eCommerce Sellers: Watch Out for These 10 Fraud Schemes
Unemployment fraud, stolen COVID-19 relief funds, Twitter account takeovers and the hacked financial data of millions — one just needs to turn on the news to find the latest story on economic crime and fraud. With rates at record highs, fraud is affecting companies in more diverse ways than ever before.
A new survey found that 47% of businesses have experienced fraud in the past 24 months, with an average of six incidents reported per company. However, despite these staggering numbers, only 56% of organisations conducted an investigation into their worst incident, with less than one-third reporting the crimes.
The same pattern can be seen in the eCommerce industry. While online sales are currently booming, setting new year-over-year (YOY) records in 2020, that growth has created one of the fastest-growing opportunities for fraudsters and cybercriminals who are looking to capitalise on the thriving market.
According to a recent study, eCommerce industry fraud has risen by 30% — with the trend predicted to increase by 14% by 2023, resulting in an eye-watering US$130 billion in losses. However, while eCommerce merchants juggle a multitude of responsibilities — from sourcing quality products to quality control, payment processing, SEO and customer service — fraud prevention remains a crucial component that’s usually overlooked until it’s too late.
The message is clear: if you are running an eCommerce store, you need to protect your business and your customers against potential threats by becoming better informed about different schemes being used by cybercriminals for online fraud.
As the use of alternative payment methods increases, fraud is no longer exclusive to credit cards — criminals are becoming more sophisticated. So what does this new age of eCommerce fraud look like, exactly? We detail the 10 most common types below:
Classic Fraud: Considered one of the simplest types of fraud, stolen credit card credentials can be bought on the dark web for as little as US$1, and used to purchase goods. The stolen items are then sent to reshippers who go on to resell them illegally. Internet proxies are often used to disguise the criminals’ international IP addresses.
Chargeback Fraud: Unlike friendly fraud where a cardholder mistakenly disputes a charge they actually authorised, chargeback fraud is when a customer maliciously attempts to get their money back while still retaining the goods or services, telling their credit card company that their card or account details have been stolen. The scammer is then reimbursed the full amount by their bank or credit card company — at a major cost to the retailer.
As one of the most expensive types of fraud online merchants experience, chargeback fraud can also take a lot of time to resolve. The full transaction amount is deducted from the merchant’s account, along with a chargeback fee that’s usually between US$15 and US$25. In fact, each dollar of fraud is estimated to cost merchants US$3.36.
Triangulation Fraud: As its name suggests, triangulation fraud involves three parties: a legitimate consumer, the scammer and an eCommerce store. Here’s how it works:
- The fraudster creates a fake listing/storefront on an eCommerce site like Amazon and offers extremely low priced goods in high demand — for example, during the beginning of the COVID-19 pandemic, masks and Personal Protective Equipment (PPE).
- The customer “buys” the product from the scammer, inadvertently giving them their personal information.
- The scammer then uses the customer’s data to buy the exact same item/s from a valid eCommerce store for less money and gets it shipped to the customer.
- The customer receives the item they bought, not realising they overpaid or that they were scammed. The fraudster then keeps the markup profit.
Interception Fraud: This type of fraud sees criminals place an order using a billing and shipping address that corresponds with an address associated with a specific credit card. They will then try and intercept the delivery of the goods so that they can keep them for themselves, by using one of the following methods:
- Asking a customer service agent to change the address before it’s been shipped.
- Contacting the shipper or courier to reroute the order to a different address.
- If they live in proximity, waiting for the delivery to arrive at the cardholder’s address and physically signing for the package themselves in the name of the homeowner.
Identity Theft: As data breaches increase, so does the rate of identity theft. Accounting for 29% of eCommerce fraud losses, identity theft (also known as true fraud) sees cybercriminals stealing personal information such as names, addresses and financial data using phishing or malware attacks, and appropriating another person’s identity to create credit cards that will be used to purchase goods.
However, despite it being individuals who fall victim to identity theft, it’s online retailers who are often hurt the most. While credit card companies usually initiate chargebacks on behalf of the victim, there is no obligation to return the stolen merchandise. Even if merchants do manage to reclaim their goods, they’re no longer new. Therefore, the only way for eCommerce companies to escape identity theft purchases completely is to stop them before they begin. However, this type of fraud is one of the most difficult to identify as the criminals behind it are usually quite sophisticated in their methods.
It’s also worth noting that online retailers should ensure that their site is secure to avoid becoming unwitting accomplices in identity theft, by preventing hackers from stealing their customers’ information during the checkout process.
Card Validity Testing: Data shows that there’s been a 200% increase in credit card testing, a tactic used by cybercriminals to test stolen credit card credentials with small incremental purchases. Once they know that the credit card can be used to complete transactions, they will use it to make much larger, expensive purchases on an eCommerce site. To do this, fraudsters will target websites that give a different response to each transaction decline. For example, if a card is declined due to an incorrect expiration date, the fraudsters will use bots to run through permutations until they find the correct date. Since cards are often stolen weeks or months prior to the fraud, the process also reveals which cards have been cancelled by banks and which are available for use.
Card testing harms merchants in several ways, including chargebacks as well as increased fees from payment processors that penalise online stores for too many declines. Additionally, automated card validity testing bots can overwhelm your network, causing legitimate transactions to time out and fail.
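A merchant-side check for the card testing pattern described above, as an added example that is not part of the original article: it returns one customer-facing message for every decline reason and flags any source that piles up declines or distinct cards in a short window. The thresholds, the event layout and the sample log are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumptions; tune them against your own traffic.
WINDOW = timedelta(minutes=10)
MAX_DECLINES = 3   # declines tolerated per source inside WINDOW
MAX_CARDS = 3      # distinct cards tolerated per source inside WINDOW
GENERIC_DECLINE = "Payment could not be completed. Please check your details."

def decline_response(processor_reason):
    """Log the precise reason internally but show every customer the same
    text, so the checkout does not reveal which field was wrong."""
    return {"log": processor_reason, "customer": GENERIC_DECLINE}

def find_card_testing(events):
    """events: (time, source_ip, card_fingerprint, approved), sorted by time.
    Returns the source IPs that exceed either threshold inside WINDOW."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, card, approved in events:
        q = recent[ip]
        q.append((ts, card, approved))
        while ts - q[0][0] > WINDOW:       # drop attempts older than WINDOW
            q.popleft()
        declines = sum(1 for _, _, ok in q if not ok)
        cards = {c for _, c, _ in q}
        if declines > MAX_DECLINES or len(cards) > MAX_CARDS:
            flagged.add(ip)
    return flagged

# Constructed sample log (documentation IP ranges, made-up card fingerprints).
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=0),  "198.51.100.20", "card-A", False),  # buyer typo
    (T0 + timedelta(seconds=20), "203.0.113.7",   "card-B", False),
    (T0 + timedelta(seconds=25), "203.0.113.7",   "card-C", False),
    (T0 + timedelta(seconds=30), "203.0.113.7",   "card-D", False),
    (T0 + timedelta(seconds=35), "203.0.113.7",   "card-E", True),
    (T0 + timedelta(seconds=40), "198.51.100.20", "card-A", True),   # retry works
    (T0 + timedelta(seconds=45), "203.0.113.7",   "card-F", False),
]
```

A flagged source is a candidate for a CAPTCHA, rate limit or temporary block at checkout; the single retry from the other address stays below both thresholds.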
Email Account Phishing: While phishing scams are nothing new, since the start of the global pandemic, there has been a 33% rise in scammers posing as eCommerce stores and approaching customers for their sensitive account information and credit card details, or leading them to a fraudulent site. Using emails disguised as order or delivery confirmations, links in phishing emails often redirect to trap sites with viruses or malware.
According to a recent survey, 4,500 malicious domains have been blocked daily since the start of the pandemic, compared to 500 or less in January 2020 — more than half of which were related to COVID-19-related purchases.
Account Takeover Fraud: This type of fraud is rampant in the online gaming industry, which relies on real-time approval of small transactions. However, it’s slowly spreading across all areas of eCommerce. This usually occurs when fraudsters manage to obtain a legitimate customer’s login credentials via the dark web or phishing emails, so that they can take advantage of stored credit cards to purchase goods and services. In 2019 alone, losses from account takeovers reached US$9 billion.
Affiliate Fraud: When fraudsters specifically target eCommerce sites with affiliate programmes in a bid to abuse the system and manipulate traffic or signup statistics to get a greater profit, this is known as affiliate fraud. This can be done in a number of ways, including faking conversions. Often done using bots, or manually using click farms, most affiliate fraud revolves around affiliates faking a conversion to collect the commission in the form of a completed lead form, app install or even a sale. For merchants, affiliate fraud eats into profits and depletes marketing budgets.
Supplier Identity Fraud: Targeting businesses instead of actual consumers, and drawing on methods like phishing, this merchant-specific fraud sees scammers posing as manufacturers, wholesale suppliers or other B2B organisations, promising a super-affordable service that they never intend to deliver. Another form of fake supplier fraud involves hijacking the email address of a business’ main supplier. The fraudster then requests that payment to the supplier be made to a new account. The targeted business only realises the legitimate supplier never received payment when it’s too late.
Steps to Fraud Prevention
One of the best revenue accelerators is customer trust, which results in long-term loyalty. With the number of online scammers threatening businesses rising alongside the surge of the eCommerce market, it’s never been more important for merchants to develop real-time fraud prevention strategies so that they can improve user experience.
Watch Out For Red Flags
Recognising the warning signs early enough is one of the most effective methods of eCommerce fraud prevention. Watching for repeated declined transactions, multiple orders of the same item, suspiciously large orders, and different shipping and billing addresses is key to preventing fraud before it begins. While it’s important for companies to do their own due diligence, there are many reputable third-party fraud detection software solutions that merchants can take advantage of when trying to prevent various types of fraud. Just ensure you invest in a good one. Many popular fraud detection solutions on the market today are known to rely on faulty fraud-flagging mechanisms that inadvertently reject legitimate customers trying to make a purchase.
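The four warning signs named above, turned into a small order check as an added example that is not part of the original article. Because the article warns about tools that reject legitimate customers, this version never rejects on its own and only routes multi-flag orders to a person; the `Order` fields, thresholds and sample orders are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds are assumptions; tune them against your own order history.
LARGE_ORDER = Decimal("1000.00")
MAX_SAME_ITEM = 3   # units of one SKU per account across recent orders
MAX_DECLINES = 2    # declined attempts tolerated before this order

@dataclass
class Order:
    account: str
    sku: str
    quantity: int
    total: Decimal
    billing_addr: str
    shipping_addr: str
    prior_declines: int = 0

def _norm(addr):
    """Compare addresses ignoring case, commas and extra spaces."""
    return " ".join(addr.lower().replace(",", " ").split())

def red_flags(order, recent_orders):
    """Return the names of the warning signs this order shows."""
    flags = []
    if order.prior_declines > MAX_DECLINES:
        flags.append("repeated_declines")
    same_item = order.quantity + sum(
        o.quantity for o in recent_orders
        if o.account == order.account and o.sku == order.sku)
    if same_item > MAX_SAME_ITEM:
        flags.append("same_item_repeated")
    if order.total >= LARGE_ORDER:
        flags.append("large_order")
    if _norm(order.billing_addr) != _norm(order.shipping_addr):
        flags.append("address_mismatch")
    return flags

def decision(flags):
    """A single flag is common for real buyers (gifts ship elsewhere),
    so only two or more flags send the order to manual review."""
    return "manual_review" if len(flags) >= 2 else "accept"

# Constructed sample orders.
GIFT = Order("acct-1", "SKU-1", 1, Decimal("40.00"), "1 Main St", "9 Oak Ave")
SAME_ADDR = Order("acct-2", "SKU-2", 1, Decimal("25.00"), "1 Main St, Apt 2", "1 main st  apt 2")
RISKY = Order("acct-3", "SKU-9", 2, Decimal("1800.00"), "5 Elm Rd", "77 Dock Ln", 4)
HISTORY = [Order("acct-3", "SKU-9", 2, Decimal("1800.00"), "5 Elm Rd", "77 Dock Ln")]
```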
Maintain PCI Compliance
The Payment Card Industry Security Standards Council (PCI SSC) — in partnership with brands like Visa and Mastercard — has a list of best practices that eSellers should use to avoid scams and ensure the security of their customers’ credit card and personal information. PCI compliance is mandatory and revolves around basic security precautions, such as creating payment firewalls on your site.
Be Cautious During the Holidays
Black Friday, Cyber Monday, Christmas and other holiday months are a critical time for most online stores. With sales skyrocketing, festive periods are also an ideal time for fraudsters to strike as consumers and merchants are distracted by a wave of orders, and too preoccupied to notice potential fraud. That’s why it’s essential to be extra vigilant when receiving a significant number of foreign orders, rush orders and small-dollar purchases during the holidays. In a bid to protect you from drastic losses if fraud occurs, also consider setting a limit for the maximum number of purchases a single customer can make as well as the total monetary value accepted from one account each day.
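The per-account daily limits suggested above (a maximum number of purchases and a maximum total value per day), sketched as an added example that is not part of the original article. The limit values, account names and timestamps are assumptions; a production store would keep the counters in a shared datastore with expiry instead of in memory.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

class DailyLimiter:
    """Caps orders per account per calendar day, by count and by total value."""

    def __init__(self, max_orders, max_value):
        self.max_orders = max_orders
        self.max_value = Decimal(max_value)
        # (account, date) -> [orders accepted, value accepted]
        self._used = defaultdict(lambda: [0, Decimal("0")])

    def try_order(self, account, amount, when):
        """Accept and record the order if it fits today's limits.
        A refused order is not recorded, so it does not use up quota."""
        amount = Decimal(amount)
        bucket = self._used[(account, when.date())]
        if bucket[0] + 1 > self.max_orders or bucket[1] + amount > self.max_value:
            return False
        bucket[0] += 1
        bucket[1] += amount
        return True

def run_sample():
    """Replay a constructed sequence of orders and return each decision."""
    limiter = DailyLimiter(max_orders=3, max_value="500.00")  # assumed limits
    day1 = datetime(2021, 11, 26, 9, 0)
    day2 = datetime(2021, 11, 27, 9, 0)
    attempts = [
        ("acct-1", "200.00", day1),  # accepted: 1 order, 200.00
        ("acct-1", "250.00", day1),  # accepted: 2 orders, 450.00
        ("acct-1", "100.00", day1),  # refused: would reach 550.00
        ("acct-1", "50.00",  day1),  # accepted: 3 orders, 500.00
        ("acct-1", "10.00",  day1),  # refused: fourth order of the day
        ("acct-2", "400.00", day1),  # accepted: separate account
        ("acct-1", "200.00", day2),  # accepted: new day, fresh quota
    ]
    return [limiter.try_order(*a) for a in attempts]
```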
Ensure AVS and CVV
Both Address Verification Services (AVS) and Card Verification Value (CVV) are standard security measures. However, some eCommerce stores still overlook them as requirements. AVS ensures that the billing address matches the one on file, while CVV — the three or four-digit security number at the back of the card — is needed for the customer to complete their purchase. Criminals are unable to get this code unless they have the physical card, which is rare. When choosing a payment processor, make sure you pick one that has both these safeguards present — and one that doesn’t store CVV numbers.
Always Use HTTPS
The difference between HTTP and HTTPS is encryption. The latter also works with Secure Sockets Layer (SSL) to protect data shared on the internet. Not only is having HTTPS in your eCommerce store’s domain better for warding off hackers, but it also comes with the perk of a better SEO ranking and more accurate referral data.
Ask For Stronger Passwords
Customers who use a password without any letters or special characters risk getting their details hacked. eCommerce owners should encourage their users to use alphanumeric passwords with eight or more characters, and at least one capital letter and special character (e.g. !, #, $).
Use 3D Secure Prevention Tools
Created by card networks like Visa, 3D Secure is a security protocol that protects merchants from routine chargeback fraud and friendly fraud. It does this by getting customers to complete an additional verification step in real time after redirecting them to an authentication page on their bank’s website, where they have to enter a one-time code that was sent to their phone. Once the customer is verified, fraud liability is shifted from the merchant to the cardholder, eliminating the expensive, lengthy and burdensome chargeback process.