By Gayathri Somanath, Signifyd’s vice president of product, discusses what retailers can do to stop the rise of rapid-fire fraud and scalping

When put to use for good, automation and artificial intelligence provide powerful ways to help businesses become more efficient and more powerful.

Smart machines, for instance, are paving the way for significant growth in the retail sector. But with that potential comes risk.

For the very same reasons businesses are adopting machine learning, online fraud rings are too. Bot attacks on ecommerce enterprises are on the rise – according to Javelin Strategy & Research up to 70% of traffic to ecommerce checkout pages is now generated by malicious bots.

Rapid-fire fraud and scalping

Two common types of bot powered fraud in the retail sector are rapid-fire fraud and scalping. While they have similar intent and use similar technology there are key differences. Scalping is not expressly illegal, whereas rapid-fire fraud is, by definition, a crime.

Rapid-fire fraud targets the entire online payment journey that a legitimate customer would typically make — from account creation and credit card authorisation, to final credit card verification at checkout.

The seeds of rapid-fire fraud are planted on the Dark Web where fraud rings can buy thousands of stolen usernames and passwords, among other personal identifiers. The fraudsters use these credentials to launch a variety of online attacks – creating many fake accounts or user profiles at once, launching credential stuffing attacks to take over accounts in bulk, conducting card testing and a fusillade of fraud.

The number of such attacks is increasing dramatically – Signifyd has tracked a 146% increase in rapid-fire attacks in the past year, and the lightning-fast speed of the attacks makes them potentially devastating.

Scalping is more formally known as unauthorised reselling. Thousands of buyers have recently experienced this, being unable to buy a PlayStation 5 for Christmas. Scalping rings in the United States and UK scooped up thousands of Sony PS-5’s on the day they were released. Then they posted photos of their caches on social media and marketplace sites, where the consoles were selling for up to 10 times their RRP.

The practice lives in a grey area. It’s not illegal, though there is a movement in the UK to outlaw it. But it does violate some retailers’ policies, and it is certainly detrimental to business.

While the sale might have been made, shoppers are upset with the retailer they turned to and perhaps resorted to paying twice the price (or more) on a marketplace. The retailer is seen as unable to control its inventory and helping to create a black market for a sought-after product.

Sony’s brand has also been tarnished because its product is being sold for a ridiculously high price. Both Sony and the retailer have lost control of the customer experience and the opportunity to build a relationship with the buyer.

What retailers need to do

Traditional fraud detection methods will likely fail when it comes to detecting scalping schemes. Identity based signals— like phone, user account name and email address — will indicate that a cardholder is making the purchase as bots have set up accounts designed to do this.

Detection tools need to look at a different set of attributes. An anti-scalping solution should focus on device activity, especially high activity coming from the same device, behavioural trends or patterns that indicate non-human activity like click and typing speeds and high velocity purchases across a high sample size.

These anomalies must be detected at lightning speed in order to foil the scalpers. The only way to confidently spot the worrisome patterns is to look across a broad network of merchants. Fraudsters typically launch these attacks across multiple sites simultaneously in order to snatch as many of the highly coveted products as possible.

All that calls for machine learning and a powerful data platform that can, for example, aggregate the accounts created from a single device across thousands of merchants in the last 30 seconds. Ideally, brands and retailers will want to combine a robust fraud solution that can differentiate legitimate from fraudulent transactions across the buying journey with a flexible tool that can understand and monitor complex business policies.

With the proper flexibility, a retailer can dictate under what circumstances extra steps should be taken to confirm that a human is doing the buying. And depending on the situation, the retailer can prescribe what extra steps are required — a captcha or call to customer service, for instance. That sort of technology can ensure that an army of bots is not about to clean out the one product that everybody wants.

While the scalpers and fraudsters are no doubt plotting more work-arounds as you read this, rest assured that they are not the only ones hard at work on the next new thing. The good news is that the technology to help with scalping and rapid-fire fraud is available — and effective.