As online commerce grows in popularity and more money is exchanged on these platforms, fraudsters flock to take advantage wherever they can.
Unfortunately, eCommerce platforms create an appealing avenue for fraudsters that don’t have to visit a location in person or show their face. For online marketplaces and retailers, eCommerce fraud prevention efforts are a must.
To help organizations combat eCommerce fraud on their platform, we’ll cover what eCommerce fraud is, why it is so common, the most common types, and the best strategies for preventing it.
To start, let’s dive into what eCommerce fraud is and the common types criminals use.
eCommerce fraud is any form of fraud conducted on an eCommerce platform or online marketplace. Both customers and the merchant themselves can be victimized. Common examples of eCommerce fraud include identity theft, the use of stolen credit cards, impersonation, and affiliate fraud.
The eCommerce retailer or payment processor - whoever authorized the purchase - typically absorbs the cost of this fraud. Because of this, it’s incredibly important for online marketplaces, eCommerce retailers, and payment processors to protect against eCommerce fraud properly.
It is one of the most common types of fraud due to the number of online stores and virtual shopping experiences established in the past decade. Around $41 billion was lost to eCommerce fraud just last year. These fraudulent transactions are conducted using phones, laptops, or any electronic device which can be used to make purchases.
Why eCommerce Fraud is so Common (and on the Rise)
There are a number of reasons that eCommerce fraud is a method of choice for modern fraudsters, and much of it comes down to ease of access and the fraudsters' belief that they can’t be caught.
Below, we explore the three main things that draw criminals to eCommerce fraud:
- Anonymity: Since eCommerce fraud is conducted entirely online, fraudsters never have to perform this act in person; so there’s no face or voice to put to the criminal. They never have to visit a store, interact with staff, and can’t be recorded by security cameras. Add the ability to obscure their identity (through VPNs and other tools) and use entirely fake identities, and fraudsters can maintain a level of anonymity through online transactions that they can’t otherwise obtain.
- Opportunity: eCommerce fraud is more accessible and simple than ever; stolen credentials and software tools that help with falsifying identities, malware and phishing scams, and more can be purchased online. Fraudsters don’t have to leave the comfort of their own homes to commit this fraud. Ultimately, it’s accessible to anyone with access to the internet.
- Evasion: As fraudsters don’t have to commit fraud in person, there is a lower risk of being caught and a higher likelihood that they will be able to commit the crime undetected. On top of this, it’s much harder to track down and prosecute this type of crime; so some fraudsters just believe they’ll be able to avoid any real penalties or punishment.
eCommerce fraud can be conducted in a variety of ways. To adequately protect against the attacks your organization faces, you’ll need to know what threats you face and combat them head on. Below, we cover some of the most common types of eCommerce fraud.
Online Payment Fraud
Online payment fraud, often in the form of credit card fraud, occurs when fraudsters access another person's payment information and use it to make purchases through an eCommerce platform. The fraudster may employ different strategies, including the use of P.O. boxes or fictional names to conceal their identity.
This not only defrauds the customer whose credit card information was compromised, but also the merchant, who is required to provide reimbursement and sometimes pay a chargeback fee to the bank that issued the card. This is often one of the most common forms of fraud facing companies, and certainly one of the most malicious and targeted. While other forms of fraud can be performed by amateurs, typically more skilled, intentional fraudsters perform payment fraud.
eCommerce stores will want to do as much as they can to protect against this, including controlling user onboarding, authenticating purchases, and monitoring transactions for suspicious activity and behavior. Teams will need to pay special attention to the transactions themselves, but should also monitor other user activity for signs of potential fraud.
Card Testing Fraud
Before criminals max out stolen credit cards, they often need to check a couple of things. First and foremost, they need to make sure that the stolen credentials work and that they can actually use the stolen card to make a purchase. Next, they need to know the daily limit and maximum limit of the card. When the criminal doesn’t have this information, they will make a series of tests to check that the card works and what those limits are.
While card testing fraud is essentially a form of online payment fraud and credit card fraud, the distinction is important for organizations trying to detect and prevent this type of fraud. Unlike payment fraud, which is often short spurts that amount to large sums, card testing is a series of smaller payments meant to test that the stolen credentials will work.
Oftentimes, these tests are done to see if a specific eCommerce site will approve the transaction with the stolen credentials. If the transaction is denied, they will go test at another retailer. Once they find a retailer they think has weak controls, they’ll exploit it as much as possible before moving on.
Organizations that can detect card testing fraud can significantly reduce fraud losses, as it will stop fraudsters before they are confident enough to make larger purchases. Strong preventative measures are a must here; if fraudsters cannot make a test purchase on your marketplace, they’ll likely pursue another site to perpetrate their attacks.
Triangulation Fraud
Triangulation fraud is a major issue for both online shoppers and merchants. In this type of fraud, the fraudster sets up a fake online store, where they sell goods and services. Once a customer places an order with the fraudster, they turn around and purchase that item from a legitimate marketplace using a stolen credit card, and ship it to their victim - who is none the wiser.
For eCommerce marketplaces to prevent this type of fraud before it happens, they have to not only examine the transactions, but also user activity that can be indicative of this type of fraud.
Risk teams can build custom rules that look for specific series of events that could signal triangulation fraud is taking place. For example, a rule could flag instances where a user purchases an item and ships it to an address that doesn’t match the billing address on the payment card.
Teams can then investigate further before approving, potentially saving your team the costs associated with allowing the fraudulent transaction.
Refund or Return Fraud
Criminals don’t just look to steal outright from merchants and their customers; they also look to exploit organizational policies - namely, return policies. Refund fraud - or return fraud - is any fraudulent activity that exploits a retailer's return policy. Unfortunately, eCommerce sites are prime targets for this type of fraud, as the process is often entirely online and never face-to-face.
In most cases, returns for eCommerce retailers means shipping the item back to the retailer. In many cases, the retailer reimburses the customer immediately to provide the best customer experience possible. By the time the retailer receives the returned item (and is able to investigate the case), the fraudster has gotten away.
Protecting against this type of fraud comes down to having clearly defined return policies, preferably ones that offer customers a great user experience without compromising on protective measures that keep your organization safe from malicious attacks.
Chargeback or Friendly Fraud
In chargeback fraud, also known as “friendly” or “first-party” fraud, the fraudster makes an online purchase of a product or service and intentionally files a false chargeback claim. This can take many forms, with the fraudster claiming they never received the item (when they actually did), claiming the item was damaged (when it actually wasn’t), or that they never made the purchase themselves (when they actually did).
The payment processor is then on the hook for reimbursing the fraudster the full or partial value of the items. Unfortunately, the ease of access and perceived anonymity that eCommerce platforms provide makes them a popular target for chargeback fraud. Unlike more challenging types of fraud, this can be performed by virtually anyone - and in some cases, perpetrators don’t even realize they are committing a form of fraud. This makes chargeback fraud extremely commonplace, especially on online marketplaces and retail sites.
Companies will need to have clearly defined refund policies to prevent this. If fraudsters find a site isn’t performing adequate checks, they’ll do all they can to exploit that system. Let’s look at a complicated example to illustrate. When an eCommerce retailer processes a return, they need to actually pay to get the item back to them; for many retailers, there is a certain cost associated with this that they absorb.
In some cases, retailers may find it’s easier to let a customer keep a small-value item that they want to return (and simply absorb that loss) than it is to actually have the item shipped back to them. If the retailer decides to let customers keep any items below $30, it won’t be long before fraudsters catch on. Once a fraudster understands how this rule functions as part of the retailer’s risk program, the fraudster will start to purchase items under the $30 threshold and then return them, knowing they will be able to keep the item for free.
While it’s important for companies to set proper limits and thresholds to safely guard against these threats, it’s also imperative that these rules don’t become static and stagnant. They need to constantly be updated so that fraudsters can’t deduce a pattern or find a loophole that they can repeatedly exploit. If these thresholds are updated periodically to reflect the majority of incoming threats, fraudsters will struggle to find an easily exploitable pattern.
Interception Fraud
In this form of fraud, fraudsters intercept a purchased item, taking it for themselves. This is typically done in two ways:
- the fraudster physically intercepts the package at the delivery location; or
- the fraudster redirects the shipment of the package to a new address, one where they can collect the package themselves.
To stop the physical retrieval of packages, it’s important that the delivery service you partner with verifies the item was delivered. This can be done in a variety of ways, from a delivery employee’s signature confirming completion to a picture of the item on the customer’s doorstep. This will validate that the package was delivered, and that it was delivered to the right address.
Unfortunately, criminals using the first method (physical interception) can still steal the package after the delivery has been verified. To stop this, you’ll want to set limits on what items can be left on a doorstep versus what items need to have a physical receiver present. Mitigate potential fraud losses by ensuring high-value items require a receiver present.
PRO TIP: Have a receiver sign that they’ve received the package, to eliminate the chance of chargeback fraud.
For redirected orders, these controls won’t help; instead, organizations will need to leverage activity monitoring tools that look at user behavior. With proper activity monitoring tools at your disposal, rules can be set up that flag series of suspicious activity.
For example, teams can establish a rule that flags the following series of activities: (1) a user makes a purchase, (2) the user logs in from an unrecognized IP address, device, or geolocation, and (3) the user changes the shipping address on one or more orders.
Then you’ll want to implement the rule and see how it performs. If your team finds it is pulling in too many false positives, they’ll want to refine the rule.
For example, we could refine the rule by stipulating that the new address has to be a non-match with the address on the payment card, or we could stipulate that the address has to be changed for 3 or more orders.
Both of these will refine the parameters, narrowing the net; ideally, this still catches true instances of fraud, while reducing the number of false positives.
Account Takeover Fraud
ATO fraud is a major threat to eCommerce sites, largely because it’s so appealing to fraudsters. Criminals love this not only because they gain access to a user's account, but because they gain the transaction records and credit history to go with it.
It’s exceedingly challenging for fraudsters to fake legitimate credit history and account activity if they create their own fraudulent account. It takes significant time and effort to build up this background, and it’s typically necessary to build up credit limits to the point that they can be exploited for serious gain.
Fraudsters that take over a user's eCommerce account get access to a profile that has preloaded credit card details and a legitimate-looking transaction history. This makes it very difficult for risk management teams to detect a threat, as there is no detectable suspicious transaction activity.
To truly monitor for this type of fraud - and stop fraudsters from taking advantage of eCommerce platforms - teams need to monitor other user activity. Risk teams can create rules that look for specific activity that signal an account takeover has occurred, and then investigators can dig deeper to either clear the account or take further action. For example, a rule could be designed to look for instances where (1) a user signs on from an unrecognized IP address, device, or geolocation, and (2) the user changes their account password, shipping address, or contact information.
This will flag this activity for investigation, and risk teams can step in before the fraudster is able to make a purchase on the account. Teams can even use control measures that will pause all account activity until the investigation is done.
Teams should also routinely check to make sure they have valid and current ID documentation on record, as well as perform systematic user authentication checks to make sure the user is still the account holder.
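The three rules described in this article (the triangulation rule that flags a shipment to an address that doesn’t match the card’s billing address, the redirected-shipment rule with its two refinements, and the account-takeover rule that pairs an unrecognized sign-on with a password, address or contact change) are all sequence checks over a per-user activity feed. The following Python is an added example written for this page, not Unit21’s code or product logic; the event schema, the `Profile` of known IPs, devices and geolocations, and the sample activity for two accounts are all constructed for the illustration. The benign account is a real customer logging in from a new phone abroad and correcting one order’s address to the billing address on the card, which is exactly the false positive the refinements are meant to remove.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event schema (assumption: one row per user action, queried per user).
@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    kind: str            # purchase | login | ship_addr_change | password_change | contact_change
    ip: str = ""
    device: str = ""
    geo: str = ""
    order_id: str = ""
    new_addr: str = ""   # populated for ship_addr_change

@dataclass
class Profile:
    """What the platform already knows about the account holder (constructed)."""
    known_ips: frozenset
    known_devices: frozenset
    known_geos: frozenset
    card_addr: str       # billing address on file for the payment card

def _norm(addr: str) -> str:
    # Minimal normalization so case and punctuation alone don't create a mismatch.
    return " ".join(addr.lower().replace(",", " ").split())

def unrecognized_login(ev: Event, profile: Profile) -> bool:
    """A sign-on from an IP, device or geolocation the account has never used."""
    return ev.kind == "login" and (ev.ip not in profile.known_ips
                                   or ev.device not in profile.known_devices
                                   or ev.geo not in profile.known_geos)

def redirect_alerts(events, profile, window=timedelta(hours=24),
                    require_card_mismatch=False, min_orders=1):
    """Rule: (1) purchase, (2) unrecognized login, (3) shipping address changed on
    one or more orders, all within `window`. The two refinements narrow the net:
    the new address must differ from the card's billing address, and/or at
    least `min_orders` orders must be changed. Returns the flagged order ids."""
    evs = sorted(events, key=lambda e: e.ts)
    flagged = set()
    for i, purchase in enumerate(evs):
        if purchase.kind != "purchase":
            continue
        suspicious_login = False
        changed = set()
        for e in evs[i + 1:]:
            if e.ts - purchase.ts > window:
                break
            if unrecognized_login(e, profile):
                suspicious_login = True
            elif e.kind == "ship_addr_change" and suspicious_login:
                if require_card_mismatch and _norm(e.new_addr) == _norm(profile.card_addr):
                    continue   # re-entering the billing address is not a redirect signal
                changed.add(e.order_id)
        if changed and len(changed) >= min_orders:
            flagged |= changed
    return flagged

def ato_alerts(events, profile, window=timedelta(hours=24)):
    """Rule: (1) unrecognized sign-on, then (2) password, shipping address or
    contact change within `window`. Returns (login time, first sensitive change)."""
    evs = sorted(events, key=lambda e: e.ts)
    sensitive = {"password_change", "ship_addr_change", "contact_change"}
    hits = []
    for i, login in enumerate(evs):
        if not unrecognized_login(login, profile):
            continue
        for e in evs[i + 1:]:
            if e.ts - login.ts > window:
                break
            if e.kind in sensitive:
                hits.append((login.ts, e.kind))
                break
    return hits

# --- constructed sample activity for two accounts ----------------------------
T0 = datetime(2024, 3, 1, 9, 0)
PROFILE = Profile(frozenset({"203.0.113.5"}), frozenset({"dev-A"}), frozenset({"US-IL"}),
                  card_addr="12 Main St, Springfield, IL 62701")
HOME = dict(ip="203.0.113.5", device="dev-A", geo="US-IL")

def _ev(minutes, kind, **kw):
    return Event("u1", T0 + timedelta(minutes=minutes), kind, **kw)

SUSPICIOUS = [
    _ev(0, "purchase", order_id="o1", **HOME),
    _ev(5, "purchase", order_id="o2", **HOME),
    _ev(10, "purchase", order_id="o3", **HOME),
    _ev(60, "login", ip="198.51.100.7", device="dev-Z", geo="RO"),
    _ev(70, "ship_addr_change", order_id="o1", new_addr="9 Elm Rd, Othertown, NY 10001"),
    _ev(72, "ship_addr_change", order_id="o2", new_addr="9 Elm Rd, Othertown, NY 10001"),
    _ev(75, "ship_addr_change", order_id="o3", new_addr="9 Elm Rd, Othertown, NY 10001"),
    _ev(80, "password_change"),
]
# Genuine customer on a new phone abroad, fixing one order's address to match the card.
BENIGN = [
    _ev(0, "purchase", order_id="o9", **HOME),
    _ev(30, "login", ip="198.51.100.20", device="dev-B", geo="FR"),
    _ev(40, "ship_addr_change", order_id="o9", new_addr="12 Main St, Springfield, IL 62701"),
]

if __name__ == "__main__":
    print(redirect_alerts(SUSPICIOUS, PROFILE))                          # {'o1', 'o2', 'o3'}
    print(redirect_alerts(BENIGN, PROFILE))                              # {'o9'}: false positive
    print(redirect_alerts(BENIGN, PROFILE, require_card_mismatch=True))  # set()
    print(redirect_alerts(BENIGN, PROFILE, min_orders=3))                # set()
    print(ato_alerts(SUSPICIOUS, PROFILE))                               # one hit, ship_addr_change
```

Either refinement clears the benign account while the suspicious one is still flagged under both; the account-takeover rule fires on the traveller too, which is why the article pairs it with an investigation step rather than an automatic block.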
Loyalty Member and Promotion Fraud
Fraudsters can be incredibly crafty, and will look for potential schemes in a variety of avenues; one of which is through loyalty and promotional programs. While these are effective tools to develop retention and build brand loyalty, these can be severely exploited by adept criminals.
Ultimately, the best prevention methods are having clearly defined guidelines for how these offers can be used, as well as how they are processed. Set strict policies and guidelines for promotional offers; ones that don’t give fraudsters loopholes to extract goods, services, or cash.
Consider how fraudsters could use an offer when crafting it, and make sure to set proper rules to hinder any attempts at fraud in the first place.
Beyond this, establish clear rules for how these offers are processed, including who they are extended to, how the qualifying conditions are validated, and more. Keep in mind that code sharing will always be a problem, and fraudsters will look for ways to cash in on offers multiple times. Typically, restricting the amount of times an offer can be used is one of the best ways to prevent this.
But this means more than simply setting that rule - fraudsters don’t follow the rules. It also means establishing systems that prevent fraudsters from being capable of exploiting these offers. Rather than use a generic promotional code, use user-specific codes that can be tied to an individual user. These can be used to stop fraudsters from using the offers multiple times, or be used to track users down if they are able to find a way of exploiting the offer.
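One way to make a promotional code user-specific, as the paragraph above recommends, is to derive it from a keyed hash of the campaign and the account it was issued to, then count redemptions per account. This is an added example for this page, not Unit21’s implementation; the HMAC-SHA256 derivation, the code format, the single-use limit, and the demo key are all assumptions, and in practice the key would live in a secrets manager and be rotated per campaign.

```python
import base64
import hashlib
import hmac

# Assumption: a per-campaign key held in a secrets manager. This value is a constructed demo key.
SECRET = b"constructed-demo-key-not-for-production"

def issue_code(campaign: str, user_id: str, secret: bytes = SECRET) -> str:
    """Per-user code derived with HMAC-SHA256 over the campaign and account id.
    A holder cannot derive a valid code for another account, and the code
    reveals nothing about the key."""
    mac = hmac.new(secret, f"{campaign}:{user_id}".encode(), hashlib.sha256).digest()
    tag = base64.b32encode(mac[:10]).decode()          # 16 characters from A-Z and 2-7
    return f"{campaign.upper()}-{tag[:4]}-{tag[4:8]}-{tag[8:12]}"

class PromoLedger:
    """Issues per-user codes and enforces a per-account usage limit at redemption."""

    def __init__(self, secret: bytes = SECRET, max_uses: int = 1):
        self.secret = secret
        self.max_uses = max_uses
        self.issued = {}   # code -> user_id, so a leaked or shared code traces back to its owner
        self.uses = {}     # (campaign, user_id) -> redemption count

    def issue(self, campaign: str, user_id: str) -> str:
        code = issue_code(campaign, user_id, self.secret)
        self.issued[code] = user_id
        return code

    def redeem(self, campaign: str, user_id: str, code: str):
        """Validate the code against the account redeeming it, then count the use."""
        expected = issue_code(campaign, user_id, self.secret)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False, "code is not valid for this account"   # shared or guessed code
        n = self.uses.get((campaign, user_id), 0)
        if n >= self.max_uses:
            return False, "usage limit reached"
        self.uses[(campaign, user_id)] = n + 1
        return True, "ok"

    def owner_of(self, code: str):
        return self.issued.get(code)

if __name__ == "__main__":
    ledger = PromoLedger()
    code = ledger.issue("spring10", "alice")
    print(code)                                        # SPRING10-XXXX-XXXX-XXXX
    print(ledger.redeem("spring10", "alice", code))    # (True, 'ok')
    print(ledger.redeem("spring10", "alice", code))    # (False, 'usage limit reached')
    print(ledger.redeem("spring10", "bob", code))      # (False, 'code is not valid for this account')
    print(ledger.owner_of(code))                       # alice
```

Because the code is bound to the account at validation time, sharing it does not help a second user, and the `issued` map answers the question of which account a circulating code came from.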
Affiliate Fraud
In affiliate fraud, criminals take advantage of affiliate programs. In many cases, these individuals can rack up significant affiliate earnings - without actually delivering the promotion they’re claiming credit for.
Again, the best way to prevent this type of fraud is to establish clear guidelines for affiliate programs - and to track partners' performance closely. Set up policies that clearly outline how the affiliate program works, and establish controls that effectively execute these partnerships so that fraudsters have very little room to exploit them in the first place.
This not only mitigates the impact of fraud by keeping fraud losses low, but deters fraudsters from targeting your affiliate program in the first place.
Given the wide range of ways eCommerce fraud can be perpetrated, it’s challenging to stamp it out fully. As soon as you clamp down on one method, fraudsters will find a new avenue to commit fraud.
To properly prevent fraud, you’ll need to look at what types of fraud are impacting you the most. Make sure to continually look for new methods that you can integrate, and see which ones work most effectively.
Below, we cover some of the best strategies for preventing eCommerce fraud:
Use Robust Customer Onboarding Procedures
One of the best ways to stop fraud is to stop fraudsters from accessing the service in the first place. Diligent customer onboarding solutions will root out bad actors and keep the platform safe.
While it’s important to balance this with a fast, seamless user experience, it’s imperative that you perform all necessary checks related to Know Your Customer, including Customer Due Diligence checks and Enhanced Due Diligence (if required).
Unfortunately, some criminals will squeak through, so it’s important this isn’t the only component of your fraud prevention program.
Leverage User Authentication at the Point of Checkout
Despite your best efforts at keeping them off your platform, savvy criminals will still be able to access your service.
The next step is to stop fraudsters from making illicit transactions in the first place, empowering you to not just detect this fraud - but actually prevent it before it happens. After this stage, your best hope is likely recovery, as the fraud will have been committed.
Organizations should use user authentication tools at the point of purchase to make sure the buyer is the account holder (or cardholder). Features like multi-factor authentication, biometric identification, and facial recognition are all great options, as they force the user to authenticate themselves prior to initiating a transaction.
Ultimately, this added step in the purchasing process will limit how much fraud gets through, mitigating fraud losses and keeping your platform secure.
Ask for Card Verification Codes (CVV) at Checkout
Major credit card companies like Mastercard and Visa have built-in user authentication systems of their own - card verification codes (CVV). While this is essentially a form of user authentication, it’s worth mentioning specifically.
Since most online purchases are conducted using credit cards, this is a vital step for most eCommerce sites. Any time a user makes a purchase, the marketplace should ask the user to provide the CVV for their credit card.
This is crucial for merchants, as it serves as a check that they’ve done their due diligence before authorizing the transaction. Even if a chargeback is filed, the merchant won’t be penalized by the payment processor for inadequate controls, which can happen when the CVV check is skipped.
By ensuring all authorized credit card purchases require a matching CVV code, organizations protect themselves from liability. In many cases, this can be used to dispute chargebacks, as the company did everything expected of them to verify the payer. Liability - and the fraud losses - will then fall on the payment processor (in this case, the credit card company).
Incorporate Address Verification Services (AVS) at Checkout
Address verification services operate in the background of a checkout process, verifying the address entered at checkout matches the address on the payer’s card. While there are reasons these won’t match, this is a good indicator of potential fraud.
Suspicious cases can be paused and flagged for investigation, and then approved once the discrepancy is accounted for.
These solutions operate in the background of a checkout, so the user isn’t actually required to complete anything. The process simply validates that the addresses match. While this does add a minimal amount of processing time to each transaction, it adds immense value from a risk management perspective. As a relatively simple check, it serves as a good first indicator of potential fraud.
And the best part - it doesn’t actually bog down the user or impact the user journey in any way. This is extremely important when any additional step or barrier to onboarding is a potential reason for customers to use a different service.
If one marketplace allows a user to make a purchase in 2 steps rather than 5, they are likely to use the simpler service. The more risk checks that can be performed in the background - without the user having to perform any additional action - the better it is from a user experience perspective.
This keeps customers happy while still allowing teams to perform the due diligence required before authorizing purchases. This is by no means a stand-alone solution, but should be one component of any eCommerce fraud prevention program.
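The following Python models the address check the AVS section describes and the checkout decision that follows from it. It is an added example for this page, not Unit21’s code: the comparison is modelled on the way AVS compares the numeric portion of the street line and the postal code, which is why “12 Main Street, Apt. 4” with a ZIP+4 still matches “12 MAIN ST #4”; the match levels, the `cvv_result` values standing in for the issuer’s CVV response, and the sample card and checkout attempts are all constructed.

```python
import re
from typing import NamedTuple

class AddrKey(NamedTuple):
    house_number: str   # numeric portion at the start of the street line
    zip5: str           # five-digit ZIP with any +4 extension dropped

_HOUSE_RE = re.compile(r"^\s*(\d+)")
_ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\b")

def address_key(street_line: str, postal_code: str) -> AddrKey:
    """Reduce a free-text address to the two fields AVS compares. Formatting
    differences ('Street' vs 'St.', 'Apt 4' vs '#4', ZIP+4) drop out here,
    which is how legitimate customers avoid spurious mismatches."""
    house = _HOUSE_RE.match(street_line)
    zipm = _ZIP_RE.search(postal_code)
    return AddrKey(house.group(1) if house else "", zipm.group(1) if zipm else "")

def avs_result(entered_street, entered_zip, card_street, card_zip) -> str:
    """'full', 'zip_only', 'street_only' or 'none' (constructed match levels)."""
    a = address_key(entered_street, entered_zip)
    b = address_key(card_street, card_zip)
    street_ok = bool(a.house_number) and a.house_number == b.house_number
    zip_ok = bool(a.zip5) and a.zip5 == b.zip5
    if street_ok and zip_ok:
        return "full"
    if zip_ok:
        return "zip_only"
    if street_ok:
        return "street_only"
    return "none"

def checkout_decision(avs: str, cvv_result: str) -> str:
    """cvv_result stands in for the issuer's answer: 'match', 'no_match' or
    'not_provided' (assumption). Anything short of a clean result is paused
    and flagged for investigation rather than authorized."""
    if cvv_result == "not_provided":
        return "hold"        # ask the buyer for the CVV before authorizing
    if cvv_result == "no_match":
        return "decline"
    if avs == "full":
        return "approve"
    return "hold"            # pause, flag, approve once the discrepancy is explained

# Constructed sample: the card's billing address on file vs. three checkout attempts.
CARD = ("12 MAIN ST #4", "62701")
CASES = {
    "formatting_only":   ("12 Main Street, Apt. 4", "62701-1234", "match"),
    "mismatched_street": ("9 Elm Rd", "62701", "match"),
    "no_cvv":            ("12 Main Street, Apt. 4", "62701", "not_provided"),
}

def run_cases():
    out = {}
    for name, (street, zip_code, cvv) in CASES.items():
        avs = avs_result(street, zip_code, *CARD)
        out[name] = (avs, checkout_decision(avs, cvv))
    return out

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:18s} avs={result[0]:12s} decision={result[1]}")
```

Only the attempt whose address differs in formatting alone is approved; the partial match and the missing CVV both land in the review queue, where the discrepancy can be accounted for before the order is released.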
Leverage Transaction and Activity Monitoring
Transaction monitoring is an essential component of any fraud prevention strategy; after all, it’s transactions that enable fraudsters to make off with free items and cash. But monitoring transactions isn’t enough to catch the myriad of threats eCommerce marketplaces face.
Instead, organizations will need to use data monitoring tools that let them look at a variety of user activity, including logins, account changes, and more. By being able to analyze transactions alongside other indicators, teams can get a more holistic picture of their user. Risk management teams can then use this data to create robust rules that can alert teams of fraud before a transaction even occurs, allowing teams to not just act on fraud - but truly prevent it.
Maintain PCI Compliance
To effectively manage electronic purchases and retain card information, all eCommerce enterprises must adhere to the Payment Card Industry Data Security Standard (PCI DSS).
Basic security measures are mandated by PCI compliance, such as establishing a firewall between your internet service and any systems that save credit card information, limiting the number of employees who have access to card data, and conducting regular system tests.
Businesses must follow all PCI compliance requirements to avoid fines or penalties and ensure compliance with regulatory standards. This keeps user information secure and keeps teams safe from data breaches.
Not only can data breaches lead to security threats to your customers and platform, but it can cause significant reputational damage. Whenever entrusted with users’ payment information, it’s vital you take the proper precautions to safeguard it.
Set Payment Limits and Restrictions
One of the best ways to prevent eCommerce fraud is to limit how much fraudsters can get away with. This often comes down to setting restrictions on the amount that users can spend at once and within a certain period of time.
There are a couple ways you can limit transactions; set single transaction limits, daily transaction limits, weekly transaction limits, and so on. You can even set limits for specified windows of time; such as 4 hours, 12 hours, and so on.
Ultimately, the limits you place will need to make sense based on your product and service offerings and the type of fraud you face. If your limits are too low, you’ll cause too much friction for legitimate customers; but if your limits are too high, you’ll let too much fraud through.
For example, a standard clothing store may find that a daily limit of $1,000 or $1,500 is reasonable. Most customers will spend less than that in a single day at a traditional clothing retailer.
But for a high-end fashion store selling designer clothes, this daily limit may be far too low. If a single bag costs upwards of $500, you’re essentially ruining the experience of your average shopper. Instead, you’d likely need to look at daily limits in the $5,000 to $10,000 range.
Each company will need to find the right balance between preventing fraud and hindering legitimate users from having a good customer experience.
Setting transaction limits mitigates the impact that fraudsters can have by controlling how much they can realistically spend in a short period of time.
Beyond that, it actually deters fraudsters from exploiting your particular eCommerce platform; the less they stand to gain, the less appealing your platform is. In many cases, proper spending limits can effectively deter fraudsters from targeting your platform, as they stand to gain much more by exploiting someone else.
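The single, windowed and daily limits described in this section, and the card-testing pattern described earlier (a burst of small authorization attempts on one card to see whether the stolen credentials work), are both checks over a per-card transaction history. The following Python is an added example for this page, not Unit21’s code: the `VelocityGuard` class, the clothing-store limits (a $500 single-transaction cap, $600 per 4 hours, $1,000 per day) and the card-testing rule (five attempts of $5 or less within ten minutes) are assumptions, and the two transaction streams are constructed. Declined attempts are kept in the history because, for card testing, the attempts themselves are the signal.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    card: str            # tokenized card reference (constructed)

class VelocityGuard:
    """Per-card limits: a single-transaction cap, spend caps over sliding
    windows, and a card-testing rule that counts small authorization attempts."""

    def __init__(self, single_limit, window_limits, test_window, test_max_attempts, test_small_amount):
        self.single_limit = single_limit
        self.window_limits = window_limits        # [(name, timedelta, cap_on_sum)]
        self.test_window = test_window
        self.test_max_attempts = test_max_attempts
        self.test_small_amount = test_small_amount
        self.history = {}                         # card -> [(Txn, approved)]

    def reasons(self, t: Txn) -> list:
        """Every limit the transaction would breach; empty means it can be authorized."""
        past = self.history.get(t.card, [])
        out = []
        if t.amount > self.single_limit:
            out.append("single_limit")
        for name, window, cap in self.window_limits:
            # Only money that actually left the account counts toward a spend cap.
            spent = sum(p.amount for p, ok in past if ok and t.ts - p.ts < window)
            if spent + t.amount > cap:
                out.append(f"{name}_limit")
        # Card testing: many tiny attempts within minutes, approved or not.
        attempts = sum(1 for p, _ in past
                       if t.ts - p.ts < self.test_window and p.amount <= self.test_small_amount)
        if t.amount <= self.test_small_amount and attempts + 1 >= self.test_max_attempts:
            out.append("card_testing")
        return out

    def process(self, t: Txn):
        out = self.reasons(t)
        approved = not out
        self.history.setdefault(t.card, []).append((t, approved))
        return approved, out

def run_scenario():
    """Constructed streams: a heavy but legitimate shopper and a card tester."""
    guard = VelocityGuard(single_limit=500.0,
                          window_limits=[("4h", timedelta(hours=4), 600.0),
                                         ("24h", timedelta(hours=24), 1000.0)],
                          test_window=timedelta(minutes=10), test_max_attempts=5,
                          test_small_amount=5.0)
    t0 = datetime(2024, 3, 1, 9, 0)
    shopper = [Txn(t0 + timedelta(hours=h), amt, "tok_shopper")
               for h, amt in [(0, 120.0), (1, 450.0), (2, 200.0), (5, 400.0), (6, 100.0), (7, 600.0)]]
    tester = [Txn(t0 + timedelta(minutes=m), 1.0, "tok_tester") for m in range(6)]
    return {"shopper": [guard.process(t) for t in shopper],
            "tester": [guard.process(t) for t in tester]}

if __name__ == "__main__":
    for who, results in run_scenario().items():
        for approved, why in results:
            print(f"{who:8s} approved={approved!s:5s} {why}")
```

The shopper is stopped twice by the 4-hour and daily caps and once by the single-transaction cap, while the tester’s first four $1 attempts pass and the fifth trips the card-testing rule; that fifth decline is the point at which the article says fraudsters move on to a site with weaker controls.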
Keep Your Platform Safe with Unit21
When looking to protect your business, it’s important to remember that fraudsters target opportunities, not specific companies.
They aren't looking to harm ‘you’, they are looking for the most expedient way to perform their fraud scheme, and are seeking out the opportunities to make the most money, with the least risk. It’s important to understand how they conduct fraud - and what they target - to adequately protect against it.
Fraudsters are constantly changing their methods in an effort to keep pace with fraud prevention efforts. It’s imperative to continuously revise and update your fraud prevention strategy to stay on top of fraudsters. This is only more complicated as payment systems change at the same time—as is the case with the introduction of real-time payment services such as FedNow's real-time payment rail.
With so many avenues for fraudsters, it’s crucial to have a comprehensive risk management system that lets you view all your data in one place - shortening decision-making times and empowering better decisions.
For more information on how Unit21 can improve eCommerce company procedures and boost fraud control holistically, request a demo now.