For credit card giant Visa, the holiday season is always an extremely busy time. It not only brings out millions of people using plastic to pay for gifts, seasonal food, and decorations, but also bad actors armed with ever-evolving methods to steal credit card information and separate those buyers from their money.
Visa’s research found that in the 2022 holiday season, some fraud rates were 11% higher than at other times of the year and 8% higher than in the previous holiday season. In its annual Holiday Edition Threats Report this week, Visa researchers said shoppers and stores between now and January 2024 should expect more of the same, particularly with the broader use of AI capabilities by scammers and hackers.
“The holiday timeframe is expanding with consumers shopping earlier in the year, giving fraudsters more opportunities to take advantage of the busy season,” Michael Jabbara, vice president and global head of fraud services at Visa, told Security Boulevard. “Technologies like AI also play a role in creating a more sophisticated threat landscape. Our recent Fall Biannual Threats Report found that AI technologies have lowered the barrier to entry for fraudsters, enabling them to carry out their attacks more efficiently.”
Jabbara pointed to advanced language models (ALMs) that fraudsters can exploit to create more advanced and targeted phishing or vishing campaigns, adding that “ALMs make it easier to create more convincing communications that don’t have the tell-tale signs of a traditional fraud scheme.”
That follows similar findings by IT and cybersecurity companies. IBM last month reported that OpenAI’s popular generative AI chatbot ChatGPT can write phishing emails that are almost as convincing as those written by humans and do so much more quickly.
Jabbara said that ALMs and large language models (LLMs) make it more difficult to spot scams and give scammers broader reach. Not only are they able to create more realistic spoofed phishing emails and other written communications or images, but “bad actors also use AI to target victims globally, using phishing lures, as a channel to deploy malware that’s been modified by ALMs to be capable of avoiding detection to obtain sensitive information.”
New tools like AI also are arriving at a time when consumers’ buying habits continue to shift sharply online and e-shopping options increase. Ecommerce grew exponentially during the COVID-19 pandemic and hasn’t snapped back as the health threat has abated. Another Visa study found that 78% of consumers said they changed their shopping habits in the wake of the pandemic, including shopping online whenever possible.
“And now, social media platforms are gaining traction as they enable consumers to buy goods directly within the app, using only a few taps, so we still see that the digital purchasing habits of consumers have remained sticky even in the post-COVID period,” he said.
Still, the threats facing shoppers and businesses over the next several months are varied and will include both the digital and physical realms, according to the authors of the most recent Visa report.
“Due to the rapid influx in both eCommerce activities and in-person shopping at brick-and-mortar retailers and hospitality merchants, threat actors will seek to exploit lax security protocols implemented by cardholders, issuers, acquirers and processors,” they wrote.
Phishing and other social engineering schemes and digital skimming scams will be high on fraudsters’ to-do list. Through digital skimming, cybercriminals will use customers’ account data from ecommerce merchants to steal information and money, and they will use AI not only to help with highly customized phishing campaigns, but also to create phishing websites that leverage malvertising and other SEO tactics on retail or service websites to get victims to inadvertently download malware.
They also will use one-time passcode (OTP) bypass schemes to get into cardholder accounts by sending victims OTP templates that appear to be associated with a legitimate purchase. There will be a rise in the use of bots that try to imitate humans and get around such security tools as IP blockers and CAPTCHAs. Also, “bots-as-a-service offerings made it possible for anyone to easily purchase and deploy bots,” the authors wrote.
On the physical side, bad actors will try to steal payment cards or phones from consumers in crowded stores, malls, and parking lots or steal unattended bags or purses. They also will use removable skimming devices on ATMs or point-of-sale (POS) systems to steal data from the magnetic stripe on the back of a credit card.
“Digital skimming, phishing, and social engineering schemes are all threats that are likely to impact consumers shopping this year,” Jabbara said. “Fraudsters are willing to play the long game, creating illegitimate merchants with accompanying websites to obtain personal information and payment account data from unsuspecting consumers via digital skimming. And with more sophisticated tools, it will be harder to spot when a deal is in fact too good to be true.”
Visa has a list of good security practices that consumers should adopt, including ensuring the reputation and authenticity of retailers, securing personal information when paying online (such as making sure the website address of the e-tailer starts with “https://”, with the “s” showing that the data is encrypted and sent via a secure connection), not buying anything online while on a public Wi-Fi network, and being cautious of deals that seem too good to be true.
Such steps are important, Jabbara said, noting that human error is involved in more than 95% of cybersecurity breaches and that waiting a beat can help keep buyers from walking into a scam.
“The first step consumers can take is to slow down,” he said. “Pausing to check that the email addresses and websites are legitimate, or using multi-factor authentication will go a long way in protecting personal information.”