Last year Experian reported that 2016 e-commerce fraud attack rates were on pace to surpass the 2015 totals.
At the time, the fraud attack rates for the first half of 2016 appeared to be at least 15% higher than the 2015 total. That percentage turned out to be much higher: according to Experian data, the increase in e-commerce fraud reached 33% in 2016 compared to 2015.
Experian analyzed millions of e-commerce transactions from our 2016 client data to identify fraud attack rates for both shipping and billing locations across the United States. The data reveals the increase of e-commerce attacks in 2016, the geographical differences, and whether a credit card has been stolen or personal credentials have been compromised. Fraud attack rates represent the attempted fraudulent e-commerce transactions against the population of overall e-commerce orders.
The 2016 e-commerce fraud attack rate data shows:
- Miami, FL, is home to the riskiest ZIP™ Code for both shipping and billing e-commerce fraud. Miami accounted for 17 of the top 100 ZIP™ Codes for shipping fraud and 20 of the top 100 for billing fraud.
- 70% of e-commerce billing fraud came from three states – Florida, California and New York – based on the sum of fraud attacks.
- Delaware, Oregon, and Florida were the top-ranked states for billing and shipping e-commerce fraud in 2016
- Oregon and Delaware saw an increase in e-commerce billing fraud attacks of over 200%.
Many of the higher-risk ZIP™ Codes and cities are located near a large port-of-entry city or airport, making them ideal locations for reshipping fraudulent goods and perhaps allowing criminals to move stolen goods more effectively. These include Miami, Houston, New York City, and Los Angeles. All those cities are ranked among the riskiest cities for both measures of fraud attacks.
What is driving credit card fraud trends?
The biggest component of this trend is the fact that 2016 was a record year for data breaches. There were 1,093 data breaches last year, a 40% increase from 2015, according to the Identity Theft Resource Center.
The recent Federal Trade Commission (FTC) 2016 Consumer Sentinel Network Data Book announced a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016. The record number of data breaches is a signal that future fraudulent activities will take place.
This is further reflected by the increase of consumers reporting credit card fraud to the FTC in 2016. So far in 2017, that same trend continues as the total number of breaches has increased 56% compared to the same time in 2016.
Why are there geographical differences in e-commerce fraud?
Most e-commerce merchants have basic controls in place, such as the address verification service, to validate that transaction billing information matches a particular account holder. So from a billing or victim perspective, attackers typically leverage the legitimate cardholder billing details in a fraudulent order.
To maximize successful fraud attacks, they need to make the transaction appear as normal as possible. But from a shipping perspective, those same fraudsters often can’t rely on shipping to the cardholder’s address and trying to intercept the package. This is where attackers get creative to acquire the proceeds of their fraudulent transactions, often using re-shippers or shipping “mules”, freight forwarders, or delivery addresses that do not raise suspicion but are near international ports or airports, so the fraudulent order can be quickly picked up and shipped to its final destination (often overseas).
That’s why we see such a big disparity between attacks measured by victim or billing address, which are mostly evenly spread across the country, and shipping attacks, which are mostly concentrated in coastal states with major port cities and airports.
Delaware and Oregon are two exceptions to this flattening of victim attacks, as both states saw a more than 200% increase in billing attacks with only modest increases in shipping attacks. From a shipping perspective, 10 states saw at least a 100% increase in fraudulent orders, having a significant impact on the overall population attack rate.
Has the EMV switch affected e-commerce fraud rates at all?
The increase in e-commerce fraud follows a trend similar to that seen in countries that previously rolled out EMV cards – UK, France, Australia, and Canada – which also saw gradual increases in card-not-present fraud.
Experian suspects that the EMV liability switch and increased adoption by merchants of chip-and-PIN enabled terminals have had a profound impact on driving up e-commerce attacks. Fraudsters that typically relied on committing counterfeit fraud have shifted their focus to the digital channels where they could have more success.
As more fraud attackers enter a rapidly growing mobile and online commerce space, it becomes even more difficult for merchants to differentiate their good customers from the sophisticated fraud attackers.
Our annual fraud attack rate data brings to light the increase of e-commerce attacks over the last year across the US. This latest data is a strong indicator that other types of fraud have already occurred and can help businesses understand how to better protect themselves and their customers. Whether a credit card has been stolen or personal credentials have been compromised, businesses need to expect an increase of e-commerce fraud over time and to be prepared.