Ecommerce Fraud Prevention: Strategies to Protect Your Business Against Fraud

ecommerce fraud

Retailers are no stranger to theft. But while shoppers can’t physically shoplift inventory from a shop floor, fraudsters still target online shoppers and the merchants they buy from.

In 2021 alone, approximately $20 billion in ecommerce losses were reported in the US due to online payment fraud. Countries in Asia-Pacific are most vulnerable to ecommerce fraud, with lost revenues totaling 4% of a brand’s overall turnover. But no country is safe; fraud is on the rise globally, with North American merchants seeing a 68% increase in fraud attempts throughout the COVID-19 pandemic. 

This guide shares how to identify ecommerce fraud, handle the problem, and use software to help both you and your customers prevent major financial losses. 

Table of Contents

  1. What is ecommerce fraud? 
  2. What is ecommerce fraud prevention?
  3. How to identify fraud on ecommerce websites
  4. 9 ecommerce fraud protection strategies and best practices
  5. Ecommerce fraud prevention software 

What is ecommerce fraud? 

Ecommerce fraud happens when scammers intercept transactions happening on your online store. Also known as payment fraud, it’s a criminal act in which scammers hijack transactions and steal money from either the customer, the merchant, or both. 

With global ecommerce sales tipped to reach $5.55 trillion in 2022, there’s plenty of opportunity for scammers to hijack customer data and commit fraud. Let’s take a look at the seven types of ecommerce fraud you’re likely contending with on your online store. 

image2

Friendly fraud

Friendly fraud happens when customers buy something through your ecommerce website and later file a chargeback with their bank. Shoppers illegitimately claim their purchase wasn’t delivered, looked different from what they ordered, or canceled their order shortly after placing it. A complaint to their bank prompts an investigation, causing 2.9% of enterprise brands’ ecommerce orders to result in a chargeback.

This type of chargeback fraud is rife in Australia and Canada, though 39% of global fraud attacks are friendly fraud.

“Overhead costs such as operational costs, transaction fees, and so on are included in chargeback processing,” says Dan Lee, head of marketing at Sealions. “And if the merchandise is sold to a fraudster, the merchant has a slim chance of recovering it. This results in a drop in revenue as well as the loss of a customer. As a result, ecommerce companies must take precautions to safeguard themselves and their consumers from fraud.”

Card testing fraud

Card testing is a tactic fraudsters use to determine whether a stolen credit card works. Scammers often make a small, low-value purchase so the fraudulent transaction goes under the radar of the card holder. Once the card is verified to still work, they go on to make more expensive purchases using the stolen card. 

Card testing is the second most popular type of ecommerce fraud for all merchants. Not only is it frustrating for customers, but should most of your online payments be blocked due to card testing fraud, your business will be subject to extra fees and disputes. 

Refund abuse

Refund abuse is a type of ecommerce fraud where customers return broken, damaged, or stolen items to a retailer in exchange for a refund. 

While many merchants have strict return policies that determine what qualifies for a refund, it’s still a costly problem. The National Retail Federation found that retailers lose $5.90 for every $100 in returned merchandise due to this type of fraud. It’s the type of online fraud that saw the biggest increase, with merchants reporting a 60% uplift in refund abuse last year. 

Online payment fraud

Online payment fraud happens when scammers steal another person’s payment details and use them to make purchases through your ecommerce store. 

Sometimes known as credit card fraud, it can also happen if scammers create duplicate versions of your website and encourage customers to unknowingly purchase items through a fake website. Hijackers recoup their cash and store their credit card number for future scams. 

Retailers worldwide suffer from online payment fraud, though it’s most prevalent in Mexico, where merchants saw a 77% increase in online payment fraud last year. 

Account takeover fraud

Account takeover is a type of fraud that happens when scammers break into a customer’s online account and use stored payment cards to make fraudulent purchases. 

Some 23% of brands experienced account takeover fraud last year, with scammers accessing customer accounts that use weak passwords, phishing emails, or malicious software on the device used to purchase. 

