Retailers are no stranger to theft. But while shoppers can’t physically shoplift inventory from a shop floor, fraudsters still target online shoppers and the merchants they buy from.
In 2021 alone, approximately$20 billionin ecommerce losses were reported in the US due to online payment fraud. Countries in Asia-Pacific are most vulnerable to ecommerce fraud, with lost revenuestotaling 4%of a brand’s overall turnover. But no country is safe; fraud is on the rise globally, with North American merchants seeing a68% increasein fraud attempts throughout the COVID-19 pandemic.
This guide shares how to identify ecommerce fraud, handle the problem, and use software to help both you and your customers prevent major financial losses.
Table of Contents
- What is ecommerce fraud?
- What is ecommerce fraud prevention?
- How to identify fraud on ecommerce websites
- 9 ecommerce fraud prevention strategies
- Ecommerce fraud prevention software
What is ecommerce fraud?
Ecommerce fraud is when scammers intercept a commercial transaction on an ecommerce store with the goal of personal or financial gain. Also known as payment fraud, it’s a criminal act in which scammers steal money from either the customer, the merchant, or both.
With global ecommerce sales tipped to reach$5.55 trillion2022年,佛有充足的机会r scammers to hijack customer data and commit fraud. Let’s take a look at the seven types of ecommerce fraud you’re likely contending with on your online store.
Friendly fraud
Friendly fraud happens when customers buy something through your ecommerce website and later file a chargeback with their bank. Shoppers illegitimately claim their purchase wasn’t delivered, looked different from what they ordered, or canceled their order shortly after placing it. A complaint to their bank prompts an investigation, causing2.9% of enterprise brands’ecommerce orders to result in a chargeback.
This type of chargeback fraud is rife inAustralia and Canada, though39% of global fraud attacksare friendly fraud.
“运营成本等间接成本,成交方式代码表tion fees, and so on are included in chargeback processing,” says Dan Lee, head of marketing atSealions。“And if the merchandise is sold to a fraudster, the merchant has a slim chance of recovering it. This results in a drop in revenue as well as the loss of a customer. As a result, ecommerce companies must take precautions to safeguard themselves and their consumers from fraud.”
Card testing fraud
Card testing is a tactic fraudsters use to determine whether a stolen credit card works. Scammers often make a small, low-value purchase so the fraudulent transaction goes under the radar of the card holder. Once the card is verified to still work, they go on to make more expensive purchases using the stolen card.
Card testing is thesecond most populartype of ecommerce fraud for all merchants. Not only is it frustrating for customers, but should most of your online payments be blocked due to card testing fraud, your business will be subject to extra fees and disputes.
Refund abuse
Refund abuse is a type of ecommerce fraud where customers return broken, damaged, or stolen items to a retailer in exchange for a refund.
While many merchants have strict return policies that determine what qualifies for a refund, it’s still a costly problem.The National Retail Federationfound that retailers lose $5.90 for every $100 in returned merchandise due to this type of fraud. It’s the type of online fraud that saw thebiggest increase, with merchants reporting a 60% uplift in refund abuse last year.
Online payment fraud
Online payment fraud happens when scammers steal another person’s payment details and use them to make purchases through your ecommerce store.
Sometimes known as credit card fraud, it can also happen if scammers create duplicate versions of your website and encourage customers to unknowingly purchase items through a fake website. Hijackers recoup their cash and store their credit card number for future scams.
Retailers worldwide suffer from online payment fraud, though it’s most prevalent in Mexico, where merchants sawa 77% increasein online payment fraud last year.
Account takeover fraud
Account takeover is a type of fraud that happens when scammers break into a customer’s online account and use stored payment cards to make fraudulent purchases.
Some23% of brandsexperienced account takeover fraud last year, with scammers accessing customer accounts that use weak passwords, phishing emails, or malicious software on the device used to purchase.
Promo, affiliate, or loyalty abuse
Ecommerce brands use promotion, affiliate, and loyalty programs to attract new customers and engage existing ones. But their popularity means promotions attract scammers who rinse your business of cash through fraud using tactics like:
- Affiliate fraud.Affiliate marketing gives customers who refer friends a percentage commission on their order. However, some affiliates bend the rules. They send spam traffic to the website or use stolen credit cards to get paid out—even though the customers they’ve referred aren't legitimate.
