From hot tubs and laptops to phones and watches – stolen customer details used to buy and sell retail products online

• Fake brand emails, texts and websites remain ‘go-to’ impersonation tactics 

• Bots deployed to dupe victims as criminals sell products quickly to avoid detection 

• Facility takeover now second greatest fraud threat to online retailers 

The online retail industry faces a huge battle as cases of facility (account) takeover filed to the National Fraud Database (NFD) surged by 142% during the first half of 2024, data from UK-leading fraud prevention service, Cifas, has revealed. 

Fraud-risk data filed by Cifas members show that facility takeover – when a criminal utilises compromised personal data to hijack an existing account or product – more than doubled between January-June this year compared to the same period in 2023. 

With a treasure trove of customer data at a criminals’ fingertips – such as payment and personal details and purchase history – consumers’ online accounts have been taken over swiftly, changing security and personal information to lock them out. In some cases, they have added Google and Apple Pay accounts before attempting to make purchases that can be sold on quickly through online marketplaces with little risk of detection. Popular high-end products include phones, watches, laptops, bikes and even hot tubs.  

Phishing attacks remain a favoured fraudulent tactic for the criminals and continue to cause problems for the online retail industry, suggests Cifas intelligence. Criminals have been creating high-quality fake websites, texts, emails and social media content of well-known brands to lure innocent people into clicking on malicious links and sharing sensitive details. 

Cifas online retail members have also reported an increase in bots being used for ‘credential stuffing’ – a technique were criminals steal details, such as usernames, email addresses and passwords, to gain unauthorised access to consumer accounts. Once in, they then place orders for products to be delivered to alternative addresses. Cifas intelligence shows perpetrators are even slowing down bots to appear ‘more human’, so they are not flagged as suspicious on online retail platforms. 

Consumers aged between 30-50 account for 56% of the more than 13,700 facility takeover fraud filings made to the NFD during the first six months of 2024, suggesting criminals may be attracted to their more established credit profiles. 

Overall, facility takeover is now the second greatest fraud for Cifas’ online retail members to combat after online payment fraud. 

Simon Miller, Director of Communications at Cifas, said: ‘Facility takeover fraud has been causing chaos for both retailers and shoppers for many years. When criminals attack online, they can access high volumes of consumer accounts exploiting sensitive information and moving on swiftly before being detected. 

‘Cifas intelligence shows these organised crime groups are increasingly aware of the account takeover fraud controls deployed by some retailers to keep their customers safe and are regularly changing their tactics to get ahead. The sharing of multi-sector data and intelligence not only helps retailers to combat this growing threat but means we can all take collective steps to mitigate risks.’ 

Tony Neate, CEO at Get Safe Online, said: ‘It takes only a few snippets of information for cybercriminals to piece together everything they need to transact online as if they were you. That’s why we all need to be so vigilant in spotting fraudulent attempts to gain your financial and other personal details, and not sharing information which a fraudster could use to commit facility or account takeover in your name.’ 

Seven ways consumers can protect their online accounts 

1. Destroy unwanted documents including bills, bank statements or post that is in your name, preferably by using a shedder. If possible, arrange for paperless bills and statements. 

2. Request copies of your personal credit report from a credit reference agency on a regular basis to check for any entries you do not recognise. 

3. Provide as little personal information about yourself on social media as possible and only accept invitations from people you know. 

4. Never divulge private information data in response to an email, text, letter or phone call unless you are certain that the request is from a genuine source. 

5. Do not share account information with friends, family or other people. 

6. If a company which has your confidential information is hacked, make sure you change your password as soon as possible. 

7. Use a redirection service when moving to a new home such as the one provided by the Royal Mail as well as informing your bank, card company and other organisations you have accounts with of your new address. 

Overall, a record number of fraud-risk cases were filed to the NFD in the first six months of 2024 – more than 214,000 in total – resulting in a 15% increase compared to the same period in 2023. View the latest 2024 data in Cifas’ Fraudscape six-month update. 

Cifas continues to develop products and services to help tackle fraud and financial crime. Through its innovative ‘Vision’ solution, retailers and other organisations can identify potential fraud in their existing customer base by providing real-time alerts – helping to prevent fraud losses and ensure they are aware of any changes in a customer’s behaviour. Enquire about Vision here. 

For further information on being secure, safe and confident on the internet, visit www.getsafeonline.org 

ENDS 

Notes to Editors 

For more information, please contact Hayley Paterson, Cifas Press and PR Manager, on 020 4551 7072 or press@cifas.org.uk. 

About Cifas 

Cifas is the largest not-for-profit fraud prevention service in the UK. It has more than 750 members who represent various industries including banking, retail, insurance, and telecoms. Cifas protects businesses and individuals from fraud through effective and secure data and intelligence sharing between the private, public and third sectors. Additionally, the independent organisation offers a range of products and services to help businesses prevent fraud and delivers specialist training for counter-fraud professionals through its Cifas Fraud and Cyber Academy. 

Cifas’ data is included in the Office of National Statistics England and Wales Crime Statistics of police recorded crime and it works alongside law enforcement agencies in tackling fraud. In 2023, Cifas members prevented more than £1.8bn of fraud losses. 

Website | LinkedIn | X 

Fraudscape 

Fraudscape is Cifas’ annual report which combines data from its National Fraud Database (NFD) and Insider Threat Database (ITD), alongside intelligence provided by Cifas members, partners, and law enforcement. 

Contact us at press@cifas.org.uk