Promo, affiliate, or loyalty abuse

Ecommerce brands use promotion, affiliate, and loyalty programs to attract new customers and engage existing ones. But their popularity means promotions attract scammers who rinse your business of cash through fraud using tactics like:

  • Affiliate fraud. Affiliate marketing gives customers who refer friends a percentage commission on their order. However, some affiliates bend the rules. They send spam traffic to the website or use stolen credit cards to get paid out—even though the customers they’ve referred aren't legitimate. 
  • Loyalty fraud. Research suggests that $1 billion in rewards value is lost every year to fraud. It happens when customers join your loyalty program, earn points through stolen credit cards, and resell them for a percentage of their value on the dark web.
  • Promotion fraud.Almost half of ecommerce businesses have experienced a rise in promo abuse since the start of the COVID-19 pandemic. It happens when scammers find loopholes in a retailer’s promotions to claim products for free. 

Triangulation fraud

Ecommerce businesses that sell through various sales channels often fall victim to triangulation fraud. It happens when:

Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price. 

  • Fraudsters list your products for sale on marketplace such as eBay or Amazon
  • Customers purchase the lower-than-RRP item from the scammer using their legitimate credit card
  • The scammer uses a separate fraudulent credit card to buy the real product from your store using the customers’ shipping address
  • The customer receives their order but their credit card information is compromised

Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price.

What is ecommerce fraud prevention?

Ecommerce fraud prevention is the strategy that online merchants use to prevent, detect, and solve online fraud. Almost 90% of global merchants say it’s important to their business strategy not just for customers’ safety, but for avoiding lost profits. 

How to identify fraud on ecommerce websites

Ecommerce fraud is an expensive problem, both in terms of lost revenue from intercepted online orders and customer loyalty. Shoppers are unlikely to return to your website if they were a victim of fraud the last time they purchased through it. 

Here are seven red flags to spot fraudulent activities happening on your website.

  • Higher order volumes. Scammers using stolen credit cards often purchase high-ticket items since the cash they’re spending isn’t their own.
  • Low value orders. “Be on the lookout for low value transactions, especially if they’re only around $1,” says Ben Hyman, CEO and co-founder of rug brand Revival. “Fraudsters will purchase low value products to see if their stolen card works.”
  • Different credit cards. It’s a warning sign when one customer makes several purchases, each using a different credit card. Scammers often do this to test whether stolen credit card details work. 
  • Repeated declined transactions. Fraudsters might not have the information they need to make purchases from a stolen card. If a payment declines repeatedly due to security code errors, for example, it’s unlikely to be an honest mistake from a genuine customer.
  • Unusual IP locations. Look out for several orders from the same IP address, or suspicious orders from an IP address in a location that isn’t familiar. If most customers are in the US, for example, an attempted high-value order from an IP address in Indonesia is a warning sign of ecommerce fraud. 
  • Different billing and shipping addresses. This is especially common with triangulation fraud, where fraudsters use stolen card details to ship items to legitimate customers. 
  • PO box shipping addresses. While this type of shipping location is popular with businesses, PO boxes allow scammers to ship online orders to an anonymous location. Be wary of shipping too many orders to a single PO address. 

A purchaser that uses multiple shipping locations, a sudden change to a PO box, or several orders coming from a region or country that you had never received orders from before are all signs that ecommerce fraud could be occurring.”

—Yuvi Alpert, founder and CEO of Noémie

9 ecommerce fraud protection strategies and best practices

  1. Manually review risky orders
  2. Limit order quantities
  3. Collect proof of delivery
  4. Be PCI compliant
  5. Show clear policies on your website
  6. Be vigilant around peak shopping seasons
  7. Use verification software
  8. Build a blocklist
  9. Use IP fraud scoring tools

The ecommerce fraud detection market will be worth $69.13 billion by 2025, with enterprise companies spending 10% of their annual ecommerce revenue on payment fraud management. 

“If you do experience fraud, it's important to have a system in place for dealing with it,” says Kristin Stump, marketing manager at My Enamel Pins. “This might involve working with your payment processor to cancel the transaction and refund the customer, or contacting the customer directly to resolve the issue.” 

Here are nine fraud prevention strategies to minimize the likelihood of fraud happening through your website. 

1. Manually review risky orders

Ecommerce software exists to flag risky orders. Manually review orders that raise a red flag, reaching out to the customer for further information if you’re unsure whether it’s legitimate. 

If you’ve received a low-value order from an unusual IP location, conduct a manual review and reach out to the customer for further verification. Failing to hear back means there’s a strong chance that the order was made using a stolen credit card. 

