Ecommerce fraud is becoming an increasingly common threat to online stores worldwide, particularly to small and medium-sized businesses. During the COVID-19 pandemic, rates of ecommerce fraud rose higher than ever. At the same time, record numbers of customers continue to buy products online.
So, what can your business do in terms of ecommerce fraud prevention? What kind of ecommerce fraud best practices are out there to give you the best shot at beating the fraudsters?
We’ve done our research to give you some pointers on how to protect your business, and your customers, from ecommerce fraud.
Before we learn how to protect yourself against ecommerce fraud, let’s understand what it is.
Ecommerce fraud includes any kind of action aimed at exploiting online stores for personal or financial gain. When a scammer tries to intercept a commercial transaction on your online store, they may look to steal money from your customers, your business, or both.
Credit Card Fraud
When a fraudster makes a purchase with a stolen credit card number, the store processes the payment, and then the real cardholder initiates a chargeback after noticing a strange transaction. This results in you, the merchant, having to refund the payment. You lose the sale, and end up paying an expensive admin fee to the card company. This type of fraud is also called transaction fraud or card not present (CNP) fraud.
Another type of ecommerce fraud is phishing. This is when scammers create near-identical copies of your online website, and encourage customers to buy items. These hackers then steal customer credit card numbers to use in future scams.
Another method of phishing is via email. Fraudsters send emails to customers to try to trick them into revealing personal data like usernames and passwords. They then log into the customers’ accounts, change their passwords, and make unauthorized purchases. Criminals often use bots to steal confidential information, making the fraud very difficult to trace.
Transaction fraud is not only carried out by professional fraudsters. Sometimes, a chargeback is initiated by someone whose card hasn’t been stolen. This is also called first-party fraud or ‘friendly’ fraud – though there’s nothing friendly about it! It’s called this because it usually involves genuine customers rather than professional scammers. These customers either accidentally request a chargeback on transactions they don’t recognize, or deliberately do so to avoid paying for the item at all.
Ecommerce stores make use of promotion, affiliate, and loyalty programs to attract new customers and engage existing ones. But this also leaves open avenues for scammers to exploit.
In affiliate marketing, online merchants pay affiliates a commission for each referred sale. Criminals seek to defraud the merchant by either generating fake commissions or increasing the number of commissions.
Triangulation fraud uses a three-step method to defraud online merchants. Firstly, the scammer creates a fake online store to steal names, addresses, and credit card details from unsuspecting customers.
Next, fraudsters use stolen customer details to buy the exact items the customer bought from the fake store and have the items shipped to them.
Lastly, the scammers use the stolen information to buy other online purchases for themselves. This type of fraud tends to go undetected for quite some time because the original purchase (from the fake store) raises no suspicion.
For more information on the biggest challenges of running an ecommerce website, read our list.
So, with so many types of ecommerce fraud out there, how do you spot when it’s happening to your online store? There are a few tell-tale signs to look out for:
- Inconsistent order data: Is there some information in the order that doesn’t add up? Pay close attention to the city and ZIP code – do they match?
- Unusual location: Your regular customer always makes their purchases from the same IP address, but this time it’s different. Could this be something to look into?
- Multiple shipping addresses: A buyer makes several purchases under the same billing address, but items are shipped to multiple locations.
- Multiple declined transactions in a row: The customer makes several attempts to pay with a credit card without getting the details correct.
Let’s take a look at 10 ecommerce fraud prevention best practices for your online store.
Find any flaws in your security before criminals do! This is a must for any online business to be robust against scammers. When conducting a security audit, ask yourself these questions:
- Are your shopping cart software and plugins up to date?
- Is your SSL certificate current and working?
- Are your passwords for your admin accounts strong enough? It’s good practice to review and change these every month or so.
- Are you scanning your website regularly for malware?
For more information on setting your site up for success, check out our article on best practices for ecommerce stores.
Advice from the Experts
Top tip: There are a bunch of anti-fraud software solutions out there to help with auditing, managing, and maintaining your security systems. You can choose which software suits your purpose and budget. Solutions range from basic anti-fraud tools, such as those integrated into ecommerce platforms, or more comprehensive tools which offer a wide variety of functions.
If your website accepts credit card payments, it has to be PCI (Payment Card Industry) compliant. This is a set of security requirements that ensures your business meets the technical and operational guidelines in order to protect customer credit card data.
PCI compliance is a continuous process that requires regular evaluations of your current security systems and practices. Take a look over the latest set of security standards to check if your online store is PCI compliant – many platforms, like Shopify, take care of this for you!
