Online shopping is becoming more popular every year — total retail ecommerce sales are expected to pass $1 trillion in the U.S. alone by the end of 2022. That’s a lot of Crocs. (People are still buying Crocs, right?)
However, with this increase in popularity also comes an increase in cybercrime and fraud. In a 2021 survey of ecommerce merchants, online stores received an average of 824 attempted fraud attacks per month, more than double the rate in 2020. And that number climbs sharply the larger the business.
It doesn’t matter how many customers you have — at some point, scammers will take aim at your site. As the store owner, you’re responsible for not just keeping your business safe, but keeping your customers protected from scams too. Otherwise, you risk damage to your profits, your customers, and your reputation.
In this post, we'll discuss:
- what ecommerce fraud is
- the different types of ecommerce fraud
- how to avoid ecommerce fraud
- the best software available to protect your business from fraudulent transactions.
That’s a lot of important stuff to cover, so let’s dive right in.
What is ecommerce fraud?
Ecommerce fraud, also known as payment fraud, is any deceptive activity that takes place during a transaction on an ecommerce platform. Ecommerce fraud can include anything from stealing credit card information to identity theft. There are many different types of ecommerce fraud, but all aim to turn a profit at the expense of the merchant.
The rise of ecommerce has made it easier than ever for anyone to launch an online store. Unfortunately, it’s also made things much easier for scammers, who no longer need physical payment cards in their possession to complete transactions.
Nowadays, it’s relatively easy to purchase stolen credit cards through illegal online marketplaces. Scammers have also found loopholes in everything from the protocols credit card companies use to issue refunds, to the weak passwords customers use to access their accounts. And, if done well, fraudsters can carry out these schemes for years without being caught.
The worst part of this is that, ultimately, it’s online businesses that take the biggest hit from ecommerce fraud. If customers think they’ve been scammed, they can request a refund from their credit card provider. This means the business loses its inventory without getting its money back.
As if that’s not bad enough, successful scams break the trust between the retailer and its customers. If you’re a victim of a scam on a website, you’re much less likely to visit that site again, let alone purchase from it. Why would you trust a website that allowed you to be scammed?
To better understand what ecommerce fraud actually looks like, let’s next look at some of the most common tactics used by scammers today.
Types of Ecommerce Fraud
Ecommerce fraud comes in many forms, with new strategies and iterations continually being developed to exploit ecommerce sites and their customers while outsmarting security measures.
Still, there are some long-standing, tried-and-true methods that continue to work. Here are some of the main types of ecommerce fraud you should be aware of, so you know how to spot them.
Account Takeover Fraud
In an account takeover attack, a fraudster gains access to your online account and uses stored payment information to make unauthorized purchases. This is a form of identity theft and a frequent go-to for online scammers.
Scammers can access your online account in a variety of ways, but most attempts involve tricking customers into willingly handing over their account credentials. One common tactic is phishing, in which a hacker impersonates a reputable company or individual in order to trick someone into providing them with private information.
Phishing attacks are usually conducted through email or text messages. In these messages, a hacker could pose as a customer support representative and ask for credentials or credit card info. Or, they could email customers a link to a fake login page and prompt customers to input their username and password. They may even send a link to a website that contains viruses or malware.
A phishing email that impersonates a real company might look something like this:
Besides phishing, account credentials may be bought on the black market, guessed outright, or, in rarer cases, exposed to the public when an online store suffers a cyberattack.
Whatever the method, the goal of account takeover fraud is to get into a user’s account and make purchases with it. Scammers will also change the account credentials after a successful login so the real account holder can’t intervene.
Chargeback Fraud
What happens if an online order arrives damaged, or simply doesn’t arrive at all? In these cases, a customer can file a chargeback with the credit card provider to receive a refund on their purchase. If the chargeback is approved, the customer’s purchase is reversed and the merchant must refund the order.
Chargeback fraud occurs when scammers take advantage of this system. In this type of fraud, a scammer makes a purchase, then later files a chargeback falsely claiming that their order was not delivered, that the order was faulty in some way, or that the purchase was unauthorized. Or, they may cancel their order immediately after it ships and file a chargeback when it arrives. The scammer then gets both their item and a full refund.
Chargeback fraud is also called “friendly fraud” when committed by an actual customer instead of a criminal. In friendly fraud, a customer files an illegitimate chargeback while believing it to be legitimate.
For example, a customer may demand a refund for what they think was an unauthorized purchase, when in reality it was a purchase made by a family member without their knowledge. Another common instance occurs with subscription services — a customer may file a claim for a recurring charge that they didn’t realize they signed up for.
The problem with chargebacks is that it’s often difficult for credit card companies to distinguish between chargebacks from legitimate customers and chargeback fraud committed by scammers, and merchants end up losing money from both.
Triangulation Fraud
Triangulation is a multi-step process scammers use to obtain a customer’s payment information.
First, a scammer creates a fake online storefront and lists products at a higher price than they are available on legitimate stores. Next, a customer “buys” a product from this fake storefront — in reality, they’re only giving the scammer their payment information. Finally, using the stolen payment information, the scammer buys the same product from a real store at a lower price, ships it to the customer, and pockets the difference.
The biggest benefit of triangulation schemes (for the scammer, that is) is that they are hard to discover on the customer’s end. As far as the customer knows, they bought a product online and received it as expected, not knowing that they’ve overpaid. What’s worse, the customer’s stolen information can be used for future scam purchases.
Affiliate Fraud
Affiliate marketing allows companies to give referral credit to individuals or companies that recommend their products to buyers. Every time a purchase is made through a unique affiliate link, the owner of that link receives a commission on the purchase.
Affiliate programs are an excellent way for merchants to market their products through partners. Unfortunately, they are also another way in for scammers. In affiliate fraud, a scammer poses as a legitimate affiliate, then funnels bot traffic through their affiliate links to generate commissions. Scammers may also use stolen credit cards to make fake purchases through the affiliate program.
Ecommerce Fraud Prevention Best Practices
- Look for warning signs of ecommerce fraud.
- Achieve PCI compliance.
- Require CVV on all purchases.
- Use an AVS.
- Encrypt your website with SSL.
- Require proof of delivery.
- Require strong passwords for user accounts.
- Limit order numbers.
- Conduct manual checks on suspicious purchases.
- Only collect customer data that you need.
- Regularly audit your website for vulnerabilities.
- Consider fraud protection software.
With ecommerce fraud on the rise, online stores are taking tangible steps to reduce the likelihood of scams. To prevent and discover cases of ecommerce fraud on your website, follow these best practices.
1. Look for warning signs of ecommerce fraud.
As you run your online store, you’ll hone your senses for suspicious activity on your website that sometimes (but not always) points to an attempted scam. Here are some red flags to look out for and look into if they occur on your site:
- Very large orders: Of course, you love to see large purchases. However, if a purchase is significantly larger than most others made on your site, it may be fraudulent. Also, check if the order was made with expedited shipping, as scammers want the large orders sent as soon as possible to avoid detection.
- Multiple very small orders: To test that a stolen card works, scammers start by making multiple, very small purchases. These are more likely to go undetected before the scammer moves to larger orders.
- Many back-to-back purchases: Look into any instances of multiple purchases over a short period of time from the same account or card, more than you would reasonably expect from a real customer. This could indicate bot activity.
- Multiple orders from different cards: It’s unusual for a customer to make several purchases over a short period of time (e.g., a day to a week) with different credit cards. Flag this activity as suspicious, as the same scammer may use different cards to avoid detection.
- Orders from unusual locations: This isn’t always a sure sign of a scam, but a shipping address in a city or country you’ve never shipped to before is worth looking into, especially if you see a sudden uptick in orders from that place.
- Different shipping and billing address: If the scammer is using a stolen card, that card owner obviously isn’t having the items sent to them. That’s why scammers will put a shipping address that’s different from the card’s billing address.
- Multiple failed transactions: While one or two failed transactions on a purchase is nothing out of the ordinary, multiple declined transactions in a row is a sign of a scammer trying to guess information, or trying different cards.
- PO box used as a shipping address: Again, this isn’t a sure sign of a scam — businesses often use PO boxes for shipping, for example. But, be wary of very large orders or multiple orders to a PO box with an unconfirmed owner, since scammers also use them to preserve anonymity. Consider removing the option to ship to PO boxes altogether.
- Other suspicious information provided: Sometimes, you need to go with your gut to detect potential scammer activity. Be on the lookout for dubious phone numbers, email addresses, and IP addresses. For example, you may get an order with an email address that’s a random character string, or a phone number from a location that you’ve never received an order from previously. You can also use detection software to catch these occurrences — we’ll discuss that later in this post.
None of these occurrences are certain indicators of ecommerce fraud, but they’re worth looking into whenever possible.
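The red flags above translate directly into screening rules. The Python below is an added example, not code from the original post or from any vendor's product: the order schema, field names, thresholds and sample orders are constructed assumptions, and, as the text advises, any flag routes an order to a person for review rather than to an automatic decline.

```python
import re
from datetime import datetime, timedelta
from statistics import median

PO_BOX_RE = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)  # "PO Box" / "P.O. Box"

def order(account, card, amount, ship_addr, bill_addr, ship_country, declines, ts):
    """Constructed order record; `card` is the last four digits, `declines` the failed attempts before this one."""
    return dict(account=account, card=card, amount=amount, ship_addr=ship_addr,
                bill_addr=bill_addr, ship_country=ship_country, declines=declines, ts=ts)

def _ts(o):
    return datetime.fromisoformat(o["ts"])

def screen_order(current, history):
    """Return the red flags raised by `current` given earlier orders; a flag means 'look closer', not 'fraud'."""
    flags, now = [], _ts(current)
    recent = lambda hours: [o for o in history if now - timedelta(hours=hours) <= _ts(o) <= now]
    # Very large order: more than five times the store's typical (median) order value.
    if history and current["amount"] > 5 * median(o["amount"] for o in history):
        flags.append("very_large_order")
    # Card testing: this and at least two earlier sub-$5 charges on the same card within 24 hours.
    small = [o for o in recent(24) if o["card"] == current["card"] and o["amount"] < 5]
    if current["amount"] < 5 and len(small) >= 2:
        flags.append("multiple_small_orders")
    # Back-to-back purchases: two or more earlier orders from the same account or card in the past hour.
    burst = [o for o in recent(1) if o["account"] == current["account"] or o["card"] == current["card"]]
    if len(burst) >= 2:
        flags.append("back_to_back_orders")
    # One account paying with three or more different cards inside a week.
    cards = {o["card"] for o in recent(24 * 7) if o["account"] == current["account"]}
    if len(cards | {current["card"]}) >= 3:
        flags.append("multiple_cards")
    # Shipping to a country the store has never shipped to before.
    if current["ship_country"] not in {o["ship_country"] for o in history}:
        flags.append("unusual_location")
    if current["ship_addr"] != current["bill_addr"]:
        flags.append("address_mismatch")
    if current["declines"] >= 3:
        flags.append("multiple_declines")
    if PO_BOX_RE.search(current["ship_addr"]):
        flags.append("po_box_shipping")
    return flags

def route(flags):
    """Flagged orders go to a person for the manual check the text recommends; nothing is auto-declined."""
    return "manual_review" if flags else "approve"

# Constructed order history for a small US-only store, including a card-testing run by "dave".
HISTORY = [
    order("alice", "4242", 45.00, "12 Elm St, Austin", "12 Elm St, Austin", "US", 0, "2022-03-01T09:00"),
    order("bob", "1881", 60.00, "9 Oak Ave, Boise", "9 Oak Ave, Boise", "US", 0, "2022-03-01T15:00"),
    order("carol", "0005", 30.00, "3 Birch Ln, Tulsa", "3 Birch Ln, Tulsa", "US", 1, "2022-03-02T08:00"),
    order("dave", "7777", 1.99, "PO Box 910, Miami", "5 Ocean Dr, Miami", "US", 0, "2022-03-02T11:30"),
    order("dave", "7777", 2.49, "PO Box 910, Miami", "5 Ocean Dr, Miami", "US", 0, "2022-03-02T11:40"),
]
# Three constructed new orders: a normal repeat customer, the card tester, and a large first-time overseas order.
LEGIT = order("alice", "4242", 52.00, "12 Elm St, Austin", "12 Elm St, Austin", "US", 0, "2022-03-02T12:00")
SUSPECT = order("dave", "7777", 3.00, "PO Box 910, Miami", "5 Ocean Dr, Miami", "US", 3, "2022-03-02T11:50")
LARGE = order("erin", "9999", 900.00, "8 Harbour Rd, Reykjavik", "77 Pine Rd, Denver", "IS", 1, "2022-03-02T13:00")

if __name__ == "__main__":
    for o in (LEGIT, SUSPECT, LARGE):
        flags = screen_order(o, HISTORY)
        print(o["account"], route(flags), flags)
```

Thresholds like "five times the median" should be tuned to your own order history; the point is that each rule maps to one red flag from the list and the flags are combined for a human to weigh, not summed into an automatic verdict.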
2. Achieve PCI compliance.
PCI compliance is a set of security standards developed by the Payment Card Industry Security Standards Council that businesses must follow in order to accept credit and debit card payments. This one isn’t just a best practice, but a requirement for all merchants that process credit card data. If you’re unaware of PCI compliance, this one should be your first priority.
PCI guidelines ensure that all card data that you store is protected, and that sensitive information is secure throughout the transaction process. Guidelines include encrypting cardholder data across open networks, use of antivirus software, and restricting access to cardholder data to necessary personnel only.
If you use a reputable payment gateway, ecommerce platform, or payment solution like HubSpot Payments, there’s a good chance PCI compliance is already handled for you. Still, it’s worth checking to make sure if you take card payments.
3. Require CVV on all purchases.
The card verification value (CVV), also called the security code, is the three- or four-digit number printed on a payment card. Requiring it is meant to verify that the customer has the physical card in hand.
Most online transactions you make probably require you to provide your card’s CVV in addition to the card number, and your own online store should do the same. It greatly reduces the chances of a scammer successfully using stolen credit and debit cards on your website, since they likely only have access to the card number and not the CVV.
4. Use an AVS.
An AVS, or Address Verification Service, is a fraud prevention measure that checks whether the billing address provided by the customer matches the one on file with the credit card issuer. If the addresses do not match, the transaction is flagged or declined.
Be sure the credit card issuers that you accept use an AVS. It’s a zero-effort way to catch fraudulent transactions and protect your business.
5. Encrypt your website with SSL.
Secure Sockets Layer (SSL) protection is a basic security feature that all ecommerce websites should have. (Modern sites actually use SSL’s successor, TLS, but the SSL name has stuck.) The SSL protocol encrypts the connection between a visitor’s web browser and a website’s server. If sensitive data sent between these two computers is intercepted by hackers, the encryption prevents it from being read and exploited.
Notice how the URLs on most websites begin not with HTTP, but HTTPS. When the “S” is included, that means the page is SSL-encrypted. If your site isn’t SSL encrypted, most browsers will give a warning to visitors telling them your site isn’t secure.
Obviously, that isn’t good for business.
To get SSL protection, you can purchase an SSL certificate for your site’s needs. Some ecommerce platforms will include an SSL certificate in their plans, which is always a plus.
6. Require proof of delivery.
Another way to verify customers’ identity is by requiring proof of delivery for large purchases — usually, this means the recipient provides a signature upon delivery, which is likely to scare off scammers who rely on identity theft or chargeback schemes. If your company ships expensive items, this protection can be well worth the fee.
Another option is requesting the delivery company take a photo of the parcel at its destination, which protects your company from liability if a scammer insists a package was never delivered.
7. Require strong passwords for user accounts.
Account takeovers can occur when a scammer successfully guesses a user’s login credentials. This isn’t a manual process — scammers typically use bots to guess thousands of common passwords very quickly.
If you allow visitors to set their own passwords without restrictions, it’s guaranteed that many of them will make theirs something instantly guessable, like “password” or “qwerty” or just their username again. It’s a hack waiting to happen, but one of the best, most basic protections you can take is requiring strong passwords for all customer accounts.
It’s actually pretty easy to generate a reasonably strong password. Check out the chart below, which explains how long it takes a typical hacker to brute-force guess a password. If you require passwords to be at least 10 characters long and include a number, an uppercase letter, and a symbol, that’s sufficiently safe.
Password requirements are an extra step for users, typically a big no-no when trying to convert. But, a few lost conversions is much better than a successful scam carried out on your website, especially now that password managers are becoming more common and make it virtually effortless to store strong passwords.
8. Limit order numbers.
Fraudsters may purchase items in high quantities from your website with stolen information. You can reduce the damage by limiting the quantity of an item a customer can purchase in a single order.
Look at how many units of an item the average customer buys, set a limit higher (but not too much higher) than that, and decline or flag orders that come in above that limit.
9. Conduct manual checks on suspicious purchases.
While it’s possible to use monitoring software to automatically deny transactions deemed suspicious, you run the risk of rejecting orders from real customers.
If you have the time and resources to do so, it’s worth instead manually checking orders flagged as potentially fraudulent. Follow up with the customer who made the order and ask for verification — if you get a response that seems legitimate, you can approve the order. If not, it’s likely a scam attempt.
10. Only collect customer data that you need.
This tip is pretty self-explanatory — scammers can’t steal information that you don’t have. In the case of ecommerce stores, limit the customer data you collect to only what is necessary to complete a transaction. If a successful scam does occur, you’ll limit the damage.
For example, while names and addresses are important, you probably don’t need to save customers’ birthdays in your system.
11. Regularly audit your website for vulnerabilities.
Security audits are an invaluable part of your ecommerce site’s security strategy, and it’s recommended that you audit your website for security vulnerabilities at least once or twice per year.
Audits may be conducted internally by you or your team, or externally by a third-party security company. Security audits will uncover holes in your defenses before scammers can leverage them — things like out-of-date software, malware infections, expired SSL protection, or lapsed PCI compliance.
12. Consider fraud protection software.
As you can probably imagine, evaluating every purchase for legitimacy can be inefficient or impossible if your business takes many orders a day. That’s why anti-fraud software exists — to notify you of suspicious purchase activity that needs your attention.
In the next section, we’ll cover some software tools to consider if you need help monitoring your site’s ecommerce activity.
Ecommerce Fraud Protection Tools
While ecommerce protection software covers a broad range of tools, they all generally perform one main function: automatically detecting suspicious activity on your site. Tools identify potential threats in different ways, and some have additional features and protections.
The right tool for you will ultimately depend on your budget, with options ranging from simple shopping cart add-ons to full-on protection platforms. The more expensive the tool, the more sophisticated its detection process will be, the goal being to minimize false positives (legitimate orders flagged or declined) while catching as much genuine fraud as possible.
Here are some of the best options available that we recommend to ecommerce merchants:
Riskified
What we like: The Riskified ecommerce protection platform is one of the most popular options available. It uses AI assistance to identify potential fraud in real-time, combining many different indicators to create a single “approve” or “decline” decision.
Another draw of the platform is its pricing: Riskified only charges a fee on legitimate purchases, meaning the amount you pay is proportional to your profit, whether you’re an enterprise or a small business.
Pricing: Riskified charges a fee per transaction.
ClearSale
What we like: ClearSale is another acclaimed tool in the fraud protection space, detecting scams with both machine learning and a human team of specialists. The service also claims to have the highest approval rates and lowest false decline rates in its industry.
Pricing: Contact sales.
Signifyd
What we like: Like the other tools here, Signifyd scales to fit both small and large businesses. The platform offers a wide array of protection solutions across the buyer’s journey, including fraud protection, policy protection, chargeback recovery, and return abuse prevention. The service also offers account protection features to prevent account takeover cases.
Pricing: Contact sales.
Subuno
What we like: Subuno offers a straightforward, affordable solution to fraud protection. When customers submit orders, Subuno checks each one against dozens of risk factors, then accepts, rejects, or saves the transaction for review on your behalf. Analyze suspicious transactions in the review dashboard, which makes it easy to evaluate orders for legitimacy.
Pricing: Subuno offers four pricing plans: Bronze ($19/month), Silver ($49/month), Gold ($99/month), and Platinum ($249/month).
Fraudlabs Pro
What we like: Fraudlabs Pro is a more advanced fraud-protection solution for detecting illegitimate transactions and generating reports so you can learn from scammers’ activity. The service checks all transactions against over 40 factors, such as email and credit card info, geolocation and proxy-server use, and its library of millions of blacklisted records.
Also, unlike the other options, Fraudlabs Pro has a free version available, so you can give the service a try. The free version allows 500 queries per month with basic validation checks, ideal for new businesses.
Pricing: Fraudlabs Pro offers five paid plans, ranging from $29.95 per month up to enterprise pricing. The most popular plan is the Medium plan for $249.95 per month. Fraudlabs Pro also offers a free plan with limited features.
Stop ecommerce fraud before it happens to you.
At best, scammers are a minor annoyance weeded out by fraud protection software. At worst, they’ll tank your business if left unchecked. Either way, they’re out there, and you’ll need to deal with them eventually if you haven’t already.
That’s why it’s best to strike first — learn the signs of fraud, pay attention to suspicious transactions, follow our best practices to protect yourself and your customers, and consider using software to do the work for you. It could mean the difference between a success story and a scam saga.