Last Updated: Mar 16, 2021


U.S. consumers spent around $861.12 billion with U.S. online stores in 2020, up an amazing 44% year over year.


This is excellent news if you own an e-commerce business. However, with this boom in online shopping comes a downside: the rise of online fraud. On average, online stores are victims of a mind-boggling 206,000 web attacks a month, something that resulted in an estimated $12 billion loss this year in the U.S. alone. Of course, it’s not just financial havoc that these schemes cause; the damage to a brand’s reputation can be devastating as well.


The definition of fraud is the “deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage.” With online e-commerce fraud, this happens when someone attempts to scam or steal from an e-commerce business or its customers, through often illegal and shady practices.


Unfortunately, when online fraud is conducted through your e-commerce business, it’s often you who will end up having to absorb the costs.



Online fraud is extremely varied, and it can be difficult to spot. In this article, I’ll take you through the common types of fraud, and show you how to recognize it within your business. We’ll also look at some strategies (from the experts!) that you can implement to prevent fraudulent transactions.



Types of E-Commerce Fraud


Online fraud isn’t just about someone stealing credit card information and purchasing items. There are varying types of fraud.


Here’s a look at some of the more prevalent ones:



Friendly Fraud


Friendly fraud can also be known as chargeback fraud. A chargeback is when a bank or credit card provider demands that the retailer refund a charge being claimed as fraudulent.


People usually do this to avoid paying and get a free product.



With this type of fraud, someone will make a purchase, receive the goods or services, and then call their credit card provider to dispute the transaction. The bank issues the person a refund and asks for a chargeback to the retailer.


The retailer needs to refund the amount back to the bank, along with fees and fines that can be up to two-and-a-half times the original transaction value.  


According to Forbes, between 40% and 80% of all fraudulent transactions can be attributed to friendly fraud.


Refunds are different from chargebacks because, with refunds, customers resolve any issues directly with the seller.



Credit Card Fraud


Credit card fraud is a generalized term for any fraudulent payments made with a credit or debit card. There is card-present fraud, which is less common today as it requires the thief to have a physical card with them when making in-person purchases. What is more prevalent due to the rise in online shopping is card-not-present fraud.


How does a fraudster get the card details? They can place “skimmers” at gas pumps or ATMs and read the card numbers when the card is swiped at the payment terminal. They could also infect computers with malware to record card information when someone goes to pay online.


It could even happen through lapses in website security where credit card numbers are hacked and then sold on the dark web. Criminals can buy and use them to make purchases in online stores.


While the transaction initially hits the person whose card details were stolen, the online store owner will eventually lose the most, as they have to refund the bank and pay hefty fees on top of it.



In the first half of 2019, more than 23 million credit and debit card numbers were up for sale on the dark web. And nearly two out of three cards were from the U.S.


Phishing and Account Takeover


As an e-commerce store, your clients may have a customer account with their personal information, purchase history, and credit card details stored. If the online store isn’t secure enough, cybercriminals can hack into the website and steal this information.


From there, criminals try to phish (send out emails and create a website that looks like they’re from the e-commerce store) for a customer’s username and password. They then change the customer’s password and purchase goods using the client’s account.



Triangulation Fraud


This type of fraud is a bit more tricky and has a few steps. It can go undetected for an extended period of time because the original purchase doesn’t raise suspicions from the victim. 


With this method, criminals create a fake online storefront that offers popular items for very low prices. The goal of this is to steal personal information from unsuspecting customers.



The fraudsters then go to the real online store, purchase the same items the customer ordered, and have them shipped to the customer.



With all the details of the victim on hand, the thief will purchase more products from the store and have the goods shipped to themselves.


The Red Flags of Fraudulent Activity



With fraud up across the board right now, some fraudulent orders slip through the cracks even with fraud mitigation in place. What can you do to protect your e-commerce business?

Let’s look at some common red flags that will help you spot potentially fraudulent activity in your online store.



      • Watch out for any large orders of the same item, especially if it needs to be shipped as quickly as possible. Fraudsters want to get as much as they can in a short amount of time before the card gets canceled, and they don’t care if they have to pay high next-day shipping fees (as they’re not paying anyway).



      • Beware of orders where the credit card billing details do not match the shipping address. For example, if the credit card is from the U.S., but the goods are being shipped internationally.



      • Multiple orders to the same shipping address but with different credit card numbers is another red flag.



      • Multiple transactions to a country where you’ve never had clients previously are something to keep an eye on. For example, if you haven’t had customers from the Netherlands before and suddenly you get 15 transactions in the same week from there, I would track where those sales are coming from.



      • The same “customer” trying several card numbers in quick succession until one processes through is a warning sign. This is because when they bulk buy credit card numbers from the dark web, they don’t know which ones have been canceled, and are just going through them until they find one that works.
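The following is an added example, not code from the original article: a small rule pass that applies four of the red flags above (bulk rush orders, billing/shipping mismatch, many cards to one address, and one customer cycling through cards) to a batch of orders. The field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders. "card" is a hypothetical tokenised card
# fingerprint from the payment gateway, never a raw card number.
FIELDS = ("id", "customer", "card", "bill", "ship", "addr", "qty", "express", "ts")
ROWS = [
    ("A1", "ann", "fp-01", "US", "US", "12 Elm St",  1, False, "2021-03-01T10:00:00"),
    ("A2", "bob", "fp-02", "US", "NL", "9 Kade",    20, True,  "2021-03-01T10:05:00"),
    ("A3", "cy",  "fp-03", "US", "US", "77 Oak Ave", 1, False, "2021-03-01T11:00:00"),
    ("A4", "cy",  "fp-04", "US", "US", "77 Oak Ave", 1, False, "2021-03-01T11:01:00"),
    ("A5", "cy",  "fp-05", "US", "US", "77 Oak Ave", 1, False, "2021-03-01T11:02:00"),
    ("A6", "dee", "fp-06", "US", "US", "3 Pine Rd",  2, False, "2021-03-02T09:00:00"),
]
ORDERS = [dict(zip(FIELDS, r)) for r in ROWS]

def red_flags(orders, bulk_qty=10, cards_per_addr=3, cards_per_customer=3,
              window=timedelta(minutes=10)):
    """Return {order_id: sorted red-flag names}; flagged orders go to manual review."""
    flags = defaultdict(set)
    addr_cards = defaultdict(set)   # shipping address -> distinct cards seen
    attempts = defaultdict(list)    # customer -> [(time, card, order_id)]
    for o in orders:
        if o["qty"] >= bulk_qty and o["express"]:
            flags[o["id"]].add("bulk_rush_order")
        if o["bill"] != o["ship"]:
            flags[o["id"]].add("billing_shipping_mismatch")
        addr_cards[o["addr"].strip().lower()].add(o["card"])
        attempts[o["customer"]].append(
            (datetime.fromisoformat(o["ts"]), o["card"], o["id"]))
    for o in orders:
        if len(addr_cards[o["addr"].strip().lower()]) >= cards_per_addr:
            flags[o["id"]].add("many_cards_one_address")
    for tries in attempts.values():
        tries.sort()
        for when, _, oid in tries:
            # distinct cards this customer used in the window ending at this order
            recent = {c for t, c, _ in tries if when - window <= t <= when}
            if len(recent) >= cards_per_customer:
                flags[oid].add("card_cycling")
    return {oid: sorted(names) for oid, names in flags.items()}

if __name__ == "__main__":
    for oid, names in sorted(red_flags(ORDERS).items()):
        print(oid, ", ".join(names))
```

The rules only flag orders for review; a household sharing an address or a traveller shipping abroad can trip them legitimately, so tune the thresholds against your own order history.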


Protecting Your E-Commerce Store from Fraud



As well as keeping an eye out for the red flags mentioned above, here are steps you can take to protect yourself and combat fraud.



      • Store the minimum amount of sensitive data about customers that you need for refunds or chargebacks. The less you have, the less of an incentive there is for cybercriminals to breach your online store.

As well as this, the Payment Card Industry Data Security Standard (PCI DSS) has strict compliance rules to follow regarding customer information safety. Failing to comply can result in fines for your business.


      • Use an e-commerce platform that is already well established, so you have less to worry about. Shopify, Stripe, and Wix are a few examples.






      • If your online store was built from the ground up, be careful if it’s open-source! Open source allows anyone to see the code behind a website, and hackers can find gaps in the code to exploit.


      • Ask for credit card security codes. These are usually the three- or four-digit numbers located at the back of the credit card. This ensures the buyer is in physical possession of the card as this number is not printed on any receipts. During processing, the card issuer requires a response code that will either confirm or reject the number.


      • Have tracking numbers for all orders to minimize chargeback fraud and the fees and fines associated with it. Knowing that a product has been delivered to the customer is a way to contest the chargeback. Think about including a signature upon delivery as well.


      • Use Hypertext Transfer Protocol Secure (HTTPS) to secure your website when sensitive data is being transferred from your customer’s browser to your online store. HTTPS encrypts the information so that there is less chance of cybercriminals intercepting it. During payments, that little padlock icon in the web browser will give customers (and yourself) peace of mind. I’ve gone in-depth about HTTPS and how to set it up here.



      • Be wary of shipping to anonymous locations. While it may not always be the case, fraudsters often use PO Boxes, drop-ship addresses, or mail-forwarding services to get away undetected. Flag the order for review just in case.


      • If your customers see that you value their safety and privacy, your brand identity and relationship with them will grow. If you have customer service follow up with a few high-ticket sales just to confirm their validity and authenticity, you are not only protecting your business but also your customer. It may also be helpful to have a process in place to follow up with declined cards (since higher security levels will end up triggering declined cards).


      • It’s also worth implementing a system that has additional checkout steps, such as connecting to a Verified by Visa identification page, to ensure that any high-value purchases are authentic and headed into the right hands.


      • If you regularly sell high-value items or large orders, it is also helpful to add an additional step during the checkout process. This should be a page or a note that tells your customer that they should inform their credit card company ahead of time that they will be making a large purchase.


      • Audit your e-commerce site often and make sure you are up-to-date with the latest plug-ins and software updates, that there’s no malware, and there’s proper encryption between you, your customer, and even your supplier. You should consider implementing software directly in your e-commerce store that sends you an alert if it detects any suspicious activity.


      • Consider hiring a security auditor to see if there are any weak points in your website.


      • Most of our e-commerce brands currently use Easy Pay Direct, a payment provider that focuses on optimizing e-commerce payments. I asked their founder Brad Weimert for feedback on how to best control fraud.


Here was his response:

“Fraud has always been a challenge for eCommerce.  The 2020 pandemic has pushed sales online and resulted in an increase of fraudulent activity.


The key for eCommerce businesses is to balance their conversion metrics with fraud scrubbing tools that prevent fraudulent transactions from ever going through. You want to reject card testing from fraudsters that use bots (which ultimately result in business owners paying transaction fees) but make sure legitimate transactions don’t get rejected.


Automated fraud tools like the ones built into the Easy Pay Direct gateway help prevent mass scale fraud attacks.”



Here are some practices that Easy Pay Direct implements to help block fraud:



      • Velocity controls:  Neither the same card number nor the same IP should be able to run several transactions within a short period of time (Easy Pay Direct defaults this to 30 seconds).


*NOTE* Be careful with IP addresses.  It’s a bad practice, but some shopping carts pass their own IP address to payment gateways instead of the user’s IP address.


      • Block known fraudulent IP address blocks: If you don’t sell to companies in Africa, Asia, or Russia, then block IP addresses coming from those regions.


      • Combat friendly fraud: Consider blocking repeat refunders from buying in the future.


      • Cross Order Analytics: Look for the same card number or buyer name being used with multiple shipping locations. These can be legitimate transactions but are often fraudulent, and spotting them helps entrepreneurs identify fraud patterns.


      • AVS (Address Verification System) and CVV (Card Verification Value): Use them. Most gateways allow you to either reject or simply flag transactions where the billing address isn’t correct – but simply requiring those things prevents some fraudulent activity.
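An added sketch of the velocity control described above, together with the NOTE about carts that send their own IP address (this is not Easy Pay Direct's code). The 30-second window comes from the article; the class and parameter names, the one-attempt-per-window limit, and the `ignore_ips` list for the cart server's own address are assumptions, and the sample events use constructed tokens and documentation-range IPs.

```python
import time
from collections import defaultdict, deque

class VelocityGate:
    """Block a transaction when its card or client IP was used too recently."""

    def __init__(self, window=30.0, limit=1, ignore_ips=()):
        self.window = window               # seconds (30 is the article's default)
        self.limit = limit                 # attempts allowed per key per window
        self.ignore_ips = set(ignore_ips)  # e.g. the cart server's own address
        self.seen = defaultdict(deque)     # (kind, value) -> attempt timestamps

    def _over(self, key, now):
        q = self.seen[key]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        return len(q) >= self.limit

    def check(self, card_token, ip, now=None):
        """Return (allowed, reasons); reasons lists 'card' and/or 'ip'."""
        now = time.monotonic() if now is None else now
        keys = [("card", card_token)]
        # An IP shared by every shopper carries no signal, so skip it.
        if ip and ip not in self.ignore_ips:
            keys.append(("ip", ip))
        reasons = [kind for kind, value in keys if self._over((kind, value), now)]
        for key in keys:
            # Blocked attempts are recorded too, so rapid retries stay blocked.
            self.seen[key].append(now)
        return (not reasons, reasons)

# Constructed events: (seconds, card token, IP the cart reported).
# 203.0.113.10 stands in for the cart server's own address.
EVENTS = [
    (0,  "tok_A", "198.51.100.7"),   # first attempt
    (5,  "tok_B", "198.51.100.7"),   # new card, same IP 5 s later
    (12, "tok_A", "192.0.2.44"),     # same card from another IP
    (50, "tok_C", "198.51.100.7"),   # IP has been quiet for 45 s
    (51, "tok_D", "203.0.113.10"),   # two shoppers behind the cart's IP
    (52, "tok_E", "203.0.113.10"),
]

def replay(events, gate):
    return [gate.check(card, ip, now=t) for t, card, ip in events]

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS, VelocityGate(ignore_ips={"203.0.113.10"}))):
        print(event, result)
```

Without the `ignore_ips` entry, the last event is blocked on `ip` even though it is a different shopper, which is the failure the NOTE warns about.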


“While additional tools like 3D Secure, reCAPTCHA and more strict requirements with address verification systems (AVS) certainly prevent fraud, they often come at the expense of conversion metrics,” explains Brad. “There are certain industries and marketing models that require more aggressive tactics, but it’s important that the benefits outweigh the costs.”



I also asked Braintree Payments, a company specializing in mobile and web payments for e-commerce businesses, for additional suggestions on mitigating fraud. Here’s what they said.


“While Braintree’s fraud tools are helpful to reject transactions, it won’t stop a fraudster from using a bot to test credit cards on your website.”


However, they did recommend some helpful additional tools and strategies that e-commerce stores can use to prevent fraudulent orders:


      • Block IP addresses, recurring names, and BIN numbers of known fraudulent entities to prevent them from accessing your site.
      • Use your customer data within the bounds of your privacy policy to detect patterns and recognize suspicious behavior.
      • Build “honeypot” fields into your checkout form. These are fields that are invisible to actual customers moving through your checkout, but that will trick malicious scripts into providing a value; you’ll be able to identify scripts from legitimate customers by the presence of a value in those hidden fields.
      • Detect botnets setting up illegitimate accounts with different IP addresses. Project Honeypot offers an HTTP Blacklist API that provides structured information about IP addresses that may be used by botnets.
      • Consider implementing reCAPTCHA to help catch scripts running on your checkout page. (As Brad noted though, when implementing this tactic, just make sure the benefits outweigh the costs!)
      • Build internal tools to expedite reviews of potential unauthorized behavior and assist with manual transaction monitoring; these are most effective when they monitor for the common indicators of fraud, such as mismatched billing and shipping addresses, uncommonly high-value tickets, and multiple payment methods being used in quick succession under the same customer name.
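The “honeypot” field from the list above, as an added example rather than Braintree's code: the decoy markup plus a server-side check on the raw form body. The field name `company_website`, the three outcome labels and the sample submissions in the usage are assumptions made for illustration.

```python
from urllib.parse import parse_qs

HONEYPOT = "company_website"   # hypothetical decoy field name

# The decoy is an ordinary text input moved off-screen with CSS. A real
# browser still submits it, with an empty value; scripts that fill every
# field they find give themselves away.
FORM_SNIPPET = f"""<div style="position:absolute;left:-9999px" aria-hidden="true">
  <label>Leave this field empty
    <input type="text" name="{HONEYPOT}" tabindex="-1" autocomplete="off">
  </label>
</div>"""

def classify(body: str) -> str:
    """Classify a urlencoded checkout POST body as 'human', 'bot' or 'review'."""
    # keep_blank_values=True so an empty decoy is kept instead of dropped.
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT not in fields:
        # Our form always sends the decoy, so its absence means the request
        # was not produced by the rendered checkout page.
        return "review"
    if any(value.strip() for value in fields[HONEYPOT]):
        return "bot"
    return "human"

if __name__ == "__main__":
    for body in ("email=a%40example.com&company_website=",
                 "email=a%40example.com&company_website=http%3A%2F%2Fspam.example",
                 "email=a%40example.com"):
        print(classify(body), "<-", body)
```

Browser autofill can occasionally populate off-screen fields, so log honeypot hits alongside the other fraud signals before turning them into hard rejections.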



With online sales booming, e-commerce is a great sector to be in. Just stay vigilant, and make sure you’re doing all you can to protect yourself and your customers. With a proactive approach, you’ll make it harder for fraudsters and criminals to access customer data and run scams, and that’s the best way to keep both your customers and your website safe.


Gary Nealon
