Ecommerce is fast-paced, competitive, and at times challenging. The last thing you want to worry about is how to deploy a RiskOps or fraud prevention system.
And yet, as we’ve seen time and time again, every online store owner soon realizes that they must protect themselves against fraudsters. In fact, the COVID-19 pandemic has greatly accelerated this need, as fraud rates skyrocketed by 70% during the health crisis.
This is why, in this article, we’ll go through the most common attacks on online stores, and we’ll give you pointers on how to defend yourself.
Now let’s get started with some basic definitions.
What Is Ecommerce Fraud?
Ecommerce fraud includes any kind of malicious action designed to exploit online stores. The most common attacks are related to fraudulent transactions, made with stolen credit card numbers. However, ecommerce fraud increasingly takes the form of account takeover or return fraud, among other methods.
While ecommerce allows retailers to access a global audience, it also opens the door to bad agents who can impersonate customers to attack online stores. Using false information and stolen credit cards, they can purchase goods and services in order to resell them.
One of the most impactful consequences of ecommerce fraud is chargebacks. Having a high chargeback rate due to ecommerce fraud can fray your relationship with card networks, which could classify you as a high-risk merchant with higher credit card fees.
7 Types of Ecommerce Fraud
Here are seven examples of how fraudsters may target your ecommerce store in order to exploit it:
1. Transaction Fraud
Transaction fraud happens when bad agents make purchases with stolen credit cards. This is also known as credit card fraud, or CNP (card not present) fraud.
When this happens, you will have to accept that you lost a sale, and issue a refund to the legitimate cardholder when they ask for a chargeback.
To make matters worse, if too many chargebacks are requested on your site, the card network may put you in a high fraud target category, where the fee you pay for processing each payment will increase.
2. Friendly Fraud
Friendly fraud, or first-party fraud, tends to fall into three categories:
- Innocent or accidental requests: The refund request is made by customers who do not recognize a purchase made with their own credit card.
- Opportunistic friendly fraud: Refunds are increasingly weaponized by opportunistic and dissatisfied customers. This could be because of a store policy they disapprove of (e.g. offering travel credit instead of refund), or simply because they feel buyer’s remorse.
- Malicious friendly fraud or chargeback fraud: some buyers know in advance that they’re going to request a chargeback. These bad customers have every intention to receive an item, claim it never arrived, and ask for their money back.
These attacks also result in chargeback fees, so the problems are essentially the same as with standard transaction fraud – with the added challenge of having to prove the cardholder’s bad intention when disputing the chargeback.
3. Return Fraud
Another booming trend sees fraudsters abuse online stores’ return policies, often in combination with transaction fraud. Here are ways in which they attempt to exploit online merchants:
- Receipt fraud: Using reused, stolen or falsified online receipts to return merchandise for profit. Alternatively, returning goods purchased on sale or from a different store at a lower price, with the intention of profiting from the difference.
- Switch fraud: Purchasing a working item, and returning a damaged or defective identical item that was already owned or has been purchased with a stolen credit card for this purpose.
- Bricking: Purchasing a working electronic item and deliberately damaging or stripping it of valuable components, thus rendering it unusable, then returning the item for profit without informing the merchant that it no longer works.
- Open-box fraud: Purchasing an item from a store and returning it opened with the intent to re-purchase it at a lower price under the store’s open-box policies. A variation of price-switching.
- Inventory depletion: Purchasing an entire shop’s inventory so that consumers are more likely to buy the same items from the fraudster’s own store. The items are later returned for a refund, within the rights of the policy.
4. Wardrobing
While it is a form of both return fraud and friendly fraud, it is worth highlighting the exploit known as wardrobing.
It is one of the most common return fraud tactics in the world, and it happens when users purchase an item of clothing with the intention of wearing it for a short period of time and returning it later. This used to be a problem for brick and mortar shops, and it’s even more frequent with online purchases, where the buyer does not have to lie to a shopkeeper in person.
A report by the Retail Technology Review claims that wardrobing costs retailers £1.5bn ($1.89bn) per year.
5. Triangulation Fraud
Triangulation fraud involves a legitimate customer, a legitimate online store, and a fake online store operated by a fraudster who has access to stolen credit card details.
- A customer makes a purchase with a marketplace seller (e.g. on eBay or Amazon).
- The seller is secretly a fraudster – a fake seller. After they receive the order, they buy the same item from your legitimate online store.
- The fake seller uses a stolen credit card number to buy from you, and gives you their customer’s shipping address.
- You ship the item to the customer, who is none the wiser.
- The owner of the stolen credit card notices the payment and initiates a chargeback.
- You try to get in touch with the fake seller, but they ignore you.
- You, the legitimate store owner, have to pay the chargeback fee. The fake seller keeps the original customer’s money.
In this scenario, the original customer receives the item they paid for. The marketplace seller appears legitimate to them. But behind the scenes, someone’s money is stolen, and it’s you, the online store, that has to refund it, despite shipping an item.
6. Account Takeover Fraud
If your online store lets customers hold store credit in their accounts, they effectively become e-wallets. This is a strong incentive for criminals to steal the accounts, which is known as an account takeover.
Account takeover fraud is extremely damaging, as it is the gateway to more fraud. For instance, once a fraudster has access to one of your customer accounts, they can mine it for personal information and commit more crimes.
It also damages your reputation as the customer is likely to complain about their account being “hacked”, shifting the blame on your security.
7. Bonus Abuse Fraud
As the online store landscape becomes increasingly competitive, retailers attempt to attract customers with coupons and bonus offers. Once again, this is a strong incentive for fraudsters.
In order to abuse your bonus programme, they will create multiple accounts and refer themselves. This can damage your bottom line, hurt your marketing efforts, and see you lose profit on items which could have been sold at full price to a legitimate customer.
How to Detect Ecommerce Fraud
There are three key stages where you should focus your ecommerce anti-fraud efforts. These are the signup, login, and transaction stages. Let’s look at what works.
- Compare more data points: This is designed to spot inconsistencies that could point to fraud. For instance, an order made with a US card that ships to Croatia should raise suspicions.
- Perform a card BIN lookup: Learning more information about the payment method is a great way to mitigate risk. A card BIN lookup will let you know if the card is valid, where it was registered, and what kind it is. Pre-paid cards, for instance, carry more risks than standard credit cards.
- Check for a social footprint: Failing to confirm the cardholder’s identity using public data from social media can also let fraudulent payments slip through the cracks. The good news is that you can quickly fingerprint users based on their email address or phone number alone, using a process known as data enrichment.
- Identify card testing attempts: For most online stores, transaction fraud will appear as low-value transactions that fraudsters use to see if the card can work. Keep a watchful eye for transactions under $1, especially when they all come from the same account.
- Understand how users connect to your site: For instance, customers using VPNs, proxies, or emulators are very likely trying to spoof data. You should be extra vigilant in monitoring their ecommerce transactions.
- Assess the customer’s shipping behavior: In risk management, human behavior tends to be analyzed by using velocity rules. These are risk rules that look at actions over a specific timeframe, for instance, a high number of small transactions within one hour, or multiple failed login attempts.
- Spot connections between users: The more data you have on your shoppers, the more likely you are to identify suspicious connections. A great example is to spot multi-accounting fraudsters who try to abuse your promos and bonuses. If you can prove that they all sign up from the same IP address, it’s easier to block them.
All of the above can be implemented via the right ecommerce fraud detection software, which should include features such as risk rules, risk scoring, user fingerprinting, and even machine learning to suggest better risk-management ideas.
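As an added illustration (not code from the original article or from any vendor), the sketch below implements two of the checks listed above: the card-country versus shipping-country comparison, and a velocity rule for card testing that counts payments under $1 per account within one hour. The event layout, the account names and the threshold of three payments are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # velocity window (assumed value)
SMALL_AMOUNT = 1.00           # "transactions under $1"
MAX_SMALL_IN_WINDOW = 3       # assumed threshold for the velocity rule

# Constructed sample events:
# (timestamp, account, amount_usd, card_country, shipping_country)
EVENTS = [
    ("2024-05-01T10:00:00", "acct-17", 0.50, "US", "US"),
    ("2024-05-01T10:04:00", "acct-17", 0.75, "US", "US"),
    ("2024-05-01T10:09:00", "acct-17", 0.99, "GB", "US"),
    ("2024-05-01T10:15:00", "acct-17", 0.40, "US", "US"),
    ("2024-05-01T10:20:00", "acct-42", 59.90, "US", "HR"),
    ("2024-05-01T12:30:00", "acct-88", 0.80, "DE", "DE"),
    ("2024-05-01T14:45:00", "acct-88", 0.90, "DE", "DE"),
    ("2024-05-01T16:50:00", "acct-88", 0.70, "DE", "DE"),
]

def evaluate(events):
    """Return (timestamp, account, reasons) for every event that trips a rule."""
    recent_small = defaultdict(deque)  # account -> timestamps of small payments
    flagged = []
    for ts, account, amount, card_cc, ship_cc in sorted(events):
        when = datetime.fromisoformat(ts)
        reasons = []
        # Data-point comparison: card issued in one country, goods shipped to another.
        if card_cc != ship_cc:
            reasons.append("card_ship_country_mismatch")
        # Velocity rule: many sub-$1 payments from one account inside the window.
        if amount < SMALL_AMOUNT:
            window = recent_small[account]
            window.append(when)
            while when - window[0] > WINDOW:  # drop payments older than the window
                window.popleft()
            if len(window) >= MAX_SMALL_IN_WINDOW:
                reasons.append("card_testing_velocity")
        if reasons:
            flagged.append((ts, account, reasons))
    return flagged

if __name__ == "__main__":
    for ts, account, reasons in evaluate(EVENTS):
        print(ts, account, ", ".join(reasons))
```

The three small payments from acct-88 are spread over more than four hours, so the sliding window never holds three of them and the account is not flagged.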
Triangulation Fraud: Signs to Watch Out For
Note that while some platforms like Shopify or payment gateways like Stripe offer built-in ecommerce fraud detection and prevention, their tools will not be advanced enough to flag more complex attacks such as triangulation fraud. That’s why it is key to have a robust system for online fraud detection & prevention.
Here are a few common data points to monitor, in order to be protected:
- New customer profiles: Keep a close watch on new accounts that immediately buy the same items regularly. They might look like loyal customers but this actually points to fraudulent sellers.
- Conflicting addresses: If the shipping address and billing address don’t match, it should increase your suspicions.
- Low-value transactions: Fraudulent sellers will try to stay under the radar by focusing on low-value goods or services.
- Invalid contact details: If you attempt to contact your customer and don’t hear anything from them, you could be dealing with a fraudster.
- Connections between users: This type of fraud tends to be committed by organized fraud rings, who rely on the same devices to connect to your store.
You have a few options here.
You can take all the above data points and perform an in-depth manual review, to confirm whether you are dealing with a legitimate customer or not. But because time is often of the essence when shipping products (especially digital goods), it’s worth combining all these data points together and feeding them through automated risk rules.
You can also perform behavior analysis, which will not just highlight suspicious data points but also flag risky customers over time.
What Ecommerce Fraud Prevention Tools Should Merchants Deploy?
For better fraud protection, your strategy should include ecommerce fraud prevention tools such as:
- Data enrichment: You can use a single data point, such as an email address or a phone number, and build a complete profile of your customers based on it. For instance, you can check whether the email address is valid, and whether it was opened with a temporary domain service or with one that increases risk (no verification during email account opening). This is particularly helpful when performing a manual review – to confirm a customer’s identity before shipping a product, for example.
- Reverse social media lookup: Thanks to data breaches and dark web marketplaces, fraudsters have access to tons of credit card numbers. What they can’t do, however, is create full social media profiles to match every name on their stolen credit cards. This is a great chance to check if a user appears legitimate or not based on their social presence. SEON can check 50+ social networks.
- Device fingerprinting: This technique looks at how customers connect to your site. It’s helpful to spot suspicious logins via VPNs, proxies or emulators, but also to spot connections between accounts. A lot of fraudsters will recycle the same devices and IP addresses, so flagging them can help you take down entire fraud networks at once.
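The "connections between users" signal (mentioned for multi-accounting, for triangulation fraud rings, and under device fingerprinting above) can be computed by grouping accounts that share an IP address or a device fingerprint, directly or through a chain of other accounts. The following is an added example, not code from the original article or from any vendor; the record layout, account names and device hashes are constructed, and the minimum cluster size of three is an assumption.

```python
from collections import defaultdict

# Constructed sample signups: (account, ip_address, device_hash)
SIGNUPS = [
    ("alice",   "203.0.113.10", "dev-a1"),
    ("promo01", "198.51.100.7", "dev-f9"),
    ("promo02", "198.51.100.7", "dev-c3"),
    ("promo03", "192.0.2.44",   "dev-c3"),
    ("bob",     "203.0.113.25", "dev-b2"),
    ("promo04", "192.0.2.44",   "dev-d4"),
]

def find(parent, x):
    """Union-find lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def linked_clusters(signups, min_size=3):
    """Group accounts that share an IP or device hash, directly or transitively."""
    parent = {acct: acct for acct, _, _ in signups}
    first_seen = {}  # (kind, value) -> first account observed with that value
    for acct, ip, device in signups:
        for key in (("ip", ip), ("device", device)):
            if key in first_seen:
                # Same attribute seen before: merge the two accounts' clusters.
                parent[find(parent, acct)] = find(parent, first_seen[key])
            else:
                first_seen[key] = acct
    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(parent, acct)].add(acct)
    big = [sorted(c) for c in clusters.values() if len(c) >= min_size]
    return sorted(big, key=len, reverse=True)

if __name__ == "__main__":
    for cluster in linked_clusters(SIGNUPS):
        print("linked accounts:", ", ".join(cluster))
```

Here promo01 and promo04 share no attribute directly, yet they land in the same cluster through promo02 and promo03. A shared IP address can also come from an office, campus or mobile carrier network, so a cluster is better treated as a reason for review than as proof on its own.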
Ecommerce Fraud Protection With Machine Learning
A good ecommerce fraud solution allows you to sift through all your customers’ data to find suspicious fraud patterns. With basic tools, that data is fed through risk rules. For instance, a rule can state that IPs from blacklisted countries will not be able to go through the checkout.
But because fraudsters adapt to your solutions and can learn to circumvent your risk rules, it’s important to anticipate new attack vectors before they damage your ecommerce.
This is where fraud detection with machine learning, such as SEON’s, comes in: it can analyze hundreds of data points and identify connections between cases of fraud. It will then suggest rules that you can deploy to block online payment fraud, friendly fraud and other attacks as soon as possible.
SEON’s fraud prevention solution is more than just a tool. It is your business partner in fraud fighting and can keep you safe without interrupting your customers’ experience.
Ask an Expert
Ecommerce and online stores are the targets of transaction fraud attacks (paying with stolen credit card numbers), account takeovers (stealing user accounts), return fraud and more.
Detecting ecommerce fraud starts by logging as much data about customers as possible. It helps to authenticate them at login, spot suspicious information that could point to chargeback fraud, and identify customers who abuse return policies.
Detecting friendly fraud is harder than standard payment fraud. However, fraud detection tools can help you acquire detailed transaction and user data, which will enable you to dispute a chargeback request from an unscrupulous buyer.
The key to preventing ecommerce chargebacks is to create a full profile of your users based on minimal data points and with minimal friction. For instance, an email address could point to a social media profile, which lets you know the person really exists.
Learn more about:
- The Telegraph: Online store fraud rates skyrocket during pandemic
Gergo Varga is SEON’s Product Evangelist. With 10+ years of experience in the Hungarian and international risk management sphere, he has developed an astute knowledge of RiskOps and Open Source Intelligence. He is the author of SEON’s Fraud Prevention for Dummies guide.