Compared to the high street, you’d think online retail should be less susceptible to crime: thieves can’t physically touch the merchandise, and therefore it should be difficult to steal from online retailers. Sadly, this isn’t the case. Online fraud has grown at a startling pace over the last few years, and ecommerce companies need to be highly aware of the many sophisticated tactics criminals use to target them. This guide covers the three key areas of fraud anyone working in ecommerce should know about: types of ecommerce fraud, signs to spot potential illegal activity, and a guide to preventing ecommerce fraud overall.
Read through the insights and pointers below and find ways to apply them to your business.
What is online fraud and how is it carried out?
“Online fraud” can most succinctly be defined as illegal activity wrought by a cyber-criminal on a website. It results in unauthorized or otherwise fraudulent transactions, stolen merchandise, and/or wrongful requests for a refund.
Here are some of the most common types of fraudulent activities that plague online merchants everywhere.
Identity theft is the most well-known form of ecommerce fraud, and it’s a highly concerning one for many retailers.
Identity theft results in a cyber-criminal stealing another person’s sensitive data and using it to conduct transactions on ecommerce sites as the victim. These transactions are typically paid for by the retailer, as the credit card companies will initiate chargebacks on behalf of the victim. This leaves a retailer without the original merchandise and without the money to cover the loss. It is highly unusual to recover the stolen merchandise or prosecute the criminal.
Identity theft often takes place through the retailer as well. As the 2013 Target hack showed, hackers will often opt to steal the sensitive data from retailers or their vendors (rather than, say, banks) because these companies have less security than financial institutions.
How do hackers steal people’s identities? Here are a few ways:
- They can engage in pagejacking — an activity in which a cyber-criminal can redirect a customer from your site to an illegitimate website where the customer will leave their login or other information.
- A hacker may be able to gain access to communications between the customer and the merchant about their sensitive data.
- A hacker may also gain access through any third parties that the retailer does business with. For instance, in Target’s case, the hackers were able to get into the system by using the credentials taken from a heating and air conditioning subcontractor that worked at a number of Target stores.
Chargeback fraud is one of the simplest forms of fraud and does not necessarily involve identity theft. A customer orders items from the website using a payment method that can easily be pulled (think credit or debit card). Once the items are safely shipped or otherwise out of the retailer’s control, the customer initiates a chargeback, stating that their identity was stolen. They then keep the merchandise for free. Many times, the customer is using their own, legitimate credit card.
One example of an online store that has to deal with multiple cases of chargeback fraud is Organize.com, a company that does around $10 million a year in online sales.
John Rampton, the former owner of Organize.com wrote about the company’s experience with this type of fraud. In an article on Inc he said:
“What happens is a customer orders products from our store, then, on the last day to return, files a claim with Visa or a similar card service. The customer claims that the product was never received (though we have proof through shipping tracking). The case is filed, and we have to give proof. It’s a bit of work, and hurts our merchant account every time this happens. Typically, funds are put on hold as well, which can really hurt a company if it’s having cash-flow issues. It’s our word versus the customers, which means the customer typically wins.”
Note: Rampton refers to this type of fraud as “friendly fraud” in his article. For this guide, though, we have a slightly different definition of friendly fraud. More on this below.
Friendly fraud is nearly identical to chargeback fraud, except that it is done without malicious intent. In the case of friendly fraud, the transaction was placed by a true customer, and the chargeback is initiated for something innocent like believing their package to be stolen or not recognizing the merchant’s name on their credit card statement. Subscription retailers face this type of fraud often with customers who didn’t understand there would be recurring charges.
A cyber-criminal perpetrating clean fraud uses a stolen credit card in such a way that they are able to avoid alerting the fraud detectors. Often this is because the criminal has stolen enough information about the credit card holder that they can easily pass the transaction off as legitimate. For an ecommerce vendor, this type of fraud can be hard to spot because the data is so clean, hence the name.
Triangulation fraud is an exciting name for a complex form of fraudulent activity that involves three different steps.
For the first step, the hacker sets up a fake online store to collect a customer’s full data. Once the victim has “placed an order,” the hacker then commits clean fraud on an ecommerce store’s site to ship the desired item to the customer, frequently using a different victim’s card information.
Many criminals use eBay to commit triangulation fraud. Here’s how some of them do it: The fraudster would create an auction to sell an item they don’t own yet. A customer unwittingly purchases the item through eBay, thus giving the “seller” (i.e. the fraudster) their information.
The criminal then uses stolen credit card information to purchase the item from an ecommerce site (i.e. the victim) and ships the item to the eBay shopper, leaving the merchant to absorb the loss.
One fast-growing ecommerce merchant (it was part of InternetRetailer.com’s Top 500 online retailers for 2 years) who wanted to remain anonymous, told Brian Krebs in 2015 that it was hit with multiple fraudulent transactions because of triangulation fraud. According to KrebsonSecurity:
“The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.”
Affiliate fraud is one of a number of fraudulent activities that do not focus on a payment method. Affiliate fraud means that a cyber-criminal manipulates the data collected by the affiliate link given to them by a retailer to make the retailer pay them far more than they are owed. This can be done through an automated process or it can be accomplished by real people using fake profiles. Frequently, the criminal uses a variety of methods in order to avoid setting off any red flags.
Merchant identity fraud
Merchant identity fraud is rather simple: the cyber-criminal sets up an online store and entices a victim to purchase something, which they typically list for an impossibly low price. Then they disappear and never ship the item.
While merchant fraud is mostly something individual consumers should be wary of, it can affect ecommerce stores as well. Hackers will occasionally run this scam in the wholesale industry to target businesses, and these kinds of scams also erode the trust consumers have in legitimate online retailers.
Advanced fee and wire transfer scams
This is the classic “Nigerian Prince” scam. The cyber-criminal asks for money upfront, in return for a lot more money later. While the Nigerian Prince scam is formulated to specifically target individuals, scammers have come up with a practice that targets businesses, specifically ones that provide services.
The general formula is that the scammer reaches out to the business via email as a prospective client. They say they want an impressive amount of work from the business, but first, they’re working with a third party company who they need to pay and, for some reason, can’t. These reasons may even sound legitimate: they’re overseas and have a limited number of international transfers, for instance. They’ll ask you to send the third party business some money, which they assure you will be paid back and far more.
Are there more ecommerce fraud problems with international transactions?
Research shows that ecommerce fraud does seem to be more common overseas. Indonesia has the highest rate of fraudulent purchases, with over 30% of Indonesian online purchases proving to be fraudulent. Venezuela is a close second, and South Africa sees about 25% of purchases as fraudulent. Brazil and Romania round out the top five, with ten percent of purchases made in those countries being fraudulent.
In terms of continents, Africa represents the highest level of false purchases followed by South America. Asia and North America represent the median level of ecommerce fraud, while Europe is the safest continent for online sellers.
While none of this information means that you should or shouldn’t sell to people in a particular location, it does mean that you may choose to be more vigilant about some places over others.
The Signs of Ecommerce Fraud
Is ecommerce fraud easy to detect? That depends on the skill and ingenuity of the cyber-criminal. That said, there are many common signs of fraud that you and your staff should know about and continually watch for.
Inconsistent order data
A basic and major red flag for fraud is inconsistent data within an order. This contradictory information could be that the zip code and city don’t match up, or that the IP and email addresses don’t line up. While a real customer can certainly make typos, it’s far more likely that a cyber-criminal will make a mistake by guessing wrong information.
As exciting as it is to get a new customer, scammers typically appear as first-time customers. They don’t often return to victimize the same company more than once, so as to avoid generating suspicion. While being a first-time shopper alone should not necessarily attract your attention, you may want to ensure that your security features carefully monitor your first-time buyers.
Customers who make multiple orders from different credit cards
Most consumers have no more than three credit cards, so you should be suspicious of shoppers who use more than three cards when shopping on your site — especially if they try to use those cards one after another. If a customer puts in multiple orders on many different credit cards, whether in one sitting or over a long period of time, you could be dealing with a cyber-criminal.
Variations on this sign include:
- Multiple transactions under the same billing address going to different shipping addresses.
- Multiple credit cards used on the same IP address, even if they are not billed or sent to the same person.
- Multiple transactions on the same card in a short period.
Unexpectedly large orders (especially those that contain duplicates of products)
Scammers are known to drop significant amounts of money when they make fraudulent purchases – usually, far more than any of your typical customers would spend. A large order may be exciting at first, but you’ll certainly want to look into it. If they have paid for expedited shipping on that large order, that’s even more of a red flag. It indicates that the scammer is interested in getting their hands on the goods before they get caught.
Any data that’s clearly fake
This probably sounds obvious, but you want to watch out for any data that seems made up. It’s not that difficult to catch fake email addresses (has [email protected] ever been a real address?), and fake phone numbers can even be found by sight alone. For instance, any number with the area code “555” is a fake.
Multiple declined transactions to the same customer
Again, while people do make typos during a transaction, one person attempting to use the same card while inputting the numbers wrong several times can indicate someone who’s trying to guess at a few of the numbers.
How to prevent Ecommerce fraud
With so many different types of fraud existing (with more being added every day), how do ecommerce vendors prevent fraud from happening in the first place? Here are some best practices you should be utilizing for your online store:
Be PCI compliant
The absolute bare minimum that online retailers not only should do, but are required to do by law, is be PCI compliant. PCI stands for the Payment Card Industry Data Security Standard. Meeting PCI compliance is not very difficult, as it requires online retailers to do such things as change the factory default passwords on all network equipment and establish firewalls around their customers’ sensitive data.
It’s important to note that many hosted ecommerce solutions meet PCI compliance without you having to do anything. If you are currently in the market for a new ecommerce solution, be sure to opt for one that is PCI compliant already if you don’t want to worry about that.
Implement fraud prevention policies
Executing fraud prevention policies can be an effective safety measure when it comes to weeding out less committed or amateur criminals. The “right” policies will depend on your store, products and customers, but here are a few you may want to consider:
- Require buyer signature upon receipt of the shipment.
- Don’t accept payments from unconfirmed and/or unverified PayPal or other mobile wallet accounts.
- Limit the number of declined transactions you’ll run for a customer.
- Consider not accepting credit cards from certain locations (give shoppers from these locations an alternative mode of payment, such as PayPal).
If you encounter customers who are unwilling to accept these policies, you can refuse to sell to them.
Never stop monitoring
You can and should employ both automatic and human monitoring to catch fraudsters.
Ensure that your software is using fraud protection filters that will alert you if any of the following happen:
- Orders where the billing name does not match the address name.
- Multiple orders from the same customer using different credit cards.
- Expedited shipping on huge orders, particularly ones that contain duplicates of products.
- Fake phone numbers and emails.
- Address information that doesn’t all match up.
- The IP and email addresses don’t line up.
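The signs listed under “Customers who make multiple orders from different credit cards” and the filter list above are all simple rules that a store’s order pipeline can evaluate before an order ships. The following is an added example, not code from the guide or from any of the tools it mentions; it assumes orders are plain dicts, that a geoIP lookup has already produced an `ip_country` field, that `card_fingerprint` is the processor’s token for the card (never the card number), and that the postal-code table and the dollar and velocity thresholds are constructed values you would replace with your own.

```python
from datetime import datetime, timedelta

# Constructed stand-in for a postal-code database (assumption: you have a real one).
ZIP_TO_CITY = {"10001": "new york", "94105": "san francisco", "60601": "chicago"}

MAX_CARDS_PER_CUSTOMER = 3           # the guide's "most consumers have no more than three cards"
LARGE_ORDER_THRESHOLD = 1500.00      # assumption: set this relative to your own average order value
VELOCITY_WINDOW = timedelta(hours=24)
MAX_TXNS_PER_CARD_IN_WINDOW = 2      # assumption: more than this on one card in 24h is suspicious


def screen_order(order, history):
    """Return the red flags raised by `order`, given the customer's earlier orders.

    Orders are plain dicts (an assumption about your store's data model). The
    `card_fingerprint` field is the processor's token or hash for the card, never
    the card number itself, so this code never needs to see a PAN.
    """
    flags = []

    # Billing name does not match the name on the shipping address.
    if order["billing_name"].strip().lower() != order["shipping_name"].strip().lower():
        flags.append("billing/shipping name mismatch")

    # Zip code and city do not agree (a typo is possible, but a guessed address is likelier).
    expected_city = ZIP_TO_CITY.get(order["billing_zip"])
    if expected_city and expected_city != order["billing_city"].strip().lower():
        flags.append("zip/city mismatch")

    # Clearly fake contact data: a 555 area code, or an email whose domain has no dot.
    digits = "".join(ch for ch in order["phone"] if ch.isdigit())
    if digits[-10:-7] == "555":
        flags.append("fake phone number (555 area code)")
    local_part, _, domain = order["email"].partition("@")
    if not local_part or "." not in domain:
        flags.append("malformed email address")

    # Geo data that does not line up: IP country (assumed looked up earlier) vs. billing country.
    if order["ip_country"] != order["billing_country"]:
        flags.append("IP country does not match billing country")

    # Too many distinct cards across this customer's orders, in one sitting or over time.
    cards = {o["card_fingerprint"] for o in history} | {order["card_fingerprint"]}
    if len(cards) > MAX_CARDS_PER_CUSTOMER:
        flags.append(f"{len(cards)} distinct cards used by one customer")

    # The same card hammered within a short window.
    recent = [o for o in history
              if o["card_fingerprint"] == order["card_fingerprint"]
              and timedelta(0) <= order["placed_at"] - o["placed_at"] <= VELOCITY_WINDOW]
    if len(recent) + 1 > MAX_TXNS_PER_CARD_IN_WINDOW:
        flags.append(f"card velocity: {len(recent) + 1} transactions on one card within 24h")

    # Large order, especially one with duplicate items, shipped expedited.
    total = sum(item["price"] * item["qty"] for item in order["items"])
    has_dupes = any(item["qty"] > 1 for item in order["items"])
    if total >= LARGE_ORDER_THRESHOLD and order["expedited"]:
        flags.append("expedited shipping on a large order"
                     + (" with duplicate items" if has_dupes else ""))

    return flags


def _order(**overrides):
    """Build a constructed, clean-looking order and apply overrides."""
    base = {
        "billing_name": "Jane Doe", "shipping_name": "Jane Doe",
        "billing_zip": "10001", "billing_city": "New York", "billing_country": "US",
        "ip_country": "US", "phone": "212-555-0100", "email": "jane.doe@example.com",
        "card_fingerprint": "fp_a", "placed_at": datetime(2017, 3, 1, 9, 0),
        "items": [{"sku": "MUG-01", "price": 49.00, "qty": 1}], "expedited": False,
    }
    base.update(overrides)
    return base


def sample_data():
    """Constructed sample: a suspicious order, a clean order, and the customer's history."""
    t0 = datetime(2017, 3, 1, 9, 0)
    history = [
        _order(card_fingerprint="fp_a", placed_at=datetime(2017, 2, 1)),
        _order(card_fingerprint="fp_b", placed_at=datetime(2017, 2, 10)),
        _order(card_fingerprint="fp_c", placed_at=datetime(2017, 2, 20)),
        _order(card_fingerprint="fp_d", placed_at=t0 - timedelta(hours=2)),
        _order(card_fingerprint="fp_d", placed_at=t0 - timedelta(hours=1)),
    ]
    suspicious = _order(
        shipping_name="Mike Smith", billing_city="Chicago", ip_country="ID",
        phone="555-867-5309", email="asdf@localhost", card_fingerprint="fp_d",
        placed_at=t0, items=[{"sku": "TV-55", "price": 899.00, "qty": 3}], expedited=True,
    )
    return suspicious, _order(), history


if __name__ == "__main__":
    suspicious, clean, history = sample_data()
    print("suspicious order:", screen_order(suspicious, history))
    print("clean order:", screen_order(clean, []))
```

Each flag is a reason for a human to look, not an automatic decline: a real customer can mistype a zip code, and the guide’s own advice is to confirm by email or phone before cancelling. Returning the list of reasons (rather than a single yes/no) is what lets your staff do that quickly.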
Now, software is just one line of defense. See to it that your employees are also on top of fraud prevention. Humans can often spot oddities that your software missed, so train all of your team members to recognize suspicious activity as they’re receiving and handling orders.
If you determine that an order seems fishy, there are a few actions you should take:
- Google the address and make sure it’s real. If it comes back with a vacant lot, you’ll know you have a scammer on your hands.
- Send a message to the listed email address to confirm that it’s real.
- Google the customer and check out their social media sites to see if everything is lining up. And look up their phone number while you’re at it.
- Call up the customer to ask some verification questions.
- If all else fails, delay the shipment for 48 hours to see what happens. If they’re a legitimate customer, they will contact you to ask about the holdup. (If they’re upset, offer a discount on the merchandise to offset their anger.)
Have a secure web shopping experience using HTTPS
If your checkout page (or any of your pages) ever switches from “HTTPS” to “HTTP,” your site is at risk for pagejacking.
It should be noted that if you discover you’ve been pagejacked, make sure to take a screenshot of the page. Unlike other forms of fraud, you can actually sue pagejackers for copyright infringement, and these scammers may be easier to find because they have to lay claim to the domain they’re using.
Use AVS and CVV
Using AVS (Address Verification Service) and CVV (Card Code Verification) are excellent ways to help prevent fraud.
AVS can ensure that the billing address entered matches the billing address that the credit card company has on file. AVS is already used by most ecommerce vendors.
CVV is the security code printed somewhere on the physical credit card. For most cards, it is the three numbers on the back of the credit card, although American Express prints four on the fronts of their cards. CVV is used less frequently by online stores, though it’s becoming more common. CVV is particularly useful because it’s a code that is purposely not stored in databases nor printed on receipts. Because of this security measure, it just about requires having seen the physical card to know the CVV.
Work with a reliable third party payment processor
While third party payment processors do take a percentage of your sales, their whole job is to provide a secure payment experience for your customers. Taking payments and protecting sensitive data is all they do so they’ll be better at it than you could ever be.
Using a third party payment processor can also keep your customers’ most sensitive data out of your hands, which means you’re unlikely to compromise them. Remember, hackers can’t steal what you don’t have. And that brings us to our next point…
Do not store customer data unless necessary
Don’t collect or keep information that you don’t need. Storing sensitive customer data puts both you and your customers at risk. Target lost millions of dollars because they stored customer data. A group hacked in and had a field day. By keeping payment data between a customer and their bank, you can be sure that you won’t experience fraudulent activity on customer accounts, and you can avoid an embarrassing and potentially business-destroying data breach.
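The two points above (CVV is never stored; don’t keep payment data you don’t need) come down to deciding, at the moment an order is written to your database, exactly which fields survive. The following is an added example, not code from the guide or from any payment processor; it assumes the processor has already authorized the payment and handed back a reusable token plus AVS and CVV result codes (the values shown are constructed), keeps only the last four digits of the card, and scans free-text fields such as order notes for card numbers a staff member might have pasted in, so a ticket or notes field never becomes an accidental card store. The Luhn checksum is the standard check-digit test that every real card number passes.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_LIKE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits):
    """Luhn check-digit test; every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    hits = []
    for match in CARD_LIKE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_card_numbers(text):
    """Replace Luhn-valid card numbers in free text (order notes, tickets) with a marker."""
    def _repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return "[REDACTED CARD]" if luhn_ok(digits) else match.group()
    return CARD_LIKE.sub(_repl, text)


def assert_safe_to_store(record):
    """Raise if a record about to be written still carries a PAN or a CVV anywhere."""
    for key, value in record.items():
        if key.lower() in {"card_number", "pan", "cvv", "cvc", "cvv2", "security_code"}:
            raise ValueError(f"refusing to store field {key!r}")
        if isinstance(value, str) and find_card_numbers(value):
            raise ValueError(f"field {key!r} contains a card number")
    return record


def build_storable_record(checkout, processor_response):
    """Keep only what a later refund or dispute needs.

    The full card number and CVV went to the processor for authorization and are
    dropped here; the processor's token stands in for the card from now on.
    """
    record = {
        "order_id": checkout["order_id"],
        "amount": checkout["amount"],
        "currency": checkout["currency"],
        "card_brand": processor_response["brand"],
        "last4": checkout["card_number"][-4:],
        "exp_month": checkout["exp_month"],
        "exp_year": checkout["exp_year"],
        "processor_token": processor_response["token"],
        "avs_result": processor_response["avs_result"],   # whatever code your processor returns
        "cvv_result": processor_response["cvv_result"],
        "notes": redact_card_numbers(checkout.get("notes", "")),
    }
    return assert_safe_to_store(record)


def storable_record_example():
    """Constructed checkout and processor response; 4111 1111 1111 1111 is a public test number."""
    checkout = {
        "order_id": "A1001", "amount": 129.99, "currency": "USD",
        "card_number": "4111111111111111", "cvv": "123", "exp_month": 12, "exp_year": 2020,
        "notes": "Customer phoned and read card 4111 1111 1111 1111 aloud; tracking 1Z999AA10123456784",
    }
    processor_response = {"brand": "visa", "token": "tok_constructed_01",
                          "avs_result": "Y", "cvv_result": "M"}
    return build_storable_record(checkout, processor_response)


if __name__ == "__main__":
    for key, value in storable_record_example().items():
        print(f"{key}: {value}")
```

Note that the tracking number in the notes survives untouched: it is not a 13-to-19-digit run, and a random digit run of that length would fail the Luhn test, so the redaction rarely damages legitimate data.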
Keep your software up-to-date
Keeping your software, especially your shopping cart software, up-to-date will do a great deal to help you. Many times updates are released exclusively to provide a new level of security that hackers aren’t able to breach yet. Out-of-date software is often much easier for a hacker to take down.
Use protection services
Should these efforts not be enough, there are tools and services that can help ecommerce retailers avoid fraud. These can be quite costly, so you’ll have to do your research to see if they cost less than what you lose to fraud each year.
These services will be far more extensive than the basic automated monitoring you’ll be running through your ecommerce software. For instance, a specialized service will be able to monitor mobile sales as well. You can also put the company’s badge on your website to help customers feel safer purchasing from you — and to deter fraudsters.
You’ll want to be sure to layer your methods. The more methods you employ, the safer and more secure your site will be. And always, always use your human staff as the last line of defense no matter what.
Train your staff to protect their own data
Training your employees on how to spot fraudulent transactions is a must. But be sure to go beyond that, by educating your team on how to protect their own data and devices (especially if those devices are being used for work).
Teach them how to create strong passwords and how to spot phishing attempts. Also make sure they know how to stay safe when browsing the internet.
Many hackers are able to work their way into a company’s system using the organization’s employee credentials. Take, for instance, the big eBay hack of 2014, which affected 148 million active accounts. Apparently, the hackers were able to break in when they got their hands on “a small number” of eBay employee login information.
Learn from eBay’s story. Invest ample resource in security training for your staff — doing so will not only benefit them, but it could just save you from a large security disaster.
Is mobile at a higher risk for online fraud?
Mobile commerce is relatively new, but represents the fastest growing sector of ecommerce. Because selling on the small screen is so new, hackers target it specifically to avoid the more established desktop security.
Between 2011 and 2015, mobile commerce fraud rose by 81%, and currently, twice as much online fraud happens via mobile devices as via desktop. One theory behind why mobile is so much more likely to be compromised is that merchants are rushing to launch mobile commerce to stay competitive and overlook many security features. This can be particularly true with mobile apps. An insecure app can quickly become a fraud magnet.
How do you prevent mobile fraud?
While you should certainly use all the usual methods to try and prevent fraud from mobile devices, there are some other mobile-specific methods you should use as well. Again, these methods should be layered together to create the most secure system you can. These are also to be used in addition to the previously discussed desktop methods, as those will work for mobile sites and apps, as well.
Use phone number authentication
When your customers log in or attempt to purchase using a mobile method, you can send an authentication code to the phone number they give you via a separate non-internet channel like SMS. This allows you to be sure they are using the mobile device they claim to be coming from, as phone numbers are expensive to fake. If the scammer is able to get past this, it’s at least because they actually have the phone in question.
Phone number authentication can further be made stronger by giving the one-time password an expiration of minutes or hours, which prevents hackers from gathering old passwords to use. Using phone number authentication in addition to a regular password is another option to allow for more security.
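The two paragraphs above describe a one-time SMS code that expires after minutes and is layered on top of the regular password. The following is an added example of the server side of that, not code from the guide; it assumes an SMS gateway exists to deliver the code (sending is left to the caller), uses a constructed server secret, and picks a five-minute lifetime and a five-guess limit as assumptions. Only an HMAC of each code is stored, the comparison is constant-time, and a code is consumed on first successful use, so an old code cannot be collected and replayed.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5           # assumption: the code is discarded after five wrong guesses
OTP_DIGITS = 6


class OtpStore:
    """Pending one-time codes keyed by phone number.

    Only an HMAC of each code is kept, so a copied table does not yield usable
    codes; `clock` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, server_secret, clock=time.time):
        self._secret = server_secret
        self._clock = clock
        self._pending = {}

    def _digest(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, phone):
        """Create a fresh code for `phone`; the caller hands it to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # send via SMS only; never log or echo it

    def verify(self, phone, submitted):
        """True exactly once: right code, before expiry, within the attempt limit."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[phone]          # an expired code can never be replayed
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]          # too many guesses: force a fresh code
            return False
        if hmac.compare_digest(entry["digest"], self._digest(phone, submitted)):
            del self._pending[phone]          # single use
            return True
        return False


if __name__ == "__main__":
    # Constructed demo with the real clock; a production secret comes from configuration.
    store = OtpStore(b"constructed-server-secret")
    phone = "+15555550100"
    code = store.issue(phone)                  # in practice: sms_gateway.send(phone, code)
    print("first use:", store.verify(phone, code))
    print("replay:", store.verify(phone, code))
```

Layering, as the guide suggests, means the checkout only proceeds when the regular password check has already passed and `verify` returns true; the code alone should never log someone in.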
Endpoint authentication, also known as device authentication, is very similar to phone number authentication. It is used to tell whether the device in question has completed successful transactions with you in the past. It can also do the opposite – it can tell you if the device has been used to attempt fraudulent purchases previously.
Employ mobile geolocation
Mobile geolocation allows you to pinpoint where the mobile device actually is – which you can then check against the addresses and IP addresses given to you by your customer. Any mobile device with a location that doesn’t line up with the given addresses can be denied. Despite the fact that this is a relatively easy automated check to run, as of 2014, only 3% of ecommerce sites were utilizing mobile geolocation as a security feature.
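The check described above is a distance comparison: where the device says it is, versus where the billing address and the IP address resolve to. The following is an added example, not code from the guide; the geocoder and geoIP lookups are constructed tables (a real store would call a service), the IP addresses are from the reserved TEST-NET documentation ranges, and the 150 km tolerance is an assumption. One design choice differs from the text: a device that declines to share its location is sent for review rather than denied outright, since many legitimate customers refuse location prompts.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_DISTANCE_KM = 150.0   # assumption: how far the device may be from the addresses before we hold the order

# Constructed stand-ins for a geocoder and a geoIP database; a real store calls a service.
ZIP_COORDS = {"94105": (37.79, -122.39), "10001": (40.75, -73.99)}
IP_COORDS = {"203.0.113.10": (37.77, -122.42), "198.51.100.7": (40.71, -74.01)}  # TEST-NET addresses


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def geolocation_check(device_location, billing_zip, client_ip):
    """Compare the device's reported fix with the billing address and the IP's location.

    Returns the two distances and a decision: "allow" when both are within
    MAX_DISTANCE_KM, "review" otherwise (including when no device fix was given).
    """
    result = {"decision": "review", "reason": None, "km_to_billing": None, "km_to_ip": None}
    if device_location is None:
        result["reason"] = "no device location shared"
        return result
    billing = ZIP_COORDS.get(billing_zip)
    ip_loc = IP_COORDS.get(client_ip)
    if billing is None or ip_loc is None:
        result["reason"] = "could not geocode billing zip or IP"
        return result
    result["km_to_billing"] = round(haversine_km(device_location, billing), 1)
    result["km_to_ip"] = round(haversine_km(device_location, ip_loc), 1)
    if max(result["km_to_billing"], result["km_to_ip"]) <= MAX_DISTANCE_KM:
        result["decision"] = "allow"
        result["reason"] = "device, billing address and IP agree"
    else:
        result["reason"] = "device location is far from billing address and/or IP"
    return result


if __name__ == "__main__":
    sf_device = (37.78, -122.40)   # constructed GPS fix in San Francisco
    print(geolocation_check(sf_device, "94105", "203.0.113.10"))   # allow
    print(geolocation_check(sf_device, "10001", "198.51.100.7"))   # review
    print(geolocation_check(None, "94105", "203.0.113.10"))        # review
```

The tolerance matters: a customer who orders from the office with a home billing address is often tens of kilometres away, while the fraud pattern the guide describes is a device on another continent from the address it claims. Tune the threshold against your own order history before letting it block anything.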
Biometric security features
One security feature that’s largely unique to mobile is the ability to add a biometric feature. You can require a fingerprint, for instance.
Facial recognition technology is nearly ready to come to market. Engineers are even currently working to make iris scanning technology. Irises all have their own unique patterns, like a thumbprint. But unlike a thumbprint, an iris’ pattern cannot be altered without incurring significant damage to the owner of the iris.
Phone companies intend for biometrics to replace multi-step authentications. They are making their biometrics features extremely hard to fake or hack. Regardless, though, as of 2017, if you choose to use biometric security features, you should still at least consider using multi-step authentication in addition.
What ecommerce fraud prevention tools should you look into?
There are many, many ecommerce fraud prevention tools on the market, but here are five that you should consider looking into.
Signifyd protects over 5,000 stores today from online fraud. They’re an excellent option for stores of all sizes, including small ones because they even offer a free level of service that’s perfect for smaller stores. They also offer easy plugins for the major ecommerce solutions, including Shopify and Magento.
Signifyd runs in your store’s backend, scoring purchases for fraud likelihood. When fraud is detected, you have the choice of dealing with it in-house, or letting the team at Signifyd handle it. Furthermore, Signifyd gives you chargeback insurance, so if it does miss any fraudulent purchases, you will receive your money back. The free version provides access to resources that help you score your purchases yourself — it does not score them automatically. It also gives store-owners the ability to selectively submit purchases for chargeback insurance if they believe the purchase to be risky.
Sift Science is best for medium to large stores, as it’s quite pricey. The base plan starts at $500 and covers up to 7,500 “billable events” per month. A billable event includes when the solution detects payment fraud, an account takeover, or a fake account. What’s great about it — and makes it very, very worth it for the stores that can afford it — is that while you only pay by billable event, you get all the features of their software included. This means a medium size store, for $500/month, can run device “fingerprinting,” score purchases, check for affiliate fraud, etc. etc.
Simility is a device “fingerprinting” tool. It can measure the “fingerprint” of both mobile and desktop devices. Simility measures device “fingerprints” by checking all the data associated with that device, down to even battery power. It can then determine if two devices are the same. Simility has several solutions for different industries and its ecommerce solution is partially built to provide specific support for ticket sellers.
DubZapper is a software that was created specifically for the online gaming world, so it is best used for account-based ecommerce companies, like online gambling sites or perhaps subscription boxes. DubZapper’s software checks for duplicate accounts using device fingerprinting and checking customer information. DubZapper also handles the fraudulent cases for you.
Kount is a full online-fraud management tool and is best for enterprise level sites. Kount provides specialized solutions for many different verticals within the ecommerce world. It utilizes all the very latest in fraud detection technology including artificial intelligence. It is also one of the fastest solutions on the market – it can approve (or unapprove) a transaction in 300 milliseconds, so it won’t slow your customers down one bit.
What to do if you’ve experienced fraud?
Having the right prevention methods is the best thing you can do to combat fraud. Why? Well, to put it bluntly, when your site falls victim to fraud and you don’t have any prevention services in place, there’s not much you can do.
The modern world has collectively decided that it’s better for the retailer to eat the costs of fraud than it is for the consumer to incur the loss.
That said, if you experience fraud, you will want to gather all the documentation you have on the transaction. Collect all the data that the cyber-criminal gave you during the transaction and any other data that may exist post-sale. For instance, if you got a signature on the package, you’ll want documentation on that. You may even be able to obtain camera footage of the scammer if they had it shipped to a PO box and picked it up there.
Once you’ve done that, you’ll want to go to the right government authority to report the theft. Depending on how much money you lost, they may choose not to investigate. And unfortunately, they can’t really do much about an international scammer.
Additionally, choosing the right authority will depend on how much you incurred in losses and on whether the criminal is local, national, or international. The United States Department of Justice provides a comprehensive list of the federal authorities you should report to depending on the crime committed. These agencies include:
- U.S. Immigration and Customs Enforcement, Cyber Crime Division, which largely fights cross-state border crime.
- U.S. Secret Service fights international cyber crime.
- Federal Trade Commission, who will log your complaints.
- The FBI’s Cyber Division, which investigates internet crime such as “cyber based terrorism, espionage, computer intrusions, and major cyber fraud.”
States and counties also have their own individual versions of these services set up to help you. However, if your store is located outside of the U.S. or you feel that the government authorities are unable to help you, there are support agencies that can be accessed as well.
- The Cyber Crime Response Agency is a U.S.-based nonprofit that works to aid law enforcement in prosecuting cyber crime by taking the time to do in-depth investigations law enforcement does not have the time or resources to do.
- INTERPOL provides international support to law enforcement working on cyber crime cases.
- Europol provides similar support as Interpol in connecting law enforcement resources, but specifically for the EU.
You can also hand the documentation off to the credit card company involved. They may be willing to give your money back, though it’s unlikely.
Conclusion (plus additional resources)
Ecommerce fraud isn’t going away anytime soon — if anything, the threat of online fraud is growing. Scammers steal billions of dollars a year from consumers and online companies.
But beyond the financial costs, fraud also erodes the trust shoppers have in online stores, potentially further ‘stealing’ money from the ecommerce companies.
Save yourself from all that headache and do your best to prevent fraud from happening in the first place. The onus is on you to ensure that your customers’ data is highly secured. And while you can’t do much about identity theft that occurs outside of your data centers, you can and must be vigilant to ensure that no identity thieves are making fraudulent purchases on your site.
By layering together some or all of the methods in this guide, you’ll be better protected, and more likely to stop scammers in their tracks.
Finally, if you’re interested in learning more, here are some resources put together by the top payment gateways on the market today:
- Stripe’s anti-fraud support FAQ’s
- Paypal’s page on recognizing fraud
- Authorize.net’s suggestions of 31 ways to minimize credit card fraud
- 2Checkout’s fraud protection page
- First Data’s security and fraud solutions page
We hope you find all this information useful. If you need more resources or assistance with your ecommerce site, please get in touch with us.