Read “The State of Fraud” report
Risk intelligence teams that fight ecommerce fraud are like black-clad ninjas who spy, pounce, strike and rescue merchants from the tapping claws of cybercriminals. The problem, however, is that the bad guys they’re fighting have also become ninjas, and with both sides armed with the unleashed power of AI, their battle has become a daily brain race.
“They [fraudsters] have the same kind of mindset — and it really is kind of a battle against each other,” says Xavier Sheikrojan, senior risk intelligence manager for Signifyd. “So they’re not better, but I would also not underestimate them.”
Identity theft has reached a new level
An elevated form of AI, generative AI (GenAI), has upped the challenge by giving criminals even better tools: With GenAI, fraudsters can create synthetic identities with deep fakes that include not only images, but voice cloning. Customer service representatives may think they took a phone call or FaceTime order from a regular, loyal client, but did they? Was that really Mr. Miller they spoke with?
Generative AI gives fraudsters new powers
Signifyd CEO Raj Ramanand talks with CNN’s Julia Chatterley about how GenAI has changed the fraud landscape.
“We recently had a fraud attack where fraudsters were calling into customer service reps to place extremely high-value orders – I’m talking above $20,000, $30,000 on a single order — and to make it sound legit, they cloned the voices of their victims,” Sheikrojan said.
“When the fraudster calls in, they take over the whole identity and not only the credit card details, not only the email, not only the phone number, but also the face, the voice and also even the pauses and the tone of voice. Everything goes into that fake account creation.”
Jujutsu: It’s AI vs. AI
With AI becoming cheaper and more sophisticated, fraudsters can access the same tools that companies use in fraud prevention. One of a fraudster’s main purposes in ecommerce is to commit fraud by taking over accounts with stolen personal and financial information. And to the delight of fraudsters, merchants encourage shoppers to create accounts rather than use guest checkout. The accounts allow a more seamless customer experience, but they also mean that there’s more information out there for the taking, which leads to a wealth of customer logins, passwords and credit card numbers in marketplaces on the dark web.
GenAI has also elevated chatbots: By amassing a large amount of data, such as texts and emails, fraudsters recreate genuine text conversations that appear so real they avoid the tell.
“It’s not a human versus AI anymore,” Signifyd CEO Raj Ramanand said at Collision 2023 in Toronto. “It’s now AI vs. AI.”
Fraud is a business: detection and protection is key
About $41 billion in ecommerce fraud was lost by merchants worldwide in 2022 and studies projected losses in 2023 to top out at $48 billion. Between now and 2027, $343 billion in fraud losses are expected to accrue globally.
“Now, it’s much easier to be a bad actor than it’s ever been before,” said Kelley Andersen, Microsoft director of product, payment fraud and risk. “Bad actors use AI; they use large language models; they use bots. They have entire staffs. It’s a business and it has to be treated as a business I think at this point.”
Fraudsters are staging their own digital transformation
Microsoft’s Kelley Andersen talks about the growing sophistication of criminal fraud rings preying on ecommerce and online brands.
Fraud rings, of course, are adversarial businesses, so merchants need to view them similarly to how they view their competitors in the market, Andersen said.
Fraud-detecting machine learning scenarios
AI involves machines that are taught to “think” and act as humans. Machine learning is a subset of AI that uses algorithms to gather data and use it to learn more. It can identify new and emerging fraud tactics and detect patterns in large data. Essentially, machine learning models make predictions by processing data, rather than from explicit programmed instructions.
Signifyd’s AI and machine learning is what gives its risk teams the edge in detecting a bad actor and stopping fraudulent action in real time. It even discerns the good customer that, because of the circumstances — buying from a foreign country, using a new device, shipping to an unfamiliar address — may look like a bad actor.
Allowing more good orders to be shipped optimizes revenue and improves customer experience, leading to improved customer lifetime value.
False positives cause good revenue to be left behind
In retail, 1% of all traffic turns out to be fraudulent, but retail turns away about 10% to 15% of traffic to protect the 1%.
“And that’s a pretty big problem if you’re doing that online, because at scale, that’s a lot of lost revenue,” Ramanand says.
In other words, allowing more good orders to be shipped optimizes revenue and improves customer experience, leading to improved customer lifetime value.