- Loyalty fraud.Research suggests that$1 billionin rewards value is lost every year to fraud. It happens when customers join your loyalty program, earn points through stolen credit cards, and resell them for a percentage of their value on the dark web.
- Promotion fraud.Almost halfof ecommerce businesses have experienced a rise in promo abuse since the start of the COVID-19 pandemic. It happens when scammers find loopholes in a retailer’s promotions to claim products for free.
Triangulation fraud
Ecommerce businesses that sell through various sales channels often fall victim to triangulation fraud. It happens when:
Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price.
- Fraudsters list your products for sale onmarketplace such as eBay or Amazon
- Customers purchase the lower-than-RRP item from the scammer using their legitimate credit card
- The scammer uses a separate fraudulent credit card to buy the real product from your store using the customers’ shipping address
- The customer receives their order but their credit card information is compromised
Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price.
What is ecommerce fraud prevention?
Ecommerce fraud prevention is the strategy that online merchants use to prevent, detect, and solve online fraud. Almost90% of global merchantssay it’s important to their business strategy not just for customers’ safety, but for avoiding lost profits.
How to identify fraud on ecommerce websites
Ecommerce fraud is an expensive problem, both in terms of lost revenue from intercepted online orders and customer loyalty. Shoppers are unlikely to return to your website if they were a victim of fraud the last time they purchased through it.
Here are seven red flags to spot fraudulent activities happening on your website.
- Higher order volumes.Scammers using stolen credit cards often purchase high-ticket items since the cash they’re spending isn’t their own.
- Low value orders.“Be on the lookout for low value transactions, especially if they’re only around $1,” says Ben Hyman, CEO and co-founder of rug brandRevival。“Fraudsters will purchase low value products to see if their stolen card works.”
- Different credit cards.It’s a warning sign when one customer makes several purchases, each using a different credit card. Scammers often do this to test whether stolen credit card details work.
- Repeated declined transactions.Fraudsters might not have the information they need to make purchases from a stolen card. If a payment declines repeatedly due to security code errors, for example, it’s unlikely to be an honest mistake from a genuine customer.
- Unusual IP locations.Look out for several orders from the same IP address, or suspicious orders from an IP address in a location that isn’t familiar. If most customers are in the US, for example, an attempted high-value order from an IP address in Indonesia is a warning sign of ecommerce fraud.
- Different billing and shipping addresses.This is especially common with triangulation fraud, where fraudsters use stolen card details to ship items to legitimate customers.
- PO box shipping addresses.While this type of shipping location is popular with businesses, PO boxes allow scammers to ship online orders to an anonymous location. Be wary of shipping too many orders to a single PO address.
A purchaser that uses multiple shipping locations, a sudden change to a PO box, or several orders coming from a region or country that you had never received orders from before are all signs that ecommerce fraud could be occurring.”
—Yuvi Alpert, founder and CEO ofNoémie
9 Steps to prevent ecommerce fraud and protect your business
- Manually review risky orders
- Limit order quantities
- Collect proof of delivery
- Be PCI compliant
- Show clear policies on your website
- Be vigilant around peak shopping seasons
- Use verification software
- Build a blocklist
- Use IP fraud scoring tools
The ecommerce fraud detection market will beworth $69.13 billionby 2025, with enterprise companiesspending 10%of their annual ecommerce revenue on payment fraud management.
“If you do experience fraud, it's important to have a system in place for dealing with it,” says Kristin Stump, marketing manager atMy Enamel Pins。“This might involve working with your payment processor to cancel the transaction and refund the customer, or contacting the customer directly to resolve the issue.”
Here are nine fraud prevention strategies to minimize the likelihood of fraud happening through your website.
1. Manually review risky orders
Ecommerce software exists to flag risky orders. Manually review orders that raise a red flag, reaching out to the customer for further information if you’re unsure whether it’s legitimate.