Similarly, consult a customer’s purchase history to determine whether a risky transaction is ecommerce fraud. It’s likely not a cause for concern if a shopper who usually makes orders from the US makes one purchase from an IP address in Spain. But there’s a strong chance their account has been compromised if they’re making orders bigger than usual, using a different credit card, from a different location. 

Be vigilant when it comes to new customers. Take a closer look at orders from new customers, and be prepared to cancel or refund them if something looks suspicious.”

—Susan Carin, marketing manager at Dr.Sono

Enterprise brands reject 3.3% of domestic orders and 5.5% of international orders. But it’s important to get right. Customer experience is at risk if you approve a false positive—a genuine customer who’s been incorrectly flagged as fraud. If an online order has been declined, 18% of shoppers will avoid trying another time before moving to another merchant. One in five won’t place an order with that retailer again.

image1

2. Limit order quantities

High order quantities is a red flag for scammers using stolen credit cards to make fraudulent purchases on your ecommerce store. 

Limit the likelihood of these orders going through by limiting the number units a customer can buy. Analyze previous sales data to understand your “normal”—the average number of units you sell each day. Automatically block orders that superseded this volume to restrict the chances of people committing fraud through your online store. 

3. Collect proof of delivery 

Return fraud often happens when customers say they haven’t received their order. It’s a $25.3 billion problem online retailers face, largely exasperated by lazy shipping or third-party logistics (3PL) partners.

Combat the problem, and be sure that customers only claim when they legitimately haven’t received their delivery, by working with trusted shipping carriers or 3PLs that supply proof of delivery. Customer signatures or photos of a delivered parcel act as evidence they have received the item they’re illegitimately claiming a refund for not receiving. 

4. Be PCI compliant

All ecommerce businesses need to meet Payment Card Industry Data Security Standards if they’re processing online payments safely. These PCI compliance standards include:

  • Changing the default password for software and systems
  • Encrypting cardholder data across open, public networks
  • Using antivirus software to prevent malware attacks
  • Restricting which employees can access cardholder data
  • Regularly testing online security systems 

“Having a firewall between your internet access and any system that stores credit card details is one way to ensure PCI compliance,” says Sina Will, co-founder of Foxbackdrop. “Therefore you must verify that you are adhering to the appropriate PCI requirements to avoid sanctions or penalties.”

5. Show clear policies on your website

Policies are pages on your website that explain how your business works. Aside from blanket terms and conditions, showcase clear policies on your website to crack down on ecommerce fraud. That includes: 

  • Strong password policy. It’s easier for scammers to commit account takeover fraud if a customer’s login details are easy to crack. Alongside two-factor authentication, Stephen Light of mattress brand Nolah recommends a password policy because, “While some customers find password requirements tedious, it makes it much harder for any fraudsters to hack into our customers’ accounts if their passwords are complex.”
  • Return policy. Build your case against customers requesting chargebacks or refunds with a solid return policy. Explain what qualifies for a return, the documentation needed, and how it’ll be processed (such as a cash refund, exchange, or store credit).
  • Promotions and rewards policies. From limited order quantities to prohibiting the sale of reward points, this type of policy backs up any ecommerce fraud that goes against the terms and conditions of your promotion. 

Avoid merchant errors like unclear billing descriptions or confusing return policies that can end up frustrating legitimate customers.”

—Zarina Bahadur, founder of 123 Baby Box

6. Be vigilant around peak shopping seasons

Black Friday Cyber Monday was the biggest retail season on record, with 47 million customers spending $6.3 billion on ecommerce purchases throughout the weekend. 

Lily Will, founder and CEO of Nia Wigs, says you should be extra cautious around these dates since “customers are likewise focused and busy, and they often disregard safety measures. Many fraudsters depend on merchants being too preoccupied or distracted to identify possible fraud during these months.”

Increase your investment in fraud prevention solutions around these peak shopping times—be that through specialist software or extra cybersecurity staff who manually review risky orders. It’ll go a long way in protecting both yours and your customers’ finances during peak fraud season. 

