Retail businesses are trying to save on shipping costs by convincing shoppers to pick up their online orders in stores, but fraudsters are increasingly exploiting this shopping method to scam people.
Shoppers chose to buy purchases online and pick them up in stores 20% more during the 2018 holiday season compared to the year before, according to ACI Worldwide, an electronic payments company. The company also found that there was a 13% uptick in scammers attempting to hack into online accounts and use them for “buy online, pick up in store” purchases between Nov. 1 and Dec. 31, 2018, compared to the same time the year before.
“Fraudsters are always looking for areas of opportunity,” Erika Dietrich, vice president of global risk services with ACI Worldwide, told BuzzFeed News. “If you have a home and you implement a security system and you have cameras and lights and motion protectors, fraudsters are going to give up breaking into your house and move into other areas.”
That new area for online orders is defrauding pick-up-in-store purchases, Bart McDonough, a cybersecurity expert and author of Cyber Smart, told BuzzFeed News.
On most online shopping portals, shoppers must reenter their credit card details if they change the shipping address for an item. But if a shopper wants to pick up an item in a store, they typically don’t need to reenter their details; they just have to select a store. Hackers can exploit this to make fraudulent purchases on someone else’s account, and then they simply present the purchase details at the store to get the item.
Suddenly, the passwords to your Target.com or BestBuy.com accounts have become much more valuable to hackers because they can easily make fraudulent purchases and pick them up in any store, said McDonough.
“Retailers have tried to introduce some brick-and-mortar [options] to combine an online experience with a retail experience,” he said. “Because they did that, they actually introduced more cyber vulnerability.”
Fraudsters tried to hack 1.5% of all “buy online, pick up in store” transactions on average between Nov. 1 and Dec. 31 last year, according to ACI Worldwide. By comparison, online orders that shipped directly to home addresses were targeted slightly less, at 1.2%.
McDonough said shoppers should not reuse the same username and password on any site to avoid being hacked. They should also enable two-factor authentication, update their phones and computers regularly, and enable phone alerts for their credit card purchases.
“Online spending and ‘buy online and pick up in store’ are here to stay,” said Dietrich with ACI Worldwide. “Consumers ... have to be conscientious to monitor their payment devices and lock their phones and computers, and have good security hygiene.”