO) and associated BOPIS attacks to surge. The confluence of fresh and increased opportunity means retail will need to adapt yet again to prevent fraudsters from walking away with a buy-one-get-one-free on merchandise and customer data.

An opportunity for fraudsters

BOPIS offers a unique opportunity for bad actors to leverage credentials from successful ATO without traditional security checks, such as proving identification, a signature or even a physical delivery address. Fraudsters use stolen account credentials, place an order online, either using a customer’s stored payment information or through newly-stolen payment details, and simply pick it up curbside. They then either keep the items, or resell them for a profit.

Without needing to produce a delivery address that matches known customer data, and nothing but the account login to overcome, criminals can easily stroll up to any curbside pickup point and, literally, walk away with their prize.

That kind of fraud doesn’t just cause financial loss. It can shake the confidence of retailers and customers alike, who had their identity misappropriated. When online fraud meets in-person impersonation, it’s more tangible and potentially catastrophic for customer trust and retention.

And there are more opportunities than ever to take online fraud out into the real world of retail. Our research shows that general ATO attacks rose by 282 percent between 2019 and 2020. This surge of ATO means that there are more consumer credentials available for fraudsters to leverage than ever. It’s a short hop from here to an increase in BOPIS fraud.

Retailers really need to increase the scrutiny applied to BOPIS orders at the curbside, adding additional customer protection and forming a last line of defense before merchandise takes a walk. Here are some ways to prevent these attacks:

  • Trust, but verify.

It’s possible to head off stolen credentials from successful ATOs before a criminal even gets close to the curb. You may, for example, associate a cookie with the stored credit card, and if that cookie isn’t present when the payment method gets used, ask the user to re-enter the card number or the verification code. Another method for companies that ship physical goods is asking users to re-enter their payment information if their shipping addresses are not the same as when the payment method was first stored.
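The stored-card check described above can be sketched as follows. This is an added example, not code from the column or from Sift; the key, the account and card identifiers, the address strings and the function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment would load this from a secrets manager.
SERVER_KEY = b"demo-only-key-not-for-production"


def card_cookie(account_id: str, card_token: str) -> str:
    """Value set as a cookie in the browser where the card was first stored."""
    msg = f"{account_id}|{card_token}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def normalize(address: str) -> str:
    """Cheap normalization so case and spacing alone do not force a step-up."""
    return " ".join(address.lower().split())


def checkout_step_up(account_id, card_token, cookie, stored_address, order_address):
    """Return the reasons the buyer must re-enter card details (empty list = allow)."""
    reasons = []
    expected = card_cookie(account_id, card_token)
    if cookie is None:
        reasons.append("card_cookie_missing")
    # Compare as bytes in constant time; the cookie is attacker-controlled input.
    elif not hmac.compare_digest(cookie.encode(), expected.encode()):
        reasons.append("card_cookie_invalid")
    if normalize(stored_address) != normalize(order_address):
        reasons.append("address_changed_since_card_stored")
    return reasons


# Constructed sample data.
ACCOUNT, CARD = "acct-1001", "tok_card_42"
HOME = "12 Elm St, Springfield"
GOOD_COOKIE = card_cookie(ACCOUNT, CARD)

if __name__ == "__main__":
    print(checkout_step_up(ACCOUNT, CARD, GOOD_COOKIE, HOME, "12 elm st,  springfield"))
    print(checkout_step_up(ACCOUNT, CARD, None, HOME, HOME))
    print(checkout_step_up(ACCOUNT, CARD, "f" * 64, HOME, "99 Dock Rd, Shelbyville"))
```

Because the cookie value is an HMAC over the account and the card token, a cookie copied from a different card or account fails the check just as a missing one does.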

  • Rethink data.

Many signs of ATO are contained in subtle behavioral patterns across all of a user’s activity. Today, usual activity has changed. Customers are doing more online shopping at different hours from more places and with different devices than before the pandemic. Businesses need to balance fraud prevention with customer experience by building automated and adaptive defenses. Advanced velocity checks can detect changes in typical user behavior, whether through purchase volume, changes in device, address or payment method. By constantly evolving, these velocity checks allow for natural changes in customer behavior, while protecting against fraud.

Retailers also overlook post-mortem analysis. Analyze all of the users who have deactivated their accounts. A post-mortem on a sample, or each one (depending on volume), can identify patterns and commonalities connected with BOPIS fraud.

  • Look outside silos to find new clues.

BOPIS fraud omits a piece of data usually crucial to e-commerce: the delivery address. Instead, store location becomes critical. While the models to detect such crime are being written right now, they are likely to depend on new clues such as these. Speed of pick-up or commute time between the customer’s known location and pickup store are equally important. By looking beyond typical customer data and building these new types of indicators into behavior models, fraud prevention teams can find new ways to detect suspicious activity, heading off the combination of digital and physical fraud before it has a chance to become successful.
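The location and timing clues named above can be turned into review signals along these lines. This is an added example, not code from the column or from Sift; the `PickupOrder` fields, the thresholds, the assumed 50 km/h driving speed and the sample coordinates are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

# Assumed thresholds for illustration; tune against your own order history.
MAX_KM_FROM_KNOWN_LOCATION = 80.0
MIN_MINUTES_ORDER_TO_PICKUP = 20.0
ASSUMED_KMH = 50.0  # rough driving speed used to estimate commute time


class PickupOrder(NamedTuple):
    known_lat: float      # customer's usual location, e.g. billing address
    known_lon: float
    store_lat: float
    store_lon: float
    ordered_at: datetime
    arrived_at: datetime  # curbside check-in time


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def pickup_signals(order: PickupOrder):
    """Return the location and timing signals that warrant review."""
    signals = []
    km = haversine_km(order.known_lat, order.known_lon, order.store_lat, order.store_lon)
    minutes = (order.arrived_at - order.ordered_at).total_seconds() / 60
    commute_minutes = km / ASSUMED_KMH * 60
    if km > MAX_KM_FROM_KNOWN_LOCATION:
        signals.append("store_far_from_known_location")
    if minutes < MIN_MINUTES_ORDER_TO_PICKUP:
        signals.append("pickup_unusually_fast")
    if minutes < commute_minutes:
        signals.append("arrived_faster_than_commute_allows")
    return signals


# Constructed sample orders: one near the customer's usual location, one far away.
T0 = datetime(2020, 12, 1, 14, 0)
LOCAL = PickupOrder(40.7128, -74.0060, 40.7306, -73.9866, T0, T0 + timedelta(hours=3))
DISTANT = PickupOrder(40.7128, -74.0060, 39.9526, -75.1652, T0, T0 + timedelta(minutes=12))
```

The signals are reasons to route an order to review or extra verification at the curb, not verdicts; a customer picking up while travelling will trip the distance check legitimately.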

  • Operate at the speed of the thieves.

Automate the detection of these warning signs. Curbside fraudsters move too fast and too frequently for humans to keep pace. Real-time alerts and automated responses are the answer, but fraud prevention teams should not operate on a “set and forget” mentality. Manual reviews are vitally important to ensure automated risk assessment and keep pace with real customer behaviors.

Fed by large and diverse sets of data, a well-resourced review team can adapt automated defenses and, by offering a backstop for questionable orders, keep customers safe without resorting to fully automated solutions.

Retailers have spent much of 2020 scrambling to protect customers – and their bottom lines – from the impact of the COVID-19 pandemic. While the rise of BOPIS fraud should concern retailers as we move into 2021, it shouldn’t lead to paralysis. Beating back this new fraud vector requires an understanding of how fraudsters operate and then implementing the right strategy to stop them before they drive away with stolen merchandise.

Kevin Lee, digital trust and safety architect, Sift
