E-commerce fraud prevention and detection best practices for businesses
E-commerce fraud has evolved and increased with the rise in online commerce accelerated since 2020. By 2024, e-commerce merchants may lose an estimated $24 billion to online payments fraud. . While e-commerce fraud increases are nothing new, bad actors are launching more sophisticated fraud attacks.
It’s more important than ever to take proactive steps to detect and prevent e-commerce fraud. Investing in the right e-commerce fraud prevention solutions can make a big difference in customer safety and financial results.
We’ve identified the top 12 types of e-commerce fraud, 10 signs of e-commerce fraud, and nine industry best practices for detecting e-commerce fraud.
12 e-commerce fraud types
- Payments fraud
- Friendly fraud
- Account takeover (ATO) fraud
- Retail arbitrage fraud
- E-gift card fraud
- Refund fraud
- New account opening (NAO) fraud
- Subscription billing fraud
- Buy now, pay later (BNPL) fraud
- Promotion or coupon fraud
- Triangulation fraud
- Interception fraud
1. Payments fraud
Payments fraud occurs when bad actors use stolen credit cards to purchase goods and profit by reselling items.
Card-not-present (CNP) transactions are most at risk for this type of fraud because the bad actor doesn’t have to present the card at the point of purchase. Businesses that don’t proactively prevent payments fraud risk losing money to chargebacks, false positives, and operational inefficiencies.
2. Friendly fraud
Friendly fraud occurs when a consumer makes an online purchase and then disputes the charge with their bank. These disputes often end in chargebacks for the merchant.
In some cases, the consumer has malicious intent to dispute the payment and keep the goods or services. But more often, consumers call their credit card companies or banks to dispute charges they don’t recognize.
Usually, friendly fraud isn’t attributed to criminal enterprises, but it can still damage profits and affect inventory. However, businesses and merchants can prevent friendly fraud, resolve disputes, and avoid chargebacks with a real-time chargeback prevention solution.
3. Account takeover (ATO) fraud
Account takeover fraud occurs when a human, bot, or botnet uses stolen credentials to access customer accounts. Once they have access, bad actors can drain monetary funds or loyalty points, steal customer data, or purchase goods or services.
Beyond lost revenue, account takeover fraud damages brand reputations and can permanently erode the trust of good customers.
The rise in this type of non-financial credentials fraud is due to the dark web demand for stolen email addresses, passwords, and other private personal information.
When a bad actor discovers the right combination of username and password, they can access and exploit genuine customer accounts.
4. New account opening (NAO) fraud
New account opening fraud occurs when a bad actor creates new accounts to take advantage of offers and services. The bad actor creates the account using bits and pieces of real identity data.
This makes it hard for the merchant to determine if the account belongs to a legitimate customer. Without e-commerce fraud detection methods, this can lead to identity fraud and illegitimate purchases online.
5. E-gift card fraud
With e-gift card fraud, a bad actor steals a consumer’s payment information and buys an e-gift card. From there, the bad actor may resell the e-gift card online. When another consumer buys it, the bad actor pockets the consumer’s money and payment information.
Meanwhile, the original consumer whose payment information the bad actor used to buy the e-gift card calls their credit card company to dispute the charge. The dispute ends in a chargeback for the merchant.
E-gift card fraud is difficult to trace because bad actors don’t have to ship cards to an address. So when it comes to resolving e-gift card fraud, merchants take a significant financial hit. Luckily, there are several ways businesses and merchants can avoid e-gift card fraud.
6. Refund fraud
Refund fraud is a big problem for any company that ships goods or accepts returns. Essentially, refund fraud happens when bad actors exploit gaps in logistics or fulfillment processes or carry out social engineering attacks to turn a profit or get goods for free.
There are several kinds of refund fraud, including did-not-arrive (DNA), empty box or partially empty box, and fake tracking ID (FTID). Some bad actors are part of larger, more organized groups that abuse refund policies or provide refunding services to consumers.
But not all bad actors are in those bigger groups. Some are opportunistic customers. In fact, a recent Kount survey on social engineering trends revealed 40% of consumers have used social engineering tactics to coerce customer service representatives into issuing refunds.
Saying the item was broken or damaged was the No. 1 coercive tactic, followed by threatening to cancel services and disputing the purchase. Unfortunately, refund fraud happens without a chargeback or a traditional dispute to alert the merchant, which makes it hard to detect.
