Ecommerce fraud is big business for cyber criminals, and a big problem for ecommerce businesses. In 2023 alone, ecommerce fraud (a.k.a. payment fraud) cost online merchants an estimated $38 billion in losses — a figure that doesn’t include the negative effects on customer loyalty and the brand’s reputation. The good news is that fraud management tactics and tools are making it easier to prevent, catch, and combat ecommerce fraud.

Today we’re going to examine some of the more common types of payment fraud, and the tactics and tools that ecommerce brands can use to stay ahead of the problem.

Common Types of Ecommerce Fraud

As ecommerce sales have soared, cyber crime has followed. Here are some of the most common types of ecommerce fraud.

Credit Card/Identity Fraud

Scammers obtain payment information from unsuspecting users using phishing, pharming and whaling schemes, then use the stolen credentials to purchase items from ecommerce stores. In other instances, fraudsters create a fake website that closely mimics an existing online store, and collect payment information from unsuspecting customers who order products they will never receive.

Friendly Fraud (Chargebacks)

So called friendly fraud is committed by actual customers using a legitimate credit card to place what appears to be a normal order, but who fraudulently claim that the order was never received, not what they ordered, or canceled shortly after ordering. Rather than going through your online business to initiate a refund or exchange, they file a claim with their bank or credit card company, which refunds their money and demands a chargeback from the ecommerce business. As a result, the ecommerce business has lost the product and the revenue from the sale, plus associated fulfillment costs, shipping costs, and chargeback fees. Friendly fraud accounts for 18% of all ecommerce fraud.

Card Testing

Fraudsters purchase stolen card details in large quantities on the dark web, or obtain them illegally using phishing or spyware. In order to make this profitable, they must identify the active accounts, weeding out those that have been canceled. To do this, they employ botnets to place small orders, often $1 or less, using the stolen card numbers. If a purchase is approved, the fraudster has not only found a valid credit card but has also located an ecommerce business with weak security. They can use the validated credit card to make far more expensive purchases, or they can resell the card credentials for a profit on the dark web. The ecommerce business must pay authorization fees and chargebacks. It may even be shut down by its bank for excessive fraudulent charges.

Account Acquisitions and Takeovers

Scammers infiltrate a customer’s account on an ecommerce website or app by means of phishing emails, weak passwords, or malware on the customer’s phone, tablet or laptop. The scammer then has access to the stored payment cards for that account and can use them to make fraudulent purchases.

Coupon/Loyalty/Affiliate Fraud

Scammers take advantage of promotional offers, loyalty programs, and affiliate or referral programs. They might abuse a coupon loophole to obtain free products, earn points by making multiple purchases with stolen credit cards which they can later resell, or demand payouts for customer referrals using stolen credentials or traffic that is spam.

Triangulation Fraud

This scam involves a fraudster selling products on Amazon or eBay at attractively low prices. An unsuspecting customer orders a product from the scammer using a valid credit card. The scammer then uses a different stolen credit card to order the product from a legitimate ecommerce seller and has it shipped directly to the customer. The customer gets the order, but has unwittingly handed over their credit card details to the scammer. The owner of the stolen credit card is charged for the item but can contest this charge with their bank. The legitimate ecommerce business must then absorb the chargeback. The scammer collects the original payment as well as the customer’s credit card information, which they can use to continue the scam.

How to Prevent Ecommerce Fraud

Ecommerce fraud occurs when hackers gain access to private, financial information one of two ways: either by gaining access to the customer’s credit card information through phishing or weak passwords, or by hacking into records stored by an ecommerce business with weak cyber security practices. You don’t want to be one of those businesses. To be clear, the blame lies with the hackers and criminals, but if a data breach or you approve an unauthorized transaction, the customer is going to blame your business. So, in order to protect your customers, your brand, and your bottom line, ecommerce businesses must engage in ecommerce fraud prevention.

Work with Trusted Partners

Any third-party that exchanges data with your business, whether customer-related information or business financials, should be as committed to security as you are. As a logistics and fulfillment provider, ShipMonk takes data security seriously and is committed to staying up-to-date on the highest levels of security certifications, including SOC Compliance with our SOC 2 Type I Certification.

Know the Warning Signs

If you know what to look for and have the technology to collect and examine the data, there are several red flags that may indicate ecommerce fraud.

• Inconsistencies in customer data such as a new name on an existing email address, or a street address that doesn’t match the city or ZIP code.
• Credit card information that doesn’t line up, such as a billing address that differs from a shipping address
• A sudden change in shopping behavior, such as a suspiciously large order from a customer that usually orders one or two items at a time, or multiple orders being sent to different addresses.
• Orders from multiple IP addresses using the same credit card, or multiple credit cards from the same IP address
• Frequent returns or chargebacks by the same customer

A red flag is not proof of fraud, however. Once flagged, the ecommerce business must decide how suspicious transactions are handled. They may be looked into manually, automatically declined, or ignored and approved.

