Protecting Your eCommerce Business from Fraud: Types, Risks, and Best Practices
Cyber Risks & Threats | February 15, 2023
eCommerce has revolutionized the way we shop, with businesses and customers now interacting more easily and conveniently than ever before. Anytime, anywhere, customers can purchase goods and services. Businesses gain access to a significantly larger audience, and customers gain access to products and brands that may not be available locally. Even better, online shopping can be personalized to a user based on their browsing, purchase history, and preferences.
However, there is a downside to this increased convenience. The ability to store both financial information and personal information on eCommerce platforms is appealing not only to businesses and consumers but also to cybercriminals, who target both customers and retailers alike with various forms of eCommerce fraud.
eCommerce fraud encompasses a variety of fraudulent activities, including credit card fraud, identity theft, and phishing. Sometimes eCommerce fraud can be as simple as redirecting a package to a fraudster’s address; other times it can be an entire site takeover through a compromised account. In any case, persistent fraud can result in significant losses for retailers. In 2022, the Federal Trade Commission reported a total loss of $186.1 million from online fraud, and these are just the reported losses.
In this guide, we will explain and explore the risks of eCommerce fraud, provide practical tips on detecting and handling it, and explain how to use software to prevent major financial losses.
Types of eCommerce Fraud: An Overview
The methods hackers use to infiltrate an account and access personal information are varied. While the hacker’s ultimate goal varies between each technique, it is important to note that once an account is compromised, it will likely be used again or even shared into a network of bots, making victims even more susceptible to another attack.
Below are some of the more common techniques that fraudsters use when committing eCommerce fraud. These attacks may be used as standalone techniques or in combination as part of a broader attack campaign.
Card Testing Fraud
In card testing attacks, fraudsters use credit cards to make multiple small purchases on an eCommerce website. These credit cards are either fraudulent credit cards or credit card information that is stolen via scams. Fraudsters use card testing fraud to see which stolen credit cards are active, and which cards have the highest limit. On the backend of an eCommerce site these purchases can go undetected, as they often are not flagged as fraudulent until several large purchases have already been made.
While the risk of not receiving a valid form of payment is an immediate concern, card testing fraud has additional consequences. Consider the cost that goes into each purchase on an eCommerce site: packaging, shipping, even the product itself. All of these can become a loss for your business through card testing fraud, and after a number of fraudulent purchases are made, this loss can become substantial. In addition, if a business is the victim of credit card fraud, it may incur further costs to investigate the fraudulent activity.
Chargeback Fraud
Chargeback fraud, sometimes known as “friendly fraud”, occurs when a customer disputes a legitimate charge on their credit card statement in order to receive a refund. Fraudulent chargebacks usually involve claims that the product was not as described or that it was never received. Chargeback fraud can also be used by organized groups of scammers, who use stolen credit cards to make purchases and later dispute them.
For businesses, chargeback fraud can be costly. Just like card testing fraud, the costs associated with a sale (shipping, packaging, the actual product, etc.) become a loss when a chargeback succeeds. The credit card company may also charge businesses a fee for each chargeback they receive, which can add up over time.
Interception Fraud
Another common type of eCommerce fraud is interception fraud. Interception fraud is a technique where a cybercriminal intercepts information being transmitted between an eCommerce site and a user. The information intercepted is usually sensitive to the business or the customer, and commonly includes credit card details.
The goal of interception fraud can vary. Sometimes it is focused on acquiring products: for example, a hacker makes a purchase on a victim’s account and later contacts customer service to redirect the package to the hacker’s address. More alarmingly, a hacker can use interception fraud to take over an entire eCommerce site, intercepting a customer’s, or even an admin user’s, login details through phishing and credential-stealing malware.
Account Takeover Fraud
Account takeover (ATO) fraud occurs when a fraudster gains unauthorized access to a legitimate customer’s eCommerce account, through phishing, social engineering, or by exploiting a weakness in the eCommerce website’s security. As with most eCommerce sites, personal information, financial information, and purchase history are commonly accessible on a customer’s account. Once an account is compromised, the fraudster is not only able to make unauthorized purchases on the account holder’s behalf, but they also may extract that account holder’s personal and financial information.
On a larger scale, account takeovers are carried out by bots. For example, “credential stuffing” uses combinations of email addresses and passwords on eCommerce sites, testing login credentials from previous data breaches or phishing attempts. This is just one of many bot attacks that scammers use to carry out account takeovers.
Social Engineering Fraud
In Social Engineering Fraud, con artists use psychological manipulation techniques, usually through social media, to convince victims to provide sensitive information or act in a certain way. A victim is more likely to give away their personal information, like passwords, if they feel that they can trust the con artist.
For an eCommerce site, social engineering fraud can be just as much of a threat. For instance, that same con artist could create an email account, contact an eCommerce business, and pose as a customer who has been locked out of a user account. In these situations, the business is likely to send a password reset link. Now the business has given the con artist unauthorized access to a victim’s account.
eCommerce Fraud’s Impact on Business
A compromised eCommerce business has significant consequences. Online businesses are often discussed in terms of their financial losses, but other consequences can also be equally damaging.
The following are a few potential negative effects of an eCommerce fraud attack:
- Financial Loss: In most cases, businesses that suffer eCommerce fraud have to pay the costs associated with chargebacks, which occur when customers dispute a charge. Businesses may also have to pay for replacing stolen goods, as well as any additional shipping costs associated with the fraud. For an eCommerce business, this can lead to significant financial losses.
- Damage to reputation: When a customer’s personal information has been compromised through an eCommerce site, they are likely to lose confidence in that business. The success of a business depends on customer loyalty and trust; if those two things are broken, the business could suffer.
- Legal liabilities: If an eCommerce business is not able to deliver the ordered product to the customer, or if the customer’s personal information is compromised, eCommerce fraud can lead to legal liabilities. Not only is there the potential of financial loss, the business could be held liable for financial damages and legal costs.
- Additional workload on customer service: In addition to consuming a business’s resources, fraud consumes a lot of its time as well. In the event of an attack, a company is forced to devote a significant amount of time and resources to responding to customer complaints, tracking packages, and dealing with chargebacks. In addition, this can take away valuable time from a customer service team, causing other customers to be underserved.
- Affecting the delivery and supply chain: Specific types of eCommerce fraud, interception fraud for example, can redirect a large number of packages, which can impact a business’s delivery and supply chain. As a result, there could be delays, additional costs, and revenue loss due to backorders.
- Compliance: Fraudulent eCommerce transactions may also lead to non-compliance with regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), which may result in fines.
Best Practices for Protecting Your eCommerce Business from Fraud
Keeping your online business protected from fraud is crucial for success and longevity. By taking steps to prevent eCommerce fraud, you can help your business avoid financial loss and other risks that come along the way.
Below are a few strategies you can implement to ensure your company’s security and customer satisfaction:
- Keep your software up to date: Your website and payment gateway software should be updated regularly to ensure they are secure and have the latest features. This will prevent potential information leaks, privacy vulnerabilities and compromised software.
- Always review suspicious behavior: Fraudulent activity can be detected early on by reviewing suspicious behavior before it results in significant financial losses. Keep an eye out for suspicious behavior, such as orders coming from high-risk countries or shipping addresses that aren’t the same as the billing addresses.
- Create order and purchase limits: You can reduce your risk of fraud by setting limits on both the number of purchases and the dollar amount from one account per day. Additionally, fraudulent orders are often accompanied by chargebacks, which can be costly for businesses. By setting limits on purchases, businesses can reduce the risk of chargebacks.
- Educate your customers: Make sure your customers are aware of how to prevent fraud, how to identify a scam, and what to do in case of a scam. Fraud prevention education can be easily incorporated into the checkout process by providing tips and guidelines on how to protect themselves or by creating a FAQ page on your website to provide answers to common questions about fraud prevention and online security. Always provide customer service that is responsive, informative and helpful to customers who have questions or concerns about fraud prevention.
- Be PCI compliant: PCI DSS (Payment Card Industry Data Security Standard) compliance establishes a set of security standards businesses must comply with to process, store, and transmit credit card information. Following these standards reduces the risk of fraud and protects sensitive customer information, because it requires regular security assessments that help to identify and address vulnerabilities in a business’s security systems.
- Invest in a go-to-market security solution: The most comprehensive solution for eCommerce fraud prevention is a go-to-market security tool. A go-to-market security platform, like CHEQ, can provide a layer of visibility over all fraudulent activity, testing each visitor with cybersecurity challenges and automatically blocking malicious activity.
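The card-testing pattern described earlier (many small purchases on one card in a short window) and the per-account daily limits and billing/shipping checks recommended above can be expressed as simple screening rules over an order feed. The block below is an added example written for this article, not CHEQ’s or any platform’s code; the order records, thresholds, and the country code "ZZ" are constructed placeholders.

```python
"""Order-screening rules for the fraud signals discussed in this article.
Added example with constructed sample data; thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 15, 9, 0)


def _order(i, account, card, amount, minutes, bill, ship):
    """Build a constructed order record (card is a last-4 placeholder)."""
    return {"id": f"o{i}", "account": account, "card": card, "amount": amount,
            "ts": T0 + timedelta(minutes=minutes), "bill": bill, "ship": ship}


ORDERS = (
    # six $1 purchases on one card within five minutes: card-testing pattern
    [_order(i, "acct-A", "4242", 1.0, i, "US", "US") for i in range(6)]
    # one ordinary basket from a different customer
    + [_order(10, "acct-B", "1111", 120.0, 30, "US", "US"),
       # two large orders from one account in one day, the second shipping abroad
       _order(11, "acct-C", "9999", 300.0, 60, "US", "US"),
       _order(12, "acct-C", "9999", 300.0, 90, "US", "ZZ")]
)


def card_testing_alerts(orders, window=timedelta(minutes=10), min_count=5, max_amount=5.0):
    """Return cards with at least min_count purchases of <= max_amount inside any window."""
    small = defaultdict(list)
    for o in orders:
        if o["amount"] <= max_amount:
            small[o["card"]].append(o["ts"])
    flagged = set()
    for card, times in small.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:  # sliding window
                j += 1
            if j - i >= min_count:
                flagged.add(card)
                break
    return flagged


def daily_limit_violations(orders, max_orders=3, max_total=500.0):
    """Return accounts exceeding the per-day order count or dollar total."""
    agg = defaultdict(lambda: [0, 0.0])
    for o in orders:
        key = (o["account"], o["ts"].date())
        agg[key][0] += 1
        agg[key][1] += o["amount"]
    return {acct for (acct, _), (n, total) in agg.items() if n > max_orders or total > max_total}


def mismatch_orders(orders, high_risk=frozenset()):
    """Return ids of orders whose ship country differs from billing or is on a high-risk list."""
    return [o["id"] for o in orders if o["bill"] != o["ship"] or o["ship"] in high_risk]
```

Flagged cards, accounts, and orders are inputs to a manual review queue, not automatic declines; a genuine customer placing several small orders should be challenged, not silently blocked.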
Maintaining Customer Trust and Ensuring eCommerce Security with CHEQ
With CHEQ, businesses can be confident that fraudulent activity will be challenged with the world’s first full funnel security platform, with 2000+ cybersecurity challenges for suspicious traffic and automatic blocking of malicious activity. This allows online businesses to focus on their product, and not be backlogged with reactionary solutions for fraud protection.
Frequently Asked Questions
How can I tell if I am a victim of eCommerce fraud?
For a customer, unauthorized transactions on your bank statement and charges on your credit card that you don’t recognize could be signs of fraud.
For a business, signs of eCommerce fraud include an unexpected decrease in your inventory, unusual or large orders, orders from high-risk countries, shipping addresses that don’t match billing addresses, multiple failed login attempts on a customer account, or unexpected chargebacks.
What are the most common types of eCommerce fraud, and how can I protect my business from them?
Some of the most common types of eCommerce fraud include:
- Card testing fraud
- Chargeback fraud
- Interception fraud
- Account takeover fraud
- Social engineering fraud
To protect your business, you should:
- Keep your software up to date
- Review suspicious behavior
- Create order and purchase limits
- Educate your customers
- Be PCI compliant
- Invest in a go-to-market security solution, like CHEQ
How can I ensure that my customers’ payment information is secure on my eCommerce platform?
Secure payment gateways, PCI compliance, address verification, and CVV verification are all ways to protect your customers’ payment information.
How can I reduce the risk of chargeback fraud?
Chargeback fraud can be reduced by verifying customer information, monitoring for suspicious behavior, using fraud prevention tools, and developing a chargeback prevention plan.
What are some best practices for protecting my business from account takeover and social engineering fraud?
Account takeover and social engineering fraud can be prevented by using strong passwords, implementing two-factor authentication, monitoring suspicious login attempts, and educating employees about social engineering.
How can I maintain customer trust and ensure that my business is seen as secure and reliable by shoppers?