The impact of ecommerce fraud rises year after year. Losses from payment fraud have more than tripled in the last ten years, and it’s expected to cost companies across the globe $40.62 billion in 2027.
Why is it so prevalent? The anonymity of the web makes it easy for cybercriminals and the average consumer alike to scam money from a business. So don’t bury your head in the sand. Take action now to prevent your online store from falling victim to ecommerce fraud. Learn how ecommerce fraud works, the most common types to look out for, how to identify the signs of fraud, and how to prevent incidents going forward.
How Does Ecommerce Fraud Prevention Work?
Ecommerce fraud involves anybody misusing an ecommerce store for their financial gain. There are two main types of fraudsters.
Cybercriminals use underhanded means to steal personal data, place orders under another identity, and the like. On the other hand, consumers may also attempt to game the system by falsely claiming they haven’t received an order to get a freebie or payout.
Both instances can have a severe financial impact on your ecommerce store. Companies actually spend $3.60 for every dollar lost to fraud, given the added expenses of replacing merchandise, interest, chargeback fees, and redistribution.
And that’s not even considering the knock-on effects on your brand. Nobody wants to buy from a store they can’t trust with their personal data, making the potential financial impact even graver.
Ecommerce fraud prevention entails putting certain measures into place to prevent this from happening to you. That ranges from basic storewide policies like order limits to technological solutions like identity verification at the checkout page. Vigilance also plays its part. You must understand the types of fraud and be able to identify red flags to stop scammers in their tracks.
What Are the Most Common Types of Ecommerce Fraud?
Let’s break down the full array of ways ecommerce fraud manifests so you can better understand your web store and business’s threats and vulnerabilities.
First, there’s payment fraud, which usually dovetails with identity theft. Cybercriminals use stolen customer details, such as financial or account information, to make fraudulent purchases. Criminals use various means to access these details, such as buying them on the dark web. This is also known as clean fraud (when it entails stolen payment information) or account takeover fraud (when it involves hacked customer accounts).
A critical red flag to look out for is card testing, which is when criminals with batches of stolen payment information test for card limits and fraud protection by making several small purchases. If it works they go on to make larger fraudulent purchases.
Triangulation fraud is an advanced form where cybercriminals make a mock version of an online store, encouraging consumers to make purchases from their fake websites. The criminal makes a purchase and has the item delivered to the consumer from the real store. Yet they’re now in possession of the customer’s personal and financial details, allowing them to make further fraudulent purchases or use them for other nefarious purposes.
Refund fraud and return fraud can happen when people try to scam your refund or return policy to get an item for free or money back. One example is switch fraud, which is when a scammer keeps a functioning item and returns a different item they already had. Sometimes, this entails a hacker taking over a legitimate customer’s account and requesting a refund, with the money sent to an account of their own.
Keep an eye out for so-called friendly fraud, too. That’s when a customer pretends they didn’t make or receive a purchase, making your store responsible for paying out a refund or chargeback to the customer’s bank or payment processor, along with a fee.
If you have an affiliate program, scammers may target that avenue for fraud. The scammer will use malicious methods such as spam popups to create the illusion they’re sending traffic to your online store, fraudulently boosting their payout from your affiliate program.
How Can I Identify Ecommerce Fraud?
So, how do you spot these bad actors on your site? There are some site behaviors that can clue you into fraudsters. Keep an eye out for these, and if you spot them, be prepared to take action to stop them before they do too much damage:
- Creating an account with a spammy email address. Keep an eye out for accounts using free or lesser-known email services that are easy to create in bulk to avoid moderation or safeguards.
- Make sure you can see customer IP addresses. That way, you’ll be able to spot when an IP address is using multiple accounts, addresses, cards and payment methods, or trying to evade detection in any other way.
- Using multiple billing or shipping addresses in a short period of time is a big red flag. The former is a clear sign of fraud (few people have payment information that isn’t all tied to a single home or work address), while the latter could be a scammer if they’re not Santa Claus himself.
- Their billing and shipping addresses don’t match. While this is common during the holidays or when a shopper buys gifts, be aware of these instances, as they can indicate that somebody other than the cardholder is making the purchase. This is particularly worth looking into if the addresses are in entirely different countries from one another.
- On that note, if you have any suspicions about the validity of an order, you can check the shipping address against the location of the shopper’s IP address. While a VPN can explain this, or they’re online shopping while away from home, it can also be a signal that a fraudster has taken over the account.
- Your inventory will dictate whether bulk or spree orders are suspicious. Unless your products are commonly reordered by customers, examine instances where someone orders multiples of the same product or makes multiple orders in short succession. They may want to snag what they can before they’re found out and flagged.
- Any high-ticket item orders should always get a second glance before you fulfill them. Scammers often try to maximize their one shot to use stolen information by buying one of the higher-priced items in a store or making a large order that amounts to a lot of money.
The key with many of these signs is that one instance might not be a red flag, but it’s suspicious when combined with other signs or unusual activities.
