It’s fair to say the payments ecosystem has changed more in the past five years than the previous fifty, and retailers have adapted quickly to meet the new expectations of digital-savvy consumers seeking personalised, convenient and secure experiences.
A recent report from Australia Post showed eight in ten households shopped online in 2023, with online spending reaching $63.6 billion for the year, 16.8% of all retail spend in Australia [1].
The growth in eCommerce and digital payments more broadly has enabled retailers to reach new Australian and global customers, drive loyalty and create operational efficiencies, but it has also created new channels and opportunities for cybercriminals. Easier access to technology such as GenAI and machine learning tools has turned hacking into a potential side-hustle for fraudsters, and in 2023 scam losses reached $2.7 billion, according to a report by the ACCC [2].
Fraud and scam prevention is a monumental – and ongoing – challenge that requires every part of the payment ecosystem to play its part, and as we enter the peak season for online shopping, it isn’t just consumers who need to be aware of what’s at stake. At Visa, we monitor the payment landscape to identify and combat current and emerging threats – here are some of the key threats retailers are urged to watch out for to help protect their business and customers at this time of year.
Enumeration attacks: Here retailers and other merchants are targeted by cybercriminals who submit guessed payment data – primary account numbers, expiry dates or Card Verification Values (CVV2) – through a checkout at scale and speed, using the merchant’s own authorisation responses to learn which combinations are valid before using them for fraud. Attackers adopt a variety of methods but mostly target online merchants that lack adequate fraud controls, and the practice is on the rise.
In the first six months of 2023, Visa saw a 40% increase in enumeration attacks compared to the previous six months [3].
Gift card fraud: Physical gift cards may hold no value until activated, but some fraudsters have devised methods to steal cards and alter them before returning them to the rack. They physically manipulate the barcode so that, when a shopper purchases the compromised gift card and loads funds, the funds are sent to the fraudster. Such threats increase the importance of physical security around gift card displays in stores – retailers are encouraged to move toward tamper-resistant packaging so that manipulated cards cannot be returned to racks undetected.
Digital skimming: A popular tactic where fraudsters deploy malicious code onto retail checkout pages to capture sensitive payment data entered by merchants’ customers. Visa expects digital skimming attacks to increase as we approach the end-of-year holiday shopping season.
Policy abuse: This is a growing trend where fraudsters exploit retailer policies, such as lenient return or shipping practices, to make fraudulent claims or purchases. It also includes reseller fraud and promo or coupon abuse.
Account takeovers: These occur when fraudsters gain unauthorised access to a customer’s account, often using stolen credentials, to make fraudulent purchases or steal personal information. To counter this tactic, retailers can deploy advanced authentication methods, monitor logins for suspicious behaviour and educate customers on creating strong passwords.
Data breach and ransomware incidents: These continue to be a threat to the payments ecosystem, as breaches are becoming more impactful, both to the organisation breached and to the payments ecosystem as a whole. This is due to the increasing amount of data obtained by threat actors during breach and ransomware incidents, which they then use for extortion and resale.
Phishing and social engineering: It’s likely phishing attacks will only increase this time of year, with increasingly sophisticated fake websites offering discounts and sales that entice victims to enter payment details that can be captured, reused or sold. Generative AI has made it easier than ever for criminals to create highly customised phishing campaigns, and fraudsters are using SEO techniques to ‘push’ these phishing websites higher in search engine results.
Merchant sectors often targeted, spoofed and used for phishing during the holiday season include popular large retail and/or electronics merchants, airlines and other travel booking sites, hotel and hospitality sites and other travel-related customer service sites, and luxury goods retailers.
The democratisation of technology – especially AI – has emboldened cybercriminals, and it’s essential that the industry continues to invest and innovate in order to stay several steps ahead. Visa is continuously working with the industry not only to monitor threats to the payment ecosystem, but to drive adoption of secure technologies that can help identify, mitigate and combat fraud without compromising the user experience.
For example, innovations like tokenisation, used in checkout solutions such as Click to Pay, replace a 16-digit debit or credit card number with a unique identifier, a token that has no intrinsic or exploitable value, and can increase conversion rates while reducing fraud.
Tips to protect retailers and customers this season
While combating fraud and scams is an ecosystem effort, here are a few tips to help retailers protect themselves and their customers this season.
- Monitor the cyber health of your third-party providers as well as your own organisation and have a contingency plan in place in case of a data breach. Keep security software, and the systems it protects, regularly updated.
- Implement secure technologies such as tokenisation, authentication controls, and Click to Pay that can help your business authenticate customers and reduce fraud rates without adding friction to the payment experience.
- Protect all administrative and employee accounts with multi-factor authentication, never share administrator accounts, regularly audit access to remove non-essential users, and restrict administrative access by IP address where possible.
- Combat enumeration attacks by working with your acquiring bank or payment gateway to implement preventative measures such as anomaly detection, velocity monitoring and CAPTCHAs, which are tasks designed to be easy for humans and difficult for bots. Next-generation firewalls can also rate-limit failed attempts from individual IP addresses, while web application firewalls (WAFs) filter malicious HTTP traffic coming from the internet.
- Monitor for fake websites or social media campaigns that may be impersonating your brand to trick customers and report them to Scamwatch or ReportCyber.
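The velocity monitoring recommended against enumeration attacks, and the login monitoring recommended against account takeovers, can both be implemented as a sliding-window check over the authorisation or login log: a single source that makes many attempts, against many different card numbers or usernames, with almost all of them failing, is behaving like a bot rather than a shopper who mistyped a card number. The following is an added example written for this article, not Visa’s, an acquirer’s or any gateway’s code; the log line format, field names, thresholds and sample traffic are all assumptions constructed for illustration.

```python
"""Sliding-window velocity detection for card enumeration and credential
stuffing.  Added example: the log format, thresholds and traffic below are
constructed assumptions, not any real gateway's format or tooling."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str   # grouping key: client IP here (a merchant ID at the acquirer)
    kind: str     # "auth" = payment authorisation, "login" = account login
    subject: str  # what is being guessed: masked PAN + expiry, or a username
    ok: bool      # approved / successful


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line, e.g.
    '2024-11-20T10:00:01Z src=203.0.113.7 kind=auth subject=4111********1111|12/26 result=decline'."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, kv["src"], kv["kind"], kv["subject"], kv["result"] in ("approve", "success"))


class VelocityDetector:
    """Flags a source whose recent attempts look automated: many attempts,
    across many distinct subjects, with a high failure rate, all inside one
    sliding time window.  All three conditions must hold, so a customer who
    declines twice on the same card and then succeeds is never flagged."""

    def __init__(self, window_s: int = 60, min_attempts: int = 15,
                 min_distinct: int = 10, min_fail_rate: float = 0.8) -> None:
        self.window = timedelta(seconds=window_s)
        self.min_attempts = min_attempts
        self.min_distinct = min_distinct
        self.min_fail_rate = min_fail_rate
        self._recent: Dict[Tuple[str, str], Deque[Attempt]] = defaultdict(deque)

    def observe(self, a: Attempt) -> Optional[dict]:
        """Feed one attempt (in time order); return an alert dict or None."""
        q = self._recent[(a.kind, a.source)]
        q.append(a)
        cutoff = a.ts - self.window
        while q and q[0].ts < cutoff:      # expire attempts outside the window
            q.popleft()
        attempts = len(q)
        distinct = len({x.subject for x in q})
        fail_rate = sum(1 for x in q if not x.ok) / attempts
        if (attempts >= self.min_attempts and distinct >= self.min_distinct
                and fail_rate >= self.min_fail_rate):
            return {"kind": a.kind, "source": a.source, "attempts": attempts,
                    "distinct_subjects": distinct, "fail_rate": round(fail_rate, 2)}
        return None


def scan(lines: List[str]) -> List[dict]:
    """Run the detector over time-ordered log lines; first alert per (kind, source)."""
    det, alerts, seen = VelocityDetector(), [], set()
    for line in lines:
        alert = det.observe(parse_line(line))
        if alert and (alert["kind"], alert["source"]) not in seen:
            seen.add((alert["kind"], alert["source"]))
            alerts.append(alert)
    return alerts


def sample_log() -> List[str]:
    """Constructed traffic: one card-testing bot, one password-spraying bot,
    and a handful of ordinary shoppers, interleaved in time order."""
    t0 = datetime(2024, 11, 20, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(40):   # bot: a new PAN every second, almost all declined
        res = "approve" if i % 20 == 19 else "decline"
        lines.append(f"{stamp(i)} src=203.0.113.7 kind=auth subject=4111********{1000 + i:04d}|12/26 result={res}")
    for i in range(30):   # bot: one username every two seconds, all failing
        lines.append(f"{stamp(2 * i)} src=198.51.100.9 kind=login subject=user{i:03d} result=fail")
    for i in range(6):    # shoppers: the occasional decline, each from its own IP
        res = "decline" if i % 3 == 0 else "approve"
        lines.append(f"{stamp(5 * i)} src=192.0.2.{i + 1} kind=auth subject=5555********{4444 + i}|01/27 result={res}")
    return sorted(lines)  # ISO-8601 timestamps sort lexically, so this restores time order


if __name__ == "__main__":
    for alert in scan(sample_log()):
        print(alert)
```

On the constructed traffic the card-testing source is flagged on its 15th attempt (15 distinct card numbers, all declined, inside the 60-second window) and the password-spraying source on its 15th username, while none of the shoppers trigger an alert. In production the alert would feed a block, a CAPTCHA challenge or a rule at the gateway; the thresholds are deliberately conservative and should be tuned against the merchant’s own decline baseline.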
Martyna Lazar is head of risk at Visa Australia, New Zealand and South Pacific.
[1] Australia Post, Ecommerce Industry Report 2024: Inside Australian Online Shopping, 2024, https://auspost-report.s3.ap-southeast-2.amazonaws.com/eCommerce+Industry+Report+2024+-+Trends+in+eCommerce+section.pdf
[2] ACCC, National Anti-Scam Centre, Targeting Scams Report (scams activity 2023), April 2024, https://www.nasc.gov.au/system/files/targeting-scams-report-2023.pdf
[3] Visa, Visa Research Highlights Emerging Fraud Schemes in Retail and eCommerce, September 2023