Ecommerce Fraud Prevention & Detection Best Practices for Businesses

Ecommerce fraud prevention is a key factor in running a successful digital business. Online merchants are a huge target for fraud simply because it’s easy for fraudsters to commit scams and get away with them — which is why being proactive about fraud is a necessity in today’s digital marketplaces.

What is Ecommerce Fraud?

Ecommerce fraud is an umbrella term for fraud schemes that specifically target ecommerce businesses. And each type of fraud can have serious consequences for your business — such as revenue loss, poor customer experiences, reputational damage, and inventory loss.

9 Types of Ecommerce Fraud

No matter what type of ecommerce business you run, you could experience any of the following types of online fraud.

1. Unauthorized transactions
Unauthorized transactions are any purchases made that are not approved by the cardholder. For example, when a fraudster uses a stolen credit card to make an online purchase, that would be an unauthorized or fraudulent transaction.

In addition to buying merchandise for resale or their own personal gain, fraudsters will also commit this type of fraud during a card testing attack — making dozens of small, unauthorized purchases to test the validity of stolen payment information.

2. Friendly fraud
Friendly fraud occurs when consumers use the chargeback process incorrectly.

In some cases, consumers have malicious intent. They will buy something with a premeditated plan to later dispute the purchases so they can have goods or services for free. But more often, consumers call their banks to dispute charges they don’t recognize or don’t realize were made.

For example, a son might use a mom’s card without her knowledge. Or the cardholder might forget about a subscription purchase.

3. Account takeover (ATO) fraud
ATO fraud happens when a fraudster forcefully gains access to customer accounts. Once in an account, the fraudster can steal personal and payment information, change account details, or drain any loyalty points or gift card balances.

4. Promotion fraud
Promotion fraud or promo abuse occurs when a customer or a fraudster exploits sales or promotions for personal gain. For example, they might open multiple new accounts with fake email addresses to obtain multiple free trial subscriptions — a practice known as new account opening fraud.

5. E-gift card fraud
E-gift card fraud is a scheme where a fraudster buys digital gift cards with stolen payment information then uses or resells them. Essentially, it’s a way for fraudsters to get cash for free.

6. Refund fraud
Refund or return fraud are schemes to get goods or services without paying for them. A fraudster or opportunistic customer exploits gaps in order fulfillment or shipping processes to get refunds without returning items.

Customers sometimes even hire professional refunding services to get refunds for large-dollar items.

7. Retail arbitrage fraud
Retail arbitrage fraud occurs when a fraudster purchases large quantities of discounted or limited edition items and then resales them on a different marketplace for higher price.

Often, fraudsters will use bots to override web protocols that place limits on the amount of items one buyer can purchase — gaining an unfair advantage over legitimate customers.

8. Triangulation fraud
Triangulation fraud occurs when fraudsters build fake online stores that advertise low prices on goods. When customers make purchases on the fake site, the fraudster collects their payment information, then forwards the legitimate transaction to the real merchant. The customer is then charged a second time — often resulting in a chargeback for the legitimate merchant.

9. Interception fraud
Interception fraud is a scheme where fraudsters attempt to intercept a customer’s order and obtain goods.

Interception fraud typically involves taking over a customer’s account to access order and shipping details. Then, the fraudster would use social engineering tactics to get the shipping address changed on an order.

Industry Best Practices for Ecommerce Fraud Detection

Despite the many threats facing your business, there are ways you can help prevent fraudulent activities.

Analyze customer data

Data analysis is a key component in a successful fraud management strategy.

Recognize high-risk orders

Part of stopping ecommerce fraud is about knowing when it is happening to your business. Most high-risk orders have certain characteristics in common such as:

  • Buying high-priced items
  • Ordering multiples of the same thing
  • Placing larger-than-normal orders

Check out this blog article about high-risk orders to learn more.

If you notice any of these details on a transaction — especially multiple red flags on a single interaction — you might want to block it.

Monitor chargeback and refund data

Monitor your chargeback and refund data so that you have a better understanding of who is interacting with your brand and why fraud has happened in the past.

Once you have that data, you can choose to either block or accept customers that have engaged in bad behavior — such as filing disputes or committing refund fraud.

Evaluate things like customer lifetime value (CLV), your chargeback rate, fraud ratios, and online reputation before you make those decisions.

Check IP addresses

An IP address is a unique set of numbers assigned to each internet or network device. It allows devices to communicate with one another. Monitoring IP addresses can help you detect fraud a couple different ways.

First, IP addresses are location specific. If the IP address doesn’t match the same geographical area of either the billing or shipping address, a fraudster could be at work. Second, multiple purchase attempts from a single IP address could mean a fraudster is testing multiple cards.

Track fraud by country

An IP address is a unique set of numbers assigned to each internet or network device. It allows devices to communicate with one another. Monitoring IP addresses can help you detect fraud a couple different ways.

