Persistent online fraud is here to stay.
At least that's according to data from Forter, an e-commerce fraud-prevention company, in its annual Fraud Attack Index 2017. CNBC got a first look at the report, which is to be released Thursday.
Online fraud attacks have leveled off in the past year, after spiking in prior years. Just over 2 percent of domestic transactions were at risk of fraud, according to the report. Repeat fraudsters are shifting to new hunting grounds, ordinary people are getting in on the action and the world is starting to see the effects of massive data breaches — like the hack of information on 145 million people at credit reporting firm Equifax earlier this year.
The stability of online fraud is a good thing, but it's still above what used to be expected. Across industries and fraud attack methods, the "new normal" means companies need to be vigilant, according to Michael Reitblat, CEO of Forter.
"[Fraud] has been here forever and it's probably going to remain forever," he said. "Every time you close one breach, they migrate somewhere else."
Forter is a venture capital-backed cybersecurity firm that specializes in real-time fraud detection. It teamed up with the Merchant Risk Council to publish the annual report after analyzing millions of transactions, both successful and attempted.
Forter's clients are companies with e-commerce operations, like Delivery.com and Fiverr. As a middleman, Forter uses anonymous shopper data and aggregates it to find patterns of fraud that are applicable to many different clients. Machine learning allows the system to react quickly and evolve as different methods of fraud gain prevalence.
When a shopper clicks "complete transaction" on one of Forter's clients' sites, Forter's system runs through some 6,000 data elements — things like what device is being used, who the buyer and seller are and where the item is being shipped — to estimate the risk that the transaction isn't above board. It then tells the system whether or not to allow the transaction to go through.
The relative stabilization of e-commerce fraud is a good thing, but it's an ongoing battle, the report says.
Preventing online fraud can be a game of cat and mouse with fraudsters, the report suggests. After attacks increased on luxury and apparel merchants' sites in recent years, those retailers fought back and increased their fraud prevention. In response, fraudsters shifted their focus to other areas like electronics and food.
Fraud attacks declined in luxury goods by 32 percent in 2017, the report says. In digital goods and apparel, it was down 26 percent and 11 percent, respectively. In food and beverages, fraud attacks more than doubled in the past year, while fraud in electronics was up 55 percent.
Electronics, like apparel, have a ready-made marketplace for resale, making them attractive targets for fraudsters. Fraudulent food and beverage orders, on the other hand, are more likely to be "card testing," the report says: low-cost attempts to see if a stolen payment card is working.
The stereotypical fraudster might be a dark-web denizen, taking over a stranger's accounts and ordering gift cards or gamer gifts on the unsuspecting party's account. But increasingly, it's regular consumers misusing promotions and committing what Forter calls "policy abuse." That's when so-called "friendly fraudsters" engage in coupon abuse, referral abuse, etc. As regular consumers get more comfortable with technical methods, the company has seen people turn to virtual private networks and proxy settings to circumvent prevention traps.
Any time a consumer sets up a burner email address to take advantage of a first-time-buyer promotion for the second time, that consumer is committing policy abuse.
Still, for the online retailer, losing business to fraudsters isn't always a bad thing. For one thing, an e-commerce business that has such stringent security as to have completely eradicated fraud could be losing a sizable portion of business as well.
A company might think it has no fraud problem at all, but a secure but cumbersome system can drive away actual customers, thus hurting the bottom line.
"Losing business, especially in the [United] States, is a far greater cost to them than a little bit of fraud," Reitblat said. "A little bit of fraud helps. As long as it's controlled, it's ok. It's the cost of doing business."