7. Subscription billing fraud
Adopting a subscription business model is a great way to drive recurring revenue and deliver ongoing value to new and existing customers. But adopting a new billing model exposes businesses to new criminal and friendly fraud activity.
Fraudsters and customers may use false credentials to obtain multiple free trials, new-user perks, and referral discounts. A subscription billing fraud solution that identifies good products and assesses transaction risks can curb that activity.
8. Buy now, pay later (BNPL) fraud
Buy now, pay later (BNPL) models can help customers access the products and services they need now by offering flexible payment options.
Unfortunately, the more e-commerce businesses that offer this option, the more choices fraudsters have to carry out card testing and other schemes. A BNPL fraud solution can reduce card testing and other fraud risks for new BNPL transactions and anytime customers change payment methods.
9. Promotion or coupon fraud
Businesses depend on promotional sales and lead-generating promotional campaigns to acquire new customers and keep loyal customers happy. In promo abuse fraud, a bad actor abuses a business’s coupon or promotional policies.
Bad actors may attempt to defraud a business by using promotional codes multiple times or abusing coupon policies to obtain goods for free. Referral programs and sale-saving tactics like cart-abandonment and apology vouchers are most at risk for this type of fraud.
10. Retail arbitrage fraud
Retail arbitrage fraud occurs when malicious bots allow a single buyer to purchase large quantities of discounted items for resale on a different marketplace.
This type of fraud can quickly undercut revenue and profits, drain inventory, and steal discount-conscious customers away. Retail arbitrage fraud can result in dramatic price differences across marketplaces and poor customer experiences that can reflect poorly on brands.
Bots are evolving, so malicious bots are becoming harder to detect and block with perimeter security, web application firewalls, and content delivery networks. A bot protection solution can accurately block high-velocity attacks from bots and other malicious activities.
11. Triangulation fraud
Triangulation fraud occurs when bad actors build fake online stores to sell items at cheaper prices. The fake store has a single purpose: to steal credit card data.
After the bad actor collects a consumer’s credit card information, they forward the legitimate transaction to the real merchant. The real merchant charges the customer a second time, which leads to chargebacks. If the consumer doesn’t realize their credit card information was compromised, the bad actor may keep the stolen information and make purchases elsewhere.
12. Interception fraud
With interception fraud, bad actors attempt to intercept a customer’s order and obtain goods for resale. To do this, the bad actor will contact a vendor’s customer service partner to have the order’s shipping address changed to their own.
Bad actors may also approach the shipping company directly and ask them to reroute a delivery to an alternative address so they can intercept it. Interception fraud requires taking over a customer’s account to access order and shipping details.
10 signs of e-commerce fraud
Establishing digital identity trust is the best way to prevent e-commerce fraud. Manual reviews alone will be unsustainable when online orders increase. But there are 10 signs of e-commerce fraud all businesses and merchants can watch for:
- Customers create new email addresses to make purchases.
- Customers place higher- or lower-than-average orders.
- Customers place multiple orders in quick succession.
- Customers pay more for expedited shipping.
- Customers ship items to unusual locations.
- Customers order a product in large quantities.
- Customers use multiple shipping addresses.
- Customers use shipping or billing addresses that don’t match their IP address.
- Customers use multiple cards from a single IP address.
- Customers ship multiple orders to the same address using different cards.
1. Customers create new email addresses to make purchases
It’s not uncommon for consumers to use the same email addresses for many years, so customers registering new email addresses may indicate fraud.
Knowing an email address’s date first seen, for example, can help establish identity trust, especially for businesses that use e-commerce fraud prevention tools like Email Insights. If an email address has an age of zero, it may indicate that a bad actor created the email address on the day for fraud.
Meanwhile, the email address’s date last seen can indicate how long it’s been since a customer used that email address. An email address that hasn’t been seen in several years, for example, may have been accessed through account takeover fraud.
2. Customers place higher- or lower-than-average orders
If a good customer suddenly places an order that’s significantly higher than average, they may be a victim of fraud.
The same goes for good customers who place lower-than-average orders, as they may be the victims of account takeover fraud. A business’s products, services, or industry standards may determine what behavior is normal or risky. But, generally, purchases that are too high or too low may be cause for suspicion.
3. Customers place multiple orders in quick succession
If a business finds that customers place multiple orders in rapid succession in small denominations, a bad actor may be card testing.
