Your suspicions are correct: ecommerce fraud is on the rise. A nearly 30% rise, to put an exact number on it, according to a year-over-year study from LexisNexis Risk Solutions. Even more troubling: that figure is almost twice the growth of ecommerce sales, based on data from Digital Commerce 360.
To make matters worse, ecommerce merchants have to fight fraud on two different fronts. For one, you have to protect yourselves from schemes targeting merchants specifically, like fraudulent chargebacks or site mimicking (see below).
But on top of that, you also have to protect your customers from scams. Harboring scammers on your site is a kiss of death for online stores, even if you’re as much of a victim as your shoppers.
Luckily, ecommerce fraud prevention is also on the rise, with methods just as sophisticated as the scams they thwart. In this article, we outline the 7 worst and most common fraud scams for ecommerce: how they work, what warning signs to watch out for, your best defenses, and 10 ecommerce fraud prevention tools to optimize security.
Let’s get started!
7 Worst Ecommerce Fraud Scams to Watch For
Your first defense against ecommerce fraud is simply knowing what to look out for. Here are the 7 most common scams online stores are vulnerable to.
1. Email Account Phishing
Most people are familiar with email phishing scams, so let’s start there. These are as old as the internet itself, so many of you have likely already opened an email from a stranger asking for sensitive account information.
However, lately we’re seeing an increase in scammers posing not as Nigerian princes, but as ecommerce stores. They send emails disguised as order/delivery confirmations, aimed at either extracting sensitive account data or leading victims to a fraudulent site.
In the best-case scenarios, these lead to an unexpected advertisement page rather than an official store page. Other times, it’s not so harmless; links in phishing emails often go to trap sites with viruses, malware, or other hacking-related misfortunes. That’s why it’s always recommended to hover over suspicious links rather than click them.
2. Identity Theft
If some poor soul loses their account information to a phishing email, what happens next? The scammer takes that info and buys a bunch of expensive gifts for themselves, and guess who pays the bill. Posing as someone else and making purchases with their financial information is known as identity theft.
Strange as it sounds, the retailer is often the one hurt most by identity theft: a credit card company usually initiates chargebacks on behalf of the victim, but with no obligation to return the merchandise. Even if the retailer manages to reclaim products, they’re no longer new. The only way for a retailer to escape identity theft unscathed is to stop it before it starts.
It’s also worth mentioning that online stores need to watch out for becoming unwitting accomplices in identity theft. If your site is not secure, hackers can steal your customers’ information from right under your nose — as was the million-dollar case in the 2013 Target hacks.
3. Pagejacking
You’re on a site you’ve used hundreds of times before, but this time, on this particular page, something just seems… off. It could be that the site had one of their pages jacked. Pagejacking is when hackers create a fraudulent web page that mimics an existing site.
More advanced cases involve pagejacking a high-ranking site and syphoning off its search engine traffic. Pagejacking is also commonly associated with “mousetrapping,” in which a page prevents users from exiting, for example, by opening a new window every time the user tries to close the browser or flooding their computer with endless pop-ups.
But as far as ecommerce is concerned, pagejacking is another effective technique for phishing, such as mimicking a site’s login page to collect usernames and passwords. The last thing an ecommerce brand wants is their customers second-guessing their legitimacy every time they log in.
4. Chargeback Fraud
Chargeback fraud is painfully simple and woefully common. Basically, the scammer purchases a large ecommerce order and then cancels the payment after it’s shipped. They keep the merchandise when it arrives without paying a cent.
The methods vary, although it can be as easy as the scammer calling the credit card company themselves and saying they had their identity stolen.
Another popular technique is claiming the delivery never arrived so the scammer receives a duplicate order for free. Even if the scam is caught in time, even in the best situations, the merchant still has to investigate false claims.
To make matters worse, merchants have to differentiate “friendly fraud” from actual chargeback fraud.
Friendly fraud is when a legitimate customer accidentally causes a chargeback fraud, such as missing a package delivery or entering the wrong payment details. Merchants are stuck in the dark about whether a chargeback had malicious intentions or was just an accident, with fear of offending a well-intentioned customer with accusations of fraud.
Ecommerce brands that operate under a subscription model deal with friendly fraud often, as customers claim they didn’t know the charges were recurring. It’s best for subscription brands to make charges clear and obvious before customers sign up.
5. Triangulation Fraud
Let’s move into more advanced fraud schemes, reserved for more clever and experienced con artists. To explain how triangulation fraud works, let’s break it down into steps.
- The scammer creates a fake listing for a real product with a significant price markup. This isn’t always so fraudulent, either; sites like eBay allow users to post and sell items without verification.
- A customer “buys” the product from the fake listing, giving the scammer all their personal data.
- The scammer takes the customer’s data and buys that same item for them at a different site for less. They have the item shipped to the customer.
- The customer receives the item they bought, without realizing they overpaid. The scammer keeps the markup profit.
One of the most devious parts of this scam is that the victims don’t even necessarily know they’ve been scammed.
Additionally, successful triangulation fraudsters accumulate long lists of account data and credit card numbers. More often than not, they use different credit cards for step 3 to throw off their scent.
That means the victim of triangulation fraud could have their data used again in an unrelated scam months or years later.
6. Affiliate Fraud
Specifically targeting ecommerce merchants with affiliate programs, affiliate fraud refers to scammers manipulating or abusing affiliate links to get a greater payoff. In other words, if an affiliate gets paid for every visitor they send a site, a scammer can make it seem like they sent more visitors than they actually did, earning a bigger paycheck.
Affiliate fraud often involves hacking and automated systems, but in some cases, it can be as simple as using a stable of fake profiles. Scammers usually must have a certain level of computer skills to deftly avoid detection.
7. Supplier Identity Fraud
Last, another merchant-specific fraud scheme: the scammer poses as a manufacturer, wholesale supplier, or other B2B business, promising a service they never intend to deliver. Online stores sign up, hand over some money, but never hear from the supplier again.
These scams draw a lot on other scams like phishing and maybe even pagejacking, with the big difference being they target businesses instead of consumers. It’s one of the reasons we always recommend thoroughly researching who you’re doing business with.
Ecommerce Fraud Warning Signs: Stop Scams Before They Start
An ounce of prevention is worth a pound of cure.
The most effective method of ecommerce fraud prevention is recognizing the warning signs early enough to avoid them. Here are some red flags every online store should keep an eye on:
- Shipping and billing addresses are different. As is often the case for identity theft and triangulation fraud, the owner of the card is not receiving the goods.
- Multiple orders on the same item. Ecommerce fraudsters tend to target high-ticket items, and when they find one they like, they’ll use it over and over. Often the goods are fenced anyway, so it’s more about the monetary value than the actual product.
- Multiple orders to the same address but different cards. Overusing the same stolen card numbers brings unwanted attention and suspicion, so experienced scammers like to change it up… and it’s easier to use a different credit card number than have goods shipped to a different address. (Make sure to check out our guide on how to prevent and reduce credit card fraud by 98% using Stripe Radar.)
- Suspiciously large orders (especially expedited shipping). As with most crime, scammers want to make sure the rewards are worth the risks. That’s why ecommerce scams frequently involve large orders, in case it’s the fraudster’s last. They also want the exchanges to go through as quickly as possible before their victims catch on, hence expedited shipping.
- Suspicious email addresses or phone numbers. Identity theft is rarely foolproof — there are usually one or two holes. Keep on the lookout for email addresses that don’t seem to add up (different names, companies posing as individuals, etc.) as well as suspicious phone numbers (i.e. different country or area codes than the billing address).
- Repeated declined transactions. Having a transaction declined once or twice happens to everyone, but repeated declined transactions are a red flag. Although sometimes innocent, it can be a sign of someone trying to guess sensitive information they don’t have lawful access to.
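The red flags above, expressed as a rule-based screen over a batch of orders. This is an added example, not part of the original article; the field names, thresholds and sample orders are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to your own order history.
LARGE_ORDER_TOTAL = 1000.00
MAX_DECLINES = 3
MAX_SAME_ITEM = 3

@dataclass
class Order:
    order_id: str
    card_fingerprint: str   # tokenized card reference, never the raw card number
    billing_addr: str       # addresses are assumed to be normalized already
    shipping_addr: str
    billing_country: str
    phone_country: str
    sku: str
    total: float
    expedited: bool
    declines: int           # declined attempts before this order went through

def flag_orders(orders):
    """Return {order_id: [red flags]} for every order that trips at least one rule."""
    cards_by_addr = defaultdict(set)
    orders_by_addr_sku = defaultdict(int)
    for o in orders:
        cards_by_addr[o.shipping_addr].add(o.card_fingerprint)
        orders_by_addr_sku[(o.shipping_addr, o.sku)] += 1

    flagged = {}
    for o in orders:
        flags = []
        if o.shipping_addr != o.billing_addr:
            flags.append("shipping_billing_mismatch")
        if orders_by_addr_sku[(o.shipping_addr, o.sku)] >= MAX_SAME_ITEM:
            flags.append("repeat_orders_same_item")
        if len(cards_by_addr[o.shipping_addr]) > 1:
            flags.append("multiple_cards_one_address")
        if o.total >= LARGE_ORDER_TOTAL and o.expedited:
            flags.append("large_expedited_order")
        if o.phone_country != o.billing_country:
            flags.append("phone_country_mismatch")
        if o.declines >= MAX_DECLINES:
            flags.append("repeated_declines")
        if flags:
            flagged[o.order_id] = flags
    return flagged

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A100", "card_1", "12 Oak St", "12 Oak St", "US", "US", "MUG-01", 24.0, False, 0),
    Order("A101", "card_2", "7 Elm Rd", "99 Dock Ave", "US", "RO", "TV-55", 1800.0, True, 4),
    Order("A102", "card_3", "3 Pine Ct", "99 Dock Ave", "US", "US", "TV-55", 1800.0, True, 0),
    Order("A103", "card_4", "99 Dock Ave", "99 Dock Ave", "US", "US", "TV-55", 1800.0, False, 0),
]

if __name__ == "__main__":
    for order_id, flags in flag_orders(SAMPLE_ORDERS).items():
        print(order_id, flags)
```

A flag here is a reason to route the order to manual review, not proof of fraud: a gift shipped to a different address trips the first rule just as a stolen card does.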
Ecommerce Fraud Prevention: Your Ironclad Defense
Now that you know all the misfortunes that can happen to you, let’s move on to the real reason you’re here: making sure it doesn’t! Here’s the best advice on ecommerce fraud prevention and protecting your online store against scams.
First, start with the official guidelines for ecommerce fraud prevention: the Payment Card Industry Security Standards Council (PCI SSC). Basically, the biggest credit card brands around the world got together and outlined a list of best practices for avoiding scams. Think of these as the bare minimum for ecommerce fraud prevention, and a good starting point.
Luckily, a lot of payment gateways can handle PCI compliance for you, so you can solve the problem straightaway by choosing more secure ones. We explain how to comply with the PCI guidelines here or you can go straight to the source with the PCI SSC blog.
AVS and CVV
More low-hanging fruit for fighting fraud: Address Verification Services (AVS) and Card Verification Value (CVV). These standard security measures are closer to rules than recommendations.
AVS makes sure the billing address entered matches the billing address on file, while CVV requires customers to enter the three-number code on the back of the card (in case the identity thief only stole the card numbers, not the actual card).
Both of these safeguards are typically included in the payment processor, so make sure they’re present before choosing yours.
Required Signature on Delivery
With so many ecommerce scams involving fake identities, a physical signature can carry a lot of weight. Although this option may cost extra depending on your shipping, it’s a great defense against identity theft, fraudulent chargebacks, and triangulation schemes.
If scammers are trying to convince you they’re someone else, or that a delivery never arrived, a required signature corners them in their own trap.
Follow Up Personally
Scammers love lazy victims. They never look twice.
A successful con involves things falling through the cracks, so one of the most effective preventative measures is to follow up on suspicions. If you have the time to spare, a little extra attention and elbow grease can reveal exactly what the scammer doesn’t want you to see. Consider these options:
- Email the customer personally to see if their email address is authentic. Innocent customers won’t mind if you politely explain your suspicions, but scammers won’t know what to do. Pay attention to things like grammar and spelling in their responses to see if English is their second language.
- Verify the person on social media. Search for their name and/or username to see whether or not they’re real, and whether their profiles match their other information.
- Call the customer’s phone. This is the quickest route to verifying someone is who they say.
- Delay the shipment. As we’ve said, scammers want their operations completed as quickly as possible to decrease the chances of getting caught. If you delay a shipment on purpose, and tell them as much, it may scare them off. This is an inconvenience to honest shoppers, so only use it if you have to.
Of course, you don’t have the time to do all this for every order, so a good start is to develop your instincts. Learn to identify suspicious orders early, and if something seems off to you — even just a little — by all means, don’t ignore it.
Always Use HTTPS
What’s the difference between HTTP and HTTPS? In a word, encryption. HTTPS works with another protocol, Secure Sockets Layer (SSL), to protect data as it “moves” across the internet. HTTP (no S) does not, so HTTPS is always better for avoiding hackers. Think of the S as standing for Security.
HTTPS has other benefits too, such as better SEO ranking and more accurate referral data. If you’re using WordPress, read our in-depth guide on how to switch from HTTP to HTTPS. And if you’re managing a WooCommerce store, here’s how to install an SSL certificate.
Last but not least, you can share the burden of security with your customers by requiring them to have safer, more elaborate passwords. Sure, no one likes those annoying password requirements, especially if they have accounts on tons of sites… but really, getting victimized by a credit card scam is a lot more inconvenient than remembering a new password.
At the moment, the industry standard is eight characters, one capital letter, and one special character. Anything less than this is a risk, and for extra security, you can add more requirements like a number, or even randomly generated passwords.
Top 10 Best Tools for Ecommerce Fraud Prevention
You’re not alone in your fight against fraud; there are tons of allies if you know where to look. Here are the 10 best software tools for ecommerce fraud prevention.
1. Signifyd
With a sliding scale to accommodate both large and small businesses, Signifyd is one of the first places to look for fraud prevention software. It runs in the backend of your store and assigns every purchase a “score” based on the likelihood that it’s fraud.
Users have the option of handling the case themselves or enlisting help from the Signifyd team. They also offer insurance on select orders, for extra peace of mind in case there’s something suspicious you can’t put your finger on.
2. Sift
Formerly Sift Science, the fraud prevention tool Sift is aimed at higher-end stores — more features for more money. Although you can buy individual packages, the full suite offers:
- order evaluations
- fake account prevention
- account takeover prevention
- abuse of promotions prevention
- spam prevention for content
- device fingerprinting API
Sift touts its machine learning as one of the best in the industry, so perhaps that, along with the other features, justifies the price tag.
3. Simility
Simility specializes in “device fingerprinting,” identifying a device and evaluating its threat level. By monitoring a device’s data — location, OS, language, web browser, username, even the battery level! — Simility cross-references the device against any blacklists and determines its threat level.
4. DupZapper
Easy to use, quick to install, and no API integration necessary, DupZapper is a low-maintenance, high-return tool. Designed to regulate online gaming, their algorithm detects duplicate accounts, geography consistency, cookie-blocking, and proxy usage, among other things. If you’re looking for painless and effortless fraud prevention tools, this is our recommendation.
5. Kount
A favorite of global enterprises like Chase Bank and GNC, Kount is another high-cost, high-quality option. If you have the budget for it, Kount enlists some of the most advanced technology to assess the risk of a transaction, utilizing over 200 data variables. Their system is also one of the fastest with a response time of less than a second (300 milliseconds, to be precise). For large companies with sizable budgets, that speed can be useful when going through your daily orders.
6. Subuno
Subuno offers a lot for its low price: over 20 fraud detection tools that analyze over 100 risk factors. It’s a prime choice for those who don’t have a lot in their budget but still prioritize site safety, especially considering it works with ecommerce sites like Shopify and WooCommerce.
7. Riskified
Riskified sets itself apart from other ecommerce fraud prevention software in a few ways. For starters, they deliver lightning-fast reports in real time. It’s a good choice if you want the speed of high-end software like Kount, but without the enterprise-level pricing.
Casting aside the “fraud score” model, Riskified presents a clear “approve/decline” analysis for each order. It also works on a sliding scale where you only pay for approved orders that generate sales, making it a smart alternative for smaller online stores.
8. FraudLabs Pro
FraudLabs Pro has a couple of strong advantages over the other fraud prevention tools on this list. Namely, it uses unique detection methods, including authenticity checks for email (like email domain age), social media, ISP, and usernames.
But the other advantage is even more appealing: a viable free plan that accepts up to 500 queries per month. For small stores or brands that just launched, this is a lucky find for online security.
9. Forter
Optimized for mobile transactions, Forter offers broad, blanket coverage on nearly any transaction, regardless of geographic location or payment method. One of its favored features is its customization options, allowing users to home in on specific risk profiles or payment gateways. It also uses quick, real-time reports, with simple “yes/no” reports rather than a fraud score.
10. Bolt
Technically speaking, Bolt is more of a checkout UI solution than a fraud prevention solution… however, because fraud prevention is built into its system, it qualifies as both. Bolt is an optimized checkout system for both fraud detection and user experience, aimed at increasing sales and decreasing abandonment through usability.
Bolt scans over 200 behavioral data points during the checkout to assess risks. That, combined with its usability advantages, makes it a great choice for online stores that need help in more areas than just online security.
Your fraud prevention safety measures directly improve your ecommerce brand’s success — or more accurately, your failure to prevent fraud schemes directly impedes your success. And with ecommerce fraud on the rise, security is a higher priority to online stores now than ever before.
Luckily, if you’re vigilant, you can step out of its way. Review the 7 most common scams listed above so you “know your enemy,” so to speak, and prepare yourself for what to expect. Likewise, review the warning signs and red flags we outlined so you can catch fraud attempts while they’re still just “attempts.”
We listed effective, DIY methods of ecommerce fraud prevention — techniques any online store-owner can implement on their own from scratch. But the bigger your ecommerce brand, the more outside help you’ll need. The top 10 fraud prevention tools offer something for everyone, so take a look at our evaluations and find the one that best fits your needs, goals, and limitations.