Address Verification Service (AVS) is a service offered by credit card processors and issuing banks to check that the billing address submitted by the credit card user matches the billing address held by the bank. If the addresses don’t match during the authorization process, the transaction is either declined or flagged for investigation.
The AVS check is done automatically, but it’s the merchant’s responsibility to accept or decline the sale based on the AVS code provided. Check out the different AVS codes and what they mean for your business.
You know that three- or four-digit number on the back of your debit or credit card? Well, it’s important. The Card Verification Value (CVV) or Card Security Code (CSC) adds another layer of security to online transactions by ensuring that customers have the physical card in their possession. Asking for a CVV or CSC number with each transaction will help keep your business safe and prevent fraud.
A good way of protecting your store from a data leak or hack is to hold onto a minimal amount of customer data. Only collect data needed for the transaction and shipping. After all, you want to attract customers to your online store, not put them off with unnecessary questions. Plus, hackers can’t steal what you don’t have. Reducing the amount of customer data you have on file will minimize the risk of criminals targeting your business or your customers.
Hypertext Transfer Protocol Secure (HTTPS) is a system that securely sends data from a customer’s web browser to your online store. Using HTTPS is a standard way to make sure transactions on your website aren’t easily viewed by hackers, cybercriminals, or fraudsters.
Advice from the Experts
If you don’t already have one, get set up with an SSL certificate and keep it up to date!
Set limits on the number of purchases and total dollar value that you’ll accept from one customer in a single day. You can use your order and revenue trends to understand what limits would be appropriate and know what to sell online exactly. This will reduce the risk of transaction fraud by minimizing potential openings in the system that could be exploited.
Advice from the Experts
Top tip: Avoid non-physical shipping addresses! Scammers will often seek to avoid detection with this strategy. If you want to prevent this type of fraud, never ship orders to PO boxes or other virtual addresses, such as those of freight forwarders.
Peak holiday seasons are usually pretty hectic for online stores, but this is when you need to be on your toes the most! Fraudsters often target stores during this busy time, and transaction fraud in particular can be easy to miss with orders stacked up. Make sure to leave enough time to continue security audits, and process all transactions securely.
Make sure your employees are clued up on ecommerce fraud prevention, and how to look out for it. Consider doing some workshops with your staff, and establish best practices for your business to follow when it comes to fraud.
Double-check that every transaction’s IP address matches the city or region that the credit card has been issued. This may seem like a lot of work, but it’s worth it – setting out a best practice such as this is a solid way to ensure your transactions are valid. If the IP address and credit card billing address are radically different, make sure you flag the transaction for further review.
During the COVID-19 pandemic, rates of ecommerce fraud rose by at least 70% globally. And, according to a recent study, it’s not getting any better either. By 2024, owners of online stores could lose an estimated $24 billion in profits to ecommerce fraud.
Now more than ever, it’s essential that every online store learns these ecommerce fraud best practices and understands how to combat ecommerce fraud in the most effective way. Sadly, no one – not even the biggest companies – is immune to fraud. But, if you can spot the fraud early, or reduce the risk by using our best practices above, you have a great chance of beating the fraudsters at their own game.
If you experience fraud, you will want to gather all the documentation you have on the transaction. Collect all the data that the cyber-criminal gave you during the transaction and any other data that may exist post-sale. For instance, if you got a signature on the package, you’ll want documentation on that. You may even be able to obtain camera footage of the scammer if they had it shipped to a PO box and picked it up there.
Once you’ve done that, go to the appropriate government authority to report the theft. Depending on how much money you lost, they may choose not to investigate. And unfortunately, they can’t really do much about an international scammer.
- U.S. Immigration and Customs Enforcement, Cyber Crime Division largely fights cross-state border crime.
- U.S. Secret Service fights international cyber crime.
- Federal Trade Commission, who will log your complaints.
- The FBI’s Cyber Division, which investigates internet crime such as “cyber based terrorism, espionage, computer intrusions, and major cyber fraud.”
Different states also have their own individual versions of these services set up to help you. If your store is located outside of the U.S, or you feel that the government authorities are unable to help you, there are other support agencies available too.
- The Cyber Crime Response Agency is a U.S.-based nonprofit that aids law enforcement in prosecuting cyber crime by taking the time to do in-depth investigations law enforcement does not have the time or resources to do.
- INTERPOL provides international support to law enforcement working on cyber crime cases.
- Europol provides similar support as Interpol in connecting law enforcement resources, but specifically for the EU.
You can also hand the documentation off to the credit card company involved. They may be willing to give your money back, though it’s unlikely.