Ecommerce Fraud Protection for Online Businesses: The Ultimate Guide

Editor's note: We recently updated this article with new data and insights.

The news for online businesses is good and bad.

The good news is that ecommerce is expected to surpass US$2 trillion by 2028.

The bad news? This growth in online sales will be matched by a growth in ecommerce fraud.

The cost of fraud to online retailers is expected to reach over US$40 billion by 2027. As the popularity of online shopping grows, so does the opportunity for cybercriminals and unscrupulous consumers to defraud online businesses.

If you own or operate an online store, you must protect yourself against online fraudsters who steal from you, wreck your online reputation, alienate your customers, damage your brand, and hurt your profits.

This comprehensive guide tells you everything you need to know about ecommerce fraud protection — what it is, how it works, and what you must do today to protect your online store from the growing threat of online fraud.

Let’s get started.

What Is Ecommerce Fraud?

Ecommerce transactions are typically made from smartphones, tablets, laptops, desktop computers and gaming devices — and even in the metaverse. When we talk about fraud, we’re talking about criminal deception intended to result in financial or personal gain. Ecommerce fraud is typically conducted by a single fraudster, a crime ring, or an AI bot, also with the intention of a financial or personal gain. 

Two things to remember about ecommerce fraud are that:

• The target is an online business, and
• The deception is intended to remain undiscovered.

Why Does Ecommerce Fraud Take Place?

Online payment fraud takes place for several reasons, some of them historical, some of them geographical and some of them legal.

Ease: 

Anonymity: 

Evasion: 

Ecommerce Fraud Statistics

Juniper Research reports that worldwide ecommerce fraud is expected to reach US$206 billion by 2025, and businesses have the potential to lose more than US$343 billion to online fraud through 2027. 

Additional ecommerce fraud stats from these reports include:

• Synthetic identity fraud is expected to cost businesses US$14 billion by 2025.
• North America and Europe have been the most impacted by ecommerce fraud, with expected losses of US$50 billion and US$35 billion, respectively, by 2025.
• The Asia-Pacific region is expected to experience ecommerce fraud losses of US$54 billion by 2025
• The digital goods and money transfer industry is one of the most vulnerable to online fraud, with anticipated losses of US$60 billion by 2025.

Common Types of Ecommerce Fraud

Every day, fraudsters are coming up with new ways to steal from consumers and businesses. Here are the most common types of fraud happening now.

Most common types of ecommerce fraud

• Card-not-present (CNP) fraud:
  Card-not-present (CNP) fraud happens anytime a fraudulent purchase is made online. CNP transactions are susceptible to fraud because the cardholder isn’t physically present when the order is processed, making it easy for fraudsters to use stolen credit card information. And because so many purchases are now made online, criminals have even more opportunity to defraud the cardholder whose card was stolen and the store owner, who must refund the purchase (and sometimes pay a chargeback fee to the bank that issued the card).
  
  
• Chargeback fraud:
  A chargeback happens when an online shopper makes a purchase with their credit card, receives the purchased goods or services, but then requests a refund from the issuing bank (the bank that issued their credit card). This results in the bank demanding that the retailer refund the purchase amount to the bank. When a bank demands a chargeback, the online business is responsible to refund the purchase.
  Chargeback fraud happens when a customer makes a legitimate credit card purchase, receives the product or service, and intentionally files a chargeback through the credit card company with the goal of receiving a full refund and keeping the product. 
  
  
• Account takeover (ATO) fraud:
  Account takeover (ATO) fraud has been a growing concern for years and accounted for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021. Unsecured mobile devices, easy-to-guess passwords and unencrypted transmissions have opened a world of possibilities for hackers to steal sensitive data and payment credentials. In 2020, the Federal Trade Commission logged 393,207 official reports of identity theft via credit card fraud. 
  Cybercriminals have also perfected malware that targets mobile devices to gather data, take control of the devices and modify their settings. Using this information, cybercriminals can hack into these accounts, change the passwords and make unauthorized purchases. ATO fraud can lead to high chargeback rates.
  
  
• Triangulation fraud:
  Triangulation fraud uses three steps to defraud online businesses. In the first step, criminals create a fake online storefront, typically one that offers popular brand-name goods at bargain-basement prices. The only goal of the site is to steal names, addresses and credit card numbers from unsuspecting shoppers. In the second step, the fraudsters use the stolen customer credentials and credit card numbers to visit a legitimate online store, buy exactly what the victim purchased from the fake store, and ship it to the customer. In the third step, fraudsters use the stolen customer data to make additional online purchases that they ship to themselves. 
  
