Why the Rise of CNP Fraud Isn’t Cause for Panic

By Nir Maayan, Head of Risk

Card-not-present (CNP) fraud is a growing problem. Insider Intelligence predicted in January that in 2023, CNP fraud would account for $9.49 billion in loss — an increase of 8.5% compared to 2022. That would put CNP fraud at about 73% of card payment fraud loss, up from 57% in 2019.

There’s no denying that this is a serious risk that merchants need to invest in mitigating. It’s equally important to understand what’s going on and appreciate that while this is important, it’s a cause for strategic planning, not panic. 

CNP Fraud Grows Alongside CNP Transactions

This growth in CNP fraud isn’t new. It’s a pattern that’s generally been keeping pace with the growth of online commerce. Fraudsters follow the money; as more commerce shifted online over the last decade, more fraudsters inevitably shifted their focus to the online channel as well. 

U.S. retail digital commerce sales grew by 36.4% in 2020, and CNP fraud loss increased by 31.2% in the same year. As digital commerce normalizes, so will CNP fraud — the two are inextricably linked. So fraud pressure isn’t growing so much as keeping pace with overall growth; in terms of dollars attacked, though, it’s an ever-growing issue — and something every merchant feels.

The more legitimate business happens online, the greater the incentives for fraudsters to carry out attacks online. It’s easier to hide their activities in the bustle, and there’s more variety to the personas and behaviors of active consumers due to the sheer amount and diversity of people buying digitally, which makes it more challenging to pick out the abnormal signs that could indicate suspicious activity. 

None of this is a disaster, though. It’s just a natural evolution of an organically growing online ecosystem. Fraud fighters need to remain aware but not alarmed. 

What About ChatGPT/Generative AI/Bots?

A discussion about the growth of CNP fraud inevitably includes speculation about AI generally, and the role ChatGPT and generative AI might play. These tools give fraudsters fresh scope for scale and sophistication; we have already seen them in use in the wild. 

An important distinction is worth making in this context between bots intended for direct human communication and bots that are machine-to-machine. In the first case, I’d think of use cases such as social engineering, phishing, etc. In the second, you see the possibilities of malware, checkout attacks, etc. In both cases, AI’s increasing sophistication and ubiquity are the essential factor — as these changes happen, they naturally open new avenues for fraud and abuse.

Several areas are immediately striking as places for AI to make a difference in terms of CNP fraud attacks, including:

  • The increased use of bots for brute force attacks, enabling credential stuffing, password spraying and card testing at unprecedented levels
  • The expansion and increased personalization of phishing attacks
  • The evolution of bot and malware creation that does not require technical expertise since generative AI can do a lot of the necessary “hand-holding” for amateurs who have a fundamental concept in mind and just need help iterating to find an efficient and effective version

These things will all play a role in the increased growth of CNP fraud. Why don’t I think panic is necessary? Because at the same time, fraud prevention is also starting to employ the same generative AI technology in identifying and blocking fraud attacks. It’s a new phase in the arms race — but it’s still the same old war. 

PSD2 Shows that the Rise of CNP Fraud Can Be Mitigated

Given my in-depth focus on the EMEA market for several years, I’m particularly sensitive to the lessons that PSD2 has for us when we’re thinking about the direction of CNP fraud. The PSD2 regulation is not perfect, and the proposed PSD3 regulation is encouraging in addressing some of its weaknesses, but even so, PSD2 has had a notable effect on fraud within EMEA.

The European Banking Authority has found that the share of fraud by value is three times higher for payments authenticated without Strong Customer Authentication (SCA) compared with payments authenticated with SCA. Merchants often fail to appreciate the significance of this trend because of the pain they feel from the friction customers experience due to SCA. 

The friction often involved in SCA is problematic; I don’t want to minimize that. It can even be ROI negative; the negative impact on conversions, even after margins are accounted for, can be greater than the amount saved in chargebacks. 

The key thing to understand about it, though, is that it’s very often unnecessary. One of the most satisfying things about my job is being able to help customers understand the nuances of PSD2 and SCA so that they can keep friction for customers to the absolute minimum while maximizing approvals and remaining fully compliant without exposing themselves to any substantial increase in fraud risk. Frictionless 3DS can be a great asset to a business overall if used appropriately — it’s one of the advantages of PSD2. Once merchants understand this is possible, they can reap the benefits of SCA without taking the hit. 

In that context, we can appreciate the value of PSD2 and the reasonable, tailored use of tools like 3DS. There’s the potential for a significant impact on CNP fraud, opposite to the impact of trends like increased digital commerce and generative AI. Alongside the increasing sophistication of fraud prevention, this is a critical balancing factor to the rise of CNP fraud. 

The Lesson of PSD2: Look Beyond Transactions

SCA or 3DS can be powerful tools in limiting the increase in CNP fraud. At the same time, it’s essential to understand that this impact is only at the point of transaction and only on cards. Since fraudsters are endlessly creative and motivated to steal, making fraud more difficult at the point of transaction does not discourage criminals. It simply encourages them to shift their focus elsewhere. 

In EMEA, we have seen that play out with an increased fraudster focus on non-transaction vulnerabilities such as account takeover, loyalty points attacks, refund claims abuse, promotion abuse, etc. These types of attacks can also represent a severe loss to a business, particularly when they operate at scale, but it can take time for a company to realize the extent of the damage. 

Increasingly, as reflected in many of the findings of the 2023 Fraudology Fraud Benchmarking Survey, fraudsters are shifting their attention from checkout to the entire customer journey. Fraud fighters need to do the same. 

Don’t Panic — Plan

CNP fraud is rising and will probably continue to do so, driven by the growth of digital commerce generally and the sophisticated ecosystem and technology available to online criminals.

Mitigating factors mean that I don’t think any of this is a cause for panic. The growth of online commerce is good for many businesses, and success in this area means the availability of more resources for fighting fraud. The scale, efficiency and sophistication that benefit fraudsters also benefit fraud fighters. 

While I don’t advocate panic, I do think planning is vital — as a matter of priority. Strategic thought is required to ensure that fraud teams understand the challenges of evolving trends like generative AI, bot usage in and against digital commerce, and the expansion of fraud attacks to encompass other payment methods (have you started working with BNPL?), and to include the entire customer lifecycle. 

Take the time to look at the broader picture of your business in this context; you can’t look at a single pipe in the system to understand where water will start to leak if you put more pressure elsewhere. A single pipe won’t show you why your water pressure is too low. Look at every “pipe” — every aspect of your customer journey, its possible flows, and the backend processes that make it possible — and how they fit together. 

How new trends affect the business as a whole will differ slightly from one business to another, but some of the effects may be profound — and they are not things you want to be surprised by when it’s too late. That really would be cause for panic.