Using transaction and activity data from TTP Today's fraud intelligence stream, we will explore insights into fraud targeting UK businesses in Q1-Q3 2024. Actionable intelligence, including high-risk products and fraud methods, will be shared to help enhance your current fraud protection systems.
This report was made by TTP Today's Threat & Fraud Analysts using our Q1-Q3 2024 data.
Fraud continues to plague businesses in 2024, with the National Fraud Intelligence Bureau receiving over 405,939 reports this year alone, resulting in reported losses exceeding £2.4 billion. However, this figure barely scratches the surface, as fraud is estimated to cost businesses a staggering £158 billion annually, reflecting the vast scale and devastating impact of the issue.
At TTP Today, we analysed our fraud intelligence data stream containing activity and transaction data from Q1 to Q3 2024, to uncover actionable insights and emerging trends. This report highlights the current fraud landscape, dives deep into attackers’ methodologies and offers businesses practical steps to mitigate fraud risks - particularly as we approach the high-stakes holiday season.
Four industries have been heavily impacted by fraud activity, collectively accounting for 93% of incidents tracked by TTP Today:
Together, these four industries make up 93% of the total incidents. The remaining 6.7% of fraud activity is given to GiftCard, the smallest category observed.
These sectors continue to face relentless attacks due to their high transaction volumes, popularity, and inherent vulnerabilities to common fraud techniques.
Key insights:
Diving deeper into our Fraudulent Transaction Data, we explore each sector to identify actionable insights along with attackers tools, techniques and procedures (TTPs) used to aid in attacks.
We observe 33% dedicated to the E-commerce & retail fraud category so we will start digging into the high-risk products in this category.
E-commerce remains a prime target for fraud due to several key characteristics that make it especially vulnerable to such attacks.
These include:
Given these factors, e-commerce and retail sectors have become primary focuses for fraudsters, who can leverage various attack vectors - such as account takeover and unauthorized card transactions - to exploit these vulnerabilities efficiently.
Pictured : Attacker places multiple orders in quick succession for Macbook, Airpods and iPhone, which have high demad and offered quick resale potential
Fraudsters target high-value, high-demand products that are easy to resell.
Fraudsters prefer fast-delivery options, which offer a higher chance of success in completing fraudulent transactions before detection. This makes preventative protection measures critical. We extracted the purchased items from our transaction data to identify high-risk products in their respective categories. As the holiday season approaches , we expect the trends observed to continue and further fraud related to these items in the future.
The Ecommerce and Retail category encompasses many well-known brands and products. If your business deals in these items, it's crucial to give special attention to transactions involving the following high-risk products.
Based on observed trends in our data, some of the most frequently targeted E-commerce and Retail categories and their products include:
Actionable Intelligence-driven insights such as these can be used to enrich merchant and fraud protection rules, having a significant monetary impact to your business
High-Value, High-Risk Items Drive Targeting : Consumer electronics, luxury goods, and digital assets like gift cards remain prime targets due to their high resale value and liquidity potential
The Takeaway & Food Delivery sector remains one of the most targeted industries, accounting for 27% of all observed fraud attempts observed by TTP Today. This trend may correlate with broader socio-economic factors, such as the rising cost of living and inflation, which have increased consumer demand for discounted or fraudulent transactions in this sector.
A large amount of Food Delivery Fraud is observed using known delivery services. Often times it is indistinguishable from regular transactions without applying advanced, pre-emptive threat intelligence techniques and methods of data identificaton and collection.
We observed a range of methods such as carding, bin attacks and stolen credentials.
The average order size observed is low; attackers use stolen accounts and cards to place multiple low-value orders to bypass existing security measures at both the retailer and the bank level of the transaction.
Pictured: attacker places multiple low value orders in quick succession to bypass existing security controls
They also use BIN attacks to identify BINs (Bank Identification Numbers - the first 6 digits of your card) which do not trigger additional verification, frequently traded and sold in black market cyber crime communities and used to boost attackers success.
