The Merchant’s Guide to eCommerce Fraud Prevention
For merchants, ecommerce fraud remains a costly and challenging problem that can sap revenue and damage customer relationships. As more and more consumer activity shifts to the online sphere, fraudsters keep pace by looking for new opportunities and vulnerabilities to exploit.
With so many different fraud schemes to learn about and multiple attack vectors to protect, merchants have their work cut out for them when it comes to mounting effective defenses. How many different types of ecommerce fraud are out there, and what can merchants do to identify the signs and avoid being victimized?
The problem of ecommerce fraud is growing more expensive and more frequent for merchants, and the COVID-19 pandemic has only made things worse.
Widespread shutdowns led many people to try online shopping for the first time and motivated many brick-and-mortar merchants to expand their ecommerce operations, presenting fraudsters with a surge in inexperienced victims to prey upon with time-tested attacks like phishing and credential stuffing.
At the same time, sophisticated fraudsters are adapting to the changing landscape of ecommerce with innovative new scams.
Chargebacks protect consumer confidence in ecommerce by providing them with an effective remedy against fraud, but this comes at a high cost to merchants, who are financially liable for chargebacks. When fees, lost revenue, and operational costs are factored in, the average chargeback costs two and a half times the amount of the original disputed transaction.
Merchants who are unable to get fraud under control not only suffer these financial losses, but their reputations suffer as well—fairly or not, consumers tend to hold merchants partly responsible for fraud.
Perhaps most concerning of all, merchants with excessively high fraud and chargeback rates may be dropped and blackballed by their acquirers and payment processors.
It is imperative that every merchant understand the scope of their fraud problem and develop a plan for preventing fraudulent transactions and fighting fraudulent chargebacks.
What is eCommerce Fraud?
Any criminally deceptive act involving an online transaction, in which the fraudster is seeking to benefit at somebody else’s expense, falls under the umbrella of ecommerce fraud.
The form of ecommerce fraud most commonly encountered, and most relevant to online merchants, is when a fraudster makes a purchase at an online store using a payment method that belongs to a victim who is unaware that the transaction is being made without their authorization.
Not every act of ecommerce fraud involves credit cards, but most of them do. Credit cards are the most commonly used payment instruments in ecommerce and many merchants store partial or complete sets of credit card credentials in a format that can be copied and stolen in the event of a data breach.
Stolen data can be sold and traded in bulk on the dark web, making compromised credit card numbers widely and cheaply available to even the lowliest cybercriminals.
Fraudsters know that ecommerce fraud is easy to get away with. It can be carried out with near-total anonymity, it is rarely investigated or prosecuted, and the potential rewards are quite high considering the minimal risk involved.
What are the Different Categories of eCommerce Fraud?
eCommerce fraud can present itself in a number of different ways. Not every type will be applicable to all merchants.
Credit Card Fraud/Payments Fraud
The “classic” form of online fraud in which the fraudster uses stolen payment card credentials to make a purchase with a card-not-present merchant. The fraudster may keep the goods for their own use or attempt to resell them on a secondary market. Gift cards are often involved, as these provide the fraudster with an easy way to extract the full cash value of a fraudulent purchase.
Chargeback Fraud/Friendly Fraud
When a cardholder makes a purchase with a merchant, then files a false or illegitimate dispute in order to get a chargeback, this is known as chargeback fraud or “friendly” fraud (although the latter term is sometimes also used to describe situations where a cardholder disputes a charge out of honest confusion or forgetfulness).
Account Takeover Fraud
This type of fraud occurs when a fraudster hacks into a customer account on a merchant’s website. Account takeover is sometimes used to store data or funds, but usually it just provides a means for the fraudster to commit credit card fraud with the payment credentials saved to the account.
Triangulation Fraud
Triangulation fraud is a more complicated scheme wherein the fraudster sets up a fake online storefront to solicit orders for heavily discounted goods. They will then “fulfill” those orders by using stolen credit cards to make purchases with real merchants and keep the money paid to them by their customers as pure profit.
Refund Fraud
Any scheme in which the fraudster obtains a refund they aren’t really entitled to can be considered refund fraud. For example, the fraudster might place an order, receive their goods, and then claim that they never arrived and demand a refund.
New Account Fraud
Fraudsters may use stolen or synthetic identities to create fake bank or credit card accounts that cannot be traced back to them. They can then use those accounts to make online purchases until they are discovered and shut down.
What are the Indicators of eCommerce Fraud?
Merchants who know their customers and their shopping patterns are in the best position to detect fraud. When something seems “off” about an order, whether it’s the size, the shipping address, or something subtle and specific, it’s worth looking at it more closely or contacting the customer to verify the details.
While the different ecommerce fraud types listed above all have different telltale indicators, here are some things every merchant should watch out for:
- Changes to existing customer accounts, such as new email or shipping addresses.
- A sudden increase in transaction volume. This may be a sign of card testing—multiple small purchases intended to determine whether a stolen card is still active and usable.
- Unusual delivery requests, such as changes to the shipping address after the order has been placed.
- Shipping addresses that don’t match the customer’s known location (based on their IP or billing address).
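The four indicators above can be expressed as simple review rules over an order log. The following is an added example, not part of the original guide: the field names, thresholds, and the choice to group small purchases by source IP are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own order history.
SMALL_AMOUNT = 5.00
CARD_TEST_COUNT = 3
CARD_TEST_WINDOW = timedelta(minutes=10)
RECENT_CHANGE = timedelta(hours=24)

def flag_orders(orders):
    """Return {order_id: [indicator, ...]} for orders that match an indicator."""
    flags = defaultdict(list)
    small_by_ip = defaultdict(list)  # source IP -> [(timestamp, order_id)]
    for o in sorted(orders, key=lambda o: o["ts"]):
        changed = o.get("account_changed_at")
        # Email or shipping address on the account edited shortly before the order.
        if changed and timedelta(0) <= o["ts"] - changed <= RECENT_CHANGE:
            flags[o["id"]].append("recent_account_change")
        # Delivery address changed after the order was placed.
        if o.get("ship_changed_after_order"):
            flags[o["id"]].append("post_order_address_change")
        # Shipping country agrees with neither the IP nor the billing country.
        if o["ship"] not in (o["ip_country"], o["billing"]):
            flags[o["id"]].append("shipping_location_mismatch")
        # Card testing: a burst of small purchases from one source in a short window.
        if o["amount"] <= SMALL_AMOUNT:
            recent = [p for p in small_by_ip[o["ip"]] if o["ts"] - p[0] <= CARD_TEST_WINDOW]
            recent.append((o["ts"], o["id"]))
            small_by_ip[o["ip"]] = recent
            if len(recent) >= CARD_TEST_COUNT:
                for _, oid in recent:
                    if "possible_card_testing" not in flags[oid]:
                        flags[oid].append("possible_card_testing")
    return dict(flags)

def _order(oid, hhmm, amount, ip, ship="US", **extra):
    ts = datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")
    return {"id": oid, "ts": ts, "amount": amount, "ip": ip,
            "ip_country": "US", "billing": "US", "ship": ship, **extra}

# Constructed sample orders (documentation-range IPs), not real data.
SAMPLE_ORDERS = [
    _order("A1", "12:00", 1.00, "203.0.113.7"),
    _order("A2", "12:02", 1.50, "203.0.113.7"),
    _order("A3", "12:05", 2.00, "203.0.113.7"),
    _order("B1", "13:00", 250.00, "198.51.100.4", ship="BR",
           account_changed_at=datetime(2024, 1, 15, 12, 30)),
    _order("C1", "14:00", 80.00, "198.51.100.9"),
    _order("D1", "15:00", 60.00, "198.51.100.12", ship_changed_after_order=True),
]
```

A flag here means "route to manual review", matching the guide's advice to look more closely or contact the customer, rather than an automatic decline.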
How Can Merchants Prevent eCommerce Fraud?
The most effective prevention methods will depend on the types of attacks being used, so good fraud defense always starts with a careful analysis of your fraud and chargeback data to determine the nature and sources of your fraud.
However, most merchants will benefit by following these general guidelines:
- Require AVS and CVV matching on all transactions.
- Implement 3-D Secure anti-fraud technology.
- Insist on strong passwords and two-factor authentication for customer accounts.
- Use anti-fraud tools that employ risk scoring, machine learning, and other advanced technologies to detect and block fraud.
- Train your staff to recognize fraud indicators.
- Review suspicious orders and contact the customer directly to resolve questions or concerns.
- Fight fraudulent chargebacks with compelling evidence and a concise cover letter.
Fraud inevitably leads to chargebacks for merchants. True fraud chargebacks, which are filed in accordance with the intent and spirit of the Fair Credit Billing Act, cannot be fought—they’re legitimate chargebacks and all merchants can do is accept them and try to find ways to stop true fraud from happening in the first place.
Fraudulent chargebacks, on the other hand, can be fought and won, but only if merchants have the right evidence and an understanding of how to navigate the chargeback representment proce
Fraud is a complex problem, and dealing with it requires a multilayered approach.
Any strategy for reducing chargebacks must include plans for countering all of the various forms of ecommerce fraud that the merchant might experience.