  
• Friendly fraud:
  

  Friendly fraud happens when a customer pays with a valid card and then claims their order never arrived, that it was damaged, or that it was substantially different from the product description on the website. Usually, friendly fraud is considered “accidental” and can happen for a number of reasons:

  • The customer forgets they made the purchase.
  • Another family member authorizes the purchase.
  • The customer forgets they agreed to recurring billing.
  • The customer misunderstands the merchant’s return policy.

  Friendly fraud accounted for 29% of U.S. ecommerce losses in 2021.

• Return abuse:
  

  Return abuse happens when criminals take advantage of an online company’s return policy, and it costs U.S. retailers more than US$12 billion each year. It is most often perpetrated by an expert fraudster who has studied a business’s policies to find their loopholes. The most common types of return abuse include:

  • Stolen merchandise returns 
  • Receipt fraud
  • Employee fraud
  • Price arbitrage
  • Switch fraud
  • Bricking
  • Wardrobing
• Gift card fraud:
  Gift card fraud happens when fraudsters access the activation codes on gift cards and use them to make purchases with little to no tracking. This can happen by stealing accounts or hacking into loyalty accounts to convert points into digital gift cards. Fraudsters also use bots to search for keywords in emails and texts that signal the transmission of a gift card. In those cases, the fraudster accesses the gift card information without the user knowing. It’s not until the customer tries to redeem their gift card that they find out the balance is no longer available.
  
  
• Coupon abuse:
  Coupon or discount abuse happens when a fraudster creates multiple accounts so they can use a promotion more than once. Medium-sized to enterprise businesses are more likely to see this type of fraud because they tend to offer coupons, discounts and other promotions with the intent of attracting more customers. Where some types of policy abuse are perpetrated by individual fraudsters, coupon abuse is often the work of large-scale crime rings and mass-registered fake accounts.
  
  
• Fraud-as-a-service (FAAS):
  

  Fraud has evolved over time to become a business model for many fraudsters. Using bots and brand impersonation, fraudsters can rent bot networks from fraud "service providers" to launch large-scale fraud campaigns against websites and to phish victims. Fraudsters simply need to plug in victims' names and financial institutions or favorite stores, and the bots handle the rest – phishing the victim for their passwords, allowing for account takeover – all for as little as 15 cents per bot call.

How to Identify Fraud Online

As an online business, you can spot ecommerce fraud in a number of ways. Just remember that the success of ecommerce fraud depends on the skill and ingenuity of the fraudsters. As businesses increase their defenses against online criminal activity, online crooks also up their game and devise cunning ways to defraud their targets. 

Here are the most common red flags to look for:

Inconsistent order data

The ZIP code and city entered don’t match. Or the IP address of the shopper and their email address don’t match.

Larger-than-average order

The order is far larger than your customer typically spends. Other red flags include multiple units of the same SKU in the one order, and expedited shipping (the crook wants to receive the order before getting caught).

Unusual location

Your customer always purchases from an IP address in North America, but suddenly makes a purchase from an IP address in an unusual location (Nigeria, for example).

Multiple shipping addresses

The buyer makes multiple purchases under one billing address but ships the products to multiple addresses.

Many transactions in a short timeframe

The fraudster makes multiple purchases back to back — and it’s not the holiday season.

Multiple orders from many credit cards

Someone makes multiple purchases using multiple credit cards (either in one day or over a longer period).

Multiple declined transactions in a row

The purchaser makes not just one or two attempts (honest shoppers make mistakes, after all), but four, five, six, seven, eight or more attempts without getting the card number, expiry date and card security code correct.

Strings of orders from a new country

You’ve never received a single order from the Kingdom of Bhutan, and then you suddenly receive 11 orders from that country in the space of a week.

10 Steps for Preventing Fraud on Your Ecommerce Store

The key to protecting your online store or mobile app from ecommerce fraud isn’t just recognizing these activities when you see them — it’s taking steps to prevent them in the first place.

You have several tools at your disposal: some technical, some non-technical, some based on software, and some based on good-old-fashioned know-how. Here are the steps you can take today to prevent fraud in your online store.

1. Conduct regular site security audits

Want to discover flaws in your security before criminals and fraudsters do? Conduct security audits—often. Ask yourself these questions:

• Are our shopping cart software and plugins up to date?
• Is our SSL certificate current and working?
• Is our store PCI-DSS (Payment Card Industry Data Security Standard) compliant?
• Are we backing up our online store often enough?
• Are we using strong passwords for admin accounts, hosting dashboards, CMS, database, and FTP access?
• Are we scanning our website regularly for malware?
• Are we encrypting communication between our store and our customers and suppliers?
• Have we removed inactive plugins?

2. Make sure your store is PCI compliant

If you operate an online store that accepts credit card payments, you must be PCI compliant. PCI stands for Payment Card Industry. PCI standards for compliance are developed and managed by the PCI Security Standards Council to ensure the security of credit card transactions in the payments industry. PCI compliance means your online store and your business processes meet these PCI standards.