Pictured: Attacker selling list of tested BINs for popular services and products
Once a BIN is confimed to be exploitable, attackers will obtain stolen cards of that type, example BIN known to allow low-value food orders with no protections:
BIN analysis can be an incredibly effective defense tool and an example of how our intelligence dataset can enhance your existing anti-fraud rulesets
Compromised credentials often play a part, obtained by methods including InfoStealer infections & credential stuffing.
Attackers often purchase stolen credentials from info-stealer services who have infected a wide range of accounts. These credentials are then tested aganst various services to determine which are valid. While bank card information is frequently saved to accounts to enable a better user-experience, this practice - along with weak/misconfgured CVV verification - can provide attackers with opportunities to compromise accounts and place orders using the existing banking information.
In addition to this, credential stuffing is used to take large numbers of emails and passwords from prior data breaches and test them for valid accounts on a service. This technique is far more effective than traditional password brute-force, as attackers can test a large volume of accounts in a short timeframe using credentials that are already known to work. They often leverage anonymous proxies and VPS services to launch large-scale attacks, further obscuring their activity
These advanced techniques are employed to bypass existing 2FA mechanisms and merchant security protections.
The Electronics category remains one of the most targeted sectors for fraud coming in at 15% , due to the high resale value and demand for devices from top-tier brands. Fraudsters consistently exploit this sector, taking advantage of weak spots in merchant protection systems and leveraging stolen credentials or cards to complete their orders. Apple hardware , gaming and a novel Ninja Air fryer showing culinary trends can affect the rate of fraud against a popular item.
High-Risk Electronics Items Observed In Our Data:
3.1.3: Popular methods observed in Electronics fraud : DNA/LIT/CARDING
DNA (Did Not Arrive): This method is particularly prominent in the electronics category due to its simplicity to execute. Fraudsters target expensive, single-item electronics such as MacBooks, AirPods, PS5s, Xbox consoles, and smartphones. They falsely claim that the purchased item never arrived at its destination to secure a refund or replacement. This tactic is especially effective when the sender lacks robust delivery verification processes or when delivery drivers (often rushed for time) take photo proof of a closed door as confirmation. In such cases, the buyer is often sided with, as retailers prioritize customer satisfaction, making it easier for fraudsters to exploit gaps in delivery tracking systems.
LIT (Lost in Transit): This method targets the shipment process, making it particularly effective for high-value electronics such as laptops, gaming consoles, and smartphones. Fraudsters intercept packages while they are en route to the buyer, often exploiting weaknesses in shipping systems. Common techniques include redirecting deliveries to alternate addresses through phishing or social engineering, collaborating with insiders at courier services, or using stolen tracking information to claim or reroute packages. Since these items are marked as "lost" in transit, the fraudster benefits from either obtaining the item or triggering a refund or replacement from the seller, capitalizing on gaps in shipment verification protocols.
Carding: This method involves the use of stolen, compromised or purchased credit card information to make unauthorized purchases, often targeting high-demand electronics such as smartphones, gaming consoles, and laptops due to their high resale value. Fraudsters test stolen card details by making small, low-risk transactions to ensure the card is still active before moving on to larger purchases. Electronics retailers are frequent targets because these items can be resold quickly for significant profit in a small amount of transactons.
7. Transportation.
The data we obtained in the 'Transportation' category allowed TTP Today's intelligence analysts to demonstrate the curated and unique nature of some of our intelligence streams.
The Rail Delivery Group trade association has previously reported that approximately £240 million is lost each year due to fare evasion on Britain’s railways.
A significant portion of this loss appears to be related to retail fraud, and investigations into fare dodging and enforcement efforts may have been misdirected.
Our data reveals that the most fraudulent ticket purchases occur on routes between Birmingham and London. Other frequently targeted routes include Leicester, Manchester, and Nottingham.
This trend highlights a preference among fraudsters for longer-distance, higher-cost travel options over local, shorter trips.
