How to protect your business from ecommerce fraud
Picture it: You’re scrolling social media, and lucky you! The pricey online store you love is having a deep-discount sale. Plus, free shipping! Without missing a beat, you click the ad, and you’re sent to the brand’s website. You quickly fill your cart with what you’ve been eyeing for months. You make the payment. Weirdly, there’s no confirmation email. And that’s when many consumers realize they’ve fallen prey to fraud. Knowing how to protect your business from ecommerce fraud is crucial — as online sales grow, so does your risk for fraud.
We will walk you through all things ecommerce fraud, including what you can do to prevent online fraudsters looking to steal from your business and your customers.
What is ecommerce fraud?
Ecommerce fraud comes in many forms. Basically, it’s when a criminal knowingly scams an online store or other ecommerce business transaction, for either personal or financial gain.
Ecommerce fraud is essentially a type of payment fraud. It’s a serious crime, and cardholders, business owners, or both can be victims. With over 20% of all retail purchases expected to take place online in 2023 (estimated at $6.3 trillion), fraudsters have a lot of opportunities to bamboozle shoppers and the businesses they love.
Seven types of ecommerce fraud
What is friendly fraud, aka second-party fraud?
Friendly fraud, sometimes called second-party fraud, is anything but friendly. That’s because it’s when a legitimate customer makes an authorized purchase on their card, then later denies it. They can also hand their card details to a family member or someone else to make the purchase, so that the charge looks like third-party fraud or so that the claim “I didn’t make that purchase” is technically true.
The customer then files a dispute with their bank, leading to a chargeback. Their reasons can include saying they never received the product, it wasn’t what they thought it was, or they simply just canceled the order soon after placing it.
This type of chargeback fraud is one of the most difficult to detect — and it’s one of the most common. Friendly fraud makes up 61% of all chargeback issues in North America.
What is card-testing fraud, aka credit card validation testing?
Credit card validation testing is also called card testing or card cracking. Thieves use bots, scripts and programs that enable their users to test large batches of stolen card data quickly. Stolen data can include debit card and credit card numbers, account numbers, card expiration dates or the card verification value (CVV).
Fraudsters then take the stolen data to run credit card numbers through a business’ ecommerce platform or shopping cart. Since card testing is trial and error for the scammer, they will try for as many small transactions as they can without raising any red flags to you, the merchant, or your fraud monitoring tools. If a payment goes through, they’ll know the card number and cardholder data are valid and can be used or sold elsewhere on the dark web.
What is refund abuse?
Returns in retail are a part of doing business — but they eat into revenue.
Returns account for $816 billion in lost sales across the US retail marketplace, according to the 2022 Consumer Returns in the Retail Industry report.
Refund abuse is a type of ecommerce fraud in which customers return stolen or damaged goods to a retailer for a refund. Retailers report that they’re receiving higher percentages of returned stolen goods or products purchased online with stolen tender. Plus, employee return fraud and collusion are on the rise. Refund abuse makes up $84 billion of the overall amount lost on refunds.
While a strict refund policy can help protect businesses, it doesn’t cut down on the costs when it happens to you.
What is online payment fraud aka credit card fraud?
Online payment fraud is when a scammer uses stolen credit card information to make an unauthorized purchase through an ecommerce store. They can steal debit and credit card information in a myriad of ways, but one is very troubling for merchants. Fraudsters will create duplicate versions of a business’ website and encourage shoppers to make purchases there. Remember the fateful social media ad example at the beginning of this article?
Many victims of these scams never see the products and have their credit card numbers stolen.
What is account takeover fraud?
Account takeover is a type of fraud where hackers gain access to a customer’s online account to use stored credit card data to make fraudulent transactions. Hackers can gain access to customer accounts on ecommerce merchants’ sites through weak passwords, phishing, or malware on the customer’s device.
This type of fraud is on the rise, especially due to the popularity of buy now, pay later (BNPL) apps. Hackers target a customer’s BNPL account directly or choose to target a user account with a business authorized to charge their BNPL account, essentially doubling their chances of success.
PaymentsJournal reported that from 2020 through 2021, payment fraud rates over Black Friday weekend increased 66% for BNPL.
What is promotion, affiliate or loyalty fraud?
Every business wants to get customers in the proverbial door. Loyalty, promotion and affiliate programs are all great ways to attract new customers and build a better customer experience for existing ones. But without data security vigilance and fraud monitoring, these programs can also bring scammers to your door.
Affiliate fraud
Affiliate marketing is when brands get customers to refer friends for a discounted commission on their purchases. Affiliate fraud happens when a rogue affiliate sends spam traffic to your website or uses stolen credit cards to get paid, even though they didn’t refer legitimate customers.
Loyalty fraud
Loyalty fraud, also called loyalty point fraud or reward point fraud, happens when a scammer uses a merchant reward program for criminal purposes. The average US household has up to 30 loyalty reward programs – from pharmacies and groceries to travel miles and other retail businesses. Up to half of those accounts remain inactive, and that inactivity makes them easy pickings for fraudsters. Unlike banking, most consumers don’t check their loyalty accounts with regularity, and many of the programs don’t require two-factor authentication. Scammers use phishing emails and other identity theft tactics to gain access to a victim’s account.
Plus, since many people use the same password across the web, once a fraudster gains access to a loyalty program, they can quickly access a victim’s other accounts. Then they can redeem the loyalty points for merchandise, book travel, sell to online brokers, or trade back and forth on the dark web.
Promotion fraud
Tale as old as time: Promotion fraud happens when scammers find loopholes in a business’ promotion to claim free products. This can include online discount codes and sign-up bonuses.
What is triangulation fraud?
Last but certainly not least, triangulation fraud is a serious issue for ecommerce merchants and their customers. If you sell through multiple digital channels, you might be more at risk for this type. Triangulation fraud happens when a fraudster acts as a silent middleman in an online purchase.
It works like this:
1. A scammer lists your product on a marketplace site such as Amazon or eBay priced lower than recommended retail price (RRP)
2. A customer purchases the item using their credit or debit card at checkout
3. The scammer uses stolen credit card data to buy the products from you, the legitimate merchant
4. The scammer mails the products to the customer’s shipping address
5. The customer receives the order, but their card data is now compromised
6. The scammer has access to the customer data
Since the cardholder receives the items they’ve ordered, they’re not aware of any fraud or card data theft occurring, leaving the fraudster free to make subsequent transactions that may go unnoticed by the cardholder.
How to spot ecommerce fraud
Online retailers, are you overwhelmed yet? Don’t be disheartened. There are actions you can take to prevent online fraud — more on that later — but how can you spot it if it’s already happening? Let’s walk through a fraud detection checklist so you can know the signs of fraudulent purchases.
Signs of ecommerce fraud
- Multiple declined transactions in a row: Take note if you notice multiple purchase attempts without the user getting an important detail such as the expiration date, card security code or billing address correct. This isn’t a one-or-two-time try like a legitimate customer might make. This can be upwards of five or more attempts and usually indicates fraudulent activity.
- Multiple orders from a new country: Some ecommerce platforms make it easy for online businesses to sell products internationally. If you’ve never had a customer located in Albania and one day you have 23 orders from that country in a week, you’ll want to pay attention.
- Several transactions in a short timeframe: If you’re running a sale or special promotion and you’re getting a rash of transactions, that might not be cause for concern. But if it’s a slow time and you’re getting back-to-back transactions in real time and they’re not slowing down — take notice.
- Multiple orders with different cards: The same person makes multiple purchases but uses several different cards on the same day or over multiple days.
- Frequent customer suddenly shops from a new locale: If you have a customer whose IP address is usually in Houston, Texas, and now the order is suddenly coming from Russia, this might signal fraud.
- Multiple shipping addresses: If someone makes a purchase with a single billing address but ships the products to multiple addresses, take note.
- Conflicting order data: Information given doesn’t make sense or match, such as the city and ZIP code or the IP address and email address.
- Order is unusual: If the purchase is an unusually large order, or if there are multiple units of the same SKU in a single order — plus expedited shipping? Someone may want to get the order before being detected.
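As an added illustration (not part of the original article), the Python script below applies four of the checklist’s red flags to constructed order-log records: repeated declines on one card, several cards on one account, several shipping addresses against one billing address, and an order spike from a country the store has never sold to. The record fields, thresholds and sample data are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Attempt:
    """One checkout attempt, as an order log might record it (assumed schema)."""
    customer: str     # account or session id
    card_last4: str   # last four digits of the card (no full PAN stored)
    country: str      # ISO country code of the billing/IP location
    bill_addr: str
    ship_addr: str
    status: str       # "approved" or "declined"

def flag_attempts(attempts, known_countries, declines=5, cards=3, ships=2, new_country=3):
    """Return {rule_name: sorted offending keys} for each red flag that fires.
    Thresholds are illustrative; tune them to your own order history."""
    declined = defaultdict(int)            # card_last4 -> declined attempts
    cards_per_customer = defaultdict(set)  # customer -> distinct cards used
    ships_per_billing = defaultdict(set)   # bill_addr -> distinct ship_addrs
    orders_per_country = defaultdict(int)  # country -> approved orders
    for a in attempts:
        if a.status == "declined":
            declined[a.card_last4] += 1
        else:
            cards_per_customer[a.customer].add(a.card_last4)
            ships_per_billing[a.bill_addr].add(a.ship_addr)
            orders_per_country[a.country] += 1
    flags = {
        "repeated_declines": sorted(k for k, n in declined.items() if n >= declines),
        "many_cards_one_customer": sorted(k for k, s in cards_per_customer.items() if len(s) >= cards),
        "many_ship_addrs_one_billing": sorted(k for k, s in ships_per_billing.items() if len(s) >= ships),
        "spike_from_new_country": sorted(k for k, n in orders_per_country.items()
                                         if k not in known_countries and n >= new_country),
    }
    return {rule: keys for rule, keys in flags.items() if keys}

# Constructed sample data, not real orders: a card-testing burst, one account
# rotating cards and ship-to addresses, and three first-ever orders from "AL".
SAMPLE = [Attempt("c1", "1111", "US", "bill1", "ship1", "declined") for _ in range(5)] + [
    Attempt("c2", "2222", "US", "bill2", "ship2", "approved"),
    Attempt("c2", "3333", "US", "bill2", "ship3", "approved"),
    Attempt("c2", "4444", "US", "bill2", "ship4", "approved"),
    Attempt("c3", "5555", "AL", "bill3", "ship5", "approved"),
    Attempt("c4", "6666", "AL", "bill4", "ship6", "approved"),
    Attempt("c5", "7777", "AL", "bill5", "ship7", "approved"),
    Attempt("c6", "8888", "GB", "bill6", "ship8", "approved"),
]

if __name__ == "__main__":
    for rule, keys in flag_attempts(SAMPLE, known_countries={"US", "CA"}).items():
        print(f"{rule}: {keys}")
```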
Ecommerce fraud prevention strategies
So now we know what online fraud looks like — but what are some of the fraud prevention solutions we can use?
Complete site security audits regularly
You’ll want to make sure you discover your ecommerce site’s vulnerabilities before scammers do. Conduct site audits early and often — use this checklist to suss out where your security might be lacking.
Security questions to ask yourself
Is your SSL certificate current? Does it work?
Are your shopping cart software and plugins up to date?
Are you regularly removing inactive plugins?
Have you used encrypted communication between your business, suppliers and customers?
When was the last time you scanned your ecommerce site for malware?
When was the last time you changed passwords for any and all accounts? This includes admin accounts, hosting dashboards, content management systems (CMS), database and FTP access.
When was the last time you backed up the online store?
Is your business and ecommerce site PCI-DSS compliant? (More on that below)
Maintain your PCI compliance
If you accept debit or credit cards, you’ve agreed to maintain PCI compliance to protect cardholder data consistently. The Payment Card Industry (PCI) Security Standards Council, which includes Visa, Mastercard, American Express, Discover and JCB, created the PCI Data Security Standards (PCI DSS) that businesses must follow to reasonably care for and safeguard cardholder data. Maintaining your PCI compliance isn’t a one-time deal, it’s a state of being. And if you’re noncompliant, it can cost you big. Think fines, legal liability and a whole lot of other problems. If you operate a SaaS-based online store, your ecommerce platform typically helps you with this. You can also reach out to your payment processor.
Look out for suspicious activity on your site
We went through a list of fraudulent activity red flags earlier — and while it’s one thing to know them, it’s another to be on the lookout for them actively. You should consistently monitor your site for these red flags — use monitoring tools to keep you ahead of the game.
Use an address verification service (AVS)
Issuers and credit card processors will usually offer an AVS to detect any suspicious transactions in real time. AVS checks the billing address submitted in the transaction with the cardholder’s billing address on file with the card issuing bank. If the addresses don’t match, the system will deny the transaction or flag it to be investigated.
Use CVV numbers for transactions
Card verification value (CVV) numbers are the three-digit code on the back of credit cards (four digits on the back of an AmEx card). Requiring this card security code for every transaction can help make sure the customer has the physical card on them.
Use hypertext transfer protocol secure (HTTPS)
You probably know that “http://” is the beginning of an internet URL. HTTPS is the secure version of HTTP, the protocol that sends data between a user’s web browser and your website. To use HTTPS, you need to buy an SSL certificate. HTTPS encryption protects sensitive information, including your customer’s identity, card info, and more. It keeps your business’ transactions obscured from hackers and would-be thieves trying to find easy marks to prey on.
Collect only the customer data you need
Understanding your customers helps you provide better products and services for them. That said, collecting data you don’t actually need can put them at risk for identity theft. Collect and store as little sensitive customer data as possible. You should only collect what you need to do a business transaction — it protects both you and your customers in the event of a data breach.
Set purchase limits
You know your business better than anyone. Take a look at your order and revenue trends to set limits on the total dollar value you’ll accept from a single account or cardholder in a single day. You can also set limits for the number of purchases you’ll accept in a single day. Should you then become a victim of card-testing, it’ll limit your exposure.
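An added example, not from the article or from Heartland’s products: a rolling-window limiter in Python that enforces per-cardholder caps on both order count and total dollar value over the previous 24 hours, which is what blunts a card-testing burst of many small authorizations. The cap values, the `card_token` field and the `Decision` shape are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Decision:
    allowed: bool
    reason: str

class PurchaseLimiter:
    """Per-cardholder rolling-window caps on order count and dollar total.
    Default limits are illustrative; derive yours from your order trends."""

    def __init__(self, max_orders=5, max_total=1000.0, window_s=86400):
        self.max_orders = max_orders
        self.max_total = max_total
        self.window_s = window_s
        # card_token -> deque of (timestamp, amount) for accepted orders only
        self._history = defaultdict(deque)

    def check(self, card_token, amount, now):
        """Accept or reject one order; only accepted orders count toward caps."""
        hist = self._history[card_token]
        while hist and now - hist[0][0] >= self.window_s:  # expire old orders
            hist.popleft()
        if len(hist) + 1 > self.max_orders:
            return Decision(False, "daily order count exceeded")
        if sum(a for _, a in hist) + amount > self.max_total:
            return Decision(False, "daily dollar limit exceeded")
        hist.append((now, amount))
        return Decision(True, "ok")

if __name__ == "__main__":
    # Constructed scenario: one card tries eight $1 authorizations a few seconds apart,
    # the pattern a card tester produces; only the first max_orders get through.
    limiter = PurchaseLimiter(max_orders=5, max_total=1000.0)
    for i in range(8):
        d = limiter.check("tok_demo", 1.0, now=i * 5)
        print(f"attempt {i + 1}: {'allowed' if d.allowed else 'blocked'} ({d.reason})")
```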
Only accept physical shipping addresses
One way that scammers avoid detection is that they’ll use post office (PO) boxes or other anonymous locations to accept their goods. Police can’t arrest anyone at a PO box.
Limiting your use of these virtual addresses, including freight forwarders (also called forwarding agents — companies that organize supply chain services for shippers, including ocean or air freight transportation), might help you keep fraudsters at bay.
Work with a processor that offers ecommerce fraud solutions
As fraud becomes more sophisticated, the need to detect and prevent it from happening is imperative for small businesses. At Heartland, we offer a suite of tools that can keep your business safe.
Transaction monitoring analyzes patterns and transaction types in real time, identifies suspicious activity and takes action to counter it. Many payment processors don’t offer transaction monitoring, leaving business owners to find their own vendor. Heartland provides our processing merchants with Control Scan, our trusted partner for validating PCI compliance, and the Merchant Protection Plan, which covers you up to $100,000 in the event of a data breach.
Plus, when it comes to the hardware and software you need to mitigate all types of fraud, Heartland Secure™ delivers EMV®, encryption and tokenization, and comes standard for payment acceptance devices. Our POS and payment processing solutions make it easy to comply with PCI and practically eliminate the risk for fraudulent in-person transactions.
Disclaimer: The information provided in this document does not, and is not intended to constitute legal advice; instead, all information, content, and materials available are for general informational purposes only. Information provided may not constitute the most up-to-date legal or other information, and readers of this information should contact their attorney to obtain advice with respect to any particular legal matter, in the relevant jurisdiction. All liability with respect to actions taken or not taken based on the contents here are hereby expressly disclaimed.
Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us
