Gig Economy Fraud: The Hidden Threat of the 2020 Holiday Season
The end of the year is always a particularly busy and often stressful period for fraud fighters, and this year that’s more pronounced than ever. The 2020 holiday season presents fraud prevention teams with a lot of additional challenges on top of those that are usually present at this time.
There are more new shoppers online than ever, buying more online than ever before – providing the ideal cover for fraudsters hiding in the crowd. Phishing attacks have hit record levels this year, resulting in a wealth of stolen data for ATO attacks. Gift cards, always a risky prospect for fraud fighters, are enormously popular.
There’s another aspect which is increasing risk this year, though, which is often overlooked. It’s the rise of “gig economy” fraudsters.
The Rise of Gig Economy Fraudsters
The gig economy has touched so many aspects of our lives, from ridesharing to graphic design, from running errands to SEO needs and much more. Now that model has come to fraud as well.
Increasingly, people all over the world are willing to take on small jobs which ultimately contribute to a fraud scam. Placing orders, picking up packages, reshipping, setting up accounts, beating CAPTCHAs and other bot detections – any part of a fraud scheme which can be easily outsourced, doesn’t require criminal expertise, and can be presented as a (typically low paying) job is now open to a dark gig economy.
There are even more dubious uses of the gig economy – such as the money-mules who lend their own bank accounts for money movement/money laundering… in return for keeping 20% of the proceeds.
Of course, this isn’t a new trend in itself, but the pandemic has lifted it to a new scale. It’s now global. Fraudsters can easily find helpers anywhere in the world, giving them far greater geographical scope to play with.
Due to the economic downturn and uncertainty people are experiencing, they’re far less discerning about what kind of job they take. Many don’t know – or won’t let themselves see – that they’re helping commit fraud, and the jobs are often phrased in a deniable way. The fact is many people are desperate for work they can do from home. And this fits the bill. Fraudsters, as we know, will always take advantage of any vulnerability they can identify and exploit.
Outsourcing the Fiddly Bits of Fraud
For the professional fraudsters who are using these gig workers to scale their operations, it means that some of the smaller annoying details they used to have to handle themselves can now be outsourced. Unfortunately, this can make them harder to catch.
For example, that means that you may well be seeing IPs from areas which are a rough match for the billing address placing fraudulent orders – not because there’s IP trickery at play, but because these gig workers really are physically in the right place.
You may also be seeing a more sophisticated approach to setting up and aging accounts on your site or app. Gig workers sometimes take on the job of creating accounts and then visiting them periodically, using them to browse products and generally building up the appearance of a legitimate user. They may even slowly add shipping or payment details.
Of course, when the fraudster behind the gig worker does come to use these accounts, they’ll be harder to catch than usual, because the resemblance between these accounts and legitimate ones is much stronger than fraudsters have typically created in the past. And when they’re choosing a shipping address, it can be one a close match for the billing address (AVS only looks at numbers, remember) or within close proximity to the billing address (only this one will belong to their mule).
Fraudsters are about ROI; they want the maximum benefit for the minimum possible effort. Their time is valuable. The time of a low-paid gig worker, not so much. If it’s going to result in a higher level of successful thefts, then it’s worthwhile paying for some gig work.
Since some of the standard methods of detecting fraudulent accounts and orders, such as IP or address negative lists, may be less effective against this threat, it’s worth investing in alternative approaches. For example, deepening your collaboration with other merchants – particularly in the same space as you, since they’re likely to know which users you should trust, and which ones may be fraudsters – may well be beneficial.
If you work together leveraging Privacy Enhancing Computation (one of Gartner’s top tech trends for 2021) you can collaborate directly to pool knowledge of which users to trust without ever sharing any personal user data. Using this kind of identity validation early on in the account creation process, rather than waiting for checkout, will also help guard your site from this risk.
Riding the BOPIS Trend
Buying online and picking up in store – or, rather, at the curbside – has seen a huge surge during 2020, with the more distanced and convenient form of purchase making people feel safer during the pandemic.
Over the Thanksgiving holiday weekend, a survey from the International Council of Shopping Centers found 52% of shoppers said they would be using these services. And Adobe noted that retailers offering curbside pickup had a 31% higher conversion rate of traffic to their sites. It’s clearly in retailers’ interests to provide this service where possible.
From the fraud prevention perspective, BOPIS is a challenge – and it’s one that’s exacerbated by the rise of gig economy fraud. Fraudsters now have a wide range of gig workers they can use, increasing the area they can target via BOPIS fraud.
As well as the BOPIS trend, be aware that standard mule work – receiving, repackaging and reshipping stolen goods – continues to be a favorite trick among the criminal fraternity, and is still something to watch out for. That said, you’ll need to be able to distinguish this from legitimate cases of companies handling holiday gift giving from their homes rather than their offices.
A Shift in the Geographical Landscape of Fraud
The geographical landscape of fraud has shifted with the rise of gig economy fraud. The main fraudsters and fraud rings you’re facing are probably ones you’ve faced in the past. But their physical presence has expanded. Their tendrils are potentially global. Physical location has become more complex than it used to be.
The growing availability of gig workers makes it increasingly easy for fraudsters to avoid many common fraud detection techniques. They can easily use new IPs with good location match, have access to many new devices every day, and do not need to rely on bots or proxies that can be detected by counter-fraud technologies.
Working together with other teams of fraud fighters has become more important than ever. Whether it’s collaborating directly to directly share knowledge via Privacy Enhancing Computation, or meeting to discuss trends and share tactics, fraud teams are far stronger together than working separately.
Fraudsters are increasingly part of a global network which supports and informs their activities. Fraud professionals who don’t have an equivalent network supporting their work will be always on the defensive.
Fraud fighting methods will need to bear that in mind both this holiday season, and in the year ahead.