7. Use verification software 

A telltale sign of ecommerce fraud is when a customer’s billing, shipping, or card details don’t line up correctly. Automatically identify orders that raise this red flag using verification software, such as:

  • Card verification number (CVN). Scammers only need to see the front of a credit card to make fraudulent online purchases. Add the three or four digit PIN (CVN) as a required field on your ecommerce checkout as an added layer of security. It’s the most popular fraud detection feature used by more than half of merchants. 
  • Address verification system (AVS). This verifies a customer’s billing address against the card they’re using. As Stephen Light, CEO and co-owner of Nolah says, “Many fraudsters will use multiple cards to make purchases to a single address, so an ASV can catch them out.” 
image6

8. Build a blocklist 

Catching a scammer once doesn’t mean they won’t become a repeat offender. Fraudsters can try to trick merchants by changing their name, shipping address, or credit card in the hopes that fraudulent orders will fly under the radar. 

Used by almost a quarter of merchants, blocklists prevent repeat offenders from committing fraud through their websites. It’s a document that contains names, credit card numbers, IP addresses, and shipping addresses known to be a fraud risk. Any new orders with information that matches the blocklist are automatically blocked.

While blocklists can block fraudulent orders before they’re processed, use them with care. A legitimate customer might use a credit card previously flagged as fraudulent without realizing. Blocking their order without explanation will cause confusion and frustration—two things bound to put them off future purchases once their request to be removed from a blacklist has been approved.

9. Use IP fraud scoring tools 

One person can commit several types of fraud using the same computer. Detect those serial fraudsters with IP scoring tools such as SEON or Scamalytics. Each detects an IP address that’s been linked to fraud in the past, using signals like:

  • Their location (and whether it matches the country the card is registered in)
  • Whether they’re using a VPN to disguise their true location 
  • The type of internet service provider, such as a residential or public connection 

Orders placed from an IP with a high fraud score are highlighted, ready to manually review risky orders or automatically block them. 

image7

Ecommerce fraud prevention software

The likelihood of fraud happening on your ecommerce platform scales as your business does. Protect your store with ecommerce fraud prevention tools that check, flag, and block high-risk orders on autopilot. 

Shopify Protect

image4

Shopify merchants already have access to a world-class fraud algorithm that uses machine learning and data from stores across the Shopify network to identify fraudulent ecommerce orders. 

Shopify Protect provides an extra layer of protection that secures your business against fraudulent chargebacks—the friendly fraud that costs retailers $191 each time. 

Any Shop Pay transaction that’s been cleared by Shopify Protect is safe to fulfill. Should a chargeback happen on a protected order, Shopify will cover the total cost, the chargeback fee, and handle the dispute process on your behalf. 

Price: Free for Shopify merchants.

Signifyd

image5

Signifyd is an ecommerce fraud prevention software that integrates with Shopify stores. It uses machine learning, big data, and expert reviews to identify fraudulent transactions happening through your ecommerce store. Should fraud occur, Signifyd has a financial guarantee. You won’t lose out on revenue if its software approves a fraudulent transaction. 

Signifyd also provides account takeover protection for your customers. Block suspicious login attempts and avoid takeover chargebacks to prevent ecommerce fraud on your website.  

Price: $1,500/month. 14-day free trial available. 

NoFraud

image3

NoFraud’s protection software vets ecommerce transactions to identify fraudulent transactions. Once a customer places an order through your website, the software automatically passes or fails this test. Choose to automatically cancel those transactions or flag them for internal review.

NoFraud uses proprietary and third-party systems to examine order details, such as email longevity, device history, geolocation, IP address, household income, home value, and social media to identify the person behind the transaction and the likelihood of them being the legitimate cardholder.”

—Isaac Gurary, CEO of NoFraud

Price: Free to install. Additional charges may apply.

Protect your ecommerce store with Shopify Protect

We know how much fraud can eat away at merchants’ time and profits. So today, we’re excited to share that Shopify Protect, Shop Pay’s free and built-in fraud protection, has launched in early access. The next time a merchant experiences fraud, we’ve got their costs covered.

Shopify Protect is now available to 50% of eligible merchants in the US and will roll out to 100% of merchants with Shop Pay active at the end of May. Learn more about Shopify Protect.

About the author

Elise Dopson

Elise Dopson is a freelance writer for leading B2B SaaS companies. She teaches everything she knows through Peak Freelance.