As people increasingly shop online, fraudsters are targeting weak points in the e-commerce ecosystem.

Losses from digital payments fraud in e-commerce are set to exceed $20 billion this year, according to a study by U.K. research firm Juniper. Malicious actors have targeted insecure fraud mitigation practices on online channels, especially those set -up by merchants new to online commerce and unfamiliar with advanced security practices.

“Credit card information came up frequently as a particular type of information that was regularly targeted, but what was evident was that all types of data were available for criminals,” Nick Maynard, lead analyst at Juniper, told Bank Automation News. Since the primary aim for fraudsters is financial gain, the report found that payments systems are the, “ideal target” and cybercriminals use a mix of social engineering techniques and technological know-how to circumvent fraud checks.

The study analyzed trends emerging in the online payments fraud space and the challenges presented by new attack vectors, including the use of synthetic, or partially fictional) identities and use of deep-fakes to fool know-your-customer systems. Compiled using interviews with fraud detection and prevention vendors, the report also carries a capacity and capability assessment for 17 major vendors including Microsoft, NuData and Lexis Nexis Risk Solutions.

Additional data compiled by the Federal Trade Commission shows that consumers reported nearly 1.4 million instances of identity theft in 2020, wherein a malicious actor appropriates identifying information, like a Social Security number or credit card , to commit fraud or theft. Reports of such fraud have risen exponentially with a rise in e-commerce usage, registering an uptick of more than 50% since 2019, according to the FTC.

Stolen credentials are also made available for sale on dark web marketplaces for prices ranging from $15 for a cloned Mastercard to $550 for a U.S. driver’s license, according to the Juniper study. BAN found one such listing on World Market, a popular darknet marketplace, that advertises stolen PayPal accounts for as little as $1.49, with the description noting that the account can be used for online shopping but, “We [the seller] are not responsible for [two-factor authentication]. There are plenty of guides available to get a successful login without triggering security questions,” the ad notes.

While fraud in digital payments appears to be a growing headache for e-commerce vendors, machine learning techniques may offer an alternative to rules-based procedures that adversaries have learned to circumvent. “By using machine learning, vendors can reduce the massive number of false positives associated with traditional rules-based systems, which is very helpful for merchants,” Maynard said.

Some banks, like the Toronto-based Scotiabank, have already started to use AI-powered behavioral biometrics to clamp down on online fraud. The systems monitor customer behavior during onboarding and flag anomalies, such as the device they’re using or keystroke input patterns, which indicate that they might be using fraudulently obtained information. Scotiabank uses machine learning models called “watchdogs” to flag suspicious customers.

“We have analyzed and we have trained these watchdogs to identify those customers that are fake,” Pablo Vidales Calderon, head of the $1.2 trillion Scotiabank’s AIDOX program, told BAN.

Although machine learning and AI-powered systems can offer some respite from fraudulent activity, loading up the payments process with too many security measures can also drive away customers.

“Friction in the checkout process can take many forms, such as having to confirm details repeatedly,” Maynard said, but if the users don’t have the information handy, it can also become a hurdle. “Users will be generally supportive of security processes, as long as they are not too onerous and are clearly labeled as such,” he added.

Loraine Lawson contributed to reporting.