A Signifyd analysis shows that when it comes to loyal customers — those that have had at least three previous orders approved — a false decline is followed by a 65% drop in the number of orders placed by that customer and 27% of those customers leave the merchant altogether.
Ramanand argued at FLOW that what really has to change are solutions that rely on hard-coded rules. They don’t work in the long run, he said.
“You need to be able to tie together thousands of different pieces of intent and behavior and transaction and device and everything else that is touched on, and that gives you the ability to say this transaction is actually good, and therefore you don’t have to put friction in it,” he continued.
“And it’s not about the identity as much as the individual and the behavior and the patterns across the network that give it a certain value of what’s good and bad.”
Artificial intelligence models and a vast network help stop bot attacks
Signifyd relies on a Commerce Network of thousands of online merchants and AI-driven models to determine the identity and intent behind online orders. It helps detect the signs of evolving bot attacks and provides the intelligence to recognize sophisticated bad actors who develop schemes that don’t use bots. It’s alerted if the same credit card is being used at many different stores in quick succession, for instance.
“This is where the power of Signifyd’s network comes in, and how you can leverage link analysis in that because you see the same card number, you see the same patterns,” Sheikrojan says. “But as a merchant, you don’t have information on how the card is being used outside of your walls.”
Fraud patterns reflect a digital transformation
A decade ago, you had the very basic fraudster trying to scam the system with a stolen credit card, or a prepaid card. Bots were scattered here and there. Then fraudsters took a step up, and instead of using a stolen card to buy only the most valuable items, they started buying less valuable items and making up for it in volume. And fraud was mainly focused on the moment of checkout.
“When I started working in fraud you could really see what fraudsters were going after,” Sheikrojan said of his start 10 years ago. “It was a quick hit – they had a stolen credit card and tried to target the large dollar items and maximize their stolen credit card as quickly as possible.”
Then the mindset changed, and while fraudsters still maximize the stolen card, now they do it by purchasing items from different merchants all in a short time frame. Ecommerce fraud moved from the checkout button into other aspects of the customer purchase process, including account takeover, which happens earlier in the process, and refund and returns schemes, which target post-purchase interactions.
Fraud protection still relies on detecting patterns
Another trend Sheikrojan sees with readily available AI is the scale at which fraudsters try to game the system. Before it was one stolen card or maybe 100, and one guy purchasing items online. Now, with AI, they rely on thousands of stolen credit cards and use bots, so the attacks are quicker and larger.
“Signifyd does the analysis and our machine learning kicks in and says, ‘Hey, we identify automatically the patterns, and here’s where we then decline the bad traffic that saves the merchants from financial impact and also from sending their merchandise to the bad guys. And here’s how we can help our customers combat AI-generated fraud.”
With AI, even the little guys have become more sophisticated.
“In one word if someone would ask me how do you summarize the fraud I’ve seen the last 12 months, for me it’s ‘scale’,’’ says Sheikrojan. “Whether it’s the big criminal enterprises or that single fraudster committing fraud from their dark garage, they do it at scale, not going into a single bank account and stealing all of the money, but going into thousands of accounts based on the code that they write.’’
Copious data points build a bulwark against credential-stuffing and fraud
These massive schemes are often in the form of a credential-stuffing attack, where fraudsters match different types of usernames and passwords of consumers stolen from one website and rapidly attempt to unlock the accounts of the same person on hundreds or thousands of other websites. Success relies on the common, but ill-advised, practice of using the same username and password combination on multiple sites.
“They’re credential-stuffing with a single query, a single code, where they can simply edit the different lines and input whatever they want,” Sheikrojan explains. “ So even the single person is out there. But he’s acting at scale.”
Says CEO Ramanand: “The most valuable application from an AI perspective is to help retailers leverage the power of data to identify what is good and what is bad, to be able to sort through those and identify the level of friction you want to put, if any, to be able to let a particular transaction through.
‘’That’s where we apply at Signifyd the ability to tell them that, but also the innovation around offering them a complete liability protection, or a guarantee on that, is the icing on the cake.”
Photos by Getty Images
Want to know more about AI and fraud protection? Let’s talk.
Latest posts