If you’ve received a low-value order from an unusual IP location, conduct a manual review and reach out to the customer for further verification. Failing to hear back means there’s a strong chance that the order was made using a stolen credit card.
Similarly, consult a customer’s purchase history to determine whether a risky transaction is ecommerce fraud. It’s likely not a cause for concern if a shopper who usually makes orders from the US makes one purchase from an IP address in Spain. But there’s a strong chance their account has been compromised if they’re making orders bigger than usual, using a different credit card, from a different location.
Be vigilant when it comes to new customers. Take a closer look at orders from new customers, and be prepared to cancel or refund them if something looks suspicious.”
—Susan Carin, marketing manager atDr.Sono
Enterprise brandsreject3.3% of domestic orders and 5.5% of international orders. But it’s important to get right. Customer experience is at risk if you approve a false positive—a genuine customer who’s been incorrectly flagged as fraud. If an online order has been declined,18%of shoppers will avoid trying another time before moving to another merchant. One in five won’t place an order with that retailer again.
2. Limit order quantities
High order quantities is a red flag for scammers using stolen credit cards to make fraudulent purchases on your ecommerce store.
Limit the likelihood of these orders going through by limiting the number units a customer can buy. Analyze previous sales data to understand your “normal”—the average number of units you sell each day. Automatically block orders that superseded this volume to restrict the chances of people committing fraud through your online store.
3. Collect proof of delivery
Return fraud often happens when customers say they haven’t received their order. It’s a$25.3 billionproblem online retailers face, largely exasperated by lazy shipping orthird-party logistics (3PL) partners。
Combat the problem, and be sure that customers only claim when they legitimately haven’t received their delivery, by working with trusted shipping carriers or 3PLs that supply proof of delivery. Customer signatures or photos of a delivered parcel act as evidence they have received the item they’re illegitimately claiming a refund for not receiving.
4. Be PCI compliant
All ecommerce businesses need to meetPayment Card Industry Data Security Standardsif they’re processing online payments safely. ThesePCI compliancestandards include:
- Changing the default password for software and systems
- Encrypting cardholder data across open, public networks
- Using antivirus software to prevent malware attacks
- 限制哪些员工可以访问持卡人data
- Regularly testing online security systems
“Having a firewall between your internet access and any system that stores credit card details is one way to ensure PCI compliance,” says Sina Will, co-founder ofFoxbackdrop。“Therefore you must verify that you are adhering to the appropriate PCI requirements to avoid sanctions or penalties.”
5. Show clear policies on your website
Policies are pages on your website that explain how your business works. Aside from blanket terms and conditions, showcase clear policies on your website to crack down on ecommerce fraud. That includes:
- Strong password policy。It’s easier for scammers to commit account takeover fraud if a customer’s login details are easy to crack. Alongside two-factor authentication, Stephen Light of mattress brandNolahrecommends a password policy because, “While some customers find password requirements tedious, it makes it much harder for any fraudsters to hack into our customers’ accounts if their passwords are complex.”
- Return policy.Build your case against customers requesting chargebacks or refunds with a solidreturn policy。documen解释才恢复tation needed, and how it’ll be processed (such as a cash refund, exchange, or store credit).
- Promotions and rewards policies.From limited order quantities to prohibiting the sale of reward points, this type of policy backs up any ecommerce fraud that goes against the terms and conditions of your promotion.
Avoid merchant errors like unclear billing descriptions or confusing return policies that can end up frustrating legitimate customers.”
—Zarina Bahadur, founder of123 Baby Box
6. Be vigilant around peak shopping seasons
Black Friday Cyber Mondaywas the biggest retail season on record: $15.2 billion in sales—a 24% increase from 2021.
Lily Will, founder and CEO ofNia Wigs,says you should be extra cautious around these dates since “customers are likewise focused and busy, and they often disregard safety measures. Many fraudsters depend on merchants being too preoccupied or distracted to identify possible fraud during these months.”
Increase your investment in fraud prevention solutions around these peak shopping times—be that through specialist software or extra cybersecurity staff who manually review risky orders. It’ll go a long way in protecting both yours and your customers’ finances during peak fraud season.
