If you’re running an online store, there’s a good chance you have been targeted by fraudsters.
Ecommerce fraud is growing, and it’s getting harder to stay abreast of the new methods hackers use to dupe the system. In 2022, ecommerce owners lost almost $41 billion to fraud, and it’s not just a North American problem.
Online merchants from Latin America lost about 3% of total revenue to ecommerce fraud alone, followed closely by merchants from the Asia-Pacific region.
In this article, we’ll go over the types of ecommerce fraud, how they’re carried out, preventive measures, and tools you can use to protect your online business.
What Is Ecommerce Fraud?
Ecommerce fraud is the illegal interception of online payments or the abuse of the systems that run online storefronts, leading to financial and reputational loss for victims.
The global ecommerce market was worth $16.6 trillion in 2022, and it’s expected to grow at 27.43% in the next five years—meaning criminals will have more opportunities to attack than ever before.
– Source: IMARC Group
Most of the attacks are payment related, while some are focused on phishing and identity theft. Another is chargeback fraud, also known as friendly fraud. Whatever the method is, the consequences are always devastating for small businesses.
Why Prevent Ecommerce Fraud?
Preventing ecommerce fraud is essential for both online merchants and consumers. Fraudulent transactions can cause financial losses, harm personal information security, and damage trust in online shopping.
Here are several reasons for preventing ecommerce fraud:
- Protecting the business’s financial health by reducing the risk of chargebacks, refunds, and financial losses due to fraudulent transactions.
- Safeguarding customers’ personal information, such as their credit card numbers, addresses, and contact details, from falling into the wrong hands.
- Building and maintaining customer trust by ensuring a safe and secure shopping experience.
- Maintaining compliance with legal and regulatory requirements related to data privacy and security.
- Avoiding negative publicity and damage to the brand’s reputation that can result from fraud-related incidents.
- Avoiding disruption to business operations that can occur due to fraudulent activities, such as order cancellations, inventory mismanagement, and shipping issues.
By preventing fraudulent activities, the ecommerce industry can ensure a secure and trustworthy shopping experience, leading to increased sales and customer satisfaction.
Fraud Attack Rankings by Source
Chargebacks911’s ecommerce fraud attack rankings provide valuable insights into the different types of fraudulent activities affecting the ecommerce industry and the sources responsible for them.
– Source: Chargebacks911
Types of Ecommerce Fraud
Here are the most common types of ecommerce fraud and what you can do about them:
|Type|What it is|Prevention|
|Identity theft|The fraudulent use of someone’s personal information|Use two-factor authentication, monitor suspicious activity|
|Card testing|The act of testing stolen credit card information|Limit the number of transactions, use fraud detection tools|
|Account takeover|Unauthorized access to a customer’s account|Implement strong password policies, monitor login activity|
|Phishing scams|Scams that trick customers into giving away personal info|Train employees and customers to identify phishing attempts|
|Chargeback fraud|False chargebacks issued by customers to receive a refund|Provide detailed product descriptions and customer service|
|WooCommerce fraud|Fraudulent activity specifically targeting WooCommerce users|Implement fraud protection plugins and monitor suspicious activity|
Let’s now learn about them in detail to be aware of these types of fraud and take appropriate measures to prevent them.
1. Identity Theft
Identity theft is the act of carrying out criminal activities while impersonating someone else. This is done by collecting victims’ Personally Identifiable Information (PII) such as SSN, credit cards, medical reports, address, age, and employment documents.
For example, if a criminal gets hold of a victim’s credit card information, they can use it to place large orders from your online store to their address. After discovering the ruse, the victim may file a chargeback with their bank, costing you both the money and the goods.
On the business side, criminals can commit merchant fraud by taking over real merchant accounts and using transaction laundering.
– Source: FTC
Identity theft is so effective because criminals can steal different types of PII in multiple ways. And once they pull off an impersonation, they can access more critical information.
Here are the best ways to prevent identity theft from impacting your business:
- Improve your Know-Your-Customer (KYC) process by documenting and double-checking customer authenticity, frequently used devices, and location.
- Protect your personal information by making social media accounts private and following security best practices.
- Look for anomalies such as new credit card registration, unusually large orders, unfamiliar locations, and account details mismatch.
2. Card Testing
Let’s assume hackers have their hands on a bunch of credit cards—either by identity theft and shoulder surfing or straight up buying them off the dark web. They need to test these cards’ legitimacy by running small transactions or trials before they can target big. This is called card testing.
This is a nightmare for ecommerce owners. Hackers often automate tens or hundreds of card tests by placing very small orders, and when the victims discover the fraud, they ask for refunds.
If you’re late, you might pay extra chargeback fees and lose your products. On top of that, the unusual card authorization attempts may force your payment processor to increase your fees or deactivate your account temporarily.
Preventing card testing is a difficult task. But here are some ways you can stay ahead:
- Monitor transactions every day and use a CAPTCHA to stop scripts.
- Add rate limits to specific IP addresses and a minimum payment acceptance rate, and make sure the volume isn’t coming from unusual locations.
- Conduct frequent audits of your business security and plug loopholes.
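The monitoring and per-IP limits described above can be expressed as a sliding-window check over authorization logs. The following is an added example, not code from the original article; the log format, field names and every threshold are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log: time, client IP, card fingerprint, amount, result.
SAMPLE_LOG = """\
2024-03-01T10:00:05 203.0.113.7 card_a1 1.00 declined
2024-03-01T10:00:21 203.0.113.7 card_a2 1.00 declined
2024-03-01T10:00:40 203.0.113.7 card_a3 1.00 approved
2024-03-01T10:01:02 203.0.113.7 card_a4 1.00 declined
2024-03-01T10:01:30 203.0.113.7 card_a5 1.00 declined
2024-03-01T10:01:55 203.0.113.7 card_a6 1.00 approved
2024-03-01T10:02:10 198.51.100.20 card_b1 49.99 approved
2024-03-01T10:03:00 192.0.2.44 card_c1 1.50 declined
2024-03-01T10:03:20 192.0.2.44 card_c1 1.50 declined
2024-03-01T10:03:45 192.0.2.44 card_c1 1.50 declined
2024-03-01T10:04:10 192.0.2.44 card_c1 1.50 declined
2024-03-01T10:04:30 192.0.2.44 card_c1 1.50 approved
"""

# All thresholds below are assumptions for illustration.
WINDOW = timedelta(minutes=10)  # look-back window per IP
MIN_ATTEMPTS = 5                # small-value attempts inside the window
MIN_DISTINCT_CARDS = 4          # different cards tried by the same IP
MAX_SMALL_AMOUNT = 2.00         # ceiling for a "very small order"
MIN_DECLINE_RATIO = 0.5         # share of attempts the issuer declined


def parse(line):
    ts, ip, card, amount, result = line.split()
    return datetime.fromisoformat(ts), ip, card, float(amount), result


def detect_card_testing(lines):
    """Return {ip: details of the first alert} for IPs whose recent
    small-value authorization attempts look like automated card testing."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, ip, card, amount, result in sorted(parse(l) for l in lines if l.strip()):
        if amount > MAX_SMALL_AMOUNT:
            continue  # normal-sized orders are out of scope for this check
        win = windows[ip]
        win.append((ts, card, result))
        while ts - win[0][0] > WINDOW:  # drop attempts older than the window
            win.popleft()
        cards = {c for _, c, _ in win}
        declined = sum(1 for _, _, r in win if r == "declined")
        # One customer retrying one card never reaches MIN_DISTINCT_CARDS.
        if (ip not in alerts and len(win) >= MIN_ATTEMPTS
                and len(cards) >= MIN_DISTINCT_CARDS
                and declined / len(win) >= MIN_DECLINE_RATIO):
            alerts[ip] = {"at": ts.isoformat(), "attempts": len(win),
                          "distinct_cards": len(cards), "declined": declined}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An alert from a check like this is a natural trigger for the CAPTCHA or rate limit mentioned in the list, rather than an outright block.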
3. Account Takeover
Instead of going for the payment system, criminals might seek access to user accounts with Account Takeover (ATO) fraud.
From banks to email, social media, business phone services, and ecommerce—any account that contains sensitive information can be targeted. According to Sift, 2022 saw a 131% increase in ATOs over the previous year.
– Source: Sift
Hackers try various methods, such as phishing, SIM swapping, MitM attacks, and malware injections, to steal the login credentials of users who are lax about online security.
It’s difficult to detect account takeovers instantly because criminals hide behind familiar login patterns and online behaviors, but a close reading gives them away.
As an online merchant, here are the steps you can take to prevent ATOs from impacting your business:
- Use AI-based fraud monitoring and detection tools to catch ATO attempts in real-time. A web application firewall can also protect you from unknown and malicious traffic.
- Make customers use an MFA login prompt that only they know and that is not tied to their accounts.
- If you or your employees are victims of ATOs, quickly change passwords, alert the IT team and bank, and sandbox the affected accounts.
4. Phishing Scams
Phishing is one of the oldest tricks in a cybercriminal’s handbook and is at the center of ecommerce fraud today. Phishing involves impersonating a trusted entity or a sender to manipulate the victim to share confidential information.
This can be anything from urgent-sounding emails asking you to log into your account to an SMS pushing you to share the MFA code. Either way, the goal is to gain your trust by mimicking someone you trust and then steal your data.
When executed poorly, it’s just an annoying spam text, but when done right, it can be a cleverly planned social engineering attack that can dupe even the most security-aware person.
According to the Internet Crime Complaint Center, more than 300,000 reports of phishing were registered in 2022 alone. This scam undermines personal security, compromising any business attached to the victims.
– Source: IC3
But you can do a few things about it:
- Use MFA internally in your company and make it mandatory for customers to verify their identity with MFA. But make sure you don’t fall prey to MFA fatigue attacks.
- Keep a fixed channel of communication and educate your customers about it. Establishing your IPs and brand signs that are hard to mimic is important.
- Look out for brand impersonators online. Be it a social media account or spam links—monitor your online presence and take action against malicious agents.
- Check email address validity to determine whether the email address is associated with a real company domain name.
- On your end, choose only trusted email service providers.
5. Chargeback Fraud
Chargeback fraud is when a cardholder reverses a payment without returning the goods to the merchant. The chargeback is a consumer-friendly mechanism originally designed to instill confidence in credit and debit cards. But just like any good thing, it can be misused—especially for card-not-present (CNP) transactions.
Chargebacks (or friendly fraud) happen for two reasons: either a customer finds an unknown order in their statement and requests a chargeback, or the customer files a chargeback despite receiving the product. In the second case, the cardholder abuses the system, but in both cases, the merchant loses.
According to Chargebacks911, by the end of this year, 60% of chargebacks will be friendly fraud, and the average chargeback cost is expected to be $190. The industry standard for chargeback is a maximum of 1%. Ideally, you’d like to keep it as low as possible.
– Source: Chargebacks911
If a customer is a victim of financial fraud, they will request a chargeback the moment they realize it. If criminals have access to the victim’s bank account, they might file a chargeback themselves to take out extra cash.
On top of that, if customers file chargeback and refund requests simultaneously and you’re not too careful, you might end up paying twice. Considering the processing fee, chargeback fee, marketing cost, loss of revenue, and other factors, ecommerce owners might pay almost 2x the order value.
Here are the steps you can take to mitigate the risks of chargeback fraud:
- Stay on top of credit card fraud to ensure criminals don’t abuse the system. This includes monitoring tools and using authorization tools (AVS, CVV, 3DS2, VAU, etc.) for each transaction.
- Address verification service (AVS) matches the address and postal code of the bank account with the data entered during purchase. On the other hand, card verification value (CVV) relies on the card processor to signal whether the buyer has entered the correct CVV.
- 3D Secure is another security layer that protects merchants by requiring a one-time password in a small window for a transaction to go through.
- Improve your customer service and communicate with customers immediately. This includes order confirmation emails, recurring payment reminders, order tracking, and easy-to-understand transaction details.
- Align your marketing to reduce the risks of “item not as described” returns.
- Document your customer conversations to have all the proof needed during order disputes.
- Clearly define shipping and return policies on your website. Encourage buyers to contact you regarding an order issue before filing a chargeback.
6. WooCommerce Fraud
WooCommerce is a popular ecommerce platform used by millions of online stores, but it is not immune to fraud. Online merchants must know potential threats and take necessary measures to prevent fraud.
One common form of WooCommerce fraud is ATO, which occurs when a fraudster obtains a customer’s weak or reused account password and makes unauthorized purchases. To prevent this, store owners should encourage customers to use strong and unique passwords and implement two-factor authentication.
Payment fraud is another form of WooCommerce fraud, where fraudsters use stolen credit cards to make unauthorized purchases. Online merchants should use fraud detection tools to identify suspicious transactions, such as purchases with high-value items or multiple transactions from a single IP address or billing address.
Fraudulent chargebacks are also a concern for online merchants using WooCommerce, where customers claim they did not authorize a purchase or did not receive the product. Merchants should provide clear refund and return policies to prevent chargebacks and maintain detailed customer interactions and transaction records.
By implementing fraud detection tools, encouraging strong passwords and two-factor authentication, maintaining detailed transaction records, and using a reliable hosting provider, online merchants using WooCommerce can help protect their businesses and customers from ecommerce fraud.
Other Prevention Measures
Apart from all the steps mentioned above, you can try a few more preventive measures to save as much money as possible.
1. Biometric Authentication
Most smartphones and laptops have some sort of biometric security (fingerprint, face ID, etc.) built in to keep the device secure. You can use the same tools to ensure only real customers are ordering from your business. Biometrics are seamless, which improves customer satisfaction, and since they’re unique, you are less likely to deal with fraudsters.
2. Two-Factor Authentication
Implementing two-factor authentication (2FA) can add more security to your ecommerce transactions. 2FA requires users to provide two forms of identification, such as a password and a one-time code sent to their phone, before completing a purchase.
This significantly reduces the risk of unauthorized access and fraudulent transactions, as hackers would need access to both forms of identification to complete a transaction. By implementing 2FA, online merchants can help prevent fraud and protect their customers’ sensitive information.
3. Use of Encryption and Tokenization
Both encryption and tokenization mask card details during payment authentication, but they differ in application. With tokenization, you replace the card data with random tokens and use them to validate a payment, whereas encryption scrambles the value and requires a decryption key to recover the original data. According to a Visa study, tokenization can reduce fraud by 28%.
4. Employee Training and Education
Ecommerce fraud is an ongoing battle, and your best bet against it is your employees. Train your teams to handle customer support data securely and set up VPN and MFA on their personal devices.
Conduct frequent seminars to update them on new fraud techniques, help them identify possible phishing attempts, and encourage them to practice security hygiene to ensure the business stays secure. When people know the risks, they’re more likely to pay attention to preventive measures.
Ecommerce Fraud Prevention Tools
If you’ve reached this far, you might have deduced that battling ecommerce fraud requires you to vet your customers properly, be on the lookout for unusual activities, and employ payment best practices. You might have also realized the fight is impossible without monitoring tools.
Here are five ecommerce fraud prevention tools that’ll help you stay ahead of criminals:
– Source: Aura
If you want to address identity theft and financial fraud, your safest bet is Aura. It’s a neatly designed credit monitoring, online privacy, and identity protection service that works in the background and alerts you of any unusual activity in real time. On top of that, it also extends as a VPN, password manager, and access management service.
Aura works with three credit bureaus (Experian, TransUnion, and Equifax) to investigate credit inquiries and suspicious activities. It also surfs the dark web to ensure your details are not leaked and helps you lock your credit card in case of an anomaly. It’s ideal for employees of an SMB and can help your business bank accounts stay secure. The best part of Aura is its simplified UI across devices and the $1 million identity theft insurance.
– Source: Sift
Sift offers a comprehensive fraud prevention suite for ecommerce merchants. It addresses possible risks in dispute management, payment protection, and account defense by limiting chargeback fraud and account takeover attempts. It also collates the data into a risk management dashboard and helps you make better decisions going forward. Sift works across fintech, retail, marketplaces, and digital goods industries, so there’s something for everyone.
– Source: Bolt
If you’re struggling with customer conversion and fumbling at the refund and checkout stages, you must look at Bolt. It’s a one-click checkout experience for customers that takes less time to follow but maintains the same security level. Bolt claims to help you identify 17% of guest shoppers from day 1, and it even helps in refund and chargeback requests. Its ML uses 200 signals to build cart risk profiles and gives you more insights into your checkout metrics.
– Source: Fingerprint
Fingerprint is useful for detecting and mitigating account takeover fraud. It actively looks for credential stuffing, phishing attacks, and account-sharing metrics to qualify visitors in real time. Properly vetted prospects and customers reduce the risks of chargeback fraud. If you’re running a subscription-based business online, you’ll love the account-sharing prevention feature of Fingerprint.
– Source: Signifyd
Signifyd is one of the best fraud protection and chargeback recovery platforms for online businesses. According to Signifyd, you can win 50% more disputes than the industry standard, and it helps you secure 5-9% more orders by properly authenticating customer IDs. Many of Signifyd’s services are deployed with automation, so there’s little to tinker with, and a large network of merchants backs its decision models. And just like Aura, it has a beautiful UI too.
Ecommerce fraud is not something that’s going to go away with the flick of a switch. Criminals will keep trying new ways to undermine the security of an ecommerce store, its customers, and its payment system. The only way to stay ahead and secure is by implementing the above steps carefully and using ecommerce fraud prevention tools.
Note: This article has been published in collaboration with Irina Maltseva, Growth Lead at Aura and a Founder at ONSAAS. For the last seven years, she has been helping SaaS companies to grow their revenue with inbound marketing. At her previous company, Hunter, Irina helped 3M marketers to build business connections that matter. Now, at Aura, Irina is working on creating a safer internet for everyone. To get in touch, follow her on LinkedIn.
Passionate about technology, entrepreneurship, and marketing, Mansoor Ahmed Khan has been in computing since he learned how to type on a keyboard. His daily life is rocked by his family, projects, and his screen. Probably in this order, he likes to be convinced at least. You can reach out to him at [email protected].