Given the popularity of online shopping, it’s no surprise that eCommerce stores are a prime target for cybercriminals. Ecommerce fraud is so common that retailers are expected to lose $20 billion to fraud in 2021, with some of the biggest threats including identity theft, chargeback fraud, and account takeovers.
Ecommerce fraud was already out of control in 2020: research indicates that 9 in 10 merchants lost revenue due to payment fraud, and 55% of merchants reported higher chargeback levels.
However, while eCommerce fraud is a significant threat to eCommerce sites, a substantial proportion of retailers are poorly prepared to confront the reality of modern fraud. Javelin Strategy & Research has identified that only 34% of businesses are investing in fraud prevention and mitigation, which limits the level of support they can offer to customers in cases of identity theft.
As a result, in this eCommerce fraud guide, we’re going to highlight some of the most common tactics that fraudsters are using to steal customers’ identities and credit card details and examine what consumers and businesses can do to protect themselves against fraudsters.
What is eCommerce Fraud? Six Types of eCommerce Fraud
eCommerce fraud is a term that describes any type of fraud that takes place on an eCommerce site. This includes everything from a fraudster stealing a victim’s credit card details to buy a product on a legitimate site, to tricking users into clicking on fake affiliate ads, to posting scam listings or even creating phony eCommerce sites.
We’re going to look at some of the most common types of eCommerce fraud below:
1. Credit Card Fraud
Credit card fraud is one of the most common forms of eCommerce fraud, where a criminal obtains the victim’s credit card details and uses them to make a fraudulent purchase on an eCommerce site. According to the FTC, credit card fraud was the second most commonly reported type of identity theft in 2020.
Most credit card fraud occurs when a fraudster obtains a customer’s credit card details, either by harvesting them from a publicly leaked database or by snooping on the victim’s physical mail.
While there are anti-fraud tools that retailers can use to detect credit card fraud, these solutions can still miss illegitimate purchases. It’s often better to use an Address Verification Service (AVS) to check if the customer’s address matches the card’s billing address and block transactions where this isn’t the case.
Preventing credit card fraud is also difficult for consumers because it’s challenging to identify when someone’s stolen your details. However, you can make it easier to detect credit fraud by checking your credit report more regularly or signing up for an identity theft protection and credit monitoring service that will notify you when your details are leaked or used.
2. Chargeback fraud (Friendly Fraud)
Chargeback fraud is another common type of eCommerce fraud. A customer or fraudster purchases an item or service online and then requests a chargeback from their bank instead of requesting a refund from the merchant.
While many consumers request chargebacks without ill intent, fraudsters will often commit chargeback fraud by checking out with items and contacting the payment processor to claim that the goods never arrived. The merchant is then left with the cost of processing the chargeback and the lost value of the product and shipping charges.
The best way for merchants to address chargeback fraud is by using a chargeback management tool. Chargeback management software can catch fraudulent purchases at checkout to reduce chargeback fees and the amount of time you spend resolving fraud cases.
3. Account Takeover Fraud
Account takeover fraud is where a malicious entity gains access to a user’s online eCommerce account and then uses the victim’s payment details to complete fraudulent purchases. There are many ways account takeover fraud can take place. Standard methods include credential stuffing, harvesting the login details from the victim with a phishing scam, or obtaining their details online from a leaked database.
Many eCommerce providers struggle to detect account takeover fraud because attackers often use VPNs and proxies to mimic the victim’s location to avoid raising any red flags.
The best way to combat account takeover fraud is to use fraud management filters, which you can use to automatically decline suspicious transactions and set minimum and maximum amounts of purchases. Two-factor authentication also makes it harder for attackers to brute force users’ login details.
Consumers can protect themselves from account takeover fraud by selecting strong passwords to make their credentials harder to brute force, and by not clicking on links and attachments in emails from unknown senders to stay protected from phishing scams.
4. Interception Fraud
Interception fraud is a type of fraud where a criminal will create a fraudulent order on an eCommerce site using someone else’s payment details, with a billing and shipping address that matches the victim’s actual address, so they can attempt to intercept the package on the way.
During an interception fraud attempt, the fraudster will either ask a customer service representative or shipper to change the address post-checkout or physically wait to intercept the package before the victim.
One of the most effective ways for eCommerce brands to combat this type of fraud is to advise customer service representatives not to change addresses post-checkout unless necessary. While this won’t completely stop the problem, it does make interception fraud harder to pull off.
5. Card Testing Fraud
Card testing fraud is a type of fraud where cybercriminals will test the validity of stolen payment details by making a small test purchase on an eCommerce site to check that the details are correct before making larger purchases on other sites.
This is a popular form of fraud because even if the card is declined, the criminal can use the content included in the failure message to identify which piece of information was incorrect.
For example, a fraudster may create a small test purchase to which the merchant responds with an email message saying the card was declined because the billing address was incorrect. The criminal now knows what information they need to change to complete a fraudulent purchase.
Combining AVS checks with CVV checks, and requiring customers to enter the three-digit security code on the back of their card, can help make it more difficult for fraudsters to commit card testing fraud. In addition, implementing CAPTCHA challenges and limits on the number of transactions permitted over a given period can also help.
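The sketch below is an added example, not code from any fraud tool named on this page. It shows the two controls this section points to: a limit on declined attempts per client over a time window, and a single customer-facing decline message so the response never says which detail was wrong. The client key, thresholds, reason strings and processor response shape are all assumptions.

```python
from collections import defaultdict, deque

# Same customer-facing text for every decline: never reveal which field failed.
GENERIC_DECLINE = "Payment could not be processed. Check your details or contact your bank."

class CardTestingGuard:
    """Sliding-window cap on declined attempts per client key (hypothetical design)."""
    def __init__(self, max_declines=3, window_seconds=600):
        self.max_declines = max_declines
        self.window = window_seconds
        self._declines = defaultdict(deque)  # client key -> decline timestamps

    def _recent(self, key, now):
        q = self._declines[key]
        while q and now - q[0] > self.window:  # drop declines outside the window
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._recent(key, now)) >= self.max_declines

    def record_decline(self, key, now):
        self._recent(key, now).append(now)

def handle_payment(guard, key, result, now):
    """Return (status, customer_message, internal_reason) for one attempt."""
    # `result` is a constructed stand-in for a processor response; its
    # "reason" is logged internally and never shown to the customer.
    if guard.is_blocked(key, now):
        # Too many recent declines: require a CAPTCHA or manual review instead.
        return ("challenge", GENERIC_DECLINE, "velocity_limit")
    if result["approved"]:
        return ("approved", "Payment accepted.", "ok")
    guard.record_decline(key, now)
    return ("declined", GENERIC_DECLINE, result["reason"])

def simulate():
    """Constructed run: one client cycling through guesses, ten seconds apart."""
    guard = CardTestingGuard(max_declines=3, window_seconds=600)
    reasons = ["avs_mismatch", "cvv_mismatch", "avs_mismatch", "cvv_mismatch"]
    out = [handle_payment(guard, "client-A", {"approved": False, "reason": r}, t * 10)
           for t, r in enumerate(reasons)]
    # A different client is unaffected by client-A's declines.
    out.append(handle_payment(guard, "client-B", {"approved": True, "reason": "ok"}, 40))
    return out

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The fourth attempt from the same client is answered with a challenge rather than being sent for authorization, and every declined attempt carries the same message while the specific reason stays in the internal log.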
6. Triangulation Fraud
Triangulation fraud is a type of fraud where a fraudster sets up an online store on a platform like Amazon or Shopify and proceeds to sell goods below market value to acquire new customers.
Once the fraudster lures a customer into placing an order at their shop, the fraudster harvests the customer’s credit card number, then uses the stolen details to purchase the goods from a legitimate store and has them shipped to the customer’s address.
Triangulation fraud can be challenging to detect, but one typical sign for eCommerce providers to look out for is if a customer is placing regular orders of the same products and shipping them to different addresses.
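One way a merchant could check order history for the sign described above, as an added example that is not taken from any product mentioned on this page. The order fields, thresholds and sample orders are constructed assumptions.

```python
from collections import defaultdict

def normalize_address(addr):
    """Lowercase and strip punctuation so trivial variants compare equal."""
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in addr)
    return " ".join(cleaned.split())

def flag_repeat_multi_address(orders, min_orders=3, min_addresses=3):
    """Flag (customer, product) pairs ordered repeatedly to many addresses.

    Thresholds are illustrative assumptions; tune them against real order
    history, since gift senders and resellers can look similar.
    """
    by_pair = defaultdict(list)
    for o in orders:
        by_pair[(o["customer_id"], o["sku"])].append(normalize_address(o["ship_to"]))
    flagged = []
    for (customer, sku), addrs in by_pair.items():
        distinct = len(set(addrs))
        if len(addrs) >= min_orders and distinct >= min_addresses:
            flagged.append({"customer_id": customer, "sku": sku,
                            "orders": len(addrs), "distinct_addresses": distinct})
    return sorted(flagged, key=lambda f: f["distinct_addresses"], reverse=True)

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    {"customer_id": "C-1001", "sku": "HEADSET-X", "ship_to": "12 Oak St, Leeds"},
    {"customer_id": "C-1001", "sku": "HEADSET-X", "ship_to": "7 Elm Rd, York"},
    {"customer_id": "C-1001", "sku": "HEADSET-X", "ship_to": "3 Mill Ln, Hull"},
    {"customer_id": "C-1001", "sku": "HEADSET-X", "ship_to": "90 High St, Bath"},
    # Same address written three ways: repeat buyer, not a signal.
    {"customer_id": "C-2002", "sku": "COFFEE-1KG", "ship_to": "5 Park Ave."},
    {"customer_id": "C-2002", "sku": "COFFEE-1KG", "ship_to": "5 PARK AVE"},
    {"customer_id": "C-2002", "sku": "COFFEE-1KG", "ship_to": "5  park ave"},
    # Different products to two addresses: below both thresholds.
    {"customer_id": "C-3003", "sku": "LAMP-01", "ship_to": "1 Quay Rd"},
    {"customer_id": "C-3003", "sku": "MUG-02", "ship_to": "2 Quay Rd"},
]

if __name__ == "__main__":
    for hit in flag_repeat_multi_address(SAMPLE_ORDERS):
        print(hit)
```

A hit is a prompt for manual review rather than proof of fraud.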
Consumers can avoid triangulation fraud by only shopping with trusted brands with an established reputation and being skeptical of less established stores offering goods below market value.
How to Prevent eCommerce Fraud
If you’re selling goods online, then having a well-balanced and mature fraud prevention strategy in place is critical for making sure that you’re protected against fraudulent purchases.
While it’s impossible to prevent fraudsters from slipping through the net entirely, there are some simple steps you can take to reduce the likelihood of this happening considerably. These include:
Use eCommerce Fraud Prevention Software
One of the first things you should do to reduce the chance of eCommerce fraud is to use eCommerce fraud prevention software. This software will enable you to manage fraud by using AI to approve legitimate transactions and block fraudulent transactions automatically.
Automated detection of malicious transactions helps to reduce instances of fraud and decrease the amount of money you’re spending on chargeback costs. It also helps to reduce the number of false positives you find when you’re looking out for fraudulent purchases.
Some of the top eCommerce Fraud Prevention tools on the market include:
Educate Employees on Phishing Attempts
As a company that holds customer credit card data, your employees are a valuable target for hackers, who may send phishing emails with malicious links and attachments in an attempt to trick your employees into installing malicious software or handing over their login credentials, so they can gain access to your internal systems and steal customer data.
Educating employees on the dangers of phishing emails and advising them on how to avoid them can considerably reduce your chances of falling victim to a data breach. Simply providing guidance on the latest phishing scams, informing employees never to open links or attachments sent from unknown senders, and having them check the sender’s address can help you avoid breaches.
Check Customer’s Card Verification Value
As mentioned above, another simple way to prevent fraud is to check the Card Verification Value (CVV) for cards used to purchase goods. The CVV is a three or four-digit number written on the back of a card that helps verify that customers have access to the physical credit card.
While checking the CVV won’t keep out fraudsters who have stolen a physical copy of the victim’s card, most of the time, it will prevent those who’ve harvested the card number online from making illegal purchases (unless the attacker has tricked the victim into providing the code to them).
Work Toward PCI Compliance
Taking steps to remain compliant with Payment Card Industry Data Security Standard (PCI DSS) regulations can also help prevent Ecommerce fraud by preparing you to securely store and process customer credit card information.
For example, encrypting card data in transit and at rest, regularly updating your software, and deploying an antivirus solution reduce the likelihood of hackers getting access to your customers’ data.
Of course, working toward PCI Compliance also has the advantage of reducing the chance of being fined for non-compliance. With fines from $5,000 to $100,000 per month, this figure can add up quickly.
Document Past Orders
In cases where fraudulent charges are made, having complete documentation of past orders, including tracking codes, signature upon delivery, shipping, and billing details, will provide you with valuable information that you can use to dispute the charges.
Including tracking numbers with orders is particularly important because it can help provide evidence that the product arrived at the customer, which can help you combat friendly fraud cases.
For example, if a fraudster or a customer claims that a package wasn’t delivered, you can use the tracking number to verify and prove that the goods were delivered to them.
Encourage Customers to Use Strong Passwords
With many customers choosing to store their credit card details on their online accounts for convenience, there is a heightened risk of account takeover fraud and fraudsters using those details to conduct illegitimate transactions.
You can reduce the chance of account takeover simply by encouraging customers to select strong passwords. For instance, you can require customers to enter a mixture of uppercase and lowercase letters, numbers, and symbols to ensure the password is complex enough that it can’t be guessed easily.
Consider Using Multi-Factor Authentication
Multi-factor authentication (MFA) provides an extra layer of security against fraud. With MFA, you can request customers to provide two or more authentication factors before logging into their account.
These factors include something they know, like a password or their mother’s maiden name; something they have, like a phone that they can verify access to with a one-time SMS passcode; and something they are, such as biometric data, fingerprints, or a facial scan.
However, it’s worth considering that using MFA can decrease customer convenience, so before adopting MFA, it’s essential to consider its effect on the customer experience.
Use an Address Verification Service (AVS)
Using an AVS is critical for a merchant to compare the billing address submitted by a customer against the billing address recorded with their payment provider. Using an AVS thus enables a merchant to check whether the address used by a customer is legitimate, so they can choose to accept or reject the transaction.
It’s important to note that AVS has a weakness if a customer has recently changed address. This is because the address they provide to the merchant may be different from the one listed with the payment processor, leading to the merchant declining a legitimate purchase.
Prepare to Catch Fraud as Early as Possible
When it comes to fraud, prevention is almost always better than a cure. Every fraudulent transaction that goes through costs consumers and providers time and money. Every case of eCommerce fraud puts a tremendous financial burden on the online provider, including the cost of disputing the chargeback and the value of the product lost.
Taking a preventative approach is vital for preventing chargebacks and ensuring that you don’t waste resources disputing fraudulent transactions. For smaller stores, this can be the difference between success and failure.