ECommerce Fraud Protection for Online Merchants: The Ultimate Guide

ECommerce Fraud Protection for Online Merchants: The Ultimate Guide


What is Ecommerce Fraud?

Why Does Ecommerce Fraud Take Place?

Ecommerce Fraud Statistics

Six Types of Ecommerce Fraud

How to Identify Fraud Online

11 Steps for Preventing Fraud on Your Ecommerce Store

The news for online merchants is good and bad.

The good news is that ecommerce is expected to nearly double by 2023 to more than US$6.5 billion.

The bad news? This this growth in online sales will be matched by a growth in ecommerce fraud.

Online retailers currently deal with around 206,000 attacks on their stores each month. As the popularity of online shopping grows, so does the opportunity for cyber criminals and unscrupulous consumers to defraud online merchants.

If you own or operate an online store, you must protect yourself against online fraudsters who steal from you, wreck your online reputation, alienate your customers, damage your brand, and hurt your profits.

This comprehensive guide tells you everything you need to know about ecommerce fraud protection—what it is, how it works, and what you must do today to protect your online store from the growing threat of online fraud.

Let’s get started.

buying online

What Is Ecommerce Fraud?

Before you can protect yourself against ecommerce fraud, you need to understand what it is. So, let’s define our terms.

When we talk about ecommerce, of course, we’re talking about commercial transactions conducted electronically over the Internet, typically through an online store. These transactions are typically made from desktop computers, laptops, tablets, and phones. When we talk about fraud, we’re talking about criminal deception intended to result in financial or personal gain.

Ecommerce fraud, then, is criminal deception conducted during a commercial transaction over the Internet with the goal of financial or personal gain. Ecommerce fraud is also called payment fraud.

Two things to remember about ecommerce fraud are that the target is an online merchant and the deception is intended to remain undiscovered.

Ecommerce fraud

Why Does Ecommerce Fraud Take Place?

Online payment fraud takes place for several reasons, some of them historical, some of them geographical, and some of them legal.

1. Ease.

Before the Internet, fraudsters generally had to steal physical credit cards and make purchases with them. Breaking into homes and cars and robbing people on the street with the aim of obtaining credit cards was a risky business in itself. Occasionally, fraudsters were lucky enough to obtain credit card slips that a store had carelessly discarded and would use those card numbers to fraudulently order merchandise over the phone.

Today, fraudsters have it much easier. They simply visit a website on the dark web and buy as many stolen credit cards as they need. Last time we checked, there were at least 23 million stolen credit cards for sale on the dark web.

2. Anonymity.

Payment fraud is also popular because it is conducted unseen. The fraudsters don’t have to walk into a store, say a word to anyone, or risk getting captured on store cameras. All they need is a computer and an Internet connection. They can operate from any location, at any time of day, unseen.

Online fraudsters typically create fake email accounts and rent post office boxes using aliases that reveal no personally identifiable information about themselves.

3. Evasion.

Ecommerce fraudsters know that police departments do not make ecommerce fraud a priority. For one thing, the amounts of money involved in each fraudulent transaction are typically small relative to other types of crimes. Plus, online fraud is increasingly conducted across international borders, making it hard for the police to locate and prosecute online criminals in other countries.

Merchant Guide for E-Commerce Fraud Protection

Ecommerce Fraud Statistics

Ecommerce Fraud Statistics

According to the 2020 Global Identity and Fraud Report, nearly three in five businesses say online fraud has increased in the past 12 months. Almost 75% of businesses cite fraud as a growing concern. And 57% of businesses are experiencing rising year-on-year fraud losses.