First, IP addresses are location specific. If the IP address doesn’t match the same geographical area of either the billing or shipping address, a fraudster could be at work. Second, multiple purchase attempts from a single IP address could mean a fraudster is testing multiple cards.

Use available tools and resources

There are several available tools and technologies that can help prevent fraud.

Implement risk-based or step-up authentication

One way to keep out bots and fraudsters is to require authentication steps for suspicious interactions on your site. This authorization step could mean adding a CAPTCHA before checkout for orders under or over unusual amounts to ensure a user is not a bot. You could also implement secure multi-factor authentication protocols for suspicious logins.

Selective authentication requirements means you only challenge suspicious behavior and don’t add unnecessary friction for good customers. This keeps your experience safe yet user friendly.

Request card security codes

The card verification value (CVV) is typically a three- or four-digit code printed on a card. It’s meant to add a layer of security to online purchases and mitigate credit card fraud.

Businesses can’t store CVV codes, so it’s unlikely fraudsters will have that information if they obtain card numbers from data breaches. If a business requires the CVV at checkout, fraudsters with just the card numbers won’t be able to complete the purchase.

Sign up for address verification services (AVS)

Address verification service (AVS) compares a customer’s billing address provided during checkout to the billing address on file with the customer’s financial institution. If the addresses don’t match, the shopper probably isn’t the cardholder. If that happens when you run an AVS check, you might want to cancel the order.

Use 3D Secure 2.0

3D Secure 2.0 is a tool to help verify a shopper’s identity to reduce the risk of fraud. When a cardholder makes a purchase, the merchant sends real-time information — such as shipping address, the customer’s device ID, or order history — to the customer’s bank (called the issuer or issuing bank).

The issuer reviews the information to determine the likelihood of fraud. New information that differs from past attributes could indicate fraudulent activity. Based on the assessment, the transaction can either be approved, declined, or challenged with further authentication steps.

It’s important to note that 3D Secure 2.0 provides a guarantee. If a transaction is fully validated with 3DS2.0, a chargeback is blocked.

Partner with a reliable payment processor

Make sure you partner with a reputable payment processor. You don’t want to put your business at risk. Do your research and know who you’re working with before you sign up for services.

The benefit of working with a reliable processor — in addition to safely being able to accept payments — is that they can help you put security systems in place like CVV and AVS checks to minimize fraud.

Keep your site safe

Your website is one of our greatest assets. But if managed improperly, it can also be one of your biggest liabilities.

Set up firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic. It can allow or block traffic based on a defined set of security rules.

Setting up a firewall can improve your network security by blocking unauthorized access to your site. Plus you can better monitor your traffic and identify suspicious interactions — such as abnormal, high velocity activity from bots.

Follow PCI standards

PCI-DSS is the global security standard for all businesses that store, process, or transmit sensitive cardholder data.

Maintaining compliance can help you create long-lasting relationships with customers, acquirers, and payment processors. Not maintaining compliance can lead to data breaches, law suits, damaged reputation, and a host of other problems.

Keep your website and software up to date

Fraud is constantly evolving, which means your website and fraud software needs to be continually updated to keep pace. Outdated technology can leave you vulnerable to attacks.

Use HTTPS

HTTP is a protocol that allows data transmission via the web. HTTPS is HTTP but is more secure. It uses TLS (SSL) to encrypt normal HTTP requests and responses. This means that any information you transmit — like passwords or credit card numbers — will be difficult for anyone to intercept.

Implement procedures and protocols

Take the necessary steps to ensure your internal teams and processes are secure.

Train employees on fraud

Training can play a crucial role in preventing fraudulent activity and should be offered to your whole team. Anti-fraud training can help employees identify and respond to potentially fraudulent inquiries more effectively.

For example, you can train each department on the following fraud practices.

  • Fulfillment team – Train your fulfillment team to look for empty boxes that should have returned merchandise. Also, equip your fulfillment team to identify returns that involve counterfeit merchandise.
  • Marketing team – Help your marketing team understand the importance of monitoring and analyzing ad traffic. With the marketing team’s help, you can detect and discontinue campaigns attracting fraud and promo abuse.
  • IT team – Make sure your IT team is aware of emerging fraud threats so that they can respond appropriately. That includes keeping software up to date, installing firewalls, and setting up any other technologies that can stop potential threats.
  • Customer service – Teach your customer service agents about social engineering and refunding services — these are some of the biggest threats your agents face. Also encourage agents to answer emails and calls promptly to maintain positive customer relationships.

Create custom fraud policies

Policies are the foundation of fraud detection software and prevention strategies. You need to establish rules about who you do and don’t want to do business with. However, these policies aren’t one-size-fits-all.

What works for another merchant in your industry might not work for you. And the way you handle one customer might be different for another. You need to be able to create policies that can block suspicious behavior on your site while still accepting the maximum number of customers possible.

