Perhaps more than any technology of the past 50 years, the internet has changed the way we do business. By expanding into the digital landscape, modern merchants can connect with customers around the globe, create seamless service experiences across a range of customer channels, and gain increasingly detailed data insights to help inform future strategy. And online stores aren’t the only ones excited about ecommerce; as of 2024, over 270 million people shop online in the U.S. alone, with that number expected to reach 331.46 million by 2029.
Ecommerce is convenient, flexible, and fast—advantages that customers and businesses alike can get excited about. But with these advantages come certain dangers. Ecommerce scams are becoming more common, cutting into merchants’ bottom lines and exposing buyers to possible data leaks and other risks.
What exactly is ecommerce fraud? And how can your business make ecommerce fraud prevention an integral part of your security strategy?
Ecommerce fraud—also called payment fraud—is a term that describes any illegal attempt by a threat actor on an ecommerce platform to deceive merchants, customers, or both with the goal of personal or financial gain. Simply put, ecommerce fraud takes advantage of the anonymity offered by online transactions; the fraudster often impersonates either a legitimate customer or business, defrauding the other parties involved in the transaction.
And although many cases of fraud represent only relatively small amounts of money (it’s estimated that the average chargeback for a disputed transaction in 2024 costs the business about $76), these amounts can add up quickly. How quickly? Juniper Research forecasts that between 2023 and 2027, merchants around the world will lose a cumulative $343 billion to online payment fraud.
Fraud in ecommerce is a major issue. Unfortunately, “ecommerce fraud” is also an extremely broad term. The first step to creating an ecommerce fraud prevention strategy is knowing what kinds of dangers are out there. Here, we break the most common types of ecommerce fraud into several distinct categories:
One of the most widespread forms of ecommerce fraud, credit card fraud (also known as card-not-present fraud) involves using stolen credit card information to purchase services or products online. This practice defrauds both the legal cardholder whose information has been stolen and the ecommerce merchant, who will likely end up having to refund the purchase cost along with any associated chargeback fees.
Credit card fraud often starts with card testing fraud, where a scammer will make smaller, lower-risk purchases using stolen cards to determine which accounts are legitimate and worth using for larger purchases.
Certain safety measures are in place to protect consumers from ecommerce fraud. Unfortunately, sometimes those safeguards can be misused to scam online merchants. Chargeback fraud occurs when a customer makes a purchase and then contacts their credit card company to dispute the purchase. This form of fraud not only costs the merchant the price of the product or service but also often includes losses associated with shipping costs, chargeback fees, and fines and penalties.
Sometimes called friendly fraud, this can also result from a customer not remembering or recognizing a legitimate purchase on their bank statement and contacting the bank directly to resolve it rather than reaching out to the merchant.
For the sake of convenience, many online sellers allow customers to create accounts and store payment information for a more streamlined checkout process. This represents a tempting target for fraudsters who need only gain access to the account to make fraudulent purchases. Once inside, they may change log-in details, effectively locking out the authorized account owner and making account recovery extremely difficult. They may also use the compromised account as a gateway to access other accounts associated with the owner.
A scam artist can use many avenues to gain illegal access to an online account, including phishing emails, malware, reaching out to the business to request a password reset, or even cracking weak passwords.
One of the checks that many merchants use to identify fraudulent activity is when a buyer makes a change to an on-file shipping address. Interception fraud circumvents this check, with the fraudster requesting that the goods be shipped to the standard address and then intercepting the package before it reaches its destination.
This can be as simple as waiting at the address for the package to arrive and stealing it from the pickup location. Or it may take a more involved approach—contacting a customer representative at the ecommerce business or even reaching out to the shipping company to change the shipping address after the order has been processed.
Triangulation fraud (so named because it involves a three-step process) is somewhat more complicated than many other types of ecommerce fraud. Unfortunately, it can also be more difficult to discover. First, the scammer creates a fake ecommerce website, usually offering top-quality products at significantly lower prices than their market value. When buyers attempt to purchase these items, the fraudster captures their credit card information and then uses it to purchase and ship the items from legitimate sites to the customer. Finally, they use the stolen payment information to make additional illegal purchases for themselves.
Because the card owner receives their purchase, they often have little reason to become suspicious. That means the crime may remain undiscovered for weeks or even months, during which time the fraudster has free access to the victim’s account.
Because online customers have so many different options to choose from, many online merchants use affiliate, loyalty, or other promotional programs to attract and engage buyers. But while these programs can reward loyal customers with increased savings or other special offers, they can also be misused by scammers.
Affiliate fraud takes advantage of affiliate programs that reward customers for referring friends or associates. Fraudsters create illegitimate customer referrals using either stolen cards or fake web traffic, raking in a commission without actually provisioning any new business. Loyalty fraud and promotional fraud describe situations where a scammer joins a loyalty program and earns rewards on purchases made with stolen payment information or fraudulently takes advantage of promotional offers.
Before you can identify ecommerce fraud solutions, you need to be able to recognize the signs of fraud.
Given the various routes and tactics scammers can use to defraud online businesses, it’s important to know what indicators may represent fraudulent activity on your ecommerce platform. Be aware of the following kinds of website activity, as they may portend scams in progress.
Your business and your reputation depend on your ability to defend yourself and your customers from ecommerce fraud. The good news is that you can incorporate ecommerce fraud prevention best practices into your business strategy and take steps to protect your organization from scammers.
Often, one of the goals of an ecommerce scammer is to get their hands on sensitive personal information from customer accounts. Limit what the fraudster has access to by collecting and keeping only the minimum amount of customer data. Social security numbers, for example, are not needed to process payments but can create real problems for customers should they become compromised.
If there are weaknesses in your ecommerce security, scammers will find them, unless you find them first. Perform regular audits of your site to determine whether all certificates and plug-ins are current, malware defenses are up to date, communications are properly encrypted, and your business is operating in full compliance with established standards. Then, take things further by continuously monitoring your site for any suspicious activity.
Most major credit card issuers include an additional security precaution directly on the card. This card verification value (CVV) or card security code (CSC) is a three-digit number printed on the back of the card. It provides added security against scammers who may only have access to the credit card number.
As previously mentioned, fraudsters will often try to make several large-ticket purchases before the card can be discovered and deactivated. By limiting how much a single buyer can purchase in a given time period (such as one day), you reduce the amount you may be liable for should fraudulent activity occur.
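The purchase limit described above, combined with a check for the card testing pattern covered earlier (several small purchases on different cards in a short time), can be sketched as a per-account sliding-window screen. This is an added example, not code from the original article; the thresholds, class name, decision strings, and sample orders are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration; tune them to your store.
DAILY_SPEND_CAP = 1500.00             # max approved spend per account per 24 h
TEST_WINDOW = timedelta(minutes=10)   # look-back window for card testing
TEST_MAX_CARDS = 3                    # distinct cards tolerated in that window
SMALL_AMOUNT = 5.00                   # ceiling for a "test-sized" purchase

class VelocityScreen:
    """Per-account sliding-window checks applied before authorization."""

    def __init__(self):
        self.spend = defaultdict(deque)   # account -> (time, amount) approved
        self.small = defaultdict(deque)   # account -> (time, card) small attempts

    def check(self, account, card, amount, when):
        # Card testing: many small attempts on different cards in a short window.
        small = self.small[account]
        while small and when - small[0][0] > TEST_WINDOW:
            small.popleft()
        if amount <= SMALL_AMOUNT:
            small.append((when, card))
            if len({c for _, c in small}) > TEST_MAX_CARDS:
                return "review:card_testing"

        # Purchase limit: cap total approved spend over the trailing 24 hours.
        spend = self.spend[account]
        while spend and when - spend[0][0] > timedelta(days=1):
            spend.popleft()
        if sum(a for _, a in spend) + amount > DAILY_SPEND_CAP:
            return "decline:daily_limit"

        spend.append((when, amount))
        return "approve"

def run_sample():
    """Replay constructed orders and return the decision for each."""
    t0 = datetime(2024, 6, 1, 12, 0)
    orders = [  # (account, card token, amount, minutes after t0), constructed
        ("acct-A", "tok-1", 1.00, 0), ("acct-A", "tok-2", 1.50, 1),
        ("acct-A", "tok-3", 2.00, 2), ("acct-A", "tok-4", 1.00, 3),
        ("acct-B", "tok-9", 900.00, 0), ("acct-B", "tok-9", 700.00, 30),
        ("acct-B", "tok-9", 500.00, 60), ("acct-B", "tok-9", 700.00, 1500),
    ]
    screen = VelocityScreen()
    return [screen.check(a, c, amt, t0 + timedelta(minutes=m))
            for a, c, amt, m in orders]
```

Declined orders are not added to the spend window, so a rejected purchase does not count against the account's remaining allowance.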
PO Boxes, freight forwarders, and other non-physical addresses are a favorite of scammers who don’t want to share their actual location. Requiring a real, physical address for all deliveries—and then verifying that address through an address verification system (AVS) provided by an issuing bank or credit card processor—may be enough to identify fraud before it occurs. This check can be a built-in part of the transaction authorization process, automatically flagging or declining transactions that don’t match up.
Although it may not be commonly known, IP addresses can usually be tracked to their regions or countries of origin. Performing a check on the IP addresses from online transactions will help inform you of any purchases being made from areas not associated with the address you have on file for the account.
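The two checks above (rejecting non-physical shipping addresses and comparing the IP address's country with the one on file) can be combined into a single order screen, shown here as an added example that is not part of the original article. It does not perform AVS, which is done by the issuing bank or processor; the field names, flag names, and geo-IP table are assumptions, and the table uses documentation-only IP ranges in place of a real geolocation database.

```python
import ipaddress
import re

# Matches "PO Box 12", "P.O. Box 12", "POB 12" and "Post Office Box 12".
PO_BOX = re.compile(
    r"\b(?:p\.?\s*o\.?\s*b(?:ox)?\.?|post\s+office\s+box)\s*#?\s*\d+", re.I
)

# Constructed geo-IP table built from documentation-only ranges (RFC 5737).
# A production check would query a real IP geolocation database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]

def ip_country(ip_text):
    """Return the country code for an IP, or None if unknown or malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return None

def screen_order(order):
    """Return the list of risk flags raised by one order (a dict)."""
    flags = []
    # Shipping to a PO Box hides the recipient's physical location.
    if PO_BOX.search(order["ship_line1"]):
        flags.append("non_physical_address")
    # Compare where the request came from with the country on file.
    country = ip_country(order["ip"])
    if country is None:
        flags.append("ip_unlocatable")
    elif country != order["account_country"]:
        flags.append("ip_country_mismatch")
    return flags
```

A flag here is a reason to route the order to manual review, not proof of fraud: legitimate customers travel, use VPNs, and receive mail at PO Boxes.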
Many different regulatory bodies are assigned to keep customer and business data safe. The standards and laws established by these groups provide a framework you can use to secure any weaknesses you may have in how you manage and process online orders.
Payment card industry (PCI) compliance is a requirement for any ecommerce business that accepts credit payments. Generally, this compliance is built into most ecommerce platforms, but it’s still worth double-checking, as the fines associated with noncompliance can be steep—to say nothing of the increased fraud risk.
In the fight against ecommerce fraud, you don’t have to go it alone. Anti-fraud software solutions can help identify evidence of fraud wherever it may occur. These solutions range from basic tools that perform address verification, IP location services, and auto declining of suspicious transactions, to more advanced options that outsource anti-fraud tasks to trusted, experienced third-party providers.
In the end, successful ecommerce is built on trust. If your customers don’t feel as though they can depend on your site to protect their sensitive data and provide a secure shopping experience, they’ll take their business elsewhere. Norton Shopping Guarantee with Package Protection by EasyPost, an industry leader in ecommerce fraud prevention, will build that trust.
Norton Shopping Guarantee provides identity theft protection and purchase protection guarantees, and will even reimburse shoppers if a price goes down within 30 days of their purchase. The end result? Improved trust, reduced risk from ecommerce fraud, higher conversion rates, and a better, more positive relationship with the customers who keep you in business. After all, your buyers want to shop with you; they just want to be sure that they won’t be exposed to fraud in the process.
Download Norton Shopping Guarantee on your Shopify store to increase trust and conversion on your ecommerce site, and help your customers get the most out of their buying experience.
Have questions about how it works? Talk to one of our ecommerce specialists about how Norton Shopping Guarantee can help with ecommerce fraud protection.