7 types of e-commerce fraud and what to do about them
The holidays are the busiest shopping period for both online and physical stores. In 2021, the number of fraudulent e-commerce transactions increased by 25% compared to the previous year. There is no denying that e-commerce is an easy target for fraudsters, so that is where they like to attack. The truth is that e-commerce fraud is a threat that we must recognize and address.
If you are a small business or a start-up e-commerce company, you are especially vulnerable to e-commerce fraud. You may not have the security measures in place to protect your data. Or maybe you're not familiar with data security best practices.
Anyway, if you have an online shop, you should do everything you can to tighten up your online security. We'll tell you why, but first the basics.
Understanding fraud in eCommerce
E-commerce fraud is an intentional act of deception in which a cybercriminal or a fraudulent customer defrauds you during your sales transactions. Such fraudulent activities will certainly cause you financial loss, but they can also adversely affect your reputation, brand image and customer relationships.
The scam must remain undetected to be successful, at least until after the transaction. However, it may be difficult to prosecute the fraudster even when you discover his activities.
Unlike in a physical store, a scammer can commit e-commerce fraud without even using a debit card to make a transaction.
The amounts involved in individual incidents are usually not significant. It also takes a lot of time and effort to gather evidence and prove criminal intent.
But that's exactly the course of action you shouldn't follow. Here's why.
The value of fraudulent card transactions was $32.04 billion worldwide in 2021 and is expected to reach $38.5 billion in 2027. Closer to home, the true cost of e-commerce fraud to merchants is $3.60 for every $1 lost to fraud, due to chargeback fees, penalties and loss of customer trust.
So it's important to devote resources to preventing e-commerce fraud rather than incurring large losses that affect your bottom line. But we're getting ahead of ourselves. Before we talk about how to prevent fraud, let's look at why it happens in the first place.
Why is e-commerce fraud so common?
There is no denying that the Internet is helping online business owners like you reach larger markets and level the playing field. But it has its vices that fraudulent customers or cybercriminals use to their advantage.
In fact, e-commerce fraud is very widespread because:
It is easy to cheat online
Fraudsters need to do absolutely nothing physical to carry out their nefarious plans. They don't need to steal credit cards or go dumpster diving for discarded ATM receipts to use later.
E-commerce fraud only requires access to credit card information, which a fraudster can obtain from the dark web. Considering that in early 2019, 23 million stolen credit cards were for sale on the dark web, you can estimate how serious the problem is.
An online store that unknowingly conducts transactions with stolen cards will likely receive chargebacks from the credit card company.
It is always unseen
Because all of this fraud takes place in online shops, fraudsters enjoy anonymity in their schemes. They work unseen and can carry out their activities at any time and from any place.
Typically, a fraudster creates a fake email account and uses PO boxes for their addresses. These do not contain any personally identifiable information, so they can be sure that the act cannot be traced back to them.
It is almost never prosecuted
Most e-commerce fraud involves relatively small amounts, so it may not be a priority for law enforcement to investigate. Collecting evidence also takes time and effort, to say nothing of proving intent.
This is especially true when an investigation traces the crime to another country. Fraudsters count on that, and it makes them bold.
You are essentially on your own when it comes to e-commerce fraud. You also bear the responsibility of securing your customers' information from unseen bad actors.
Different types of fraud in eCommerce
E-commerce fraud takes many forms, and some are easier to detect than others. Find out what the most common types of fraud are and how they occur. This can help you develop strategies to prevent them, which we will discuss later.
Credit Card Fraud
When someone uses a stolen credit/debit card to make online purchases, it falls under what we call Credit Card Fraud. Also known as card-not-present fraud, it is the most well-known form of e-commerce fraud.
In most cases, the fraudster obtains cardholder information, including name, account number, billing address, Card Verification Value (CVV) code and expiration date, through the following methods:
From the dark web
Via a phishing attack
Or by hacking your customer database
Once you complete the transaction, the amount is charged to the legitimate cardholder's account. At some point, if the cardholder disputes the transaction or the issuing bank deems the transaction fraudulent, you will eventually have to issue a refund.
Not only do you lose money for the product or service, but you are also liable for chargeback fees and other penalties.
Card testing fraud
You can also fall victim to card testing fraud, also called card cracking. This happens when fraudsters run multiple cards through bots or scripts to figure out which ones are active. In most cases of card testing fraud, the purchases are so small that it does you little good to file reports in order to track the fraudsters down.
Fraudsters test the validity of the card using this method. They do not make purchases.
If you as a merchant allow the transaction, the fraudster will use that card to make as many purchases as he can until the card is maxed out or the bank blocks the card.
Card cracking can be quite costly. One study estimates that card cracking accounts for about 16% of all e-commerce fraud.
Friendly fraud
The next point we will discuss is "friendly fraud" or "chargeback fraud." This is when a customer makes an online purchase with a credit card and then disputes it as an invalid transaction.
In most cases, the buyer waits weeks, even months, after receiving the products or services before challenging the transaction with his bank, citing one of the following arguments:
Never received the item/service
Returned the item to the seller
Cancelled the order
Received the wrong item
The scammer hopes you won't have time to challenge the dispute or that you will give him the benefit of the doubt. In either case, the issuing bank deposits the disputed amount back into the account, so the fraudster gets the product or service and his money back.
In the meantime, the credit card provider will send you a chargeback, which means you'll have to pay back the money for that transaction. Don't forget that you'll probably have to pay chargeback fees as well.
Enough friendly fraud can break any e-commerce business's back. That's not so friendly, is it?
However, not all friendly fraud is intentional.
For example, a customer may dispute a transaction because the delivery was so delayed that it was no longer needed. Another common reason is that the description of the purchase on the credit card is unclear, leaving the cardholder confused and thinking it was not a valid purchase.
Whether intentional or not, friendly fraud costs merchants like you a lot of money and effort.
Refund Fraud
Refund fraud is a little more complicated than regular credit card fraud. The fraudster uses a stolen card to make an online purchase. After he receives the item, he contacts you to say he wants to return the item and ask for his money back.
However, the trick is that they ask you to send the refund to another account. This is because the credit card they originally used is no longer active. The result is that you end up paying twice: once to the fraudster and a refund to the legitimate cardholder.
Although you will usually get back the item the fraudster purchased, such unscrupulous activity will still cause you financial loss.
Account Takeover Fraud
Online shops usually require customers to create an account with their personal and transaction information. In account takeover fraud, a hacker gains control of these accounts through phishing emails. In these emails, your customers are tricked into handing over information such as their usernames and passwords. The fraudster logs into the account, changes the passwords, withdraws money and buys stuff.
You can do virtually nothing to prevent account takeover fraud if customers fall for phishing scams or use the same password for all their accounts. However, you remain responsible for refunds, chargebacks and fees.
Intercept Fraud
Intercept fraud is very similar to credit card fraud. But instead of using a PO Box or other anonymous location as the delivery address, the scammers have the items delivered to the address of the legitimate credit card holder. Then they intercept the package before it reaches the cardholder.
A common tactic is to call your customer service, marketplace (e.g. Amazon) or courier (e.g. FedEx) and ask to change the delivery address. Some may even physically intercept the package if they are in the same area as the cardholder, by going to the address and signing for it.
Triangle Fraud
Triangle fraud, like "bait and switch," involves a legitimate buyer, a real web shop and a fake "storefront." The scammer operates the fake storefront and sells expensive items at ridiculously low prices. Shoppers are attracted to the bargain and end up buying these goods with a credit card.
The scammer, now armed with his customers' credit card information, buys items from the web shop at normal prices and ships them to his customers. The fraudster can also buy items to send to himself.
The legitimate cardholder often does not discover the fraud until later because he expects the purchase to show up on his account statement.
The result is that the customer gets the item at a low price (they think), the fraudster profits from the goods they ship to themselves, and you, the merchant, pay for chargebacks to the stolen cards. It is always the merchant who loses in these stories.
Identifying e-commerce fraud
Given the many ways you can become a victim of fraud, it is in your best interest to recognize these deceptive practices. Keep in mind that there's not much you can do; fraudsters are pretty cunning. However, you can catch the low-hanging fruit by carefully investigating the following:
Inconsistencies in zip code, city, IP address and email address
Significantly larger or frequent purchases by an existing customer relative to his usual buying behavior
Rush orders with multiples of one SKU
Change of location, especially different countries
Shipping to different addresses
Back-to-back purchases outside of high season
Multiple purchases with many different credit cards
Multiple unsuccessful attempts to enter card information, resulting in declined transactions
Multiple purchases from an unusual place in a short period of time, for example 20 orders from a country from which you have never received an order before
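Several of the per-order warning signs in this list can be checked automatically before an order ships. The following is an added example, not part of the original article: the field names, the sample orders and history, and the thresholds (`spend_factor`, `qty_threshold`, `min_flags`) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    customer: str
    amount: float
    billing_country: str
    ip_country: str
    billing_zip: str
    shipping_zip: str
    rush: bool
    max_qty_one_sku: int

# Constructed history: past order amounts and usual IP country per customer.
HISTORY = {
    "alice": {"amounts": [40.0, 55.0, 60.0, 45.0], "country": "NL"},
    "bob": {"amounts": [900.0, 1100.0, 1000.0], "country": "DE"},
}

def screen(order, history=HISTORY, spend_factor=3.0, qty_threshold=5):
    """Return the warning signs an order triggers (empty list = nothing flagged)."""
    flags = []
    if order.billing_country != order.ip_country:
        flags.append("ip_billing_country_mismatch")
    if order.billing_zip != order.shipping_zip:
        flags.append("ships_to_different_address")
    if order.rush and order.max_qty_one_sku >= qty_threshold:
        flags.append("rush_order_multiple_same_sku")
    past = history.get(order.customer)
    if past:  # behavioral checks need a baseline; new customers skip them
        usual = sorted(past["amounts"])[len(past["amounts"]) // 2]  # median
        if order.amount > spend_factor * usual:
            flags.append("amount_far_above_usual")
        if order.ip_country != past["country"]:
            flags.append("location_changed_country")
    return flags

def needs_review(order, min_flags=2):
    """Hold an order for manual review once several independent signs line up."""
    return len(screen(order)) >= min_flags

ORDERS = [  # constructed sample orders
    Order("alice", 50.0, "NL", "NL", "1011", "1011", False, 1),
    Order("alice", 480.0, "NL", "BR", "1011", "9040", True, 8),
    Order("bob", 1200.0, "DE", "DE", "10115", "80331", False, 2),
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o.customer, o.amount, screen(o), "REVIEW" if needs_review(o) else "ok")
```

Requiring more than one flag before holding an order keeps a single benign signal, such as a gift shipped to another address, from blocking a legitimate customer.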
Preventing e-commerce fraud
As a small online business owner, you may think that you are of no interest to cybercriminals. On the contrary, fraudsters target small businesses because they are less likely to have e-commerce credit card fraud prevention, security protocols and the resources to prosecute a fraud case.
Recognizing fraud when it occurs is helpful, but it is much better if you prevent fraud altogether.
There are many ways you can prevent fraud, and some you can implement immediately at little to no cost. Others may require a little more investment, but they are worth it if they can minimize fraud on your site.
Implement fraud prevention solutions
Those who commit e-commerce fraud are getting smarter by the day. Protecting your business from this requires advanced e-commerce fraud prevention measures and techniques.
Automated fraud detection and prevention solutions can help you nip scams in the bud.
Shopify, for example, includes an e-commerce fraud detection tool that analyzes trends to help webshops detect potential fraud. It also supports third-party apps for fraud protection, some of which are free to screen up to 500 orders per month. If you have a Shopify store, we encourage you to sign up for one of these apps pronto!
Other e-commerce marketplaces or website hosting platforms may also offer integrations with fraud prevention solutions. WordPress, for example, has numerous fraud prevention plugins.
Check the site regularly
Criminals are constantly looking for holes in the fence to exploit you. Keep them out by checking the following regularly:
Shopping cart and plugin updates
SSL Certificate Validity
PCI-DSS (Payment Card Industry Data Security Standard) compliance.
Backups
Password strength for backend access, FTPs and databases
Scans for malware
Data encryption
Inactive plugin status (remove them)
Ensure PCI compliance
E-commerce stores that accept credit cards must comply with PCI-DSS standards. Compliance means that you avoid fines, costs and possible lawsuits. It also means that your webshop and business processes ensure the security of credit card data.
There are 12 requirements for PCI-DSS compliance. These include:
Installing and maintaining firewalls to protect cardholder data
Changing vendor-provided default values for system and security passwords
Protecting cardholder information
Encrypting cardholder data sent over public networks
Using updated antivirus software
Developing and maintaining secure applications and systems
Restricting access to cardholder data
Assigning unique IDs to anyone with access to stored cardholder data
Limiting physical access to cardholder information
Tracking access to network resources
Regular testing of security processes and systems
Maintaining information security policies for contractors and employees
This may seem like a lot of work, but some e-commerce platforms, like BigCommerce, are PCI-compliant by default. That means most of the work is already done for you. Some web hosting sites also offer PCI-compliant options.
Check regularly for suspicious activity
You can't walk down the aisles of your online store like you would at a physical store. But you can keep an eye out for fraud such as strange IP addresses, incorrect billing and delivery addresses, or multiple delivery addresses for the same accounts.
You can also use velocity monitoring tools to track buyer behavior and detect unusual activity. Check regularly, especially during busy buying seasons like the holidays. That's when fraudsters come out of the woodwork. They count on their transactions being lost in the crowd.
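A velocity check of the kind such tools perform can be sketched as a sliding window over payment attempts, which is also how the card testing pattern described earlier shows up in logs. This is an added example, not part of the original article: the log format, the IP addresses (documentation ranges), and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed payment-attempt log: "ISO-time source-ip card-last4 result".
# Only the last four digits are kept; full card numbers do not belong in logs.
LOG = """\
2024-11-29T10:00:01 203.0.113.7 4242 declined
2024-11-29T10:00:09 203.0.113.7 1881 declined
2024-11-29T10:00:15 203.0.113.7 0005 declined
2024-11-29T10:00:22 203.0.113.7 9424 approved
2024-11-29T10:02:00 198.51.100.4 1111 declined
2024-11-29T10:02:40 198.51.100.4 1111 approved
2024-11-29T11:30:00 203.0.113.7 7777 declined
"""

def velocity_alerts(log, window=timedelta(minutes=5), max_cards=3, max_declines=3):
    """Return (time, ip, reason) for each attempt that pushes an IP over a limit."""
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, ip, card, result = line.split()
        ts = datetime.fromisoformat(stamp)
        attempts = recent[ip]
        attempts.append((ts, card, result))
        while ts - attempts[0][0] > window:  # drop attempts older than the window
            attempts.popleft()
        cards = {c for _, c, _ in attempts}
        declines = sum(1 for _, _, r in attempts if r == "declined")
        if len(cards) > max_cards:
            alerts.append((ts, ip, "many_cards"))
        elif declines >= max_declines:
            alerts.append((ts, ip, "repeated_declines"))
    return alerts

if __name__ == "__main__":
    for ts, ip, reason in velocity_alerts(LOG):
        print(ts.isoformat(), ip, reason)
```

The customer at 198.51.100.4 who mistypes once and then succeeds with the same card raises no alert, and the attempt at 11:30 is judged on its own because the earlier burst has aged out of the window.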
Go for the address verification service
Most card issuing banks and credit card companies offer their merchants an address verification service (AVS) for a small fee (usually between 0.01 and 0.10 cents per transaction).
Through this process, the bank compares the billing address provided for a credit card with the address it has on file. This is all part of its authorization process. If the addresses do not match, the bank stops the transaction.
You may choose not to use AVS, but that may not be a good idea. Such a nominal fee is well worth the security it provides you.
Ask about the CVV
The Card Verification Value (CVV) is usually the three- or four-digit security code etched on the back of a credit card. You can require your customers to enter this value for all online purchases. While it is an extra step, it can help you verify the legitimacy of a transaction.
Like AVS, you can choose not to ask your customers to enter the CVV for their online purchases. Unlike AVS, there is no cost associated with asking for a CVV, so it makes perfect sense to ask for one.
Using HTTPS
You probably already know that you should prefer sites served over HTTPS (Hypertext Transfer Protocol Secure) because it offers better data security than HTTP. But did you know that you don't automatically get HTTPS when you build your web shop?
For example, for a WordPress site, you need to obtain a Secure Sockets Layer (SSL) certificate and follow a few steps to enable HTTPS yourself.
Use HTTPS for your site to encrypt data sent to and from your webshop whenever a public network is involved. It is an excellent way to stop fraudsters.
Limiting the collection of customer data
Do not collect unnecessary personally identifiable or sensitive financial information from your customers, such as birth dates and Social Security numbers.
Collect only what you need to complete a transaction to reduce your risks if someone hacks your database. If you don't have it, they can't get it.
It is fine to collect as much information as possible about your customers' preferences and annoyances to use for your ad marketing.
Blacklist of potential fraudsters
Finding customers is hard, but you should take a tough stance if you think a customer is committing fraud on your site. Put them on a reject list. It's not a perfect solution, but it will prevent them from making transactions with your company.
Fraudsters can always come back with a new identity, but it helps to have a record.
Imposing a purchase limit
Does that sound counterintuitive? Let us explain. You can set limits based on your customers' expected behavior. This will help you sniff out any suspicious behavior.
For example, if customer A buys between €100 and €150 of products per month, you can set a limit of €200. On the other hand, if customer B usually buys between €1,000 and €1,500 per month, your limit would be €2,000.
Always ask for a physical address
You can refuse to execute transactions if the delivery is to a PO Box or virtual addresses, such as those of freight forwarders (if you see a container number like #ABC-1234567, that's a freight forwarder). In fact, you should.
Most fraudsters use such anonymous addresses to avoid revealing anything personal, such as their actual address.
Keep e-commerce fraud at bay
E-commerce fraud is the Achilles' heel of all online sellers, but that doesn't mean you have to take it lying down. It's almost impossible to avoid e-commerce fraud if you're an online merchant. But you can minimize it by being aware and knowing what steps you can take.
It won't be easy, but it will be worth the effort to make your web shop as secure as possible.
A web shop has distinct advantages over a physical store, not the least of which are lower operating and overhead costs. But it is not without its drawbacks. One is that as more people make purchases online, doubling sales for many retailers, the number of fraud cases also increases by 69% per year. In 2019, online retailers faced more than 200,000 attacks on their stores every month.
Even if only a few are successful, the consequences can still be severe.