Here are some more online fraud statistics that demonstrate the breadth and depth of the challenge online merchants face with this unique—and growing—type of fraud:

  • Around 92% of fraudulent online transactions involve a credit card (Digital Commerce 360, Shift Processing).
  • Card-Not-Present fraud is predicted to increase by 14% by 2023 (Information Age)
  • Online retailers are expected to lose $130 billion to Card-Not-Present fraud by 2023 (Information Age).
  • Ecommerce businesses lose $3.94 for every $1 from a chargeback (Ravelin, Quick Sprout, Midigator).
  • The top five merchant categories that are most affected by ecommerce fraud are: airlines (46%), money transfer (16%), computer/electronics (13%), general retail (9%), and clothing (5%) (Juniper Research).

<script src="" data-infographicid="SevenImportantECommerceMetrics"></script>

Types of ecommerce fraud

Six Types of Ecommerce Fraud

When you hear the term “ecommerce fraud,” you likely think of stolen credit cards being used by criminals to buy products from online stores. But credit card fraud is just one of the most common types of ecommerce fraud. Here are the top six.

1. Credit card fraud.

Credit card fraud is the umbrella term for fraud that is committed using a credit card or debit card. In the context of ecommerce fraud, credit card fraud is also known as card-not-present fraud and payment fraud. In a credit card fraud conducted online, the fraudster uses a stolen credit card to purchase products or services from a web merchant.

In a typical scenario, a criminal visits a site on the dark web that sells stolen credit cards. The criminal buys a stolen credit card and visits an online store, using that stolen card number to buy a product or service. This initial transaction defrauds the cardholder whose card was stolen. But eventually it defrauds the store owner, who must refund the purchase (and sometimes pay a chargeback fee to the bank that issued the card).

2. Affiliate fraud.

Affiliate fraud is illegal activity intended to generate affiliate commissions. In affiliate marketing, online merchants pay affiliates a commission for sales that affiliates refer. The merchants give affiliates a unique, trackable web link that points shoppers to the merchant’s store pages. When a shopper clicks on one of these links and makes a purchase, the merchant rewards the affiliate for the referral by giving the affiliate a commission (typically a percentage of the sale price).

In affiliate fraud, criminals game the system and defraud the online merchant using fake activity to either generate commissions or to increase the amount of the commissions.

A common form of affiliate fraud is “typosquatting”, in which a criminal registers domain names that match commonly mistyped versions of an online store’s legitimate URL. The fraudster then redirects that domain name to the merchant’s website—but with an affiliate link.

3. Chargeback fraud.

In the world of credit card transactions, a chargeback is a demand that a credit-card provider makes to a retailer to refund a fraudulent or disputed transaction.

In the online commerce world, chargeback fraud occurs when an online shopper makes a purchase with their credit card, receives the purchased goods or services, but then requests a refund from the issuing bank (the bank that issued their credit card). This results in the bank demanding that the retailer refund the purchase amount to the bank. When a bank demands a chargeback, the online merchant is responsible to refund the purchase.

In a typical scenario of chargeback fraud, a shopper makes a purchase from an online store. After receiving delivery of the goods or services, the criminal waits weeks or months, then contacts their bank and disputes the transaction, claiming it to be unauthorized or fraudulent. The fraudster hopes that the merchant lacks the time and resources to dispute the claim, or simply gives them the benefit of the doubt.

Buying online with credit card

4. Phishing/account takeover.

Most ecommerce stores provide customers with accounts that store personal information, financial data, and purchase history. Cyber criminals hack into these accounts through phishing schemes. In one of the most common tactics, fraudsters send emails to trick customers into revealing usernames and passwords. They then log into the customers’ accounts, change the passwords, and make unauthorized purchases. Criminals are also using bots to steal confidential information from customers.

5. Interception fraud.

In interception fraud, fraudsters use stolen credit cards to make online purchases, ship the goods to the address that’s on file for the credit card, but then intercept the package. For example, a criminal will visit an online merchant and use a stolen name, address, and credit card to purchase an item. After the transaction is completed, the criminal calls customer service before the item has shipped and changes the delivery address to the criminal’s desired pickup location.

