Ecommerce fraud isn’t just some low-level scammer using a stolen credit card anymore. With online sales on the rise, cyber criminals are incentivized to develop increasingly novel ways to steal from consumers and businesses alike.
The Mercator Advisory Group estimates that by 2022, 66 million online transactions will produce “33 million disputes from fraud, authorization failures, processing errors, and consumer disputes.” This represents an enormous potential for stolen data, lost revenue, and brand damage.
This article will explore rising trends in ecommerce fraud and outline 6 types that businesses need to be aware of, as well as what can be done to avoid being compromised.
Why is Ecommerce Fraud on the Rise?
Simply put, because the economic incentives are too irresistible for cyber criminals.
Online shopping has been experiencing 209% growth year-on-year, but security and fraud detection solutions haven’t been innovating fast enough to thwart malicious actors. These failures end up costing businesses around 7.5% of their annual revenue.
6 Types of Ecommerce Fraud You Should Be Prepared To Tackle
Online merchants are responsible for ensuring that customer transactions are secure. Unfortunately, fraud is a common reality for online business owners, so it's important to be aware of the types that might affect your business and customers.
Below are 6 types of ecommerce fraud that online businesses should be aware of to protect themselves and their customers.
1. Card Testing Fraud
Card testing attacks involve cyber criminals making small charges to test whether the credit card will work for larger transactions. Also known as card cracking scams, these threats often target smaller businesses, companies that accept micro-transactions with lower authentication requirements, as well as donation-dependent organizations that lack the resources to detect this type of fraud.
These attacks can result in:
- Chargebacks where businesses lose the money outright
- Bank penalties and extra fees for fraudulent purchases
- Higher payment decline rates that may alert banks to high levels of risk associated with your business account
Since stolen credit cards are often quickly cancelled and reported, criminals may make seemingly insignificant purchases to avoid alerting the owner of any fraudulent activity. Typical signs of card testing fraud include a series of very small purchases happening in a short amount of time and an abundance of declined card notifications (e.g., incorrect expiration dates, wrong CVV numbers).
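The two signs described above can be checked with a sliding window over payment events. The following is an added example, not code from the original article; the event fields, the source identifiers, and the thresholds are assumptions to be tuned against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune them to your own traffic.
WINDOW = timedelta(minutes=10)
SMALL_AMOUNT = 2.00   # cutoff for a "very small purchase"
MAX_SMALL = 3         # small charges tolerated per source per window
MAX_DECLINES = 3      # declines (bad CVV, bad expiry) tolerated per window

# Constructed sample events: (timestamp, source id, amount, outcome).
# The source id could be a visitor identifier, device, or IP address.
SAMPLE = [
    ("2021-03-01T10:00:05", "visitor-a", 1.00, "declined_cvv"),
    ("2021-03-01T10:00:40", "visitor-a", 1.00, "declined_expiry"),
    ("2021-03-01T10:01:10", "visitor-a", 0.50, "declined_cvv"),
    ("2021-03-01T10:01:30", "visitor-b", 54.99, "approved"),
    ("2021-03-01T10:01:55", "visitor-a", 1.00, "declined_cvv"),
    ("2021-03-01T10:02:20", "visitor-a", 1.00, "approved"),
    ("2021-03-01T11:30:00", "visitor-c", 1.50, "declined_cvv"),
]

def detect_card_testing(events):
    """Return {source: reasons} for sources that exceed either threshold
    inside any sliding WINDOW."""
    recent = defaultdict(deque)   # source -> events still inside the window
    flagged = defaultdict(set)
    for ts, source, amount, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[source]
        q.append((now, amount, outcome))
        while q and now - q[0][0] > WINDOW:   # drop events older than WINDOW
            q.popleft()
        small = sum(1 for _, a, _ in q if a <= SMALL_AMOUNT)
        declines = sum(1 for _, _, o in q if o.startswith("declined"))
        if small > MAX_SMALL:
            flagged[source].add("burst of small charges")
        if declines > MAX_DECLINES:
            flagged[source].add("burst of declines")
    return {s: sorted(r) for s, r in flagged.items()}

if __name__ == "__main__":
    for source, reasons in detect_card_testing(SAMPLE).items():
        print(source, "->", ", ".join(reasons))
```

A single declined small charge (visitor-c) and a normal purchase (visitor-b) stay below both thresholds; only the burst from visitor-a is flagged.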
2. Chargeback Fraud
Chargeback fraud occurs when a customer makes a legitimate purchase, then reports the transaction as fraudulent to receive a refund directly from the credit card company.
In some cases, chargeback fraud can also be classified as friendly fraud, where the card owner is complicit or somehow benefits from the purchase. The card owner may want a refund because they regret their initial purchase, do not remember making the purchase itself, or possibly had their card used by a friend or family member. Other cases involve a malicious actor with no relation to the card owner.
Either way, chargeback fraud is the most common and expensive type of fraud for businesses, resulting in excess bank fees, lost inventory, bank card blacklisting, lost revenue, and lost time trying to resolve the issue.
Some basic ways to avoid chargeback fraud include:
- Using secure and trusted credit card verification tools
- Checking orders for signs of fraud, such as many small purchases in a short amount of time or completely different billing and shipping addresses
- Automatically sending email confirmation that an order has been made. This makes it harder for customers to claim that they never made a purchase and keeps a paper trail
- Making sure transaction details clearly state your business name and inform customers how it will show up on their account
- Securing website payments against fraudulent activity/transactions before they actually happen with ecommerce fraud prevention software
3. Triangulation Fraud
Triangulation fraud happens when an innocent customer makes a legitimate purchase on a third-party marketplace from a scammer, who in turn orders from the original retailer using stolen credit details to complete the initial transaction.
This fraud type is a complicated and increasingly common issue that's unique to online retailers, especially those with business models that involve selling on behalf of wholesalers and don’t require direct customer-supplier interactions.
The following is an example of a typical triangulation fraud incident. Three distinct parties are involved (not including the credit card owner): the fraudster, a customer attempting to make a purchase, and the merchant:
- A customer makes a purchase on a third-party marketplace (e.g. Facebook marketplace, Amazon)
- The fraudster, posing as the customer, purchases the product from the retailer using stolen credit card details
- The product is sent to the customer, as the fraudster has inserted their legitimate details in the purchase order
- The owner of the stolen card notices the fraudulent activity and requests a chargeback from their bank
- The retailer loses the money from the purchase, the fraudster pockets the customer’s money as a middle man, and the legitimate customer is none the wiser
Triangulation fraud can be difficult to identify, so it’s crucial to have systems in place that automatically detect suspicious activity. This includes implementing technology that tracks visitor behavior and bolstering payment systems to reduce the number of fraudulent transactions and chargebacks.
4. Account Takeover Fraud
As its name implies, account takeover fraud occurs when a scammer takes over a legitimate customer's account. This could also involve the takeover of employee/business accounts to gain sensitive information about customers while posing as an official account. To make matters more complicated, bots are now typically used to automate brute-force attempts to access accounts.
Online merchants can implement these account takeover prevention methods to protect their customers’ accounts:
- Associate multiple login attempts from bot networks and block additional attempts from visitors deemed suspicious
- Use accurate visitor identification methods and require additional authentication from new/untrusted visitors before granting access
By protecting users against account takeover fraud, you can ensure that customers have an optimal experience as well as prevent chargebacks and penalties/fines from impacting your bottom line.
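The two prevention methods listed above can be combined in one login decision keyed on a visitor identifier rather than on IP address alone. This is an added example, not code from the original article or from any product it mentions; the class, the decision labels, and the limits are assumptions, and the counters here never expire, which a real deployment would change.

```python
from collections import defaultdict

# Assumed policy values (not from the article).
MAX_FAILURES = 5   # failed logins tolerated per visitor
MAX_ACCOUNTS = 3   # distinct accounts one visitor may attempt

class LoginGuard:
    """Returns allow / step_up / deny / block for each login attempt,
    keyed on a visitor identifier such as a browser fingerprint."""

    def __init__(self):
        self.failures = defaultdict(int)   # visitor -> failed attempts
        self.accounts = defaultdict(set)   # visitor -> accounts tried
        self.trusted = defaultdict(set)    # account -> visitors seen before

    def decide(self, visitor, account, password_ok):
        self.accounts[visitor].add(account)
        if (self.failures[visitor] >= MAX_FAILURES
                or len(self.accounts[visitor]) > MAX_ACCOUNTS):
            return "block"     # bot-like: too many tries or too many accounts
        if not password_ok:
            self.failures[visitor] += 1
            return "deny"
        if visitor not in self.trusted[account]:
            return "step_up"   # correct password, but a new/untrusted visitor
        return "allow"

    def confirm_step_up(self, visitor, account):
        """Call once the additional authentication factor has succeeded."""
        self.trusted[account].add(visitor)

def run_sample():
    """Constructed sequence: one returning customer, one credential-guessing bot."""
    g = LoginGuard()
    out = [g.decide("v1", "alice", True)]       # new visitor on this account
    g.confirm_step_up("v1", "alice")
    out.append(g.decide("v1", "alice", True))   # now a known visitor
    for acct in ("alice", "bob", "carol", "dave"):
        out.append(g.decide("v9", acct, False)) # same visitor, many accounts
    out.append(g.decide("v9", "alice", True))   # right password, still blocked
    return out

if __name__ == "__main__":
    print(run_sample())
```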
5. Interception Fraud
Interception fraud is a type of criminal activity where criminals obtain sensitive information by intercepting data passed between two parties.
Interception fraud may involve:
- Intercepting important emails (e.g., invoices, requests for information) before they get to the intended recipient, then posing as the sender to elicit sensitive details from the customer. Fraudsters will sometimes even set up filters so the original intended recipients never see the emails
- Posing as the login page of a legitimate website to trick customers into submitting their email/passwords. Criminals can then use the harvested credentials to log in to the real website and carry out fraudulent transactions
- Planting malware into websites or devices to steal sensitive information like email or account logins
- Gaining access to customer details to modify orders in progress (e.g., changing the shipping address)
Businesses can reduce the risk of interception fraud by using data encryption at all times—specifically, by enabling HTTPS on all websites and applications.
Other ways to prevent interception fraud include using a third party service rather than internal email for invoicing, requiring employees to change their passwords regularly, scanning corporate devices for malware (especially those configured for corporate email), and checking email filters for suspicious forwarding addresses.
6. Identity Theft
Identity theft occurs when a scammer uses the victim’s personal details to steal even more personal data, drain financial accounts, or commit a crime under the stolen persona. This type of fraud affects millions of people every year and leads to lost revenue, wasted time, and compromised trust for both consumers and businesses alike.
Merchants transacting online should treat identity theft prevention as an integral part of their operations, starting with stronger security measures like site-wide encryption to protect customer data/privacy. Additionally, they should use multi-faceted verification methods; this could include browser fingerprinting for detecting unique visitors, even when browsing in private. Lastly, employee access to critical systems should be restricted depending on specific job duties and requirements.
Online shoppers inherently trust the merchants they purchase from; in return, businesses need to assure customers that their data won’t fall into the hands of cyber criminals. To this end, FingerprintJS helps online merchants stay a step ahead of fraudsters with browser fingerprinting that’s 95.5% accurate.
By uniquely identifying malicious visitors and related patterns of fraudulent activity, ecommerce store owners can take proactive measures to reduce the risk of compromise. Give FingerprintJS a test drive today; it’s free for 10 days with unlimited API calls.