Ecommerce Fraud Protection for Online Merchants: The Ultimate Guide
The news for online merchants is good and bad.
The good news is that ecommerce sales are expected to grow to more than $6.5 trillion.
The bad news? This growth in online sales will be matched by a growth in ecommerce fraud.
Online retailers currently deal with around 206,000 attacks on their stores each month. As the popularity of online shopping grows, so does the opportunity for cybercriminals and unscrupulous consumers to scam online businesses.
If you own or operate an online store, you must protect yourself against fraudsters who steal from you, wreck your online reputation, alienate your customers, damage your brand, and hurt your profits.
This comprehensive guide tells you everything you need to know about ecommerce fraud protection—what it is, how it works, and what you must do today to protect your online store from the growing threat of online fraud.
Let’s get started.
Before you can protect yourself against ecommerce fraud, you need to understand what it is. So, let’s define our terms.
When we talk about ecommerce, of course, we’re talking about commercial transactions conducted electronically over the Internet, typically through an online store. These transactions are usually made from desktop computers, laptops, tablets, and phones. When we talk about fraud, we’re talking about criminal deception intended to result in financial or personal gain.
Ecommerce fraud, then, is criminal deception conducted during a commercial transaction over the Internet with the goal of financial or personal gain of the fraudster while negatively affecting the bottom line of the merchant. Ecommerce fraud is also called payment fraud.
Two things to remember about ecommerce fraud are that the target is an online merchant and the deception is intended to remain undiscovered.
Online payment fraud takes place for several reasons, some of them historical, some of them geographical and some of them legal.
Before the Internet, fraudsters generally had to steal physical credit cards and make purchases with them. Breaking into homes and cars and robbing people on the street with the aim of obtaining credit cards was a risky business in itself. Occasionally, fraudsters were lucky enough to obtain credit card slips that a store had carelessly discarded and would use those card numbers to fraudulently order merchandise over the phone.
Today, fraudsters have it much easier. They simply visit a website on the dark web and buy as many stolen credit cards as they need. During the first half of 2019, there were at least 23 million stolen credit cards for sale on the dark web.
Payment fraud is also popular because it is conducted unseen. The fraudsters don’t have to walk into a store, say a word to anyone, or risk getting captured on store cameras. All they need is a computer and an Internet connection. They can operate from any location, at any time of day, unseen.
Online fraudsters typically create fake email accounts and rent post office boxes using aliases that reveal no personally identifiable information about themselves.
Ecommerce fraudsters know that police departments do not make ecommerce fraud a priority. For one thing, the amounts of money involved in each fraudulent transaction are typically small relative to other types of crimes. Plus, online fraud is increasingly conducted across international borders, making it hard for the police to locate and prosecute online criminals in other countries.
When you hear the term “ecommerce fraud,” you likely think of stolen credit cards being used by criminals to buy products from online stores. But credit card fraud is just one of the most common types of fraud. Here are the top six.
Credit card fraud is the umbrella term for fraud that is committed using a credit card or debit card. In the context of ecommerce fraud, credit card fraud is also known as card-not-present fraud and payment fraud. In credit card fraud conducted online, the fraudster uses stolen credit card information to purchase products or services from a web merchant.
In a typical scenario, a criminal visits a site on the dark web that sells stolen credit cards. The criminal buys the card data and visits an online store, using that stolen card number to buy a product or service. This initial transaction defrauds the cardholder whose card was stolen. But eventually it defrauds the store owner, who must refund the purchase (and sometimes pay a chargeback fee to the bank that issued the card). Merchants can also become victims of card testing scams, in which multiple credit cards are tried to find out which are still active and will allow purchases. These purchases are usually small, low-risk orders, but they can add up to a big hit on a merchant’s bottom line.
Affiliate fraud is illegal activity intended to generate affiliate commissions. In affiliate marketing, online merchants pay affiliates a commission for sales that affiliates refer. The merchants give affiliates a unique, trackable web link that points shoppers to the merchant’s store pages. When a shopper clicks on one of these links and makes a purchase, the merchant rewards the affiliate for the referral by giving the affiliate a commission (typically a percentage of the sale price).
In affiliate fraud, criminals game the system and defraud the online merchant using fake activity to either generate commissions or to increase the amount of the commissions.
A common form of affiliate fraud is “typosquatting,” in which a criminal registers domain names that match commonly mistyped versions of an online store’s legitimate URL. The fraudster then redirects that domain name to the merchant’s website—but with an affiliate link.
In the world of credit card transactions, a chargeback is a demand that a credit card provider makes to a retailer to refund a fraudulent or disputed transaction.
In the online commerce world, chargeback fraud occurs when an online shopper makes a purchase with their credit card, receives the purchased goods or services, but then disputes the charge with their credit card company, which processes the dispute through the issuing bank (the bank that issued their credit card, also known as the card issuer). Commonly referred to as “friendly fraud,” this type of fraud results in the payment processor demanding that the retailer refund the purchase amount to the issuing bank. When a bank demands a chargeback, the online merchant is responsible for refunding the purchase.
In a typical scenario of chargeback fraud, a shopper makes a purchase from an online store. After receiving delivery of the goods or services, the criminal waits weeks or months, then contacts their bank and disputes the transaction, claiming it to be unauthorized or fraudulent. The fraudster hopes that the merchant lacks the time and resources to dispute the claim, or simply gives them the benefit of the doubt.
Most ecommerce stores provide customers with accounts that store personal information, financial data, and purchase history. Cybercriminals hack into these accounts through phishing schemes. In one of the most common tactics, fraudsters send emails to trick customers into revealing personal data like usernames and passwords. They then log into the customers’ accounts, change the passwords, and make unauthorized purchases. Social media logins are a common way that shoppers can create accounts easily on ecommerce sites, but if that information is hacked, it can be devastating. Criminals are also using bots to steal confidential information, resulting in customers being plagued by the fallout of identity theft.
In interception fraud, fraudsters use stolen credit cards to make online purchases, ship the goods to the address that’s on file for the credit card at checkout, but then intercept the package before it is delivered. For example, a criminal will visit an online merchant such as Amazon and use a stolen name, address, and credit card to purchase an item. After the transaction is completed, the criminal calls customer service before the item has shipped and changes the delivery address to the criminal’s desired pickup location.
Triangulation fraud uses three steps to defraud online merchants. In the first step, criminals create a fake online storefront, typically one that offers popular brand-name goods at bargain-basement prices. The only goal of the site is to steal names, addresses and credit card numbers from unsuspecting shoppers.
In the second step, the fraudsters use the stolen customer credentials and credit card numbers to visit a legitimate online store, buy exactly what the victim purchased from the fake store, and ship it to the customer.
The third step is the payoff for the fraudsters. They use the stolen customer data to make additional online purchases that they ship to themselves. This type of fraud typically remains undiscovered for a longer time than other types of online fraud because the original purchase (from the fake site) raises no suspicions on the part of the victim.
As an online merchant, you can spot ecommerce fraud in a number of ways. Just remember that the success of ecommerce fraud depends on the skill and ingenuity of the fraudsters. As merchants increase their defenses against online criminal activity, online crooks also up their game and devise cunning ways to defraud their targets. Here are the most common red flags to look for:
Inconsistent order data: The zip code and city entered don’t match. Or the IP address of the shopper and their email address don’t match.
Larger than average order: The order is far larger than your customer typically spends. Other red flags include multiple units of the same SKU in one order, and expedited shipping (the crook wants to receive the order before getting caught).
Unusual location: Your customer always purchases from an IP address in North America but suddenly makes a purchase from an IP address in an unusual location (Nigeria, for example).
Multiple shipping addresses: The buyer makes multiple purchases under one billing address but ships the products to multiple addresses.
Many transactions in a short timeframe: The fraudster makes multiple purchases back to back—and it’s not the holiday season.
Multiple orders from many credit cards: Someone makes multiple purchases using multiple credit cards (either in one day or over a longer period).
Multiple declined transactions in a row: The purchaser makes not just one or two attempts (honest shoppers make mistakes, after all), but four, five, six, seven, eight or more attempts without getting the card number, expiry date, and card security code correct.
Strings of orders from a new country: You’ve never received a single order from the Kingdom of Bhutan, and then you suddenly receive 11 orders from that country in the space of a week.
The key to protecting your online store from fraudulent credit card transactions, affiliate fraud and other types of ecommerce fraud isn’t just recognizing these activities when you see them—it’s taking preventative measures that will reduce your fraud risk in the first place.
You have several tools at your disposal for fraud detection and prevention: some technical, some non-technical, some based on software and some based on good-old-fashioned know-how. Here are the steps you can take today to implement ecommerce fraud prevention strategies for your online store.
Want to discover flaws in your security before criminals and fraudsters do? Conduct security audits—often. Ask yourself these questions:
Are our shopping-cart software and plugins up-to-date?
Is our store compliant with PCI-DSS (the Payment Card Industry Data Security Standard)?
Are we backing up our online store often enough?
Are we using strong passwords for admin accounts, hosting dashboards, CMS, database, and FTP access?
Are we scanning our website regularly for malware?
Are we encrypting communication between our store and our customers and suppliers?
Have we removed inactive plugins?
If you operate an online store that accepts credit card payments, you must be PCI compliant. PCI stands for Payment Card Industry. PCI standards for compliance are developed and managed by the PCI Security Standards Council to ensure the security of credit card transactions in the payments industry. PCI compliance means your online store and your business processes meet these PCI standards. If you operate a SaaS-based ecommerce store, your platform will typically provide this compliance.
Bricks-and-mortar stores hire fraud prevention officers to catch shoplifters. You can protect your online store against fraudulent transactions by monitoring your store for suspicious activity. Monitor your accounts and transactions for red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers. Use tools that track customer IP addresses and alert you to any addresses from countries known as a base for fraudsters.
Credit card processors and issuing banks will usually offer an Address Verification Service to detect suspicious credit card transactions in real-time and prevent credit card fraud. The Address Verification Service checks the billing address submitted by the card user (the customer) with the cardholder’s billing address that’s on file with the issuing bank. This check takes place as part of the merchant’s request to the payment processor for authorization of the credit card transaction. When addresses don’t match, the system either declines the transaction or flags it for investigation.
The three-digit security code on the back of VISA®, MasterCard® and Discover® credit and debit cards and the four-digit security code on the front of American Express® credit and debit cards are called the Card Verification Value (CVV) or Card Security Code (CSC). By requiring all purchasers to supply this code for every transaction, you ensure that customers have the physical credit card in their possession. This helps to keep you safe and reduces fraud.
HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a customer’s web browser (like Google Chrome) and your online store. HTTPS encrypts this data to protect sensitive information, such as customer names, addresses and credit card numbers. Using HTTPS prevents your online store from having its transactions broadcast in a way that’s easily viewed by hackers, cybercriminals, and fraudsters. You use HTTPS by buying an SSL certificate.
One way to protect your store in the event of a data breach or hack is to collect and store as little customer data as possible. Hackers can’t steal what you don’t have. So only collect the data you need to complete a transaction and ship the product. Avoid collecting Social Security numbers, birth dates and other unnecessary sensitive customer data.
Based on your order and revenue trends, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. This reduces your exposure to a minimum should fraud occur.
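As an added illustration (not code from the article or from ClearSale), the following Python rule set applies the red flags listed earlier (geolocation mismatch, many cards, many shipping addresses, repeated declines) together with the per-account daily limits from this paragraph to a constructed batch of orders. The thresholds, the `Order` fields and the sample data are assumptions; tune the limits from your own trends.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-account limits (assumptions); tune them from your own order and revenue trends.
MAX_ORDERS_PER_DAY, MAX_DAILY_VALUE = 3, 1500.00
MAX_DECLINES = 3            # a fourth failed authorization attempt is the red flag
MAX_CARDS, MAX_SHIP_ADDRS = 2, 2

@dataclass
class Order:
    account: str
    day: str            # ISO date of the attempt
    amount: float
    card_last4: str
    bill_country: str   # country of the billing address
    ip_country: str     # country from IP geolocation of the shopper
    ship_addr: str
    approved: bool      # False means the issuer declined the authorization

def flag_account(orders):
    """Return the sorted red-flag names raised by one account's orders."""
    found, per_day = set(), defaultdict(list)
    for o in orders:
        if o.ip_country != o.bill_country:
            found.add("geo_mismatch")
        if o.approved:
            per_day[o.day].append(o.amount)
    for amounts in per_day.values():          # daily limits on count and value
        if len(amounts) > MAX_ORDERS_PER_DAY:
            found.add("velocity_count")
        if sum(amounts) > MAX_DAILY_VALUE:
            found.add("velocity_value")
    if sum(not o.approved for o in orders) > MAX_DECLINES:
        found.add("repeated_declines")
    if len({o.card_last4 for o in orders}) > MAX_CARDS:
        found.add("many_cards")
    if len({o.ship_addr for o in orders if o.approved}) > MAX_SHIP_ADDRS:
        found.add("many_ship_addrs")
    return sorted(found)

def flag_orders(orders):
    """Group orders by account and return {account: [flags]} for flagged accounts only."""
    by_acct = defaultdict(list)
    for o in orders:
        by_acct[o.account].append(o)
    return {a: f for a, os_ in by_acct.items() if (f := flag_account(os_))}

# Constructed sample: an ordinary shopper, and an account that trips every rule
# (four approved orders to four addresses on eight cards, then four declines).
SAMPLE = [
    Order("alice", "2024-03-01", 80.0, "1111", "US", "US", "12 Elm St", True),
    Order("alice", "2024-03-02", 45.0, "1111", "US", "US", "12 Elm St", False),
] + [
    Order("mallory", "2024-03-05", 600.0, f"{n}{n}{n}{n}", "US", "NG", f"{n} A St", n <= 4)
    for n in range(1, 9)
]
```

Flagged accounts go to manual review rather than being auto-declined, so an honest shopper who mistypes a card once or twice is not turned away.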
When it comes to detecting and preventing online fraud, there are a variety of software solutions to suit your needs and your budget. Additionally, the tools you select may vary widely when it comes to how much work is involved in installation and ongoing management. Some may prefer a more hands-on solution, while others would rather leave it in expert hands.
Rudimentary anti-fraud tools perform a specific, single function. They are typically integrated into online shopping carts and ecommerce platforms. These tools identify fraudulent transactions through techniques such as IP geolocation, email address validation, device fingerprinting, and address verification, often backed by machine learning algorithms.
Mid-level anti-fraud tools offer a wider variety of functions, including chargeback guarantees, auto declining of high-risk orders, protections against new account fraud and account takeover protection.
Top-level anti-fraud tools offer everything the other tools offer plus outsourced case management, expertise working with large merchants, loyalty fraud management, policy abuse protection, automatic decisions, and manual review of suspicious transactions, ensuring that no good order is mistakenly declined by the software.
Every order placed on your online store comes from a unique, public IP address (a string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over the Internet). From the IP address, you can generally detect the city or region of the world where the purchaser is making the purchase. If this city or region does not match the address of the credit card being used, that’s a red flag.
Fraudsters commonly avoid detection by protecting their physical address, preferring to use a PO box or other anonymous location. After all, the police can’t come knocking if there’s no door to knock on.
If you are an online merchant, and if you want to prevent this type of fraud, never ship online orders to PO boxes and other virtual addresses, such as those of freight forwarders. You can spot addresses that belong to freight forwarders because they have a container number in the address, such as 726 Dock Road Suite 300 #KXQ-582899328.
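An added example, not from the article: a small Python screen that applies the rule above (no PO boxes, no freight forwarders) to shipping addresses before an order is released. The regular expressions are assumptions that generalize the `#KXQ-582899328` container-number format and common PO-box spellings; the sample addresses are constructed, and one of them shows that an ordinary apartment tag like `#4B` is not flagged.

```python
import re

# Constructed patterns (assumptions, not from the article): common spellings of
# "PO Box", and the "#ABC-123456789" container tag a freight forwarder appends so
# the parcel can be matched to its customer's mailbox.
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box|pob)\b", re.I)
FORWARDER_TAG_RE = re.compile(r"#\s*[A-Z]{2,4}-?\d{6,}\b", re.I)

def screen_ship_address(address):
    """Return the reasons not to ship to this address; an empty list means
    it looks like an ordinary street address."""
    reasons = []
    text = " ".join(address.split())          # collapse odd whitespace first
    if PO_BOX_RE.search(text):
        reasons.append("po_box")
    if FORWARDER_TAG_RE.search(text):
        reasons.append("freight_forwarder_tag")
    return reasons

# Constructed sample addresses: the article's forwarder example, two PO-box
# spellings, and two street addresses (one with an apartment tag) that must pass.
SAMPLE_ADDRESSES = {
    "726 Dock Road Suite 300 #KXQ-582899328": ["freight_forwarder_tag"],
    "P.O. Box 1234, Springfield": ["po_box"],
    "POB 77, Anytown": ["po_box"],
    "12 Elm St, Springfield": [],
    "12 Elm St Apt #4B, Springfield": [],
}

def screen_all(addresses=SAMPLE_ADDRESSES):
    """Map each address to its reasons, so a batch can be reviewed at once."""
    return {addr: screen_ship_address(addr) for addr in addresses}

if __name__ == "__main__":
    for addr, reasons in screen_all().items():
        print(f"{addr!r:45} -> {reasons or 'ok to ship'}")
```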
Yes, fraudsters are getting more sophisticated in how they attack online merchants. And the number of attacks on web stores is increasing as ecommerce grows in popularity. But ecommerce merchants are also getting more sophisticated in how they detect and deter online crooks.
Once you understand what ecommerce fraud is and why it is so prevalent, and once you learn how to detect online fraud, you are empowered to take the necessary steps to prevent fraud on your online store.
Rafael Lourenco is Executive Vice President and Partner at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen. The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives.