The global acceptance of eCommerce, particularly fueled by the COVID-19 pandemic, has accelerated its growth, with projections placing eCommerce sales at $6.4 trillion by 2024. However, this surge in popularity and profitability has also attracted cybercriminals, who exploit new and existing online shoppers, along with prominent eCommerce platforms. With more opportunities to mimic legitimate businesses through counterfeit websites or to breach customer data, eCommerce stores face growing threats unless they prioritize security. In this article, we delve into eight prominent types of eCommerce fraud and explore preventative strategies.
Table of Contents
- What Is eCommerce Fraud?
- Why Is eCommerce Fraud Common?
- Different Types of eCommerce Fraud
- eCommerce Fraud Red Flags to Look For
- How to Fight Back Against These Types of eCommerce Fraud
What Is eCommerce Fraud?
In order to effectively guard against eCommerce fraud, a clear understanding of the concept is crucial. Let’s unpack the terms involved.
eCommerce fraud refers to any type of deceptive practice that takes place during online commercial transactions. It involves the theft of personal information, credit card data, or manipulative tactics used to deceive online businesses. eCommerce fraud is also commonly referred to as payment fraud.
Consider a scenario where a cybercriminal uses hijacked credit card details (along with stolen identity) to execute a purchase on your eCommerce platform – this is a classic case of eCommerce fraud. Regrettably, the eCommerce business usually bears the brunt of the fraud, impacting revenue negatively.
A distinctive aspect of online card fraud (with stolen credit card data) is the absence of a need for a physical card during the transaction. The fraudster simply inputs the hijacked credit card details (including name, billing address, card number, expiration date, and CVV number), and the eCommerce platform processes it as a legitimate transaction.
eCommerce businesses are targeted by numerous other types of eCommerce fraud. For instance, Account Takeover (ATO) fraud happens when a cybercriminal gains control of a valid customer’s login details on an eCommerce platform and uses the account to buy goods.
It’s imperative for online businesses to acknowledge the rapidly evolving sophistication of different types of eCommerce fraud. Cybercriminals are constantly improving, utilizing increasingly advanced techniques over time.
Why Is eCommerce Fraud Common?
eCommerce fraud is common for several reasons.
One of the primary reasons eCommerce fraud is common is the relative ease with which it can be carried out. In the pre-Internet era, committing fraud was a much more daunting task. It often required physical theft of credit cards, be it through house or car break-ins or street robberies, which carried inherent risks. Sometimes, opportunistic fraudsters would stumble upon carelessly discarded credit card slips from stores, which they would exploit to make unauthorized purchases over the phone.
However, the digital age has simplified this process for fraudsters. Online transactions are typically completed without any face-to-face interaction or physical verification of identity, making it significantly easier for fraudsters to impersonate someone else or use stolen payment information. This level of anonymity, combined with the vast scale and automated nature of eCommerce transactions, provides a conducive environment for fraudulent activities.
Online transactions occur across international borders, making it difficult for law enforcement agencies to track and prosecute offenders. Fraudsters can operate from countries with less stringent cybercrime laws and enforcement, making it easier for them to avoid detection and punishment.
In addition, the complex, interconnected nature of online transactions, often involving multiple parties, can make it difficult to trace fraudulent activity back to its source. These factors combined make eCommerce an attractive target for those looking to commit fraud with a lower risk of being caught.
In the digital realm, fraudsters have access to sophisticated technologies and methods, such as bots, phishing schemes, and data breaches, that allow them to carry out fraudulent activities on a large scale with relative ease.
Moreover, the vast amount of personal and financial data circulating online offers ample opportunity for identity theft and other types of eCommerce fraud. The speed and anonymity of online transactions also allow fraudsters to quickly use stolen information before it’s detected, making eCommerce fraud highly effective and attractive for criminals.
Payment fraud is prevalent largely due to its covert nature. Fraudsters can conduct transactions without having to physically enter a store, interact with anyone, or be exposed to surveillance cameras. All that’s required is a computer and an internet connection, granting them the freedom to operate from any location, at any time, out of sight.
Moreover, online fraudsters often establish counterfeit email accounts and lease post office boxes under pseudonyms. These tactics allow them to conceal their true identities and avoid leaving any personally identifiable information, further aiding their fraudulent endeavors.
Different Types of eCommerce Fraud
The most effective approach to combating fraud is to understand its causes and then devise countermeasures to prevent and guard against such threats, thereby securing your eCommerce site. Initially, it’s important to determine which types of eCommerce fraud are impacting your platform and address them directly.
Although fraudsters employ a myriad of schemes, it’s critical to be aware of the most prevalent types of eCommerce fraud. These tactics have successfully targeted eCommerce websites of all sizes. Early recognition can help protect your platform from falling prey to such strategies.
Credit Card Fraud
Classic Online Credit Card Fraud
Credit card fraud, also known as card-not-present or payment fraud in eCommerce, involves the unauthorized use of stolen credit card information to purchase goods or services online. The typical modus operandi involves cybercriminals buying stolen credit card details from the dark web and then making purchases from online retailers.
To ensure successful retrieval of the purchased goods, the fraudster may employ a variety of tactics, such as directing shipments to reshippers. They may also use techniques like residential proxies to conceal their identity, making it harder to trace the fraudulent activities back to them.
The initial victims are the cardholders whose information was stolen. However, the ripple effect extends to the merchants who, unaware of the fraudulent transaction, fulfill the purchase. Eventually, they must issue refunds and may also face chargeback fees from the issuing bank, turning them into victims as well.
Additionally, merchants can fall prey to card testing scams. These involve cybercriminals making small, seemingly low-risk purchases to test the validity and activity of multiple stolen credit cards. While each transaction may be small, the cumulative financial impact on the merchant can be significant.
Protecting against these types of eCommerce fraud requires vigilance and robust security measures, including secure payment systems and comprehensive fraud detection protocols.
Card Testing Fraud
Card testing, slightly more sophisticated than direct credit card fraud, has gained traction in recent years. In this type of fraud, criminals use online stores to test the validity of stolen credit card details.
In a typical scenario, a fraudster obtains a list of stolen card numbers from the dark web or other illicit sources. They then use automated software or bots to make small purchases or donations on various eCommerce websites. These transactions are often so small that they may go unnoticed by the cardholder.
If the transactions go through successfully, the fraudster confirms that the card details are valid and can be used for larger, more significant fraudulent purchases or sold on the black market. This type of fraud not only causes direct financial losses for cardholders and businesses but can also lead to increased transaction costs due to higher rates of chargebacks.
This type of fraud is particularly harmful to eCommerce businesses because each failed attempt still incurs a transaction cost for the merchant, and an influx of testing attempts can quickly add up to substantial losses. Moreover, merchants can face penalties or even the revocation of credit card processing privileges if their site is identified as a testing ground for stolen cards.
To prevent card testing fraud, merchants should consider using tools to detect and block suspiciously high volumes of transactions, especially if they originate from the same IP address or follow a discernible pattern. They can also set up security measures like CAPTCHAs to prevent automated bot activities.
Identity Theft and Account Takeover
Identity fraud, or identity theft, takes place when scammers obtain customer details, either by buying them or by hacking into the user’s account, and then use those details to carry out their phishing and impersonation schemes.
Account takeover refers to a form of identity theft where a fraudster illegitimately gains access to a user’s eCommerce account. This can be done through various methods such as phishing, malware, or using data acquired from a data breach.
This unauthorized access enables them to perform transactions or execute other fraudulent activities. Businesses with customer accounts like online retailers or subscription services are common targets. The fraudster can alter shipping addresses, conduct purchases, or even sell the compromised account details to other criminals.
In a widespread tactic, scammers send deceptive emails to entice customers into disclosing personal details like usernames and passwords. Once they access the customers’ accounts, they change the passwords and make unauthorized transactions. Consumers often use social media logins for the convenience of creating accounts on eCommerce sites, but such credentials, once compromised, can lead to catastrophic results. Criminals are also deploying bots to pilfer confidential data, leaving victims grappling with the repercussions of identity theft.
Synthetic Identity Theft
Synthetic identity theft is one of the most complex types of eCommerce fraud where a criminal invents a fabricated identity by blending legitimate personal details (like stolen social security numbers) with invented information. They then use this concocted identity to apply for credit cards, essentially creating a synthetic persona.
The scammer meticulously establishes good credit for this synthetic identity over an extended period, paying merchants for all transactions and coming across as an exemplary credit card user.
However, once the credit limit of the synthetic identity reaches a substantial sum, the fraudster maxes out all the credit cards and vanishes without paying the bills. When the concerned bank or merchant attempts to collect the debt, they realize there’s no real individual tied to the debt.
Here are the steps a fraudster typically follows in synthetic identity theft:
- The fraudster acquires the name and Social Security number of a genuine person.
- They establish a valid, but hard-to-trace address (often a P.O. Box).
- This amalgamated identity and address are used to apply for multiple credit cards under the synthetic persona.
- The synthetic persona progressively builds a strong credit history over time, thereby increasing its credit limits.
- Once a considerable credit limit is achieved, the fraudster maxes out all the credit cards and abstains from paying any bills.
- The fraudster then abandons the synthetic persona, leaving the financial institution with no real individual to recover the debts.
Chargeback Fraud
Chargeback fraud, also known as friendly fraud, takes place when a customer makes an online purchase using their credit card and subsequently disputes the transaction with their card issuer after receiving the product or service.
Here’s how the process unfolds:
- The customer makes a purchase from an online retailer using a credit card.
- Once the product or service is received, the customer contacts their credit card issuer to dispute the charge, claiming it was unauthorized or the product was not received.
- The credit card issuer then initiates a chargeback, removing the charge from the customer’s account and charging it back to the merchant.
- As a result, the customer receives a refund from their credit card company and retains the product or service they purchased, essentially getting the item for free.
The damaging aspect of chargeback fraud for eCommerce companies lies in the double loss they suffer – both the product and its corresponding payment. On top of that, they often bear additional fees charged by the card issuer related to the chargeback process. Fraudsters exploit this scheme, anticipating that merchants may not have the resources or time to dispute every chargeback claim.
Refund Fraud
Refund fraud is a form of deceit where a customer exploits an eCommerce store’s return policies to illicitly obtain a refund. This type of fraud is becoming increasingly common due to the growth of online shopping and the generous return policies that many online retailers have in place to maintain customer satisfaction.
Refund fraud manifests in a few ways:
- Returning Stolen or Counterfeit Items: An individual might steal or acquire counterfeit goods and return them to the retailer for a refund, with the retailer potentially issuing the refund oblivious to the fact the item is stolen or fake.
- Claiming Non-Existent Purchases: An individual may claim they need a refund for a product they never actually bought or received, possibly by providing a fabricated receipt or order confirmation.
- Returning Used or Damaged Items as New: An individual may exploit a product or damage it, then return it as if it were new for a refund. The retailer might issue a refund unaware that the product has been used or damaged.
- Double-Dipping Refunds: An individual may claim a refund from both the retailer and the credit card company for the same transaction. This can be executed by claiming that the purchase was fraudulent and then returning the product for a refund.
In some instances, fraudsters may use counterfeit receipts or manipulate online systems to make it appear as though they’ve made a purchase when they haven’t. Refund fraud results in financial losses for businesses, and it can also damage their reputation if not handled properly.
Affiliate Fraud
Affiliate fraud is the manipulation of affiliate marketing systems to earn commissions illegitimately. In this marketing scheme, online retailers reward affiliates with a commission for each sale made through the affiliate’s unique, trackable web link, which directs shoppers to the retailer’s web pages. If a shopper clicks on this link and completes a purchase, the affiliate receives a commission, usually a percentage of the sale price, from the retailer.
However, in affiliate fraud, scammers manipulate this system, thereby defrauding the online merchant. They generate bogus activity to either earn commissions or inflate the value of these commissions.
The fraudulent methods can include:
- False Advertising: The affiliate uses false or misleading advertising to attract clicks and generate sales. For example, an affiliate might promote a product or service that doesn’t actually exist.
- Cookie Stuffing: The affiliate forces a cookie onto a user’s device without the user’s knowledge or consent. This can result in the affiliate getting credit for sales they didn’t actually refer.
- Typosquatting: The affiliate registers domains that are typographical errors of popular websites. When users accidentally visit these sites, they’re redirected to the affiliate’s referral link.
- Self-Dealing: The affiliate uses their referral link to make purchases, thereby earning a commission on their own purchases.
Affiliate fraud not only causes financial harm to the businesses running affiliate programs but also hurts legitimate affiliates by devaluing the program and decreasing the pool of available commissions. It’s thus important for businesses to monitor their affiliate programs for any signs of fraudulent activity.
Triangulation Fraud
Triangulation fraud is a complex scheme that involves three entities: the victim, the scammer, and an unsuspecting eCommerce store. Here’s how it plays out:
- Scammers kick off by setting up a bogus online store or storefront on a reputable eCommerce platform, typically offering in-demand goods at exceptionally attractive prices.
- An unwary customer, enticed by these low prices, proceeds with an order and inputs their payment details, which the scammer promptly acquires.
- Now equipped with the stolen payment information, the scammer heads to a legitimate eCommerce store to purchase the same product, arranging for the goods to be shipped directly to the initial customer.
- The customer, receiving the ordered product, remains oblivious to the fraud, under the impression that they’ve snagged a fantastic deal.
- Meanwhile, the scammer keeps the original payment made by the customer, and the person whose credit card details were used in the illegitimate transaction eventually identifies the unauthorized charge and initiates a chargeback. Consequently, the legitimate eCommerce store ends up absorbing the chargeback cost, and the scammer walks away with the profits.
In the end, both the real credit card owner and the eCommerce store become victims, while the customer gets caught up in a deceptive transaction.
eCommerce Fraud Red Flags to Look For
In the realm of eCommerce, the capacity to spot potential fraud is vital. The effectiveness of fraudsters depends on how well they can deceive your systems, while your capacity to fend off these cybercriminals hinges on the speed at which you can recognize fraud attempts. To identify such attempts, you need to understand the common red flags of fraud, which include:
- Numerous orders using multiple credit cards: If an account (or different accounts sharing similar characteristics, such as the same IP address) makes multiple purchases with various credit cards, this is a strong warning sign of potential fraud, especially card testing.
- Data inconsistencies: Any mismatch, however minor, can be a cause for concern. For instance, if a shopper inputs a zip code that doesn’t match the city, or if a shopper with a Singapore IP address uses a credit card with a US billing address.
- Unusual purchasing behaviors: If a customer isn’t a first-time buyer, their purchasing history could reveal suspicious activities, such as an order significantly larger than their typical spend.
- Unexpected location activity: If a recurring customer who typically makes purchases from the United States suddenly places an order from Macao, this should raise a red flag.
- Multiple orders from unusual locations: Receiving multiple orders from a location where you typically don’t do business (for instance, if your business has never received orders from Indonesia but suddenly gets more than ten orders from there) can be a sign of fraudulent activity.
- Multiple shipping addresses: It’s unusual for a buyer to make multiple purchases with one credit card but ship the products to various addresses. Any request to ship goods to an address that differs from the card’s billing address should be treated with suspicion.
- Declined transactions: While legitimate shoppers might occasionally forget their PIN or exceed their card’s limit unknowingly, an account that attempts more than five transactions without entering the correct credit card credentials warrants further scrutiny.
- Quick, consecutive transactions: While back-to-back purchases from a single customer can occur, they could also indicate a fraudster is testing cards on your site.
Being alert to these red flags can help you spot and prevent fraudulent activities in your eCommerce business.
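The red flags listed above, together with the card-testing volume checks recommended earlier, expressed as a rule-based screen over a batch of orders. This is an added example, not the article’s or Magenest’s code; the thresholds (three cards per account or IP, more than five declines, three orders within ten minutes, three times the average past spend), the Order fields and the sample orders are constructed assumptions.

```python
"""Rule-based red-flag screening for eCommerce orders.
Added example, not the article's own code; each rule implements one red flag
from the list above. Thresholds, field names and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

DECLINE_LIMIT = 5          # "more than five" failed attempts from one account
CARDS_PER_SOURCE = 3       # distinct cards seen from one account or one IP
RAPID_COUNT, RAPID_WINDOW = 3, timedelta(minutes=10)   # back-to-back orders
SPEND_MULTIPLIER = 3.0     # order amount vs. the account's average past spend

@dataclass
class Order:
    order_id: str
    account: str
    ip: str
    ip_country: str    # from IP geolocation
    card_token: str    # gateway token or hash of the PAN, never the PAN itself
    billing_country: str
    billing_zip: str
    shipping_zip: str
    amount: float
    declined: bool     # authorization failed (wrong CVV, expiry, limit, ...)
    ts: datetime

def screen_orders(orders, history):
    """Return {order_id: [flag, ...]}; history maps account -> prior accepted
    orders as {"amounts": [...], "countries": {...}} for returning customers."""
    cards_by_account, cards_by_ip = defaultdict(set), defaultdict(set)
    declines, recent = defaultdict(int), defaultdict(list)
    flags = {}
    for o in sorted(orders, key=lambda x: x.ts):
        f = flags.setdefault(o.order_id, [])
        cards_by_account[o.account].add(o.card_token)
        cards_by_ip[o.ip].add(o.card_token)
        if max(len(cards_by_account[o.account]), len(cards_by_ip[o.ip])) >= CARDS_PER_SOURCE:
            f.append("multiple_cards")          # card testing across many cards
        if o.ip_country != o.billing_country:
            f.append("country_mismatch")        # data inconsistency
        if o.shipping_zip != o.billing_zip:
            f.append("ship_to_differs")
        profile = history.get(o.account)
        if profile and profile["amounts"]:
            if o.amount > SPEND_MULTIPLIER * sum(profile["amounts"]) / len(profile["amounts"]):
                f.append("unusual_amount")
            if o.ip_country not in profile["countries"]:
                f.append("new_location")
        if o.declined:
            declines[o.account] += 1
            if declines[o.account] > DECLINE_LIMIT:
                f.append("excessive_declines")
        recent[o.account] = [t for t in recent[o.account] + [o.ts] if o.ts - t <= RAPID_WINDOW]
        if len(recent[o.account]) >= RAPID_COUNT:
            f.append("rapid_orders")
    return flags

def decide(order_flags):
    """Card-testing indicators block outright; any other flag goes to manual review."""
    if "multiple_cards" in order_flags or "excessive_declines" in order_flags:
        return "block"
    return "review" if order_flags else "accept"

# Constructed sample data: one returning customer and one card-testing bot.
T0 = datetime(2024, 3, 1, 12, 0)
HISTORY = {"alice": {"amounts": [40.0, 55.0, 60.0], "countries": {"US"}}}
SAMPLE_ORDERS = [
    Order("A1", "alice", "198.51.100.4", "US", "tok_a1", "US", "94103", "94103", 52.0, False, T0),
    Order("A2", "alice", "192.0.2.77", "MO", "tok_a1", "US", "94103", "94103", 900.0, False, T0 + timedelta(hours=1)),
] + [  # seven $1 attempts with seven different cards from one IP within two minutes
    Order(f"B{i}", "bob", "203.0.113.7", "SG", f"tok_b{i}", "US", "10001", "10001", 1.0, True, T0 + timedelta(seconds=20 * i))
    for i in range(1, 8)
]

if __name__ == "__main__":
    for oid, fl in screen_orders(SAMPLE_ORDERS, HISTORY).items():
        print(oid, decide(fl), fl)
```

The returning customer’s normal order passes clean, her large order from a new country goes to review, and the bot’s attempts are blocked from the third distinct card onward.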
How to Fight Back Against These Types of eCommerce Fraud
The foundation for safeguarding your online shop from deceitful credit card transactions, affiliate fraud, and other types of eCommerce fraud isn’t merely the ability to identify these activities; it’s adopting preemptive measures to decrease your susceptibility to fraud in the first place.
Various resources are available for fraud detection and deterrence: some are technical, others are non-technical, some rely on software, while others leverage traditional expertise. Here are the actions you can undertake immediately to put eCommerce fraud prevention strategies in place for your digital storefront.
Audit Your Site Security Regularly
The crux of online fraud lies in cybercriminals exploiting system weaknesses that you’re unaware of. If you manage to spot these vulnerabilities before they do, you’re already a step ahead. eCommerce security audits can be fairly comprehensive, but here are some crucial aspects that should be regularly examined:
- Prompt Updates: Ensure all components of your platform are up-to-date, especially when new security patches are released.
- SSL Certificate: Regularly confirm your website’s SSL certificate (HTTPS) is functioning correctly. If you haven’t installed HTTPS yet, it’s vital to do so.
- Encrypted Communications: Double-check that all communications and data transmissions between your business and your customers are encrypted end-to-end.
- PCI-DSS Compliance: Make sure your eCommerce platform is consistently PCI-DSS compliant, adhering to the standards for securing cardholder data.
- Regular Data Backups: Implement a system that backs up your data regularly to prevent significant losses in case of any cyber attack.
- Malware Scanning: Use reliable antivirus/anti-malware solutions to regularly scan your eCommerce website for any potential threats.
- Bot Monitoring: Keep an eye on the activities of malicious bots, blocking them promptly to ward off account takeover threats and other bot-associated risks.
Try Adequate Anti-fraud Solutions
Depending on your specific requirements and budget, there is an array of software solutions available to detect and prevent online fraud. The tools differ greatly in the amount of installation and ongoing management they entail. While some merchants prefer a hands-on approach, others opt for an expert-managed solution.
Basic anti-fraud tools perform specific, singular functions and are usually integrated into online shopping carts and eCommerce platforms. They leverage machine learning algorithms to identify fraudulent transactions through features like IP geolocation, email address validation, device fingerprinting, and address verification.
Intermediate anti-fraud tools offer a broader range of functionalities. These include guarantees against chargebacks, automatic rejection of high-risk orders, and protections against new account fraud and account takeover.
Advanced anti-fraud tools provide all the functionalities offered by the lower-level tools, along with outsourced case management and proficiency in dealing with large merchants. They also cover loyalty fraud management, policy abuse protection, and automatic decision-making capabilities. Additionally, they manually review suspicious transactions, ensuring that no legitimate order is incorrectly declined by the software.
Require CVV Numbers for All Transactions
It is now standard practice for online transactions to require the CVV (Card Verification Value).
The CVV is a three- or four-digit security code located on the back of the credit card. It serves as a second authentication factor for online purchases: by asking shoppers to provide it, you gain added assurance that the shopper actually holds the physical card, which can significantly lessen the risk of eCommerce fraud.
Utilize an Address Verification Service (AVS)
Typically, credit card processors and issuing banks provide an Address Verification Service to instantly identify and thwart potential credit card fraud. This service compares the billing address given by the card user (the customer) with the address the issuing bank has on record. This verification occurs during the merchant’s request for credit card transaction authorization. If there’s a mismatch in the addresses, the system will either decline the transaction or mark it for further scrutiny.
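The AVS flow described above, as an added example that is not the article’s own code: the issuer-side comparison is simulated locally so it runs offline, the result labels are simplified stand-ins for the processor’s real response codes, and the review threshold and sample addresses are constructed. It also covers the cases the paragraph leaves implicit, partial matches and cards whose issuer does not support AVS, which a merchant should route to review rather than auto-decline.

```python
"""Merchant-side handling of an Address Verification Service (AVS) result.
Added example, not the article's own code. AVS compares only the numeric parts
of the billing address (street number and postal code); the issuer-side check is
simulated here so the code runs offline, and the result labels are simplified
stand-ins for the processor's real response codes."""
import re

def street_number(street):
    """Leading house or building number of a street line, '' if there is none."""
    m = re.match(r"\s*(\d+)", street or "")
    return m.group(1) if m else ""

def postal_digits(postal_code, n=5):
    """First n digits of a postal code, so '94103-1234' and '94103' compare equal."""
    return re.sub(r"\D", "", postal_code or "")[:n]

def avs_compare(submitted, on_file):
    """Simulated issuer check. `submitted` is the billing address the shopper
    typed; `on_file` is the issuer's record, or None when the issuer does not
    support AVS (common for cards issued outside the US, UK and Canada)."""
    if on_file is None:
        return "unverifiable"
    street_ok = street_number(submitted["street"]) == street_number(on_file["street"])
    zip_ok = postal_digits(submitted["zip"]) == postal_digits(on_file["zip"])
    if street_ok and zip_ok:
        return "full_match"
    if zip_ok:
        return "zip_only"
    return "street_only" if street_ok else "no_match"

def avs_decision(result, amount, review_threshold=200.0):
    """Merchant policy layered on the AVS result: approve a full match, decline a
    full mismatch, and send partial or unverifiable results to manual review
    above a value threshold instead of auto-declining them, since recent moves,
    typos and non-AVS issuers would otherwise cost legitimate sales."""
    if result == "full_match":
        return "approve"
    if result == "no_match":
        return "decline"
    return "review" if amount >= review_threshold else "approve"

# Constructed sample: the issuer's record and three checkout attempts.
ISSUER_RECORD = {"street": "12 Market St.", "zip": "94103"}
ATTEMPTS = [
    ({"street": "12 Market Street", "zip": "94103-1234"}, 350.0),   # same address, ZIP+4
    ({"street": "120 Market St", "zip": "94103"}, 350.0),           # wrong house number
    ({"street": "99 Other Rd", "zip": "10001"}, 40.0),              # entirely different
]

if __name__ == "__main__":
    for address, amount in ATTEMPTS:
        result = avs_compare(address, ISSUER_RECORD)
        print(result, avs_decision(result, amount))
    print(avs_compare(ATTEMPTS[0][0], None), avs_decision("unverifiable", 50.0))
```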
Set Limits on Total Purchases
Consider your store’s average revenue and establish a limit for the number of purchases (both in terms of items and monetary value) that an account can make in a single day. By doing so, even if a fraudster manages to breach your preventive measures, the potential damage can be minimized, safeguarding your business from significant financial loss.
Avoid Collecting Too Much of Your Customers’ Sensitive Information
A viable strategy to safeguard your store from potential data breaches or hacks is to minimize the amount of customer data you collect and store. Cybercriminals can’t steal what you don’t possess. Therefore, only gather the essential data required to process a transaction and deliver the product. Refrain from collecting unnecessary sensitive information such as Social Security numbers and birth dates.
Ensure Your Site Uses HTTPS
HTTPS stands as the secure version of HTTP, the primary protocol used to transfer data between a customer’s web browser (such as Google Chrome) and your eCommerce site. This protocol encrypts the data to safeguard sensitive details such as customer names, addresses, and credit card numbers. Implementing HTTPS ensures that your online store’s transactions are not easily accessible or visible to hackers, cybercriminals, and fraudsters. To employ HTTPS, you’ll need to acquire an SSL certificate.
Fraudsters are becoming increasingly crafty and intricate in their assaults on online vendors. As eCommerce continues to gain popularity, the frequency of attacks on web-based stores is also escalating. Nevertheless, eCommerce merchants are equally improving their sophistication in detecting and fending off these cyber criminals. Gaining an understanding of common types of eCommerce fraud and its pervasiveness, along with learning to recognize signs of online fraud, equips you with the tools necessary to implement measures to prevent fraud in your online store.
If you encounter an eCommerce fraud situation and don’t know how to protect your online store from it, you can contact our cyber-security specialists right away! At Magenest, we have not only experienced developers but also online security experts, who are always ready to help you build the defenses and protection your site needs.