7. Use verification software
A telltale sign of ecommerce fraud is when a customer’s billing, shipping, or card details don’t line up correctly. Automatically identify orders that raise this red flag using verification software, such as:
- Card verification number (CVN).Scammers only need to see the front of a credit card to make fraudulent online purchases. Add the three or four digit PIN (CVN) as a required field on your ecommerce checkout as an added layer of security. It’s the most popular fraud detection feature used bymore than halfof merchants.
- Address verification system (AVS).This verifies a customer’s billing address against the card they’re using. As Stephen Light, CEO and co-owner of Nolah says, “Many fraudsters will use multiple cards to make purchases to a single address, so an ASV can catch them out.”
8. Build a blocklist
Catching a scammer once doesn’t mean they won’t become a repeat offender. Fraudsters can try to trick merchants by changing their name, shipping address, or credit card in the hopes that fraudulent orders will fly under the radar.
Used by almost aquarter of merchants, blocklists prevent repeat offenders from committing fraud through their websites. It’s a document that contains names, credit card numbers, IP addresses, and shipping addresses known to be a fraud risk. Any new orders with information that matches the blocklist are automatically blocked.
While blocklists can block fraudulent orders before they’re processed, use them with care. A legitimate customer might use a credit card previously flagged as fraudulent without realizing. Blocking their order without explanation will cause confusion and frustration—two things bound to put them off future purchases once their request to be removed from a blacklist has been approved.
9. Use IP fraud scoring tools
One person can commit several types of fraud using the same computer. Detect those serial fraudsters with IP scoring tools such asSEONorScamalytics。Each detects an IP address that’s been linked to fraud in the past, using signals like:
- Their location (and whether it matches the country the card is registered in)
- Whether they’re using a VPN to disguise their true location
- The type of internet service provider, such as a residential or public connection
Orders placed from an IP with a high fraud score are highlighted, ready to manually review risky orders or automatically block them.
Ecommerce fraud prevention software
The likelihood of fraud happening on your ecommerce platform scales as your business does. Protect your store with ecommerce fraud prevention tools that check, flag, and block high-risk orders on autopilot.
Shopify Protect
Shopify merchants already have access to a world-class fraud algorithm that uses machine learning and data from stores across the Shopify network to identify fraudulent ecommerce orders.
Shopify Protectprovides an extra layer of protection that secures your business against fraudulent chargebacks—the friendly fraud thatcosts retailers $191each time.
Any Shop Pay transaction that’s been cleared by Shopify Protect is safe to fulfill. Should a chargeback happen on a protected order, Shopify will cover the total cost, the chargeback fee, and handle the dispute process on your behalf.
Price: Free for Shopify merchants.
Signifyd
Signifydis an ecommerce fraud prevention software that integrates with Shopify stores. It uses machine learning, big data, and expert reviews to identify fraudulent transactions happening through your ecommerce store. Should fraud occur, Signifyd has a financial guarantee. You won’t lose out on revenue if its software approves a fraudulent transaction.
Signifyd also provides account takeover protection for your customers. Block suspicious login attempts and avoid takeover chargebacks to prevent ecommerce fraud on your website.
Price: $1,500/month. 14-day free trial available.
NoFraud
NoFraud’s protection software vets ecommerce transactions to identify fraudulent transactions. Once a customer places an order through your website, the software automatically passes or fails this test. Choose to automatically cancel those transactions or flag them for internal review.
NoFraud使用自营和第三方系统to examine order details, such as email longevity, device history, geolocation, IP address, household income, home value, and social media to identify the person behind the transaction and the likelihood of them being the legitimate cardholder.”
—Isaac Gurary, CEO of NoFraud
Price: Free to install. Additional charges may apply.
Protect your ecommerce store with Shopify Protect
We know how much fraud can eat away at merchants’ time and profits. So today, we’re excited to share that Shopify Protect, Shop Pay’s free and built-in fraud protection, has launched in early access. The next time a merchant experiences fraud, we’ve got their costs covered.
Shopify Protect is now available to 50% of eligible merchants in the US and will roll out to 100% of merchants with Shop Pay active at the end of May.Learn more about Shopify Protect。