Bad actors use card testing to validate stolen credit cards. Once they confirm which credit card numbers are live, they can make larger fraudulent purchases. With card testing, a bad actor may place multiple small orders at once or within a short time frame on one or many credit cards.
Essentially, they’re weeding out canceled or invalid numbers. Quick-service restaurants, in particular, are prime targets for card testing because they offer low-dollar-value items. It’s not atypical to fulfill a series of inexpensive purchases.
4. Customers pay more for expedited shipping
Bad actors may expedite shipping on fraudulent purchases to decrease the chances that a merchant will manually review the order.
They know stolen cards have a short lifespan, so they’re more likely to pay for faster, more expensive shipping. After all, it’s not their money the bad actor is spending. This sign of e-commerce fraud goes hand in hand with orders that are significantly higher than average.
A recent Kount survey revealed customer confidence statistics that show free shipping can increase their confidence in e-commerce purchases. Knowing what inspires confidence can help flag an influx of expedited shipping orders. So it’s a strong indicator if merchants see it with other items on this list.
5. Customers ship items to unusual locations
Mismatched shipping and billing addresses may be an indicator of fraud, especially if the discrepancy is several states or countries apart and not marked as gifts. If a business predominantly sells domestically, an unexpected uptick in international orders may also indicate fraud.
6. Customers order a product in large quantities
If a business receives orders for higher-than-average quantities of one product, the orders might be fraudulent.
As other circumstances on this list highlight, bad actors tend to expedite large orders, knowing victims can cancel stolen cards at any time. If a large order for the same product comes through, consider following up with the customer to confirm and clarify purchase details.
7. Customers use multiple shipping addresses
Sometimes bad actors place orders to multiple shipping addresses with several stolen cards, each placed under different names. If a customer’s account has multiple shipping addresses attached to it, this is a red flag.
8. Customers use shipping or billing addresses that don’t match their IP address
The benefit of e-commerce stores is that businesses can track the most granular details of a customer’s order: from their billing and shipping addresses to their IP address at checkout.
If these don’t match, it should raise a red flag. For example, if an IP address and a shipping address are different from an order’s billing address, the transaction may require more scrutiny.
9. Customers use multiple cards from a single IP address
If customers place orders from the same IP address but several cards, this could indicate a problem. Although it’s not unusual for customers to have more than one card, several cards — especially used at the same time — should be considered suspicious.
10. Customers ship multiple orders to the same address using different cards
This is a sign of lazy e-commerce fraud, yet it happens. Often, bad actors won’t steal information from a single card but will use multiple cards. Then they’ll attempt to place fraudulent orders with different cards and ship them to the same address. If a customer ships multiple orders with different cards to the same address, whether over one transaction or several, it could be fraud.
9 industry best practices for e-commerce fraud detection
The following industry best practices can help prevent e-commerce fraud, whether used individually or in conjunction with other behavioral indicators.
- Implement AI and machine learning.
- Link fraud signals from a data network that’s larger than your own.
- Implement risk-based or step-up authentication.
- Implement card security code requirements.
- Invest in Address Verification Services (AVS).
- Partner with a reliable third-party payment processor.
- Follow PCI standards.
- Train customer service reps on fraud.
- Keep fraud prevention software updated.
1. Implement AI and machine learning
The best way to detect and prevent e-commerce fraud is to not rely on human decisioning alone. AI fraud prevention simulates the work of experienced fraud analysts but without human error. It weighs the risk of fraud against the customer’s value on a faster and more scalable basis than a human.
AI can weigh fraud risks with the help of supervised and unsupervised machine learning. Supervised machine learning detects emerging fraud attacks, and unsupervised machine learning accounts for past decisions.
E-commerce businesses that use AI don’t just detect and prevent fraud. They accept more good orders, reduce manual reviews, and have more control over business outcomes.
2. Link fraud signals from a data network that’s larger than your own
A single sign of fraud or purchase-related red flag isn’t enough to indicate fraud. Businesses and fraud analysts should link identity elements from the fraud signals listed to better establish identity trust. And leveraging a robust data network can help them do it.
A data network that accounts for billions of digital interactions from industries across the globe can help analysts determine if a purchase is legitimate or suspicious. The more data an e-commerce business has, the faster and more accurately it can detect fraud.
3. Implement multi-factor authentication (MFA) protocols
Implementing strong password requirements on your customer accounts can reduce fraudulent activity. The better the password, the harder it will be for a bad actor to break into a customer’s account. But safety isn’t guaranteed, and friction is easy to increase by stringent password requirements.
