Ecommerce Fraud & Risk Mitigation
What are the types of Ecommerce Fraud?
If there is any positive to come out of the current pandemic, it is that ecommerce is on the rise, with lockdowns and restrictions pushing more and more consumers to purchase online. However, with this comes growth in ecommerce fraud (also known as payment fraud), which is increasing in parallel with the global increase in ecommerce payment transactions.
Ecommerce fraud is a parasite that encumbers the potential growth of this shift in consumer spending behaviour. It grows along with the global increase in the total number of ecommerce payment transactions performed. Experts expect this to continue unabated, with payment fraud continuing to increase at a projected cost of $40.62 billion to consumers by 2027, 25% higher than in 2020 (Merchant Savvy, a division of VUBO Ltd, 2020).
This is a challenge that technical, digital and consumer-oriented businesses face every minute. If a business is currently running an ecommerce shop or considering starting one, understanding ecommerce fraud and how to mitigate the risk associated with payment fraud must be a significant component of its online development plan. Ignore it at your peril.
Currently we can segment ecommerce fraud into seven broad categories. Not all of them apply directly to ecommerce shops, but as an online shop owner it is important to be aware of them all.
Purchase made by a real customer using their own card, but after the transaction the customer issues a chargeback. This can occur after the goods have shipped, which means there is a reliance on the customer making the effort to return the goods.
Purchase made using a stolen credit card. This will cost the vendor the price of their goods and shipping.
Purchases made using personally identifiable information (PII) stolen from another person to validate a transaction. This will cost the vendor the price of their goods, shipping and reputation if the PII was stolen from their ecommerce shop.
Pretending to be a known acquaintance to gain access to information with a view to initiating a transaction. This is less directly associated with ecommerce shops, but the intent is to achieve identity theft via phishing.
Purchase attempts using a list of stolen credit card details in an attempt to identify which cards can be transacted against. Given that the process is normally automated and the lists can run to thousands or tens of thousands of transactions, the chargeback fees can cost the vendor a substantial amount.
A 3rd party is hired to receive and re-ship the product but is not usually paid and becomes the criminal’s accomplice. Costs the vendor the price of the goods and shipping.
A fake online shop is deployed with cheap items matching those of other shops. The purchaser is charged and then their payment information is used to purchase from a real shop. The criminal keeps the original payment. The purchaser receives the goods but has paid twice for them. Costs the purchaser, not the vendor.
Next Step? Review your online shop technology, talk to your customers and cross check against this list. Start the essential process of tightening the tech and securing the platform to protect against future threats.
How do you identify ecommerce fraud?
In Part 1 I wrote about the types of ecommerce fraud. Here are some potential indicators that help you identify ecommerce fraud in the early stages. These are things you, your team or your customers can flag for review.
Here are some indicators that a transaction or batch of transactions might be fraudulent. The more indicators, the higher the risk of a transaction being fraudulent:
- First-time customers, email address
Customers who have purchased previously or regularly are much less likely to be performing fraudulent transactions. First-time customers warrant closer inspection for other indicators, especially if they are using an easily accessible email platform.
- Fast shipping
New customers requesting fast shipping warrant closer inspection, especially if the transaction(s) have other indicators, some of which are discussed below.
- Location information
Customer transactions with substantial discrepancies between IP location and billing address, IP location and shipping address, or shipping address and billing address, or those with many shipping addresses, warrant closer inspection, especially if the transaction(s) have other indicators.
- Product volume, Order size
Customers suddenly ordering substantially larger than usual quantities, or new customers ordering substantially large volumes, warrant closer inspection, especially if the transaction(s) have other indicators.
- Multiple cards, Same IP address
Orders from different cards originating from the same IP address warrant closer inspection, especially if the transaction(s) have other indicators.
- Multiple transactions
Many orders occurring in a short period of time, especially if unexpected, warrant closer inspection, especially if the transaction(s) have other indicators.
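An added example, not part of the original article: one way to count the indicators above per order so that orders with several of them go to manual review. The field names, thresholds, country-level location comparison and sample orders are all assumptions made for illustration; the time-based "multiple transactions" indicator is left out.

```python
from collections import defaultdict

FREE_MAIL = {"freemail.example"}  # assumption: domains treated as easily obtained
QTY_FACTOR = 5                    # assumption: "substantially larger" = 5x usual quantity
NEW_CUSTOMER_MAX_QTY = 10         # assumption: largest unremarkable first order

ORDERS = [  # constructed sample data using documentation IP ranges
    dict(id="A1", prior_orders=12, usual_qty=2, qty=3, email="pat@customer.example",
         shipping="standard", ip="198.51.100.7", card="tok_1",
         ip_country="AU", bill_country="AU", ship_country="AU"),
    dict(id="B1", prior_orders=0, usual_qty=0, qty=40, email="x1@freemail.example",
         shipping="express", ip="203.0.113.9", card="tok_2",
         ip_country="NZ", bill_country="AU", ship_country="SG"),
    dict(id="B2", prior_orders=0, usual_qty=0, qty=1, email="x2@freemail.example",
         shipping="standard", ip="203.0.113.9", card="tok_3",
         ip_country="NZ", bill_country="NZ", ship_country="NZ"),
]

def indicators(order, cards_per_ip):
    """Return the names of the article's indicators that this order matches."""
    hits = []
    new = order["prior_orders"] == 0
    if new:
        hits.append("first_time_customer")
        if order["email"].rsplit("@", 1)[-1] in FREE_MAIL:
            hits.append("free_email")
        if order["shipping"] == "express":
            hits.append("fast_shipping")
    if len({order["ip_country"], order["bill_country"], order["ship_country"]}) > 1:
        hits.append("location_mismatch")
    limit = NEW_CUSTOMER_MAX_QTY if new else QTY_FACTOR * order["usual_qty"]
    if order["qty"] > limit:
        hits.append("order_size")
    if len(cards_per_ip[order["ip"]]) > 1:
        hits.append("multiple_cards_same_ip")
    return hits

def review_queue(orders, min_hits=3):
    """Map order id -> indicators for orders matching at least min_hits indicators."""
    cards_per_ip = defaultdict(set)
    for o in orders:
        cards_per_ip[o["ip"]].add(o["card"])
    scored = {o["id"]: indicators(o, cards_per_ip) for o in orders}
    return {oid: hits for oid, hits in scored.items() if len(hits) >= min_hits}

if __name__ == "__main__":
    print(review_queue(ORDERS))
```

The returning customer A1 matches nothing, while B2 reaches the review queue only because three individually weak indicators coincide.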
Next Step? Educate your team and work with your technology partner on what ‘suspicious’ customer behaviour looks like, and implement an escalation path so that suspicious transactions are identified and decided on quickly, reducing the risk of fraudulent transactions causing material damage.
What actions can be taken to reduce risk of ecommerce fraud?
From Parts 1 and 2 you now know which types of ecommerce fraud are prevalent and how to identify suspicious transactions.
Here’s the part where you take action to limit or eliminate the fraud proactively. There are various levels of action and payment gateway configurations that can help to prevent fraud before payment occurs at all or, at least, prevent volumes of fraudulent transactions that might trigger substantial chargebacks.
Basic steps to take to reduce the risk of ecommerce fraud include:
- CVV Check
Card Verification Value is the three or four digit number on the other side of the credit card. If the card details were stolen through imprints of the card's front side, the perpetrator will not have the CVV and the transaction will fail. CVV is not a guaranteed fraud prevention solution and, given the rapid decline in the use of imprint machines, its effectiveness is declining.
- AVS Check
Address Verification Service checks the billing address submitted by the card user with the cardholder's billing address on record at the issuing bank and returns a match or partial match. This is widely used in the USA but not implemented globally. AVS is not a guaranteed fraud prevention solution. Additionally, the system can on rare occasions generate false declines or partial declines.
- Risk Threshold Rules
Payment gateway risk threshold rules, also known as velocity checks, are effective (when appropriately configured) in limiting high volume fraud attempts. The rules trigger different actions when specified customer information passes through the gateway multiple times within a designated time period.
- reCaptcha
reCaptcha is a technology that attempts to determine whether the payment submission is coming from a human or from automation (see carding). It can be an effective technique for reducing the risk of automated payment submissions, but in turn it presents an obstacle to real purchasers transacting.
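An added example, not part of the original article and not any gateway's actual rule syntax: a sliding-window velocity check of the kind described under Risk Threshold Rules, where repeated use of the same customer information inside a time window escalates from allow to review to block. The rule values, field names and sample attempts are assumptions, and attempts are assumed to arrive in time order.

```python
from collections import defaultdict, deque

# Assumed rules: (field, window in seconds, max attempts in window, action when exceeded)
RULES = [
    ("ip", 600, 3, "review"),
    ("ip", 600, 5, "block"),
    ("email", 3600, 4, "review"),
]
SEVERITY = {"allow": 0, "review": 1, "block": 2}

class VelocityChecker:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.seen = defaultdict(deque)  # (rule index, field value) -> recent timestamps

    def check(self, txn):
        """Record one payment attempt and return 'allow', 'review' or 'block'."""
        action = "allow"
        for i, (field, window, limit, rule_action) in enumerate(self.rules):
            q = self.seen[(i, txn[field])]
            q.append(txn["ts"])
            while q[0] <= txn["ts"] - window:  # drop attempts older than the window
                q.popleft()
            if len(q) > limit and SEVERITY[rule_action] > SEVERITY[action]:
                action = rule_action
        return action

def run_sample():
    """Constructed attempts: one IP submitting every 20 s, then an unrelated buyer."""
    checker = VelocityChecker()
    attempts = [{"ts": 1000 + 20 * n, "ip": "203.0.113.9", "email": f"u{n}@mail.example"}
                for n in range(7)]
    attempts.append({"ts": 1200, "ip": "198.51.100.7", "email": "pat@customer.example"})
    return [checker.check(t) for t in attempts]

if __name__ == "__main__":
    print(run_sample())
```

Blocked attempts still count toward the window, so a source that keeps retrying stays blocked until it has been quiet for the full window.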
Advanced steps to take to reduce the risk of ecommerce fraud
For more advanced/enterprise ecommerce implementations, a 3rd party fraud detection service can be integrated into the ecommerce payment flow. Some 3rd party fraud prevention service providers:
- ClearSale - https://www.clear.sale/
- Riskified - https://www.riskified.com/
- Signifyd - https://www.signifyd.com/
- Kount - https://kount.com/
- IDVision with iovation - https://www.iovation.com/idvision
- SEON. Fraud Fighters - https://seon.io/
- Sift - https://sift.com/
- Bolt - https://www.bolt.com/approve/
- Stripe Radar - https://stripe.com/radar
- Ekata - https://ekata.com/products/transaction-risk-api/
Some of the service vendors offer the option of chargeback guarantees.
Complacency around ecommerce fraud is the biggest threat, not only to the security of a business and the protection of your customers but also to the potential for an online shop to grow and deliver a return on investment.
Talk to your business partners, customers, technology staff or tech partner about ecommerce fraud and take action now to limit the risk to your business.