You can set up automations in your ecommerce platform or use its security tools to automatically flag any of the suspicious activity above. Make it so flagged orders are automatically held for review and sent to the appropriate team members for analysis.
Or, you can use an IP fraud score tool. These detect IP addresses that have previously been linked to fraudulent activity and rate the risk a particular IP address poses by detecting issues. You can use the tool to then automatically block purchases from high-risk IP addresses or flag them for manual review.
How Do I Prevent Payment Fraud?
Payment fraud is the most common issue web stores will face during their existence. Fortunately, that means there are some proven means of prevention.
Verify user identities to ensure they’re not using a stolen account or card details. One way to do this is to install a two-factor authentication (2FA) app or plugin for your store. Users will need to enter a second factor, such as a security code they receive via text or email to be able to access the account. Scammers who don’t have access to the user’s device or inbox will be stopped in their tracks.
You should also add an address verification system at the checkout. This ensures the billing address matches the card being used.
Ensure, too, that your checkout form asks for a credit or debit card’s CVV number, the three digits on the back by the signature box.
These two checkout verification methods aren’t infallible, but they certainly make it more difficult for scammers to follow through with a purchase. Some scammers will just give up when they are confronted with one or both of these protection methods.
Want a greater level of security at checkout? Use the 3D Secure (3DS) protocol.
When a user enters credit or debit card details, they’re redirected to the card issuer’s website or banking app to authenticate the purchase.
They may have to log in to the app with their PIN, for instance, halting fraudsters who don’t have access to this extra information.
Using 3DS is also helpful for you because the card issuer takes liability for fraudulent chargebacks and disputes if they authenticate the payment.
However, just be aware that this extra step can also scare off customers looking for an easy checkout process. Find the right balance of protection and convenience for your customer base.
How Do I Prevent Friendly Fraud?
Friendly fraud or chargeback fraud is becoming an increasing problem. Around six in ten chargebacks will be instances of friendly fraud by 2023, and it’s currently the top fraud attack merchants today must deal with.
When a customer disputes a charge on their card, the bank or payment processor reverses the payment and charges a fee to the merchant. In cases of fraud, the merchant loses merchandise, money, or both, plus faces chargeback fees ranging from $20 to $50.
Friendly fraud is difficult to prevent. Security measures such as identity verification and flagging suspicious orders may help in the case of serial scammers. You can also use some form of delivery confirmation with shipping providers. For instance, shipping companies may take a signature or photograph as proof of delivery.
You can at least prepare for cases of chargeback fraud. Keep customer transaction and interaction records as evidence for formal disputes. You may wish to use a chargeback service that can collect and relay this evidence to banks on your behalf before the chargeback is authorized.
Many of these services help you keep chargebacks down generally, whether fraudulent or not. Sometimes disputes are accidental as the customer made a legitimate purchase but forgot or didn’t recognize the item on their card statement. This is necessary as too many chargebacks can result in payment processors labeling your store high-risk and charging higher transaction fees overall.
How Do I Make My Ecommerce Website Secure?
You must keep your servers, databases, and website secure to prevent hacks and security breaches that lead to the loss of sensitive customer information.
These things can happen. In 2013, Target suffered a data breach that affected 41 million customers’ payment information. That’s a staggering number!
Beyond installing strong security systems, scan for malware regularly. There are a number of types of malware that give hackers a backdoor to your servers and devices, allowing them to steal customer data.
Keep your online store secure with an SSL certificate. It adds HTTPS, a protocol that encrypts sensitive data such as passwords and financial information entered into your website. This means hackers can’t intercept this information.
Use your own strong passwords and authentication methods for access to software and databases that contain sensitive information. Also, limit employee access to these areas. This prevents internal threats in which people on the inside steal customer data to use or sell.
What Policies Should I Implement to Prevent Ecommerce Fraud?
Defining clear policies ensures a maintained and consistent approach to battling ecommerce fraud.
As mentioned above, scammers want to get away with as much product as possible before an account is closed down. To stop them from doing this, you may wish to decide on a sitewide order limit so you can block or manually review unusually large orders.
Adhere to Payment Card Industry (PCI) compliance policies. Not only is it a legal obligation, but it’s also an easy way to make sure you’re keeping up with security measures. Under PCI compliance, you must:
- Use antivirus software on any device that stores or interacts with card/account numbers
- Encrypt card data and transmitted data
- Update software in case of security patches
- Restrict access to card/account numbers and keep access logs
- Keep documents on equipment, software, and devices that need passwords
- Use a firewall to protect against hackers
- Regularly monitor and test network security
Also, put customer policies in place for their protection. Make strong passwords a requirement for account creation, for example. The more complex the password, the harder it’ll be for malicious parties to guess.
Finally, as a rule, you must collect as little sensitive data on customers as possible. That way, if a breach happens, customers are less at risk. As an alternative to storing card numbers, use payment tokenization. This generates a unique string of numbers (a token) in real-time to replace the card number, which cannot be used again fraudulently. Apple Pay, for example, uses this method for secure payments.