With multi-factor authentication (MFA), businesses can better verify that a user has access to the devices associated with an account. MFA uses two or more “factors” to authenticate a user’s digital identity before granting them access to an online account or other digital assets.
4. Implement card security code requirements
Some e-commerce activities, like card-not-present (CNP) transactions, pose a higher risk of fraud. In a CNP transaction, a customer isn’t required to present a card to complete a purchase. CNP transactions are common when customers make purchases online, via mobile app, or over the phone.
These transactions pose a higher risk of fraud because businesses and merchants can’t verify a cardholder’s identity easily. Businesses should implement card security code requirements to prevent CNP fraud. Asking for each card’s three- or four-digit code can reduce the probability that a transaction is fraudulent.
5. Invest in Address Verification Services (AVS)
Bad actors regularly ship goods to different addresses. Investing in an Address Verification Service (AVS) can help businesses establish trust in their customers.
Credit card companies provide AVS and compare the address a customer submits with their known address on file with their issuing bank. Then the issuing bank returns an AVS code to the business or merchant.
AVS codes indicate discrepancies like house or unit numbers that don’t match ZIP codes, for example. Credit card processors may charge a fee for each verification. But AVS can reduce the likelihood of fraud by helping businesses to decide to accept, reject, or flag transactions.
6. Partner with a reliable third-party payment processor
Outsourcing fraud checks to a third-party payment processor is one of the easiest and safest ways to prevent e-commerce fraud. Third-party payment processors often manage things like customer chargebacks, security compliance, and data storage.
Keeping customer data safe should be a top priority, especially if customers save their credit card details in their accounts. A third-party payment processor can keep customers’ private information secure, which can cut the number of e-commerce fraud attempts against a store.
7. Follow PCI standards
Payment Card Industry (PCI) standards help businesses protect themselves and their customers from e-commerce fraud. PCI standards include six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures. MasterCard, American Express, and Visa set PCI standards to safeguard consumer data.
The Payment Card Industry Security Standards Council enforces these standards, which are mandatory for online retailers. Most major payment processors comply with PCI standards. But businesses and merchants must do their research before choosing a third-party payment processor.
8. Train customer service reps on fraud
Training can play a crucial role in preventing fraudulent activity. With a well-trained customer support team and stringent security system, businesses are less likely to be victims of fraud. With sufficient anti-fraud training, customer service reps can identify and respond to potentially fraudulent inquiries more effectively.
9. Keep fraud prevention software updated
If a business uses software to prevent e-commerce fraud, keep that software updated.
Bad actors are constantly finding ways to avoid getting caught, and anti-fraud software providers adjust to fight them every step of the way. But software that’s out of date can leave businesses vulnerable to new fraud patterns.
Anti-fraud software relies on security patches to prevent evolving fraud behaviors and protect against new viruses and malware. Without updates, businesses risk bad actors accessing data and sidestepping measures that reduce fraudulent activity, making the case for buying versus building a solution in-house.
The good news is if a business uses a pre-built fraud solution, they may already have access to tech features that keep them ahead of software updates.
E-commerce fraud detection is easier than ever
Following basic best practices can provide some e-commerce fraud protection, but most businesses can’t do it alone. But relying on manual reviews alone is tedious, hard to scale, and prone to human error.
Businesses should invest in powerful fraud prevention software to scale e-commerce fraud detection more efficiently and accurately. With Kount’s AI fraud prevention solution, businesses can prevent emerging fraud, accept more good orders, reduce manual reviews, and control business outcomes.
Kount’s AI simulates an experienced fraud analyst by weighing the risk of fraud against the customer’s value. But it’s faster and more scalable. Plus, Kount protects the entire customer journey and creates frictionless experiences for good customers, which is essential for repeat business.
For example, Kount’s solutions helped one large retailer reduce malicious fraud by $4.9 million and minimize friction for an additional $4.1 million savings, according to the latest Forrester Total Economic Impact report.
E-commerce fraud will continue to evolve, but the technology that prevents it has never been more advanced. e-commerce businesses need to know the red flags that indicate fraud so that they can reduce fraudulent activity.
Kount’s AI-driven e-commerce fraud prevention solution can automatically identify those flags to help businesses determine risk levels for each interaction. By determining the right level of identity trust, businesses can protect revenue and customer data.