Manually Review Risky Orders

Manual review is seen as a necessary evil because it is reliable but labor intensive and costly. Globally, merchants screen nearly one in five orders they receive, and decline about one in seven. For this reason, many businesses focus their fraud prevention efforts at trying to reduce the number of transactions that are flagged for manual review. Some limit manual reviews to orders headed for certain countries, or those that contain only certain products. Others invest in fraud prevention tools (see below) that help them approve or decline more transactions automatically.

Meet PCI Compliance Thresholds

The Payment Card Industry Data Security Standard is a minimum set of protocols that online merchants should put in place to ensure the security of customer transactions and stored data. If your payment systems do not meet PCI compliance standards, they should be upgraded. If you work with a modernized 3PL for fulfillment and logistics, their warehouse management software systems will likely meet PCI thresholds.

Choose Payment Systems Carefully

Limit your customers to payment systems that offer built-in security features, like fraud protection. At the same time, you can utilize tools like intelligent payment routing to speed up transactions and reduce false declines.

Require Better Passwords and 2-Factor Authentication

Help your customers protect themselves by requiring them to create more complex passwords at signup, and some form of 2-factor authentication at login.

Limit Order Quantities

One simple way to avoid fraud is to limit order quantities. This not only limits credit card testing, but also stops payment fraud or account acquisition schemes before they get out of hand.

Collect “Compelling Evidence”

The best way to fight friendly fraud (chargebacks) is to work with reliable shipping companies and major credit card companies to provide compelling evidence that the package was delivered. Around nine out of ten disputes can be resolved by requiring a signature or a photo as proof of delivery and making use of the credit card brands’ recent updates to compelling-evidence rules.

Block Repeat Offenders

By collecting the names, credit card numbers, IP addresses and shipping addresses of your customers, you can isolate those known to be fraud risks. You can then create a blocklist to automatically block orders that match this information.

Conduct Preventive Maintenance

This includes making frequent and recommended software updates, conducting malware scans, requiring that employees regularly change passwords, and conducting regular security audits. When upgrading software, look for partners that prioritize data security.

Clearly State Your Policies

If you have any hope of winning a dispute over refund abuse or coupon/loyalty program/affiliate abuse, you need to clearly post your refund policy, coupon exceptions, and detailed program rules where your customers can easily find them. If you choose to limit order quantities or prohibit the sale of rewards points, this should be noted in the rules. Have an attorney view the fine print to make sure that your rules are defensible, and that you’re not missing any loopholes.

While many of these methods for fraud prevention can be handled internally, there are many tools that use machine learning and AI to automate the approval process and reduce the need for manual reviews.

Fraud Prevention Tools

The average ecommerce business in North America spends 10% of their annual revenue managing payment fraud, and has an average of five fraud detection tools in their arsenal. Below are the tools most frequently used by ecommerce businesses, listed in order of their popularity.

• Credit card verification services
• Identity verification services
• Two-factor phone authentication
• 3D Secure authentication
• Internal customer order history / website behavior analysis
• Geographic indicators and comparisons
• Credit history checks
• List management
• Biometric indicators
• Company specific fraud scoring models
• Device-based results
• Multi-merchant purchase velocity / identity morphing models
• Order velocity monitoring
• Search engine results
• Social networking sites

Source: 2023 Global Ecommerce Payments and Fraud Report

Track Your Progress

You can’t know how well your fraud prevention methods are working if you don’t start tracking the incidence of fraud. Here are some of the most commonly tracked KPIs in ecommerce fraud management.

Payment KPIs

• Payment success rate
• Revenue
• Cost of payment
• Refund rate

Fraud Management KPIs

• % of domestic ecommerce orders that turned out to be fraudulent
• % of international ecommerce orders that turned out to be fraudulent
• % of ecommerce orders that led to chargebacks (due to fraud)
• % of ecommerce revenue lost to payment fraud globally
• % of ecommerce revenue lost to payment fraud from domestic orders
• Order rejection rate for domestic orders
• Order rejection rate for international orders

Next Steps

We hope this article has helped you better understand the causes of payment fraud, the harm it can do to your ecommerce business, and the tools and practices you can use to prevent it. By implementing simple measures like multifactor authentication, educating your customers on the need for strong passwords, monitoring unusual activity, and staying on top of website security, you can go a long way towards reducing ecommerce fraud.
Follow our blog for more tips on managing your ecommerce business and improving your customers’ shopping experience. And, as always, drop us a line if we can answer any of your fulfillment and logistics questions!