Whether a retailer has a physical store or is solely online, they are still vulnerable to theft and eCommerce fraud. Even though shoppers cannot physically shoplift products from an online store, online retailers are still vulnerable to fraudsters who target not only shoppers but also merchants or, in some cases, both.
So, what is eCommerce fraud? How can retailers deal with the problem to try and prevent it, and what can customers do to protect themselves?
What is eCommerce fraud?
Ecommerce fraud occurs when scammers/hackers intercept payments made on your online store. Scammers will hijack transactions and steal money from the customer, the retailer, or both.
Not only can scammers hijack a transaction as it happens, but they can also steal customers’ personal data and commit fraud with their credit card information. There are seven types of eCommerce fraud that your online store could potentially experience.
Friendly Fraud/Chargeback Fraud
Friendly fraud/Chargeback Fraud happens when legitimate customers buy your product on your website and then go to their bank and file a chargeback. Customers claim that the product wasn’t delivered, it looks different from what they ordered, or they claim that they canceled their order after they placed it (when they didn’t).
Once a customer files a complaint with their bank, that prompts an investigation and causes about 3% of eCommerce orders to end in a chargeback where you lose those profits. Friendly Fraud is a fraudulent activity because the customer did get their product, which they keep, yet still get their money back.
Refund Abuse
This is another type of fraud that involves the customer themselves. For example, customers will return broken, damaged merchandise or a stolen product and then get a refund for that product.
Even though most retailers have strict return policies to prevent incidents like this from occurring, it can still be a very costly problem for retailers.
Card Testing Fraud
Card Testing fraud is something that fraudsters use to determine if a credit card will work. Generally, they make a small purchase that will seemingly go unnoticed by the cardholder. Once the fraudster realizes that the card works, they will go on to make more expensive purchases.
Card testing affects not only the cardholder but also your business as well. For example, if a fraudster/scammer makes a purchase on your site using this method, your business may be subject to more disputes and extra fees.
Account Takeover Fraud
Account Takeover occurs when a scammer breaks into a customer’s account and uses the credit card information stored on a site to make fraudulent transactions.
Scammers can access customers’ accounts easily if they use weak passwords, phishing emails, or malicious software on the device used to purchase products.
Promo/Affiliate/Loyalty Abuse
Loyalty, Promos, and Affiliate Programs are great for eCommerce brands to attract customers and actively engage with existing ones. But, while they are popular with customers, they are also attractive to scammers.
Affiliate Fraud: You know when you refer a friend to a site and you either get a percentage off your purchase or get a small commission on their order? Some scammers send spam traffic to your website using a stolen credit card to benefit from the rewards, even though the’ referred’ customers aren’t real customers.
Loyalty Fraud: This type of fraud occurs when scammers join your loyalty program to earn points through stolen credit cards and then resell them for a percentage of their worth on the web.
Promotion Fraud: This type of fraud has been on the rise, especially since the beginning of the COVID-19 pandemic. Scammers will find loopholes in merchants’ promos, and then they will get products for free.
Triangulation Fraud
This type of fraud occurs when a business sells its products through a number of sales channels. This is an issue for both merchants and customers.
There are multiple steps the scammer has to go through to achieve triangulation fraud.
- Fraudsters will list your products for sale on different sites such as eBay or Amazon.
- Customers will purchase the item from the scammer using their credit card.
- The scammer uses a different fraudulent card so they can buy the product from your website using the original customer’s shipping address.
- The customer will receive their order, but their credit card information ends up in the fraudster’s hands.
Shoppers don’t know that their credit card information has been stolen, and retailers process fraudulent orders and overlook the middleman in between using stolen cards and pocketing the difference between the marketplace price and the real product price.
What is eCommerce fraud prevention?
Online merchants can use eCommerce fraud prevention to prevent fraud, detect it, and solve the problem. It is necessary because it protects customer information and helps you avoid lost profits.
How do you identify fraud on eCommerce websites?
Ecommerce fraud is not only an expensive problem in monetary value, but it can also be damaging to your site’s reputation. For example, if a shopper is the victim of fraud after purchasing something on your website, they are not as likely to return to your site.
The good news is that there are multiple red flags that you can be on the lookout for to help detect fraudulent behavior on your website.
- Higher-Order Volumes: Scammers are more likely to purchase large ticket items using stolen credit cards since they are making a purchase using stolen money.
- Low-Value Orders: This is what generally happens during card testing fraud. If the purchase is around $1, a fraudster could be testing out a stolen credit card.
- Different Credit Cards: If you have one customer that makes many purchases, all using different credit cards, this is a red flag. Scammers will test out whether the stolen credit cards work.
- Repeated Declined Transactions: Sometimes, fraudsters don’t have all the information to place an order no matter how hard they try. If a payment declines on your site repeatedly, primarily due to a security code issue, it is unlikely to be a mistake from an actual customer.
- Unusual IP Locations: Be on the lookout for several orders from the same IP address suddenly or suspicious orders from an IP address that doesn’t match the customer’s usual location. For example, if a customer is routinely from Canada, an attempted order for a large sum of money from across the country is a huge red flag.
- Different Billing and Shipping Addresses: This is most common with triangulation fraud because fraudsters use stolen credit card details to ship the items to actual customers.
