7 Types of E-Commerce Fraud & How to Prevent Them
Exploring E-Commerce Fraud
E-commerce fraud is an umbrella term for any type of online fraud that is attempted against an e-commerce business/store/platform, which can come in many forms.
While e-commerce, and online transactions in general, have gained some popularity throughout the past two decades, COVID-19 has led even reluctant online shoppers to finally adopt e-commerce transactions. In fact, it is projected that e-commerce sales worldwide will continue growing to reach $6.4 trillion by 2024.
Unfortunately, the rising popularity (and profitability) of e-commerce has enticed cybercriminals to take advantage of new adopters, online shoppers, and popular e-commerce platforms. Throughout 2020-2022, there have been major increases in e-commerce fraud.
E-commerce fraud can take many forms: account takeover (ATO), card testing, triangulation fraud, and more. And defending against the various types of attacks is increasingly challenging for e-commerce businesses.
This guide covers what e-commerce fraud is, why it is so common, the most common types of attack, the red flags to watch for, and how to protect your online store.
What is e-commerce fraud?
E-commerce fraud is the subset of online fraud specifically targeting e-commerce platforms.
For example, when a cybercriminal uses stolen credit card information (and a stolen identity) to make a purchase in your e-commerce store, it is e-commerce fraud. Unfortunately in such cases, the e-commerce business ends up absorbing the cost of the fraud, which affects revenue.
A unique characteristic of online card fraud (involving stolen credit card information) is that the card does not need to be present for the transaction to go through. Instead, the fraudster will simply enter the stolen credit card information (name, billing address, card number, expiry date, and CVV number), and the e-commerce store treats it as a valid transaction.
There are many other types of online fraud targeting e-commerce businesses. Account takeover (ATO) fraud, for example, occurs when a cybercriminal has taken hold of a legitimate customer’s login credentials on an e-commerce platform and uses the account to purchase goods.
It’s crucial for online businesses to understand that e-commerce fraud is becoming even more sophisticated by the second. Cybercriminals continue getting smarter, leveraging more advanced methods over time.
Why is e-commerce fraud common?
Online fraud targeting e-commerce businesses is common for three main reasons:
1. Effectiveness
E-commerce fraud is relatively effective considering the resources needed to launch an attack.
To perform “offline” fraud, a fraudster might first need to steal someone’s wallet or break into a victim’s home to obtain their credit card physically. On the other hand, performing online fraud feels relatively easier and less risky to cybercriminals. In fact, criminals today can simply purchase stolen credit card information available on the dark web for cheap.
2. Evasion
Prosecution for e-commerce fraud is still quite rare. It can be challenging for relevant authorities to gather evidence, and cyberattacks can be launched from countries outside the victim’s jurisdiction. Typically, the amount of money involved in online fraud attacks is relatively small compared to other types of crimes, so from authorities’ point of view, the resources needed to pursue an online fraudster might not be justified.
3. Ease
Online fraud is also common because it is quite easy compared to traditional fraud. The perpetrator doesn’t have to break into a house, car, or store, or risk getting physically captured. Attackers can commit online fraud from home with fairly minimal resources—basically a computer (or even a smartphone) and an internet connection. Due to this easy accessibility, many “beginner” criminals attempt e-commerce fraud as their first crime.
With that being said, e-commerce companies can’t rely on governments and authorities to protect them from online fraud. Instead, businesses should be proactive in implementing appropriate defense mechanisms, especially fraud detection technologies.
Implementing an e-commerce fraud prevention solution is now a necessity for any e-commerce business.
7 Different Types of E-Commerce Fraud
There are numerous different types of online fraud that can be launched against e-commerce platforms, but here are the top threats:
1. Classic Online Credit Card Fraud
This is the most common type of e-commerce fraud, and it is typically performed by beginner fraudsters.
In this type of attack, the fraudster obtains stolen credit card information in one way or another (e.g. purchasing stolen credit card credentials from the dark web or gaining access to someone’s credit card and noting the credentials), and then uses the acquired credit card credentials to purchase a product from an e-commerce store.
The fraudster may use various tricks to ensure they can retrieve the goods (e.g. sending the goods to reshippers), and may also use various techniques (e.g. residential proxies) to mask their identity.
2. Card Testing Fraud
A little bit more advanced than straightforward credit card fraud, card testing has become popular in recent years. Card testing is when a fraudster has gained access to some, but not all, stolen credit card credentials. It could be just one card, or it could be hundreds if not thousands of cards.
Attackers who attempt card testing fraud typically don’t know two things:
- Whether the card is still valid (not blocked yet) and can still be used to successfully complete a transaction.
- The limit of the credit card, or the maximum amount of money they can use on the card to purchase goods.
To find out, the fraudster will then test the card by making small purchases on e-commerce sites. Once a transaction has been approved, the fraudster will then move on to making bigger purchases and will try to get as much value as possible from each card.
3. Chargeback Fraud
Chargeback fraud happens when a fraudster purchases goods from an e-commerce store, and then requests a chargeback after the item has been received. In such cases, the acquiring bank or credit card network refunds the transaction to the “customer” (the fraudster), but the retailer must still pay the same amount to the credit card network/bank.
In chargeback fraud, the attacker makes disputes that appear to be honest claims. For example, they may argue that the item never arrived or tell the payment processor that they returned the item to the merchant (but never did).
Due to the nature of the claims, chargeback fraud is also often called “friendly fraud”. Because chargeback fraud may be attempted by legitimate credit card owners, detection can be challenging.
4. Account Takeover (ATO) Fraud
Account takeover, or ATO fraud, occurs when a cybercriminal gains access to a legitimate user account on an e-commerce store and uses the account to make a purchase.
Fraudsters can use various techniques to obtain accounts:
- Brute Force Attacks
- Credential Stuffing
- Purchasing Credentials on the Dark Web
- Phishing Schemes Targeting Legitimate Customers
ATO fraud can cause serious damage for both the e-commerce store (retailer) and the customers. For customers, ATO may result in more serious identity theft attacks, and the customer might blame the e-commerce store. Successful ATO attacks result in long-term and even permanent damage to a brand’s reputation.
5. Refund Fraud
Refund fraud is often used when the fraudster cannot get goods delivered to their address and can’t withdraw cash from a stolen credit card.
In refund fraud, the fraudster uses stolen credit card credentials to make an online purchase, and then contacts the e-commerce store to request a reimbursement.
A common refund fraud tactic is for the fraudster to deliberately make an excess payment, then request a refund for the excess amount while requesting that the money be sent via an alternative method (e.g. by claiming the credit card was closed). This way, the fraudster can receive the “excess” amount without having the original credit card charge refunded, which could result in a chargeback when the original owner of the credit card makes their disputes.
6. Triangulation Fraud
In triangulation fraud, the fraudster needs another shopper in order to carry out the attack. The attack involves three parties: the fraudster, a shopper, and the e-commerce store.
To perform triangulation fraud, the fraudster first sets up an e-commerce store (e.g. via Shopify) or a storefront on an e-commerce marketplace (like Amazon or eBay). A common tactic is to sell high-demand products at a very affordable price to attract customers quickly.
However, when a legitimate customer makes a purchase from the store and enters their credit card information, the fraudster will intercept the information and use it to purchase the requested goods from a legitimate e-commerce store.
The customers (that receive the goods) may think that they have gotten a bargain, but actually, they are paying the normal price, and their credit card information is now stolen.
7. Interception Fraud
Interception fraud happens when fraudsters place orders from an e-commerce store using the valid billing and shipping address linked to the card, so the transaction can go through. However, the fraudster then attempts to intercept the goods for themselves.
Attackers use various techniques for interception fraud, but here are some of the most common ones:
- Making seemingly legitimate claims to an e-commerce store’s customer service, so they change the address before shipment.
- Waiting for the delivery to arrive and attempting to physically intercept the package (e.g. when the fraudster lives close enough to the real credit card owner).
- Contacting the shipper directly to reroute the package to another address.
E-Commerce Fraud Red Flags to Look For
We can’t prevent e-commerce fraud if we don’t know attacks are coming. The success of e-commerce fraud depends on how well the fraudster can fool your system.
On the other hand, how effectively you can defend against cybercriminals depends on how quickly you can identify fraud attempts. In short, you have to know the “tells”, the red flags to look for, and here are some of the most common:
- Multiple orders from multiple credit cards: When an account (or different accounts with similar signatures, like the same IP address) makes multiple purchases with multiple credit cards, it’s a clear red flag for fraud, especially card testing fraud.
- Data inconsistencies: Look for any inconsistencies, albeit small ones, like when the city and the zip code entered don’t match. Another example is when a shopper with a Singaporean IP address makes a purchase for a credit card with a US billing address.
- Unusual purchasing behaviors: If the credit card owner isn’t a first-time shopper, then you can check their purchase history and look for suspicious activities. For example, when the account suddenly makes an order far larger than what the customer typically spends.
- Unusual location: Again, if the customer has made a purchase from your business before, check for unusual activities from different locations than usual. For example, if the customer always purchases from an IP address in Japan, but suddenly makes a purchase from an IP address in Angola. It’s possible that the account owner is simply on vacation, but better safe than sorry.
- Multiple orders from unusual locations: For example, when you’ve never received any order from Indonesia, but suddenly you receive 10+ orders from Indonesia.
- Multiple shipping addresses: Another red flag is when a buyer makes multiple purchases under one credit card (one billing address), but ships the products to multiple different addresses. In general, when a shopper requests to ship the goods to an address other than the card’s billing address, you should be reasonably suspicious.
- Declined transactions: Yes, even legitimate shoppers may forget their PIN or use up a card’s limit without realizing it. However, if an account makes more than five attempts without getting the credit card credentials right (number, expiry date, name, CVV), then you should be suspicious.
- Fast, back-to-back transactions: While multiple purchases back to back from a single customer may be possible, it could also be a fraudster card testing on your site.
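As an added example (not code from the original post or from DataDome), the following Python rule set walks a batch of constructed checkout attempts and raises the red flags listed above: many cards on one account or one IP address, city/zip and IP-country/billing-country inconsistencies, more than five declines, one card shipping to several addresses, and rapid back-to-back approvals. The thresholds, the zip-to-city lookup and the record layout are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup standing in for a real postal-code database (assumption).
ZIP_TO_CITY = {"78701": "Austin", "10001": "New York"}
MAX_CARDS, MAX_DECLINES, MAX_SHIP_ADDRESSES = 3, 5, 3   # assumed thresholds
RAPID_COUNT, RAPID_WINDOW = 3, timedelta(seconds=60)

# Constructed sample checkout attempts. Field order for every row:
# (account, ip, ip_country, card_token, billing_country, billing_city,
#  billing_zip, ship_to, amount, status, timestamp)
SG_IP, US_IP = "203.0.113.5", "198.51.100.7"
ATTEMPTS = [
    ("shopper1", US_IP, "US", "card-A", "US", "Austin", "78701", "1 Main St",
     45.0, "approved", "2023-05-01T10:00:00"),
] + [  # three $1 authorizations on three cards within 20 seconds: card testing
    ("tester9", SG_IP, "SG", f"card-X{i}", "US", "New York", "10001", "PO Box 9",
     1.0, "approved", f"2023-05-01T10:05:{10 * i:02d}") for i in range(3)
] + [  # same IP, one card, goods fanned out to three addresses, city/zip mismatch
    ("mule2", SG_IP, "SG", "card-Y", "US", "Austin", "10001", f"{n} Elm St",
     300.0, "approved", f"2023-05-01T11:0{n}:00") for n in range(3)
] + [  # six failed retries of the card details in a row
    ("mule2", SG_IP, "SG", "card-Y", "US", "Austin", "10001", "1 Elm St",
     300.0, "declined", f"2023-05-01T11:10:{s:02d}") for s in range(6)
]


def flag_attempts(attempts):
    """Return {red_flag: sorted account ids} for every rule that fired."""
    flags, approved_at = defaultdict(set), defaultdict(list)
    cards_per_ip, accts_per_ip = defaultdict(set), defaultdict(set)
    cards_per_acct, ships, declines = defaultdict(set), defaultdict(set), defaultdict(int)
    for acct, ip, ip_cc, card, bill_cc, city, zipc, ship_to, _amt, status, ts in attempts:
        cards_per_ip[ip].add(card)
        accts_per_ip[ip].add(acct)
        cards_per_acct[acct].add(card)
        ships[(acct, card)].add(ship_to)
        if ZIP_TO_CITY.get(zipc, city) != city:        # data inconsistency
            flags["zip_city_mismatch"].add(acct)
        if ip_cc != bill_cc:                            # IP location vs billing country
            flags["geo_mismatch"].add(acct)
        if status == "declined":
            declines[acct] += 1
            if declines[acct] > MAX_DECLINES:           # more than five failed attempts
                flags["repeated_declines"].add(acct)
            continue
        t = datetime.fromisoformat(ts)                  # fast back-to-back approvals
        approved_at[acct] = [x for x in approved_at[acct] if t - x <= RAPID_WINDOW] + [t]
        if len(approved_at[acct]) >= RAPID_COUNT:
            flags["rapid_fire"].add(acct)
    flags["multiple_cards"] = {a for a, c in cards_per_acct.items() if len(c) >= MAX_CARDS}
    for ip, cards in cards_per_ip.items():              # many cards spread over accounts sharing an IP
        if len(cards) >= MAX_CARDS:
            flags["multiple_cards"].update(accts_per_ip[ip])
    flags["multiple_ship_addresses"] = {a for (a, _c), s in ships.items() if len(s) >= MAX_SHIP_ADDRESSES}
    return {k: sorted(v) for k, v in flags.items() if v}
```

Calling `flag_attempts(ATTEMPTS)` flags `tester9` and `mule2` on several rules while the single ordinary order from `shopper1` raises none; in production the same rules would feed a risk score rather than a hard block, since a traveller or a bulk buyer can trip one of them legitimately.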
How to Protect Your Business From E-Commerce Fraud
One of the keys to protecting your e-commerce business from online fraud is to recognize the attack as soon as possible. However, there are cases where it’s already too late once you’ve identified the attack, so it’s better to implement preventative measures to reduce or even eliminate any possibility for fraud.
Actionable Tips for Preventing E-Commerce Fraud in Your Online Store
Audit your E-Commerce Platform Security Regularly
Online fraud technically happens when fraudsters and cybercriminals find flaws in your system that you aren’t aware of. If you identify your vulnerabilities before attackers, you are already one step ahead.
While an e-commerce security audit can be a pretty deep subject, here are some important elements you should assess regularly:
- Make sure everything is up to date, ideally as soon as updates are available, especially if it’s a security fix.
- Check your website’s SSL certificate (HTTPS). If you haven’t implemented HTTPS, you should right away, and regularly check whether your SSL certificate is working well.
- Check whether all data transmissions and communications between your business and your customers feature end-to-end encryption.
- Check whether your e-commerce store stays PCI-DSS compliant.
- Make sure your data is backed up regularly.
- Scan the e-commerce website regularly for malware with appropriate antivirus/anti-malware solutions.
- Monitor activities of malicious bots and block them right away to prevent account takeover attempts and other bot-related threats.
Implement an Adequate Fraud Detection Solution
To really protect your e-commerce platform from online fraud, you should implement a robust fraud detection solution that can automatically identify red flags and block suspicious user activity, effectively preventing the fraud from happening.
As a robust bot detection software, DataDome rapidly identifies visitor behavior on your website, app, or API that shows signs of online fraud. DataDome automatically blocks the source before attacks unfold, effectively preventing fraud from happening without negatively impacting the customer experience.
To protect against online fraud, DataDome employs a two-layer bot detection engine leveraging artificial intelligence (AI) and machine learning (ML). This allows DataDome’s algorithm to analyze billions of daily events and continuously update its protection, so it can effectively detect and prevent brand new online fraud tactics.
Require CVV Numbers for All Credit Card Transactions
It’s standard practice nowadays for any online transaction to require the CVV (Card Verification Value) number.
The CVV is the three- or four-digit security code on the back of the credit card, which acts like a second authentication factor for online purchases. By requiring online shoppers to supply the CVV number, you gain extra assurance that the shopper actually has the physical credit card in their possession, which can effectively reduce the risk of e-commerce fraud.
Make Sure to Use HTTPS
Make sure your e-commerce website uses HTTPS instead of standard HTTP. Using HTTPS means that the data transmission from an online shopper’s web browser to your website will be encrypted, so sensitive information like customer names and credit card numbers stay secure.
Also, if you are still using HTTP, Google may mark your site as unsecured for users that use Google Chrome, which may reduce traffic to your e-commerce store.
Set Limits on Total Purchases
Assess your store’s average revenue, and set a limit for the number of purchases (both in items and dollar value) an account can make in a single day. This way, should a fraudster succeed despite all your preventive measures, you can mitigate the impact and avoid significant financial damage to your business.
Reject Non-Valid Shipping Addresses
Online fraudsters may attempt to avoid detection by using PO boxes, virtual addresses, or other anonymous locations so their actual address isn’t recorded. It’s best to never ship any orders to virtual addresses and PO boxes.
Only Collect the Necessary Sensitive Customer Data
Any customer’s sensitive data that you’ve collected becomes your responsibility to protect. So, it’s best to avoid collecting too much sensitive data. That way, in the unfortunate event of a data breach or successful account takeover attack, you can reduce exposure to a minimum.
As a general rule of thumb, you should only collect the data you absolutely need to ship the product and validate the transaction.
Conclusion
Protecting an e-commerce site is often a challenging task, and online fraudsters are only getting smarter as they adopt new techniques and technologies. Whether your e-commerce business is a big enterprise or a small store, it will continue to be targeted for e-commerce fraud.
Be proactive in protecting your e-commerce website, mobile app, and APIs. The tips above can definitely help you build a comprehensive e-commerce fraud prevention strategy.
Most importantly, constant monitoring of your site for potentially fraudulent activity is critical. Effective automated fraud prevention like DataDome’s solution proactively monitors your incoming transactions for red flags. On autopilot, we help you prevent e-commerce fraud from happening, which protects your business and customers from potential financial, legal, and reputational damages.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/7-types-of-ecommerce-fraud-how-to-prevent-them/