.svg)
The European Union Agency for Law Enforcement Cooperation, better known as Europol, has released new data showing the success of a month-long operation targeting e-commerce fraud.
Following a coordinated action across 19 countries in October, Europol was able to make 59 arrests of suspected fraudsters and obtained multiple investigative leads.
Known as the 2022 e-Commerce Action (eComm 2022), the operation targeted criminal networks thought to be using stolen credit card information to order high-value goods from online stores.
The action was coordinated by Europol’s European Cybercrime Centre (EC3) and the Merchant Risk Council, an association for e-commerce fraud prevention and payments professionals.
In a statement, Europol also said the operation received “direct assistance” from merchants, logistic companies, banks and payment card schemes.
After several months of preparation, law enforcement authorities across the 19 participating countries raided multiple locations to which illegally purchased goods had been delivered.
The suspects were then arrested and the goods confiscated. The suspects are currently being prosecuted, but investigations are ongoing in some countries and more arrests are expected in the coming weeks.
New criminal techniques
In its report on the operation, Europol said that online payments in Europe are generally “very secure”, mainly as a result of the implementation of strong customer authentication (SCA).
However, Europol also noted that fraudsters are continuously altering their techniques to unlock new ways to steal from merchants and consumers.
Following eComm 2022, Europol highlighted several key threats that should be on consumers’ and merchants’ radars going into 2023.
Looking at how stolen credit card numbers are obtained, Europol said that phishing, vishing and smishing fraud continue to be the most common methods.
Phishing is when criminals author and distribute fraudulent emails and websites designed to steal data; vishing is when criminals make fraudulent phone calls to induce individuals into revealing personal information; and smishing is when criminals use text messages to achieve the same.
Europol noted that phishing, vishing and smishing attacks will sometimes promise a reward to the victim for their cooperation and sometimes the attackers will impersonate a trusted business or government agency.
Another attack vector highlighted by Europol is account takeover fraud, where criminals gain access to an individual’s e-commerce store account.
This can be achieved through a variety of methods, including the purchase of stolen passwords, security codes or personal information on the dark web, or through successful phishing schemes.
Once an attacker has gained access to a user’s account, they can then use it to engage in further fraudulent activity.
For example, they can change the details of a user’s account, make purchases, withdraw funds or gain access to other accounts that belong to the same user.
Finally, triangulation fraud is when criminals set up fake or replica websites that appear to be selling high-value goods at discount prices.
Europol noted that sometimes these fake websites can appear in ads, or can be sent to a user’s email directing them to the website, but the goods do not exist, and if purchases are made, nothing is shipped to the customer.
#SellSafe
Following eComm 2022, Europol also announced that it has launched a #SellSafe awareness campaign in partnership with the Merchant Risk Council.
The campaign aims to help new merchants open online stores safely, while minimising the risk of cyber attacks, and aims to promote safe payment methods online.
Europol already publishes guidelines designed to help merchants sell securely, alongside a checklist of fraud-related questions that merchants should ask potential acquirers before agreeing to work with them.
Additionally, this week Europol published a guide for consumers on how to avoid becoming a victim of e-commerce fraud.