Determine if manual reviews are best practice

Manual reviews means that one or more team members manually evaluates different data points to find fraud patterns.

Some businesses like to do some manual reviews to deliver better customer service or supplement older fraud solutions. However, manual reviews can be time-consuming, inaccurate, and ineffective at fighting fraud. And some businesses simply don’t have the time to manually review suspicious orders.

The decision to manually review transactions is something only you can decide. Maybe you want to review everything flagged as suspicious. Maybe you only review some. Or maybe you don’t review any at all.

Here are some things to consider:

  • Return on investment (ROI) – Will you save more than you’ll spend in manual labor? Potentially losing $1,000 for a designer purse might warrant $10 in labor costs.
  • Time – Can you afford delays in the checkout process? If you’re selling something that a customer expects to receive right away — such as a digital download or food order — you don’t have time to review orders.

Have clear policies for refunds, returns, and cancellations

Make sure your policies are written clearly on your website and placed in a location that is easy for customers to find. Consider having customers check a box that says they agree to your policies before checking out. That way, when a customer tries to exploit a policy, you can point back to their original consent.

Reevaluate your thresholds around busy shopping times

Certain times of the year are usually busier than others. That might mean you want to accept a little more risk during the holidays to maximize profits. Maybe you change your refund and return policies to be more lenient or lower risk thresholds. Perhaps you pause manual reviews.

Whatever you decide, just make sure you reevaluate your strategy once the busy time has passed.

Audit your merchandise

Certain merchandise can be more appealing for fraudsters. For example, if you mostly sell high-dollar items, fraudsters may target your low-dollar items so that they can use your business for card testing. Other items might be targeted for resale fraud — such as collectables or limited edition merchandise.

Keep track of items that attract fraud and consider removing them from inventory if they cause issues.

Protect multiple points of sales

Fraud can happen through mobile apps, websites, phone orders, and more. Make sure your fraud systems protect different sales methods if you offer multiple ways to pay for merchandise.

Adjust the customer experience

The customer experience is always evolving. Make sure you balance expectations with safety.

Set purchase limits

Setting limits on the number of items a customer can buy or the minimum amount they need to purchase can help you avoid card testing fraud and retail arbitrage.

Require accounts

It may seem extreme, but unless you implement fraud prevention software, don’t allow guest checkout.

The more customer information you have, the better you can verify if the cardholder is the actual shopper. Plus, the extra work of opening an account may dissuade fraudsters from attacking your business.

Consider collecting proof of delivery

One way to avoid return fraud and friendly fraud is by requiring your shipping and delivery department to take photos of orders once they have been delivered. This kind of proof can be extremely difficult for a customer to protest.

Implement friendly fraud prevention tactics

There are a variety of reasons for friendly fraud. For example:

  • Buyer’s remorse
  • Kids or a spouse making purchases without the cardholder’s knowledge
  • Restrictive return policies

There are lots of things you can do to reduce the risk of friendly fraud. Generally, the more robust your strategy, the greater your protection. Here are some best practices that can get you started:

  • Write clear product descriptions and include images so that customers know what they are getting
  • Use a clear billing descriptor
  • Don’t use bait and switch marketing
  • Wait to charge the card until you are ready to ship merchandise
  • Remind customers of recurring transactions before charging the card
  • Share policies before completing transactions and require customers to accept the policies before finalizing purchases
  • Offer great customer service when a customer has an issue

Some customers will still file disputes despite these protocols. For those cases, you can use chargeback prevention tools — such as prevention alerts, order validation, and RDR — to reduce the negative impacts disputes can have on your business.

Require strong passwords

Account takeover fraud happens so frequently because most customers use the same easy-to-guess password on multiple accounts. Setting password requirements will help with account protection and reduce ATO attacks.

For example, some password requirements you can implement include:

  • Minimum length of eight characters
  • Combination of letters and numbers
  • Mix of upper and lowercase letters
  • Use of special characters

Additionally, you can encourage customers to regularly update their passwords for stronger protection.

Payment Fraud Prevention Solutions for Ecommerce

Different fraud types require different solutions. You can use multiple vendors to solve each problem or build a solution yourself. However, you might waste a lot of time and effort trying to manage fraud that way.

A smart option would be to use an all-in-one solution that not only mitigates all types of fraud, but also improves business efficiencies. And our partner Kount can help.

Kount has decades of experience in ecommerce fraud and have helped hundreds of businesses just like yours. We recommend you check them out!

Ready to Start Preventing
& Fighting
Chargebacks?

analytics-imac

Set up your
demo experience.

analytics-imac@2x analytics-imac

Sign up for
news & updates.

©2023, Equifax Inc., All rights reserved. Equifax and the Equifax marks used herin are trademarks of Equifax Inc. Midigator is a trademark of Equifax Inc. Other product and company names mentioned herin are the property of their respective owners.

Top