6. Triangulation fraud.

Triangulation fraud uses three steps to defraud online merchants. In the first step, criminals create a fake online storefront, typically one that offers popular brand-name goods at bargain-basement prices. The only goal of the site is to steal names, addresses and credit card numbers from unsuspecting shoppers.

In the second step, the fraudsters use the stolen customer credentials and credit card numbers to visit a legitimate online store, buy exactly what the victim purchased from the fake store, and ship it to the customer.

The third step is the payoff for the fraudsters. They use the stolen customer data to make additional online purchases that they ship to themselves. This type of fraud typically remains undiscovered for a longer time than other types of online fraud because the original purchase (from the fake site) raises no suspicions on the part of the victim.

Are you leavnig money on the table? Calculate your approval rate today

How to Identify Fraud Online

As an online merchant, you can spot ecommerce fraud in a number of ways. Just remember that the success of ecommerce fraud depends on the skill and ingenuity of the fraudsters. As merchants increase their defenses against online criminal activity, online crooks also up their game and devise cunning ways to defraud their targets. Here are the most common red flags to look for:

Inconsistent order data.

The zip code and city entered don’t match. Or the IP address of the shopper and their email address don’t match.

Larger than average order.

The order is far larger than your customer typically spends. Other red flags include multiple units of the same SKU in the one order, and expedited shipping (the crook wants to receive the order before getting caught).

Unusual location.

Your customer always purchases from an IP address in North America, but suddenly makes a purchase from an IP address in an unusual location (Nigeria, for example).

Multiple shipping addresses.

The buyer makes multiple purchases under one billing address but ships the products to multiple addresses.

Many transactions in a short timeframe.

The fraudster makes multiple purchases back to back—and it’s not the holiday season.

Multiple orders from many credit cards.

Someone makes multiple purchases using multiple credit cards (either in one day or over a longer period.

Multiple declined transactions in a row.

The purchaser makes not just one or two attempts (honest shoppers make mistakes, after all), but four, five, six, seven, eight or more attempts without getting the card number, expiry date, and card security code correct.

Strings of orders from a new country.

You’ve never received a single order from the Kingdom of Bhutan, and then you suddenly receive 11 orders from that country in the space of a week.

11 Steps for Preventing Fraud on Your Ecommerce Store

The key to protecting your online store from fraudulent credit card transactions, affiliate fraud and other types of ecommerce fraud isn’t just recognizing these activities when you see them—it’s taking steps to prevent them in the first place.

You have several tools at your disposal: some technical, some non-technical, some based on software and some based on good-old-fashioned know-how. Here are the steps you can take today to prevent fraud on your online store.

1.    Conduct regular site security audits.

Want to discover flaws in your security before criminals and fraudsters do? Conduct security audits—often. Ask yourself these questions:

  • Are our shopping-cart software and plugins up to date?
  • Is our SSL certificate current and working?
  • Is our store PCI-DSS compliant (Payment Card Industry Data Security Standard)?
  • Are we backing up our online store often enough?
  • Are we using strong passwords for admin accounts, hosting dashboards, CMS, database, and FTP access?
  • Are we scanning our website regularly for malware?
  • Are we encrypting communication between our store and our customers and suppliers?
  • Have we removed inactive plugins?

2.    Make sure your store is PCI compliant.

If you operate an online store that accepts credit card payments, you must be PCI compliant. PCI stands for Payment Card Industry. PCI standards for compliance are developed and managed by the PCI Security Standards Council to ensure the security of credit card transactions in the payments industry. PCI compliance means your online store and your businesses processes meet these PCI standards.

3.    Monitor your site regularly for suspicious activity.

Bricks-and-mortar stores hire fraud prevention officers to catch shoplifters. You can protect your online store against fraudulent transactions by monitoring your store for suspicious activity. Monitor your accounts and transactions for red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers. Use tools that track customer IP addresses and alert you to any addresses from countries known as a base for fraudsters.