Our data shows the most fraudulent ticket purchases between Birmingham and London.
In Q1-Q3 2024, we observed many fraudulent transactions related to many rail journeys across the UK.
Train fares in Great Britain have increased in the past four years, with some notable increases in 2019, 2023, and 2024:
In 2019, Fares increased by 2.8% in January 2019, which was the first time in four years that fares rose more than the Retail Prices Index
In 2023, fares inreased by an average of 3.8% causing the government to cap the increase below inflation to ease the pain for passengers
In 2024; fares increased by 5.0% , competed with a 4.3% increase in the Retail Price Index. Off-Peak tickets increased by 5.4% and season tickets by 5.0%
As the price of tickets continues to disproportionately rise along wih inlflaton, a growing number of passengers are resorting to fraudulent ticket purchases and refund abuse to alleviate the financial strain and continue using the services they depend on. Many people rely on trains for their daily transportation and have little choice but to bear the high costs, which may drive some to seek alternative ways to make travel more affordable.
In 2024, a range of constantly evolving and adaptive methods are being used to exploit businesses and defraud them of goods and money worth thousands of pounds every day. Among these, refund schemes such as Did-Not-Arrive (DNA), Lost-In-Transit (LIT), fake or empty boxing, and carding remain prominent tactics.
In Transport, we often observe carding and BIN attacks, in addition to compromised credential attacks.
Additionally, while Gift Card Fraud accounts for only 5% of observed fraudulent transactions, its persistence is notable. Our analysis estimates a total loss of £182,934 due to gift card fraud, demonstrating that this type of fraud remains a significant challenge - truly the "gift that keeps on giving." The figure below further illustrates the ongoing impact of this method.
8 Attack Methods&protection insights:
Carding:
Attackers using stolen cards continues to be used to process fraudulent orders. They are purchased and traded on daknet markets, or obtained via technical hacking such as malware infections and database compromises.
Identifying Carding:
Once card numbers are obtained, Fraudsters are leveraging Bank Identification Number (BIN) testing to identify which BIN ranges bypass specific merchant rules, such as Two-Factor Authentication (2FA) requirements. These attackers conduct small test transactions to validate the card details and then trade or sell “successful” BIN ranges in underground marketplaces. Certain bins are discovered from banks which lack protections entirely. This allows them and others to process fraudulent transactions on systems that fail to enforce 2FA or other protective measures.
Another prevalent method involves One-Time Password (OTP) spoofing. In this scenario, attackers impersonate the victim’s bank, calling the victim and tricking them into sharing their OTP under the guise of "fraud protection" or account verification. With the OTP, attackers can easily authorise fraudulent transactions. This can often be achieved using automated bots fed with targeted scripts depending on the victim
Pictured: Attacker uses an OTP bot to bypass verifications of crypto wallet app
Some attackers go even further, employing SIM swapping to intercept SMS-based 2FA codes. By fraudulently convincing telecom providers, or exploiting unintended functionalities in online applications, attackers are able to transfer the victim's phone number to a SIM card under the attacker’s control. They gain direct access to SMS-based verifications, enabling them to complete unauthorised purchases or account takeovers.
Fraudulent transactions highlighted here are just the most common we observed in our data set. When we start getting down to campaigns categories that come and go during the year acting on fresh intelligence is essential to plug a fraud prevention or detection gap that fraudsters will exploit until the method is stopped .
As we approach peak shopping months, businesses must remain vigilant. Fraudulent activity is expected to spike, particularly targeting high-demand items and sectors.
In order to stay protected, businesses must implement:
By leveraging timely intelligence and data-driven insights, organisations can close critical fraud prevention gaps and stay ahead of evolving attack vectors.
If you'd like to discover how TTP Today can offer continuous brand security through real-time threat and fraud intelligence via an expert threat hunting & alerting web platform (or easily integrated into your existing tooling) - book a free 30-minute consultation today!