What Is eCommerce Fraud Prevention?

eCommerce fraud is any fraud perpetrated on an e-commerce site or platform. E-commerce fraud prevention is the implementation of strategies for detecting high-risk transactions and preventing fraud. Measures include PCI compliance, AI and machine learning, risk-based monitoring, and more.

Thanks in part to the dramatic shift to online shopping during the COVID-19 pandemic, e-commerce fraud could cost online merchants as much as $20 billion for the full year 2021, according to Juniper Research. And it’s easy to see why.

From a criminal perspective, it’s a low-risk, high-value proposition. In the past, fraudsters would have to physically steal credit cards and use them in brick-and-mortar stores or over the phone. Today, they can easily and inexpensively acquire stolen card details and other credentials through dark web marketplaces. This level of convenience combined with multiple layers of anonymity makes e-commerce fraud extremely attractive to cybercriminals.

Types of eCommerce Fraud

Over the years, fraud has evolved beyond simply exploiting stolen cardholder data. Today, criminals have many ways to carry out e-commerce fraud, with some being much harder to detect and prevent than others. Here’s a look at a few of the most common forms of e-commerce fraud.

CNP Fraud

Card Not Present (CNP) fraud occurs when a criminal makes an illicit purchase without physical possession of the payment card.

Almost all e-commerce sites require a Card Verification Value (CVV) to prove card ownership, but that’s not always enough. As mentioned, crooks gain access to full card details through dark web marketplaces. They also steal this information directly, through phishing scams.

Fraud prevention methods like CVV and Address Verification Service (AVS) can stop some fraud, but not all of it. CVV codes are often included in stolen data dumps and retrieved from phishing campaigns, while AVS can be bypassed by a few minutes of online research.

Organizations can take steps to prevent CNP fraud by:

Chargeback Fraud

Chargeback fraud occurs when a customer receives the product they paid for, but then initiates a chargeback with the intention to keep both their money and the item. This fraud can be tough to identify because the excuse for a chargeback can vary in each case. For example, fraudsters can claim they never received the item or lie to card issuers by claiming they never made the purchase in the first place.

When chargeback fraud is done by accident, it’s often referred to as “friendly” fraud. Sometimes customers forget they placed an order, fail to recognize a charge on their statement, or think that a chargeback is another way to initiate a return. Either way, it still hurts revenue, impacts inventory—and is often avoidable.

Organizations can prevent chargeback and friendly fraud by doing the following:

  • Using strong credit card verification methods to identify repeat offenders
  • Identifying fraudulent behavior through machine learning
  • Providing order confirmation emails
  • Making return policies easy to find and understand
  • Using clear transaction descriptions

Account Takeover Fraud (ATO Fraud)

ATO fraud happens when a criminal hijacks a legitimate customer account and uses that account to commit fraud. Fraudsters often attempt to make purchases, drain reward points, make large transfers, and more. ATO attacks now lead to more than $16 billion in annual loss just in the US, up 300% from 2019. This form of fraud is also tough to spot, since the intruder is logging in as a verified customer.

Account information is primarily stolen through phishing scams, where victims will unknowingly attempt to log in to a malicious clone of a trusted site. These sites can look indistinguishable from the legitimate company they impersonate and even redirect users to the company’s real site once their information is stolen.

Compromised accounts impact revenue, but also quickly erode the trust between the customer and the brand. Even if the customer was careless with their account information, it’s up to the e-commerce platform to identify ATO based on behavior.

Machine learning-based risk decisioning is one of the best ways to prevent an account takeover. By monitoring metrics such as geolocation, session data, and device ID, e-commerce platforms can quickly identify suspicious login attempts and prevent fraud entirely.

Organizations can prevent ATO fraud by doing the following:

Mail Interception Fraud

Mail interception fraud occurs when a criminal uses a stolen credit card or hijacked account to make a purchase that ships to the cardholder’s legitimate address. Once the order is placed, the fraudster will quickly call customer service at the business or its shipping company to change the address or arrange for pick-up at the shipping company’s distribution center.

This technique is used to bypass address verification checks and avoid fraud detection systems. Luckily, this type of fraud is easy to prevent by leveraging machine learning and implementing rigorous procedures for changing account information.

Organizations can prevent mail interception fraud by doing the following:

  • Using robust payment security to prevent the transaction
  • Training customer service to identify interception fraud
  • Requiring additional authentication when making changes to orders or account information

Account Enrollment Fraud

Why take over an account when you can use stolen card information to set up an account or rewards program with an online merchant from scratch?

Today, the volume of stolen and synthetic identity information is climbing fast, with losses stemming from identity theft surging 42% in 2020, according to Aite Group. The Federal Trade Commission reports that as much as 88% of credit card fraud in the US now consists of thieves opening up new accounts.

In these attacks, fraudsters open an account or activate a mobile app using pilfered card information. Since the new user appears legitimate, there is no discrepancy between shipping addresses or contact information—helping them bypass most traditional fraud detection systems.

Organizations can prevent account enrollment fraud by:

  • Requiring multiple forms of identity proof and running it through external databases
  • Deploying solutions that leverage machine learning and identity science to correlate and verify physical and digital identities

Brand Impersonation

Brand impersonation is now implicated in 49% of all fraud attacks worldwide. Brand abuse is by far the most prominent attack vector for cybercriminals due to its simplicity and effectiveness. Cybercriminals steal brand images and company assets and register closely related domain names in order to trick unsuspecting customers.

Brand impersonation is most prevalent in social media- and email-based phishing campaigns, but can also be found in text messages and increasingly, fraudulent brand mobile apps. In these scams, fraudsters leverage the stolen brand’s reputation to bamboozle victims out of their money and harvest their card details.

Brand abuse is costly to both consumers and e-commerce merchants. Consumers stand to lose not only their money through a fake purchase, but also their payment and shipping information. This stolen information is typically used to perpetrate CNP fraud or is sold to others on the dark web.

Consumers often don’t understand how the attack was carried out and hold the brand responsible. This loss of customer trust can lead to negative reviews and news reports that render a brand’s legitimate mobile apps and email and social media communications radioactive to leery customers and prospects—hobbling critical revenue channels. Prevention is vital when combating brand abuse as larger companies are often targeted more frequently.

Organizations can prevent brand abuse by doing the following:

  • Setting up proactive brand abuse monitoring and takedown services
  • Implementing strong email security such as DKIM, SPF, and DMARC
  • Educating staff and customers on identifying fraudulent messaging
  • Using email filtering to protect your network from phishing attacks

Identifying Fraud in Your E-commerce Business

Fraud is an evolving game of cat and mouse, but by identifying the telltale signs of fraud, prevention systems can be built to automatically stop new attacks.

Here are a few risk factors that could indicate e-commerce fraud:

  • New device login for an existing account
  • Unusual login location
  • Mismatched shipping/billing address
  • Large purchases of the same product in a single transaction
  • Numerous separate orders placed in quick succession
  • Multiple orders to the same address with different cards
  • The consumer is using a brand new email address

To automate fraud detection, merchants can leverage machine learning algorithms to identify these and other red flags.
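As an added illustration (not code from this post or from Outseer), the block below scores constructed sample orders against the red flags listed above; the account history, thresholds, and ten-minute velocity window are assumptions, not a vendor's model.

```python
from datetime import datetime, timedelta

# Constructed account history: devices and countries previously seen per account.
KNOWN_DEVICES = {"acct-1": {"dev-A"}, "acct-2": {"dev-B"}}
KNOWN_COUNTRIES = {"acct-1": {"US"}, "acct-2": {"US"}}

def flag_order(order, history):
    """Return the red flags raised by one order; `history` holds earlier orders."""
    flags, acct = [], order["account"]
    if order["device"] not in KNOWN_DEVICES.get(acct, set()):
        flags.append("new_device")
    if order["country"] not in KNOWN_COUNTRIES.get(acct, set()):
        flags.append("unusual_location")
    if order["ship_addr"] != order["bill_addr"]:
        flags.append("address_mismatch")
    if order["qty"] >= 5:  # assumed threshold for "large purchase of the same product"
        flags.append("bulk_quantity")
    if order["email_age_days"] < 1:  # assumed: email address created the same day
        flags.append("new_email")
    # Velocity: two or more earlier orders from this account within 10 minutes (assumed window).
    recent = [o for o in history if o["account"] == acct
              and order["ts"] - o["ts"] <= timedelta(minutes=10)]
    if len(recent) >= 2:
        flags.append("rapid_orders")
    # Card stacking: three or more distinct cards shipping to one address (assumed threshold).
    cards = {o["card"] for o in history if o["ship_addr"] == order["ship_addr"]}
    cards.add(order["card"])
    if len(cards) >= 3:
        flags.append("multi_card_same_address")
    return flags

def score_orders(orders):
    """Process orders in timestamp order and return {order_id: flags}."""
    history, result = [], {}
    for o in sorted(orders, key=lambda x: x["ts"]):
        result[o["id"]] = flag_order(o, history)
        history.append(o)
    return result

# Constructed sample orders: one normal order, then three from a freshly hijacked account.
T0 = datetime(2021, 6, 1, 12, 0)
def _order(oid, acct, dev, cc, ship, bill, qty, email_age, card, minutes):
    return {"id": oid, "account": acct, "device": dev, "country": cc, "ship_addr": ship,
            "bill_addr": bill, "qty": qty, "email_age_days": email_age, "card": card,
            "ts": T0 + timedelta(minutes=minutes)}
SAMPLE_ORDERS = [
    _order(1, "acct-1", "dev-A", "US", "1 Main St", "1 Main St", 1, 400, "c1", 0),
    _order(2, "acct-2", "dev-Z", "ZZ", "9 Drop Ln", "2 Oak Ave", 6, 0, "c2", 1),
    _order(3, "acct-2", "dev-Z", "ZZ", "9 Drop Ln", "2 Oak Ave", 1, 0, "c3", 2),
    _order(4, "acct-2", "dev-Z", "ZZ", "9 Drop Ln", "2 Oak Ave", 1, 0, "c4", 3),
]
```

Running `score_orders(SAMPLE_ORDERS)` leaves order 1 clean and escalates orders 2 through 4 as the velocity and card-stacking signals accumulate.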

How to Prevent E-commerce Fraud

Identifying fraud is only half the battle; it takes proactive measures to recognize high-risk users and activities and prevent fraudulent transactions before they even happen. Let’s review some steps you can take to prevent e-commerce fraud.

Define Your Strategy

Understanding your fraud and risk tolerance is key in fraud prevention. For card issuers, banks, and merchants, it’s critical that each channel have appropriate layers of protection, backed by policies that balance fraud prevention and user experience in accordance with your tolerance. Do you throttle up fraud prevention to avoid loss at the risk of customers defecting to competitors? Or do you prioritize customer experience to outplay rivals while risking serious damage to your bottom line? The best solutions will have strategies for each channel that stop fraud while preserving the customer experience.

Follow PCI Standards

Following the Payment Card Industry (PCI) standards keeps merchants in line with data security best practices and legal requirements. These standards help identify weaknesses in fraud protection through self-assessments and official audits conducted by Qualified Security Assessors.

There are 12 key steps that can help merchants easily achieve PCI compliance:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Implement Layers of Security Throughout the Perimeter—and Beyond

There is no single foolproof solution to e-commerce fraud. Merchants should strategically deploy layers of technology that together create a web of interconnected safeguards. For instance, card issuers, banks, payment processors and merchants should all deploy tools that enhance features built into the EMV® 3-D Secure (3DS) payment standard to prevent transaction fraud.

Using our own product as an example, Outseer 3-D Secure builds upon the 3DS standard by combining it with advanced identity science and shared intelligence from global, cross-industry transaction data to prevent CNP fraud. Merchants around the world leveraged our technology to protect more than $100 billion in CNP transactions in just the first half of 2021.

Likewise, merchants can leverage email standards such as DMARC to help prevent phishing-based brand impersonation attacks, and brand abuse monitoring and takedown services like Outseer FraudAction to shut down the sites (as well as imposter apps and social media pages) used to harvest login and payment credentials from the victims in these attacks.

Put Data Science and Machine Learning to Work Across All Channels

Advancements in machine learning and big data analytics present one of the best ways to proactively counter e-commerce fraud when transactions may occur across the web, mobile, IoT, API, voice, or any number of other channels.

Case in point: Outseer Fraud Manager, which analyzes behavior and cross-references it with offline and online digital identities and transaction data spanning every industry and geography, to detect fraudulent transactions, logins and new account enrollments and prevent e-commerce fraud across any channel.

Stop Fraud, Not Customers

Of course, there’s one other factor central to e-commerce fraud prevention strategies: the customer experience. At a time when shopping cart abandonment continues to impact 75% of all purchases, leading to $4 trillion in lost revenue potential each year, adding any customer friction to prevent fraud is a gamble.

Unlike traditional anti-fraud solutions, Outseer products read between the lines to understand how legitimate customers behave—stopping 95% of all fraud loss while reserving step-up challenges for the scant 5% of transactions that ever require intervention. That’s the best performance in the industry.

With Outseer, checkout times are reduced by 85% and cart abandonment by 70% while fueling consumer confidence and loyalty. Which means a whole lot more revenue for merchants, banks, card issuers and payment processors. And a whole lot less for fraudsters.

To learn how you can protect your customers through the power of frictionless e-commerce fraud prevention, request a free demo today.

Armen Najarian

CMO + Chief Identity Officer

Armen is a 15-year Silicon Valley veteran with deep experience leading the marketing function for fast-growing fraud prevention, predictive analytics, and cybersecurity companies. His most recent leadership roles include CMO positions at Agari and ThreatMetrix, the latter of which he established as the definitive category leader for digital identity solutions.