The Rising Threat of Disposable Email Addresses in Payment Fraud
Disposable email addresses are temporary email accounts that can be easily created and discarded. While they have legitimate uses, they pose a threat to online merchants as they enable payment fraud and abuse.
In the current digital era, online merchants face increasing challenges from growing customer expectations, fierce marketplace competition, and the rising security threat posed by hackers. Amid all this, payment fraud is one of the oldest and most persistent hazards, leading not only to revenue losses through chargebacks but also to undeserved reputation damage.
Payment fraud refers to any fraudulent or illegal transaction carried out through an online platform. Such fraud may involve the use of stolen credit cards, identity theft, account takeover, phishing or malware.
According to Juniper Research, losses from payment fraud are expected to rise from $22 billion in 2018 to $48 billion by 2023.
What are disposable email addresses?
Disposable email addresses are also known as temporary email addresses, throwaway email addresses, or burner email addresses. They are email accounts that users create and then abandon once the accounts have served their purpose. They are normally issued by free online services that randomly generate unique addresses, with different names, across thousands of domains. Popular disposable email services include TempMailo, Mail.tm and Temp Mail.
A disposable email address can be created with a single click, together with an inbox for actions such as account verification or receiving confirmation emails. The user can then delete the address or wait for it to expire after a certain period.
Legitimate use cases of disposable email addresses
- Protecting personal privacy and avoiding spam
- Testing web applications or software
On the other hand, disposable email accounts are commonly used by hackers to create bogus accounts for fraudulent activities. Their temporary nature is an advantage to hackers, since it takes only seconds to generate an arbitrary email address and discard it afterwards. This makes it harder for merchants to track and identify them.
How do disposable email addresses work?
Disposable email addresses work by using a combination of random characters and domain names to generate unique email addresses. For example, a user can create a disposable email address like this: "[email protected]".
The user can then use this email address to sign up for an online service or make a purchase on an e-commerce site. The inbox can be accessed either through the service provider's website or by keying in the email address directly in a web browser.
The user can then receive emails from the online service or the merchant and take the required action, such as verifying the account or confirming the order. The user may also need to send emails from the disposable email address.
Why are disposable email addresses a threat to online merchants?
Disposable email addresses are a threat to online merchants because they enable payment fraud and abuse in various ways, such as:
- Stolen credit card fraud: Fraudsters use disposable email addresses to create fictitious accounts and place orders with stolen credit card information. They can then discard the disposable email address before either the merchant or the cardholder notices the fraudulent transaction.
- Chargeback fraud: Fraudsters can also make purchases with their own credit cards and later request chargebacks from their banks after receiving the goods or services. They may claim that they did not authorise the transaction or that they never received the ordered products. They can then delete the disposable email address so that neither the merchant nor the bank can contact them about the transaction.
- Account takeover fraud: Fraudsters can use disposable email addresses to take over the existing accounts of legitimate customers by resetting their passwords or changing their personal details. They then use the compromised accounts to make fraudulent purchases or access sensitive data. After securing the stolen data, they may delete the disposable email address.
- Free trial fraud: Fraudsters sign up with temporary email accounts for free trials or promotions that require email verification. This lets them enjoy those trials or benefits at no cost, and sometimes without their real identities being detected. They can also create multiple accounts with different disposable email addresses to abuse the trial or promotion.
- Refund fraud: Fraudsters can use disposable email addresses to claim refunds for goods or services that were not procured or that may have been prearranged. Likewise, they can discard the disposable email address so that no one can trace them or enquire about what they ordered.
These types of fraud and abuse can result in significant losses for online merchants, such as:
- Revenue loss: Merchants lose revenue to fraudulent transactions, chargebacks, refunds and free trials. They also incur extra costs for processing fees, fraud prevention tools, and customer care.
- Reputation damage: Unhappy customers damage a merchant's reputation through unfavourable reviews and poor ratings. Merchants who retain the trust and loyalty of their customers can secure long-term growth and profitability.
- Legal liability: Merchants may be held liable by regulatory authorities, card networks and the banks they deal with if they fail to meet compliance rules and security standards. Customers or partners may also bring lawsuits over a breach of contract or data protection.
How to block disposable email addresses effectively?
Blocking disposable email addresses is one of the most efficient ways to reduce payment fraud and abuse on online platforms. Yet it is not an easy task, because disposable email services are constantly adding new domains and new ways of creating addresses.
Some of the common methods that merchants use to block disposable email addresses are:
- Blacklisting domains: Merchants can maintain a list of known disposable email domains and reject any email address that uses one of them. Unfortunately, such a list achieves very little, because the large number of disposable email services can produce new domains faster than merchants can update their blacklist. Moreover, this method can block legitimate email addresses that happen to use the same domain as a disposable email service provider.
- Whitelisting domains: A merchant can keep a list of trusted email domains and accept only email addresses from those domains. However, this is overly exclusive, since many legitimate customers use free or personal providers. Moreover, this method can also allow fraudulent email addresses that use spoofed or hacked domains.
- Verifying emails: Merchants can also send confirmation emails or use third-party tools to confirm that an email address is valid and deliverable. However, this does not work well, because disposable email services handle these mechanisms and respond to confirmation emails too. Additionally, this method tends to irritate real customers, who have to go through extra steps to verify their email addresses.
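The three methods above can be combined into a single signup check. The following is an added example, not code from the original article or from any vendor: it rejects blocklisted domains (matching subdomains on DNS label boundaries so that look-alike legitimate domains are not blocked by accident), accepts exact allowlist matches, and routes unknown domains to further verification. All domain names, list contents and function names are constructed for illustration.

```python
from typing import Optional

# Constructed sample lists (reserved .example TLD); not real provider data.
BLOCKLIST = {"tempinbox.example", "burner.example"}   # known disposable domains
ALLOWLIST = {"bigmail.example", "partner.example"}    # trusted domains


def normalize_domain(address: str) -> Optional[str]:
    """Return the lower-cased, IDNA-encoded domain, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.rstrip(".").lower()
    try:
        # Encode to ASCII so a Unicode spelling cannot slip past an ASCII list entry.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return domain if "." in domain else None


def listed(domain: str, entries: set) -> bool:
    """True if the domain or one of its parent domains is in entries.

    Comparison is per DNS label, so 'notburner.example' does not match
    'burner.example', while 'mx1.burner.example' does.
    """
    labels = domain.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels) - 1))


def screen_signup(address: str) -> str:
    """Return 'reject', 'accept' or 'review' for a signup email address."""
    domain = normalize_domain(address)
    if domain is None:
        return "reject"   # malformed address
    if listed(domain, BLOCKLIST):
        return "reject"   # disposable provider or a subdomain of one
    if domain in ALLOWLIST:
        return "accept"   # exact match only; subdomains are not trusted
    # Unknown domain: blocklists lag behind new disposable domains, so do not
    # trust it outright; send it to email verification or other risk checks.
    return "review"
```

Returning "review" instead of "accept" for unknown domains reflects the limitation noted above: a static list cannot keep up with newly registered disposable domains.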
A better way to block disposable email addresses is to use a dedicated service that can detect and filter them in real time. For example, Greip is a service aimed exclusively at helping online merchants keep payment fraud and abuse to a minimum by blocking disposable email addresses along with other key risk factors. You can refer to the documentation page for more information about blocking disposable emails using the Greip API.
Greip APIs work by using advanced algorithms and machine learning to analyse the characteristics and behaviour of email addresses. They can identify disposable email addresses based on various factors.
To sum up, throwaway email addresses pose an urgent danger to online sellers and add to the ever-growing concern of fraudulent payments. Although there are different tactics for blocking these emails, using specific services such as Greip brings immediate, workable answers.