The Clearsale Blog

M-Commerce Is Booming. So Is M-Commerce Fraud

As mobile commerce continues to boom, so, too, does m-commerce fraud. For businesses, the solution is to create a multilayered defense.

When we talk about e-commerce, often what we're really talking about is m-commerce, because it's growing to dominate the e-commerce landscape. The global value of mobile commerce is expected to reach $3.56 billion by 2021. At that point, the mobile channel will account for nearly 73% of all e-commerce.

Consumers love m-commerce because it's convenient. That preference can drive sales and revenue growth for merchants. But m-commerce presents some unique fraud and security risks that can't be mitigated by a one-size-fits-all fraud prevention strategy. 

Mobile fraud attempts more than doubled from 2018 to 2019 and completed m-commerce fraud costs more on average than e-commerce fraud committed on computers. Fraudsters see m-commerce as a lucrative opportunity, because many merchants haven't adapted their fraud prevention practices for the smaller screen. That means they're not keeping up with the ways that cybercriminals can now exploit the mobile channel. 

Here's what merchants need to know to avoid seeing their m-commerce gains eroded by mobile fraud.

How mobile commerce fraud harms merchants

The impacts of fraud on e-commerce merchants are similar regardless of sales channel. The larger problem is that mobile occupies an ever-growing proportion of e-commerce sales, which means that rising m-channel fraud has an outsize impact on sellers. 

LexisNexis reported in 2019 that mid/large e-commerce merchants that sell digital goods lose an average of $4.06 for every dollar of fraud to chargeback fees, lost product costs and other expenses. By comparison, similar merchants without m-commerce lost $3.50 per dollar of fraud. 

Mobile fraud can create other problems for merchants, including:

  • Customer loss and brand damage. If your business has a data breach that exposes customer information, customers are unlikely to trust you with their information in the future. In addition to abandoning your business, customers may speak up about their experience on social media and in reviews. This can dent your brand reputation for a long time.

  • More false declines. Merchants are in a dire situation where they need to protect every penny of their revenue. Out of that concern, they decline any transaction that might be fraudulent. Unfortunately, you might end up denying a transaction from a legitimate customer and losing their business forever.

  • Checkout friction. If you try to filter out fraudulent transactions with added security features, you might reduce the likelihood of fraud but also add friction to the checkout process. This can increase the rate of cart abandonment and cost you sales.

2FA isn't a complete fix for mobile fraud risks

Customer verification is one of the top mobile channel fraud-prevention challenges, so anything that helps is worth exploring. And two-factor authentication (2FA), which requires customers to enter a one-time validation code sent to their phones, can help merchants verify buyers' identities before approving their orders. 

Because it adds another layer of security, 2FA has been promoted as an easy way to secure many kinds of accounts and transactions. Organizations that don't implement it may face bad press in the wake of a breach or fraud. For example, when a Deloitte breach in September 2017 exposed clients' emails, including those of U.S. large enterprises and government agencies, security experts were quick to point out that the account that led to the breach was not secured by two-factor authentication. Attackers had exploited a single password to gain access to Deloitte's email system through an administrator account. Many professionals argued that two-factor authentication could have prevented the breach. 

However, 2FA is not a one-step security solution. Variations among 2FA regulations in different markets can make it difficult to authenticate cross-border customers, in turn creating a poor customer experience. That's a serious potential problem in an economy where cross-border m-commerce volume increased by 43% from 2018 to 2019. 

And time and again, breaches and fraud schemes highlight the reality that basic 2FA tools like SMS-based one-time passwords and knowledge-based questions can be evaded through simple phishing attacks and social engineering. Some criminals also use SIM swaps and malware attacks to thwart 2FA and take over accounts.

SIM swaps

SIM swap attacks present an opportunity for account takeover. In this kind of attack, fraudsters hijack a victim's phone number by getting it transferred to a SIM card they control. This way they gain access to the victim's email address. In one instance, this led a victim to lose their life savings.

Once fraudsters have access to the victim's phone number, they can break into their social media accounts, which are often linked to payment services and retail accounts. SIM swapping also allows cybercriminals to hijack SMS two-factor authentication messages and change passwords for email, banking and shopping accounts. E-commerce merchants might not realize they're being defrauded because the account still maps to a loyal customer.

Mobile malware

One way to avoid this gap in 2FA is to replace SMS-based codes with one-time codes generated on an authentication app on the user's device. Because these codes aren't sent over the mobile network, they can't be intercepted by a SIM swap hijacker. However, it appears that criminals have found a workaround for this 2FA measure, too. 

In February, cybersecurity researchers announced the discovery of Android malware that could exploit a vulnerability in Google Authenticator, a popular 2FA app for Android. The researchers uncovered a new variety of the Cerberus banking trojan that can allow attackers to remotely access a customer's online banking account and then take a screenshot of the generated Authenticator 2FA code, bypassing security.

The researchers said that although this variant of Cerberus is designed to attack bank accounts, it could easily be adapted to hijack other types of authentication-based 2FA-protected accounts. It's perhaps the most recent example of how 2FA can't provide total security for consumers and e-commerce merchants. 

At the same time, the additional step that 2FA requires users to take to authenticate themselves can frustrate them. The need to balance fraud protection and customer experience can leave e-commerce merchants with little room to maneuver.

Creating a multilayered defense against mobile fraud

There's no one-step fix for mobile commerce fraud, but there are steps you can take to reduce your fraud risk while keeping good customers happy. 

  • Require customers to choose strong passwords for their online shopping accounts. Encourage them to use password managers so they can use unique passwords across all online accounts.

  • Consider offering two-factor authentication that sends codes to an authenticator app as one layer among many in your security program.
    If you implement 2FA, carefully monitor your conversion and cart abandonment rates to see if you need to change course.

  • Encourage customers to opt in to receive real-time alerts whenever their password is changed or when they make an unusually large purchase.

  • Manually review flagged transactions instead of automatically denying them. This can help you reduce false declines and identify compromised accounts.

  • Educate your customers on how to identify secure websites before they enter sensitive data, like checking that the website address begins with HTTPS or has the lock symbol.

  • Respond quickly to customers' fraud grievances. You might set up a dedicated email address or phone number where customers can report fraud.

  • Create a multilayered fraud defense system with a combination of skilled analysts and deep learning algorithms that scan every transaction to identify and prevent false declines.

  • Detect potential SIM swapping incidents by using mobile-specific screening measures to compare geolocation, device and behavioral biometric history to the current mobile specifics. 

You can also use machine learning and knowledge about fraudster behavior to analyze batches of orders for patterns that indicate potential fraud. For example, fraudsters often use the same shipping address for many hijacked accounts and set up fake email addresses on the same domain names. If you spot such a pattern across customer accounts, it's time to investigate potential fraud. 
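The batch check described above, sketched as an added example (not ClearSale's code): it groups one batch of orders by normalized shipping address and by email domain, then reports any value shared by several distinct accounts so those orders can go to manual review. The order fields, the threshold of three accounts, the public-provider list and the sample batch are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample batch; accounts, addresses and domains are made up.
ORDERS = [
    {"account": "A100", "email": "kim@gmail.com", "ship_to": "12 Oak St., Apt 4, Springfield"},
    {"account": "A100", "email": "kim@gmail.com", "ship_to": "12 Oak St, Apt 4, Springfield"},
    {"account": "A101", "email": "pat@gmail.com", "ship_to": "5 Elm Ave, Springfield"},
    {"account": "A102", "email": "x1@mailbox-qx.example", "ship_to": "99 Harbor Rd, Unit 7, Portside"},
    {"account": "A103", "email": "x2@mailbox-qx.example", "ship_to": "99 harbor rd unit 7 portside"},
    {"account": "A104", "email": "x3@mailbox-qx.example", "ship_to": "99 Harbor Rd., Unit 7, Portside"},
    {"account": "A105", "email": "lee@gmail.com", "ship_to": "99 Harbor Rd Unit 7 Portside"},
]

# Large public providers are shared by many legitimate customers, so a shared
# domain only counts as a signal when it is NOT one of these (assumed list).
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse spaces so trivial variants match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def find_clusters(orders, min_accounts=3):
    """Return {(kind, value): [accounts]} for values shared by >= min_accounts accounts."""
    by_address = defaultdict(set)
    by_domain = defaultdict(set)
    for order in orders:
        # Sets count each account once, so a repeat buyer does not inflate a cluster.
        by_address[normalize_address(order["ship_to"])].add(order["account"])
        domain = order["email"].rsplit("@", 1)[-1].lower()
        if domain not in PUBLIC_DOMAINS:
            by_domain[domain].add(order["account"])
    flagged = {}
    for kind, groups in (("address", by_address), ("domain", by_domain)):
        for value, accounts in groups.items():
            if len(accounts) >= min_accounts:
                flagged[(kind, value)] = sorted(accounts)
    return flagged


if __name__ == "__main__":
    for (kind, value), accounts in find_clusters(ORDERS).items():
        print(f"review: {len(accounts)} accounts share {kind} {value!r}: {accounts}")
```

A flagged cluster is a prompt for investigation rather than proof of fraud: households, offices and parcel lockers legitimately share addresses, which is why the output feeds manual review instead of an automatic decline.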

Clearly, there's no quick fix or single solution for the growing challenge of mobile commerce fraud. But by understanding the signs of potential fraud, screening all transactions, communicating with your customers, and creating a layered system of fraud defenses, you can safeguard your business, grow your m-commerce revenue, and offer the convenient experience your loyal mobile customers want.