- PO Box Shipping Addresses: Yes, these shipping locations are popular with businesses; but they also let scammers ship online orders to different anonymous locations. Be on the lookout for shipping many orders to a single PO Box address.
Ecommerce Fraud Protection Strategies and Best Practices
Scammers are finding new ways to scam customers and merchants out of a lot of money. But, there are specific prevention strategies to prevent fraud from happening through your website hopefully.
Go through and manually review orders that seem risky
Ecommerce software helps flag orders that seem risky. You can quickly go in and manually review orders that trigger a warning. You can also reach out to the customer directly to gather more information to determine whether or not the purchase is a real and legitimate purchase.
If you also notice an order, low or high value from an unusual IP address, it is best to conduct a review and contact the customer. If they don’t respond, it is highly likely that it was a fraudulent purchase.
You can also look at a customer’s history to determine if they usually make large purchases, small purchases, or only use one credit card. If a customer’s account information ends up in the hands of scammers, you can generally see that if they are making orders that are larger than usual, using a different credit card, or they are purchasing from a wildly different location.
Limit the order quantity By customer
Higher-order quantities are a huge red flag that scammers are using stolen credit cards to make purchases on your site.
You can prevent this by setting a limit to the number of units of one product that a customer can buy. By looking at previous sales data for your store, you can generally identify the average number of units you sell per day. Then you can automatically block orders that exceed that amount to reduce the chances of scammers committing fraud.
Collect proof of delivery
Collecting proof of delivery can help prevent return fraud. For example, when a customer says they haven’t received their order, you can quickly identify that they have received their order.
You can collect proof of delivery by working with shipping carriers that you trust that request proof of delivery in the form of customer signatures or photos of the delivery package.
Be PCI compliant
Ecommerce businesses need to meet the Payment Card Industry Data Security Standards if they are processing online payments safely. These compliances are:
- Change the default password for software and systems
- Encrypting cardholder data across public networks
- Using antivirus software to prevent malware attacks from happening
- Limiting the employees that can access cardholder data
- Testing online security systems regularly
Show policies on your website clearly
Policies are a straightforward way to show customers how your business operates. Not including terms and conditions and establishing clear policies on your website can help crack down on eCommerce fraud. Some policies that you can have are:
- Strong Password Policy: Scammers can hack into account information if a customer’s login details are easy to figure out. On top of two-factor authentication, password policies (special characters, upper case and lower case letters, numbers, etc.) make it harder for fraudsters to hack into accounts.
- Return Policy: Setting up what qualifies for a return, the documentation you need, and whether the customer will get store credit, a refund, etc, can prevent return fraud from happening.
- Promotions/Rewards Policy: By limiting order quantities and prohibiting the sales of reward points, this policy can push back any eCommerce fraud pertaining to rewards that go against the terms of the policy.
Invest in verification software
An easy way to detect e-commerce fraud is when a customer’s billing address, shipping address, or credit card details, such as a security code, don’t line up correctly. You can automatically get an alert to orders that raise a red flag using verification software.
You can request the Card Verification Number (CVN) – the three or four-digit pin on the back of the card – to prevent fraudsters from being able to complete a purchase. Scammers only usually need to see the front of the card to make fraudulent purchases. So, requesting the CVN number adds an extra layer of protection and security.
Also, using the Address Verification System (AVS) helps verify a customer’s billing address against their card. For example, if a fraudster uses multiple cards to make purchases to one address, an AVS will catch that and flag it.
Build a Blocklist
Even though you may catch a scammer once, that doesn’t mean they won’t come back under a different name, shipping address, or credit card, hoping that you won’t notice. A blocklist can prevent offenders from continuously committing fraud through your website. This document contains names, credit card numbers, IP addresses, and shipping addresses known to be a fraud risk.
Use IP Fraud Scoring Tools
One fraudster may be able to commit several different types of fraud using the same computer. You can detect these serial fraudsters with IP scoring tools that detect IP addresses that have been flagged for fraudulent behavior in the past.
They use different signals such as their location, whether they are using a VPN to disguise their actual location, and the type of internet service provider (residential or public connection).
Ecommerce Fraud Prevention Software: Shopify Protect
You can protect your store with eCommerce fraud prevention tools that will help check, flag, and block high-risk orders on autopilot.
The one to use for your Shopify eCommerce store is Shopify Protect.
Businesses that use Shopify already have access to a world-class fraud algorithm that uses data from stores across the whole Shopify network to identify fraudulent eCommerce orders.
Shopify Protect can add an extra layer of protection that secures your business against fraudulent chargebacks. But, it only protects orders that contain physical items that require shipping. Orders that have digital products are not eligible for protection with Shopify Protect.
Orders must be fulfilled within seven days of the order date and the order must be in transit to the customer within ten days to be eligible for protection. Shopify Protect doesn’t prevent someone from placing an order, but if an order isn’t eligible for Shopify Protect, it will say on the orders page “Not protected by Shopify Protect.”
Any of the Shop Pay transactions that Shopify Protect has cleared are safe to fulfill. If a chargeback does happen to a protected order, Shopify will cover the total cost and the chargeback fee, and they will deal with the dispute process on your behalf. Shopify Protect is free for Shopify Merchants.