eCommerce fraud prevention and detection best practices for businesses
eCommerce fraud has evolved and increased with the rise in online commerce accelerated by COVID-19. By 2024, eCommerce merchants may lose an estimated $24 billion to online payments fraud, according to a study by Juniper Research. While eCommerce fraud increases are nothing new, bad actors are launching more sophisticated fraud attacks.
It’s more important than ever to take proactive steps to detect and prevent eCommerce fraud. Investing in the right eCommerce fraud prevention solutions can make a big difference in customer safety and financial results. We’ve identified the top 10 types of eCommerce fraud, 10 signs of eCommerce fraud, and nine industry best practices for detecting eCommerce fraud.
10 eCommerce fraud types
- Payments fraud
- Friendly fraud
- Account takeover (ATO) fraud
- Retail arbitrage fraud
- New account opening (NAO) fraud
- eGift card fraud
- Refund fraud
- Promotion or coupon fraud
- Triangulation fraud
- Interception fraud
1. Payments fraud
Payments fraud occurs when bad actors use stolen credit cards to purchase goods and profit by reselling items. Card-not-present (CNP) transactions are most at risk for this type of fraud because the bad actor doesn’t have to present the card at the point of purchase. Businesses that don’t proactively prevent payments fraud risk losing money to chargebacks, false positives, and operational inefficiencies.
2. Friendly fraud
Friendly fraud occurs when a consumer makes an online purchase and then disputes the charge with their bank. These disputes often end in chargebacks for the merchant. In some cases, the consumer has malicious intent to dispute the payment and keep the goods or services. But more often, consumers call their credit card companies or banks to dispute charges they don’t recognize.
Usually, friendly fraud isn’t attributed to criminal enterprises, but it can still damage profits and affect inventory. However, businesses and merchants can prevent friendly fraud, resolve disputes, and avoid chargebacks with a real-time chargeback prevention solution.
3. Account takeover (ATO) fraud
Account takeover fraud occurs when a human, bot, or botnet uses stolen credentials to access customer accounts. Once they have access, bad actors can drain monetary funds or loyalty points, steal customer data, or purchase goods or services. Beyond lost revenue, account takeover fraud damages brand reputations and can permanently erode the trust of good customers.
The rise in this type of non-financial credentials fraud is due to the dark web demand for stolen email addresses, passwords, and other private personal information. When a bad actor discovers the right combination of username and password, they can access and exploit genuine customer accounts.
4. Retail arbitrage fraud
Retail arbitrage fraud occurs when malicious bots allow a single buyer to purchase large quantities of discounted items for resale on a different marketplace. This type of fraud can quickly undercut revenue and profits, drain inventory, and steal discount-conscious customers away. Retail arbitrage fraud can result in dramatic price differences across marketplaces and poor customer experiences that can reflect poorly on brands.
Bots are evolving, so malicious bots are becoming harder to detect and block with perimeter security, web application firewalls, and content delivery networks. The latest generation of bot protection solutions can accurately identify and classify even the most sophisticated bots. They can block malicious bot activity, allow good bot activity, and verify questionable bot activity with step-up authentication.
5. New account opening (NAO) fraud
New account opening fraud occurs when a bad actor creates new accounts to take advantage of offers and services. The bad actor creates the account using bits and pieces of real identity data. This makes it hard for the merchant to determine if the account belongs to a legitimate customer. Without eCommerce fraud detection methods, this can lead to identity fraud and illegitimate purchases online.
6. eGift card fraud
With eGift card fraud, a bad actor steals a consumer’s payment information and buys an eGift card. From there, the bad actor may resell the eGift card online. When another consumer buys it, the bad actor pockets the consumer’s money and payment information. Meanwhile, the original consumer whose payment information the bad actor used to buy the eGift card calls their credit card company to dispute the charge. The dispute ends in a chargeback for the merchant.
eGift card fraud is difficult to trace because bad actors don’t have to ship cards to an address. So when it comes to resolving eGift card fraud, merchants take a significant financial hit. Luckily, there are several ways businesses and merchants can avoid eGift card fraud.
7. Refund fraud
Refund fraud is a big problem for any company that ships goods or accepts returns. Essentially, refund fraud happens when bad actors exploit gaps in logistics or fulfillment processes to turn a profit or get goods for free. There are several kinds of refund fraud, including did-not-arrive (DNA), empty box or partially empty box, fake tracking ID (FTID), and refund as a service. Some bad actors are part of larger, more organized groups abusing refund policies.
But not all bad actors are in those bigger groups. Some are opportunistic customers. And, unfortunately, refund fraud happens without a chargeback or a traditional dispute to alert the merchant, which makes it hard to detect.
8. Promotion or coupon fraud
Businesses depend on promotional sales and lead-generating promotional campaigns to acquire new customers and keep loyal customers happy. In promotion or coupon fraud, a bad actor abuses a business’s coupon or promotional policies. Bad actors may attempt to defraud a business by using promotional codes multiple times or abusing coupon policies to obtain goods for free. Referral programs and sale-saving tactics like cart-abandonment and apology vouchers are most at risk for this type of fraud.
9. Triangulation fraud
Triangulation fraud occurs when bad actors build fake online stores to sell items at cheaper prices. The fake store has a single purpose: to steal credit card data. After the bad actor collects a consumer’s credit card information, they forward the legitimate transaction to the real merchant. The real merchant charges the customer a second time, which leads to chargebacks. If the consumer doesn’t realize their credit card information was compromised, the bad actor may keep the stolen information and make purchases elsewhere.
10. Interception fraud
With interception fraud, bad actors attempt to intercept a customer’s order and obtain goods for resale. To do this, the bad actor will contact a vendor’s customer service partner to have the order’s shipping address changed to their own. Bad actors may also approach the shipping company directly and ask them to reroute a delivery to an alternative address so they can intercept it. Interception fraud requires taking over a customer’s account to access order and shipping details.
10 signs of eCommerce fraud
Establishing identity trust is the best way to prevent eCommerce fraud. Manual reviews alone will be unsustainable when online orders increase. But there are 10 signs of eCommerce fraud all businesses and merchants can watch for:
- Customers create new email addresses to make purchases.
- Customers place higher- or lower-than-average orders.
- Customers place multiple orders in quick succession.
- Customers pay more for expedited shipping.
- Customers ship items to unusual locations.
- Customers order a product in large quantities.
- Customers use multiple shipping addresses.
- Customers use shipping or billing addresses that don’t match their IP address.
- Customers use multiple cards from a single IP address.
- Customers ship multiple orders to the same address using different cards.
1. Customers create new email addresses to make purchases
It’s not uncommon for consumers to use the same email addresses for many years, so customers registering new email addresses may indicate fraud. Knowing an email address’s date first seen, for example, can help establish identity trust, especially for businesses that use eCommerce fraud prevention tools like Email Insights. If an email address has an age of zero, it may indicate that a bad actor created the address that same day specifically to commit fraud.
Meanwhile, the email address’s date last seen can indicate how long it’s been since a customer used that email address. An email address that hasn’t been seen in several years, for example, may have been accessed through account takeover fraud.
2. Customers place higher- or lower-than-average orders
If a good customer suddenly places an order that’s significantly higher than average, they may be a victim of fraud. The same goes for good customers who place lower-than-average orders, as they may be the victims of account takeover fraud. A business’s products, services, or industry standards may determine what behavior is normal or risky. But, generally, purchases that are too high or too low may be cause for suspicion.
3. Customers place multiple orders in quick succession
If a business finds that customers place multiple orders in rapid succession in small denominations, a bad actor may be card testing. Bad actors use card testing to validate stolen credit cards. Once they confirm which credit card numbers are live, they can make larger fraudulent purchases. With card testing, a bad actor may place multiple small orders at once or within a short time frame on one or many credit cards.
Essentially, they’re weeding out canceled or invalid numbers. Quick-service restaurants, in particular, are prime targets for card testing because they offer low-dollar-value items. It’s not atypical to fulfill a series of inexpensive purchases.
4. Customers pay more for expedited shipping
Bad actors may expedite shipping on fraudulent purchases to decrease the chances that a merchant will manually review the order. They know stolen cards have a short lifespan, so they’re more likely to pay for faster, more expensive shipping. After all, it’s not their money the bad actor is spending. This sign of eCommerce fraud goes hand in hand with orders that are significantly higher than average. Expedited shipping isn’t a red flag on its own. But it may be a strong indicator if merchants see it with other items on this list.
5. Customers ship items to unusual locations
Mismatched shipping and billing addresses may be an indicator of fraud, especially if the two addresses are several states or countries apart and the order isn’t marked as a gift. If a business predominantly sells domestically, an unexpected uptick in international orders may also indicate fraud.
6. Customers order a product in large quantities
If a business receives orders for higher-than-average quantities of one product, the orders might be fraudulent. As other circumstances on this list highlight, bad actors tend to expedite large orders, knowing victims can cancel stolen cards at any time. If a large order for the same product comes through, consider following up with the customer to confirm and clarify purchase details.
7. Customers use multiple shipping addresses
Sometimes bad actors place orders to multiple shipping addresses with several stolen cards, each placed under different names. If a customer’s account has multiple shipping addresses attached to it, this is a red flag.
8. Customers use shipping or billing addresses that don’t match their IP address
The benefit of eCommerce stores is that businesses can track the most granular details of a customer’s order: from their billing and shipping addresses to their IP address at checkout. If these don’t match, it should raise a red flag. For example, if an IP address and a shipping address are different from an order’s billing address, the transaction may require more scrutiny.
9. Customers use multiple cards from a single IP address
If customers place orders from the same IP address with several different cards, this could indicate a problem. Although it’s not unusual for customers to have more than one card, several cards, especially when used at the same time, should be considered suspicious.
10. Customers ship multiple orders to the same address using different cards
This is a sign of lazy eCommerce fraud, yet it happens. Often, bad actors won’t steal information from a single card but will use multiple cards. Then they’ll attempt to place fraudulent orders with different cards and ship them to the same address. If a customer ships multiple orders with different cards to the same address, whether over one transaction or several, it could be fraud.
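As an added illustration (not code from the original article or from any vendor), the Python sketch below checks a batch of orders for three of the signs above: sign 3 (bursts of small orders that suggest card testing), sign 9 (multiple cards from one IP address), and sign 10 (different cards shipping to one address). The order records are constructed sample data, and the field names and thresholds (3 cards, 3 orders, a 10-minute window, a $5.00 ceiling) are assumptions to tune against a business's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class Order(NamedTuple):
    order_id: str
    ts: str        # ISO 8601 timestamp of checkout
    ip: str        # client IP address at checkout
    card: str      # card token from the processor, never the raw card number
    ship_to: str   # shipping address, assumed already normalized
    amount: float

# Constructed sample orders (not real data).
ORDERS = [
    Order("o1", "2024-03-01T10:00:00", "203.0.113.7", "card_A", "12 Elm St", 1.00),
    Order("o2", "2024-03-01T10:01:00", "203.0.113.7", "card_B", "12 Elm St", 1.50),
    Order("o3", "2024-03-01T10:02:00", "203.0.113.7", "card_C", "12 Elm St", 2.00),
    Order("o4", "2024-03-01T10:03:00", "203.0.113.7", "card_D", "9 Oak Ave", 1.25),
    Order("o5", "2024-03-01T11:00:00", "198.51.100.4", "card_E", "40 Pine Rd", 85.00),
    Order("o6", "2024-03-02T09:00:00", "198.51.100.9", "card_F", "77 Lake Dr", 60.00),
    Order("o7", "2024-03-05T15:00:00", "192.0.2.33", "card_G", "77 Lake Dr", 45.00),
    Order("o8", "2024-03-06T15:00:00", "192.0.2.50", "card_H", "77 Lake Dr", 52.00),
]

def distinct_cards_by(orders, field, min_cards=3):
    """Signs 9 and 10: values of `field` ("ip" or "ship_to") seen with many cards."""
    cards = defaultdict(set)
    for o in orders:
        cards[getattr(o, field)].add(o.card)
    return {k: sorted(v) for k, v in cards.items() if len(v) >= min_cards}

def card_testing_sources(orders, window=timedelta(minutes=10),
                         max_amount=5.00, min_orders=3):
    """Sign 3: IPs placing min_orders or more small orders inside one window."""
    small = defaultdict(list)
    for o in orders:
        if o.amount <= max_amount:
            small[o.ip].append(datetime.fromisoformat(o.ts))
    flagged = set()
    for ip, times in small.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= min_orders:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print("many cards per IP:     ", distinct_cards_by(ORDERS, "ip"))
    print("many cards per address:", distinct_cards_by(ORDERS, "ship_to"))
    print("card-testing sources:  ", card_testing_sources(ORDERS))
```

Note that "77 Lake Dr" is flagged even though its three orders arrive from three IP addresses over several days, which per-IP velocity checks alone would miss.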
9 industry best practices for eCommerce fraud detection
The following industry best practices can help prevent eCommerce fraud, whether used individually or in conjunction with other behavioral indicators.
- Implement AI and machine learning.
- Link fraud signals from a data network that’s larger than your own.
- Implement risk-based or step-up authentication.
- Implement card security code requirements.
- Invest in Address Verification Services (AVS).
- Partner with a reliable third-party payment processor.
- Follow PCI standards.
- Train customer service reps on fraud.
- Keep fraud prevention software updated.
1. Implement AI and machine learning
The best way to detect and prevent eCommerce fraud is to not rely on human decisioning alone. AI fraud prevention simulates the work of experienced fraud analysts but without human error. It weighs the risk of fraud against the customer’s value on a faster and more scalable basis than a human.
AI can weigh fraud risks with the help of supervised and unsupervised machine learning. Supervised machine learning detects emerging fraud attacks, and unsupervised machine learning accounts for past decisions. eCommerce businesses that use AI don’t just detect and prevent fraud. They accept more good orders, reduce manual reviews, and have more control over business outcomes.
2. Link fraud signals from a data network that’s larger than your own
A single sign of fraud or purchase-related red flag isn’t enough to indicate fraud. Businesses and fraud analysts should link identity elements from the fraud signals listed to better establish identity trust. And leveraging a robust data network can help them do it.
A data network that accounts for billions of digital interactions from industries across the globe can help analysts determine if a purchase is legitimate or suspicious. The more data an eCommerce business has, the faster and more accurately it can detect fraud.
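One way to link identity elements across orders, shown here as an added example rather than any vendor's method: orders that share an email, IP address, card token, or shipping address are merged into clusters with a union-find structure, so chains of weak pairwise links surface as one group. The records and field names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample orders (not real data); card values are processor tokens.
ORDERS = {
    "o1": {"email": "a@example.com", "ip": "203.0.113.7", "card": "card_A", "ship_to": "12 Elm St"},
    "o2": {"email": "b@example.com", "ip": "203.0.113.7", "card": "card_B", "ship_to": "9 Oak Ave"},
    "o3": {"email": "c@example.com", "ip": "198.51.100.4", "card": "card_B", "ship_to": "5 Bay Ct"},
    "o4": {"email": "d@example.com", "ip": "192.0.2.33", "card": "card_D", "ship_to": "5 Bay Ct"},
    "o5": {"email": "e@example.com", "ip": "192.0.2.80", "card": "card_E", "ship_to": "40 Pine Rd"},
}

def link_orders(orders):
    """Cluster orders that are connected through any shared identity element."""
    parent = {oid: oid for oid in orders}

    def find(x):
        # Follow parent pointers to the cluster root, compressing the path.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first order that carried it
    for oid, attrs in orders.items():
        for element in attrs.items():
            if element in first_seen:
                parent[find(oid)] = find(first_seen[element])  # merge clusters
            else:
                first_seen[element] = oid

    clusters = defaultdict(set)
    for oid in orders:
        clusters[find(oid)].add(oid)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)

def largest_single_field_group(orders):
    """Largest number of orders that share any one identity element directly."""
    counts = Counter(el for attrs in orders.values() for el in attrs.items())
    return max(counts.values())

if __name__ == "__main__":
    print("linked clusters:", link_orders(ORDERS))
    print("largest direct group:", largest_single_field_group(ORDERS))
```

No single element here is shared by more than two orders, yet linking them transitively (o1 and o2 by IP, o2 and o3 by card, o3 and o4 by shipping address) places four orders in one cluster for review.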
3. Implement risk-based or step-up authentication
Implementing strong password requirements on your customer accounts can reduce fraudulent activity. The better the password, the harder it will be for a bad actor to break into a customer’s account. But safety isn’t guaranteed.
With risk-based authentication (RBA) or step-up authentication, issuing banks apply varying levels of scrutiny to authentication processes based on the interaction’s level of risk. The higher the risk, the more rigorous the authentication process. Step-up authentication adds a challenge to interactions that present a higher likelihood of fraud.
4. Implement card security code requirements
Some eCommerce activities, like card-not-present (CNP) transactions, pose a higher risk of fraud. In a CNP transaction, a customer isn’t required to present a card to complete a purchase. CNP transactions are common when customers make purchases online, via mobile app, or over the phone.
These transactions pose a higher risk of fraud because businesses and merchants can’t verify a cardholder’s identity easily. Businesses should implement card security code requirements to prevent CNP fraud. Asking for each card’s three- or four-digit code can reduce the probability that a transaction is fraudulent.
5. Invest in Address Verification Services (AVS)
Bad actors regularly ship goods to different addresses. Investing in an Address Verification Service (AVS) can help businesses establish trust in their customers. Credit card companies provide AVS and compare the address a customer submits with their known address on file with their issuing bank. Then the issuing bank returns an AVS code to the business or merchant.
AVS codes indicate discrepancies like house or unit numbers that don’t match ZIP codes, for example. Credit card processors may charge a fee for each verification. But AVS can reduce the likelihood of fraud by helping businesses to decide to accept, reject, or flag transactions.
6. Partner with a reliable third-party payment processor
Outsourcing fraud checks to a third-party payment processor is one of the easiest and safest ways to prevent eCommerce fraud. Third-party payment processors often manage things like customer chargebacks, security compliance, and data storage.
Keeping customer data safe should be a top priority, especially if customers save their credit card details in their accounts. A third-party payment processor can keep customers’ private information secure, which can cut the number of eCommerce fraud attempts against a store.
7. Follow PCI standards
Payment Card Industry (PCI) standards help businesses protect themselves and their customers from eCommerce fraud. PCI standards include six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures. MasterCard, American Express, and Visa set PCI standards to safeguard consumer data.
The Payment Card Industry Security Standards Council enforces these standards, which are mandatory for online retailers. Most major payment processors comply with PCI standards. But businesses and merchants must do their research before choosing a third-party payment processor.
8. Train customer service reps on fraud
Training can play a crucial role in preventing fraudulent activity. With a well-trained customer support team and stringent security system, businesses are less likely to be victims of fraud. With sufficient anti-fraud training, customer service reps can identify and respond to potentially fraudulent inquiries more effectively.
9. Keep fraud prevention software updated
If a business uses software to prevent eCommerce fraud, keep that software updated. Bad actors are constantly finding ways to avoid getting caught, and anti-fraud software providers adjust to fight them every step of the way. But software that’s out of date can leave businesses vulnerable to new fraud patterns.
Anti-fraud software relies on security patches to prevent evolving fraud behaviors and protect against new viruses and malware. Without updates, businesses risk bad actors accessing data and sidestepping measures that reduce fraudulent activity.
eCommerce fraud detection is easier than ever
Following basic best practices can provide some eCommerce fraud protection, but most businesses can’t do it alone. Relying on manual reviews alone is tedious, hard to scale, and prone to human error. Businesses should invest in powerful fraud prevention software to scale eCommerce fraud detection and prevention more efficiently and accurately.
With Kount’s AI-driven fraud prevention solution, businesses can prevent emerging fraud, accept more good orders, reduce manual reviews, and control business outcomes. Kount’s AI simulates an experienced fraud analyst by weighing the risk of fraud against the customer’s value. But it’s faster and more scalable. Plus, Kount protects the entire customer journey and creates frictionless experiences for good customers, which is essential for repeat business.
eCommerce fraud will continue to evolve, but the technology that prevents it has never been more advanced. eCommerce businesses need to know the red flags that indicate fraud so that they can reduce fraudulent activity. Kount’s AI-driven eCommerce fraud prevention solution can automatically identify those flags to help businesses determine risk levels for each interaction. By determining the right level of identity trust, businesses can protect revenue and customer data.