4.    Use an Address Verification Service (AVS).

Credit card processors and issuing banks offer an Address Verification Service to detect suspicious credit card transactions in real time and prevent credit card fraud. The Address Verification Service checks the billing address submitted by the card user (the customer) with the cardholder’s billing address that’s on file with the issuing bank. This check takes place as part of the merchant’s request for authorization of the credit card transaction. When addresses don’t match, the system either declines the transaction or flags it for investigation.

Online verification for fraud

5.    Require Card Verification Value (CVV) numbers for all purchases.

The three-digit security code on the back of VISA®, MasterCard® and Discover® credit and debit cards and the four-digit security code on the back of American Express® credit and debit cards is called the Card Verification Value (CVV) or Card Security Code (CSC). By requiring all purchasers to supply this code for every transaction, you ensure that customers have the physical credit card in their possession. This helps to keep you safe and reduces fraud.

6.    Use Hypertext Transfer Protocol Secure (HTTPS).

HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a customer’s web browser and your online store.  HTTPS encrypts this data to protect sensitive information, such as customer names, addresses and credit card numbers. Using HTTPS prevents your online store from having its transactions broadcast in a way that’s easily viewed by hackers, cyber criminals, and fraudsters. You use HTTPS by buying an SSL certificate. 

7.    Avoid collecting too much sensitive customer data.

One way to protect your store in the event of a data breach or hack is to collect and store as little customer data as possible. Hackers can’t steal what you don’t have. So only collect the data you need to complete a transaction and ship the product. Avoid collecting Social Security numbers, dates of birth and other unnecessary sensitive customer data.

8.    Set limits on purchases.

Based on your order and revenue trends, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. This reduces your exposure to a minimum should fraud occur.

9.    Try an anti-fraud solution.

When it comes to detecting and preventing online fraud, there is a variety of software solutions to suit your needs and your budget. Additionally, the tools you select may vary widely when it comes to how much work is involved in installation and ongoing management. Some may prefer a more hands-on solution, while others would rather leave it in expert hands.

  • Rudimentary anti-fraud tools perform a specific, single function. They are typically integrated into online shopping carts and ecommerce platforms. These tools identify fraudulent transactions through IP geolocation, validate email addresses, conduct device fingerprinting, and verify addresses.
  • Mid-level anti-fraud tools offer a wider variety of functions, including chargeback guarantees, auto declining of high-risk orders, protections against new account fraud and account takeover protection.
  • Top-level anti-fraud tools offer everything the other tools offer plus outsourced case management, expertise working with large merchants, loyalty fraud management, policy abuse protection, automatic decisions, and manual rev of transactions.

Checking online information

10. Double check that IP addresses and credit card addresses match.

Every order placed on your online store comes from a unique, public IP address (a string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over the Internet). From the IP address you can generally detect the city or region of the world where the purchaser is making the purchase. If this city or region does not match the address of the credit card being used, that’s a red flag.

11. Avoid non-physical shipping addresses.

Fraudsters commonly avoid detection by protecting their physical address, preferring to use a PO box or other anonymous location. After all, the police can’t come knocking if there’s no door to knock on.

If you are an online merchant, and if you want to prevent this type of fraud, never ship online orders to PO boxes and other virtual addresses, such as those of freight forwarders. You can spot addresses that belong to freight forwarders because they have a container number in the address, such as 726 Dock Road Suite 300 #KXQ-582899328.

Nova call to action

Looking throught phone and computer

Knowledge Is Power

Yes, fraudsters are getting more sophisticated in how they attack online merchants. And the number of attacks on web stores is increasing as ecommerce grows in popularity. But ecommerce merchants are also getting more sophisticated in how they detect and deter online crooks.

Once you understand what ecommerce fraud is and why it is so prevalent, and once you learn how to detect online fraud, you are empowered to take the necessary steps to prevent fraud on your online store.

False declines report

Are you leaving money on the table? Check With our Approval Rate Calculator

Original article at:

You may also like

Want to write
for our blog?

Please review our writers' guidelines
and then email with your pitch!

Subscribe to our blog