3. Monitor your site regularly for suspicious activity

Brick-and-mortar stores hire fraud prevention officers to catch shoplifters. You can protect your online store against fraudulent transactions by monitoring your store for suspicious activity. Monitor your accounts and transactions for red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers. Use tools that track customer IP addresses and alert you to any addresses from countries known as a base for fraudsters.

4. Use an Address Verification Service (AVS)

Credit card processors and issuing banks offer an Address Verification Service (AVS) to detect suspicious credit card transactions in real time and prevent credit card fraud. AVS checks the billing address submitted by the card user (the customer) with the cardholder’s billing address that’s on file with the issuing bank. This check takes place as part of the business’s request for authorization of the credit card transaction. When addresses don’t match, the system either declines the transaction or flags it for investigation.

5. Require Card Verification Value (CVV) numbers for all purchases

The three- or four-digit security codes on credit and debit cards are called the Card Verification Value (CVV) or Card Security Code (CSC). By requiring all purchasers to supply this code for every transaction, you ensure that customers have the physical credit card in their possession. This helps to keep you safe and reduces fraud.

6. Avoid collecting too much sensitive customer data

One way to protect your store in the event of a data breach or hack is to collect and store as little customer data as possible. Hackers can’t steal what you don’t have. So only collect the data you need to complete a transaction and ship the product. Avoid collecting Social Security numbers, dates of birth and other unnecessary sensitive customer data.

7. Set limits on purchases

Based on your order and revenue trends, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. This reduces your exposure to a minimum should fraud occur.

8. Double check that IP addresses and credit card addresses match

Every order placed on your online store comes from a unique, public IP address (a string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over the Internet). From the IP address, you can generally detect the city or region of the world where the purchaser is making the purchase. If this city or region does not match the address of the credit card being used, that’s a red flag.

9. Avoid non-physical shipping addresses

Fraudsters commonly avoid detection by protecting their physical address, preferring to use a PO box or other anonymous location. After all, the police can’t come knocking if there’s no door to knock on.

If you are an online business, and if you want to prevent this type of fraud, never ship online orders to PO boxes and other virtual addresses, such as those of freight forwarders. You can spot addresses that belong to freight forwarders because they have a container number in the address, such as 726 Dock Road Suite 300 #KXQ-582899328.

10. Try an anti-fraud solution

When it comes to detecting and preventing online fraud, there is a variety of software solutions to suit your needs and your budget. Additionally, the tools you select may vary widely when it comes to how much work is involved in installation and ongoing management. Some may prefer a more hands-on solution, while others would rather leave it in expert hands.

• Rudimentary anti-fraud tools perform a specific, single function. They are typically integrated into online shopping carts and ecommerce platforms. These tools identify fraudulent transactions through IP geolocation, validate email addresses, conduct device fingerprinting and verify addresses.
• Mid-level anti-fraud tools offer a wider variety of functions, including chargeback guarantees, auto declining of high-risk orders, protections against new account fraud and account takeover protection.
• Top-level anti-fraud tools offer everything the other tools offer plus outsourced case management, expertise working with large businesses, loyalty fraud management, policy abuse protection, automatic decisions and manual review of transactions.

Knowledge Is Power

Once you understand what ecommerce fraud is and why it is so prevalent, and once you learn how to detect online fraud, you are empowered to take the necessary steps to prevent fraud on your online store.

How ClearSale Can Help

At ClearSale, we offer a hybrid solution that includes multiple strategies to offer one of the most comprehensive fraud and chargeback prevention solutions on the market.

It starts with an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. Using this technology, we can automatically approve most orders quickly.

Suspicious orders are flagged for contextual secondary reviews performed by our more than 2,000 fraud analysts who have the experience to recognize some of the hardest-to-spot fraud patterns. If necessary, our analysts may reach out to customers, but they do so in a way that demonstrates why consumers can trust your business to protect their information.

We then leverage the data gathered from those contextual reviews to help our system better distinguish valid transactions from fraud. That means our system can more easily recognize “good” transactions as we process more for the client, which increases their approval rates and revenue.

We also offer end-to-end chargeback management.

For every possibility, ClearSale has a range of chargeback solutions:

• Total Chargeback Protection allows businesses to recoup a portion of losses due to fraudulent transactions.
• Chargeback Guarantee reimburses the transaction amount plus the chargeback amount for any unauthorized transaction that’s approved.
• End-to-End Chargeback Management delivers comprehensive chargeback mitigation and resolution services, including team training, data audits and timely responses to issuers.

Original article at: https://www.bigcommerce.com/blog/ecommerce-fraud/