How Retailers Can Fight Fraud and Abuse This Holiday Season

Online shopping will be more popular than ever with consumers... and with malicious actors too.

Sunil Potti, General Manager and Vice President, Google Cloud Security

November 23, 2020

The pandemic has had a significant impact on retailers across the spectrum, from apparel brands to grocery stores to big-box retailers. While each category of retail has faced its own specific challenges, there has been one common theme across the industry: increased demand and traffic across online platforms.

As retailers rush to meet these online demands, many have had to fast-track their digital roadmaps and establish new protocols to launch omnichannel services like BOPIS (buy online and pick-up in-store) and curbside pickup. 

Many retailers know that when it comes to reliability, just a second in lag time can mean the difference between a sale and an abandoned cart. Research shows that nearly 90% of consumers would leave a website and 30% of shoppers would think twice about being a return customer if a website was too slow. But this sudden shift to online shopping has also brought attention to new attack surfaces that retailers must secure.

Case in point: Since March 2020, our security service reCAPTCHA, which protects websites from fraud and abuse, has seen a 40% increase in usage. Businesses and services that previously saw most of their users in-person have shifted to online-first or online-only models. This increased demand for online services and transactions can expose businesses to various forms of online fraud and abuse. In fact, 8% of online business revenue today is lost to fraud and account takeovers. And there's no busier online shopping time than the holiday season. 

It's never been more crucial for retailers to protect their customers as they use their online services. Despite traditionally being an in-store holiday, Black Friday topped Cyber Monday in 2019 as the busiest day for online purchases with 93.2 million shoppers compared with 83.3 million. This year, many retailers have decided to close their doors on Thanksgiving and are rolling out online promotions and deals throughout November and December, to keep shoppers and employees safe. We're planning for a "peak on peak" online holiday shopping season for 2020.   

As shoppers seek to take advantage of the hottest bargains and retailers prepare for a predominantly online holiday shopping season, cybercriminals are looking to do the same with vulnerable IT systems and websites. There are several automated threats businesses must watch for to protect against brand damage and negative impacts to the bottom line. For example, attackers could use leaked credentials to hijack user accounts and stolen credit cards to make fraudulent purchases.

Elevated basket abandonment, a higher proportion of failed payment authorizations, and disproportionate use of the payment step are all possible signs of card cracking. Another threat is the denial of inventory attack, in which attackers take ecommerce items out of circulation by adding many of them to a cart/basket but never actually proceeding to checkout. This creates stock-outs and prevents legitimate buyers from making a purchase.
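The indicators above can be checked per client over checkout event logs. The following is an added example, not code from the article or from any Google product; the event names, sample data and thresholds are constructed assumptions, and it narrows the site-wide signals to per-client counts.

```python
from collections import Counter, defaultdict

# Constructed sample events (client id, event type, quantity); not real traffic.
EVENTS = (
    [("c1", "view", 1), ("c1", "add_to_cart", 1), ("c1", "payment_ok", 1)]  # normal shopper
    + [("c2", "add_to_cart", 1)]                                            # one item, then
    + [("c2", "payment_failed", 1)] * 9 + [("c2", "payment_ok", 1)]         # many card attempts
    + [("c3", "view", 1)] + [("c3", "add_to_cart", 40)] * 3                 # holds 120 units
    + [("c4", "view", 1), ("c4", "add_to_cart", 2)]                         # ordinary abandonment
)

# Hypothetical thresholds; tune against a site's own baseline.
MAX_FAIL_RATIO = 0.5      # failed / total payment authorizations
MIN_PAY_ATTEMPTS = 5      # ignore clients with only a few attempts
MAX_PAY_SHARE = 0.6       # payment events as a share of all the client's events
MAX_HELD_UNITS = 50       # units carted with no completed checkout

def summarize(events):
    """Aggregate per-client event counts and carted units."""
    stats = defaultdict(Counter)
    for client, kind, qty in events:
        stats[client][kind] += 1
        stats[client]["events"] += 1
        if kind == "add_to_cart":
            stats[client]["units"] += qty
    return stats

def flag_clients(events):
    """Return {client: [signals]} for clients matching the article's indicators."""
    flagged = {}
    for client, s in summarize(events).items():
        attempts = s["payment_ok"] + s["payment_failed"]
        signals = []
        if attempts >= MIN_PAY_ATTEMPTS:
            if s["payment_failed"] / attempts > MAX_FAIL_RATIO:
                signals.append("high_failed_authorizations")
            if attempts / s["events"] > MAX_PAY_SHARE:
                signals.append("payment_step_overuse")
        if s["units"] > MAX_HELD_UNITS and s["payment_ok"] == 0:
            signals.append("inventory_hoarding")
        if signals:
            flagged[client] = signals
    return flagged

if __name__ == "__main__":
    for client, signals in flag_clients(EVENTS).items():
        print(client, signals)
```

The minimum-attempts guard keeps a shopper with one declined card from being flagged, and ordinary cart abandonment (client `c4`) stays below the held-units threshold.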

Just as phishing and malware target employees, users are also under attack. Imagine infected URLs being shared on websites or social channels to take customers to malicious pages that steal payment info or account credentials. Retailers need access to tools to prevent this kind of activity and, at the same time, need to be able to warn users before they visit sites that are known to be unsafe.

These are just a few tricks bad actors might have at the ready this holiday season. So, how can security teams detect these emerging attack methods and reduce their customers' and business's chance of compromise or revenue loss?

One way is to deploy CAPTCHA systems on sites to prevent fraudulent activity, spam and abuse. The CAPTCHA system should leverage machine learning and advanced risk analysis to help customers tell humans and bots apart. The CAPTCHA system should also have accurate detections to minimize false positives and offer risk scores with reason codes so security teams can take action within the context of a company's website.

For example, if the CAPTCHA system shows a low score, next steps can be to require two-factor authentication or email verification in order to allow a user to continue. Moreover, the CAPTCHA system should have enterprise-level service level agreements and terms of service. We also recommend using an API of constantly updated lists of unsafe Web resources, which retailers can use to keep risky URLs off their sites and protect users.

This year has been one of frantic and unexpected change, but there's no reason to be caught off guard this holiday season. Security must continue to be a top business priority as attackers will always look for ways to disrupt or damage businesses during the pandemic, during the holidays and beyond. Achieving a sustainable security posture is essential to a successful business transformation. Now is the time for retailers to be proactive about securing online environments to make this new normal a safer normal, so they can deliver holiday cheer.


About the Author(s)

Sunil Potti

General Manager and Vice President, Google Cloud Security

Sunil Potti is General Manager and Vice President of Cloud Security at Google Cloud. In his role, he focuses on bringing the best of Google Security's practices to the GCP platform and its enterprise customers. Prior to Google Cloud, Sunil served as the Chief Product & Development Officer at Nutanix, and previously as its Senior Vice President of Engineering and Product Management. Before Nutanix, Sunil led the Citrix NetScaler business for over five years of record growth. He has a B.E. in Computer Science from Osmania University and an M.S. in Computer Science from Pennsylvania State University.
