eCommerce Fraud Detection

Written by WordPress Enthusiast & Technology Writer

May 24, 2024

As more people are doing business online, fraud has become more prevalent. eCommerce fraud places both merchants and customers at risk. Fortunately, there are ways to detect eCommerce fraud to help you stay safe when buying online. In this post, we’ll look at eCommerce fraud, see the main types, and see how to avoid it using the best eCommerce fraud detection practices.


Types of eCommerce Fraud


DataDome

The image above is from DataDome eCommerce fraud protection service, taken from https://datadome.co/

There are many types of eCommerce fraud online. These types can be used independently or together. In this section, we’ll see the major types of eCommerce fraud to help you recognize them.

Account Takeover

With Account Takeover (ATO) fraud, thieves use stolen customer credentials to log into a website to make purchases, change the shipping location, steal account information, etc.

Card Not Present Transactional Fraud

Card-Not-Present (CNP) fraud is transactional fraud that takes place when a stolen card is used without being presented to a merchant for a visual check. The merchant has no way to inspect the card, and a person can purchase without having the card in hand, which makes it easy for thieves to use a stolen card.

This is common practice online since we only need to enter the card information into the fields when making a purchase online. This fraud is easy to accomplish until the card is reported as stolen and canceled. A stolen credit card can cost hundreds or thousands of dollars in damage.

Chargeback

Chargeback fraud is when someone makes a purchase with their credit card and then files a claim to dispute the charges. The bank then files a chargeback to the merchant, so the customer gets the money and the product. If a merchant gets too many chargebacks, they could be marked as a high fraud target. This will increase their payment processing fees.

This isn’t the same as an unauthorized purchase, a stolen card, or a legitimate claim such as the seller not shipping the product. In this case, the person knowingly received the product and filed a claim anyway.

Friendly Fraud

With Friendly Fraud, a chargeback is claimed when a person doesn’t recognize an authentic purchase. They believe an unauthorized purchase was made. However, they may have forgotten about the purchase, someone else in their family made the purchase, the name of the seller doesn’t match the store, etc.

There are many reasons they wouldn’t recognize the purchase. In this case, they had good intentions, but the result is still a chargeback.

Refund Fraud

With Refund Fraud, a customer makes use of the gaps between order fulfillment and shipping to get a refund without returning the product. This gap causes the company to ship the product after the order was refunded. This is also known as Return Fraud.

Fake Website

Scammers often build fake websites that appear to be a real brand or a real online store. The websites sometimes have misspelled brand names for the domain and unfinished dummy text on the detail pages. They offer a common product at a ridiculously low price. Unfortunately, the product never arrives.

This is usually coupled with a Facebook ad that shows the low prices. The scammers create multiple accounts to make comments on the ad, claiming they received their product and highly recommend ordering from them.

Card Testing

With card testing fraud, or credit card fraud, thieves steal a credit card and make a small purchase to see if the bank notices. Once the purchase is approved, they move on to larger purchases.

Hijacking Affiliate Links

Scammers use website crawlers to hijack the site’s real affiliate links and replace them with their own links.

Phishing

Phishing usually occurs through email or text. The recipient receives a fake email that’s made to look as if it came from a known website, such as Amazon, Netflix, UPS, FedEx, or many others.

The email or text claims that the recipient’s credit card was declined, that someone logged into their account, or that their package couldn’t be delivered. It may also thank them for a recent purchase or use a similar tactic.

The goal is to get the recipient to click on the link to enter their information or contact them to straighten out an issue. Both of these result in the scammer getting the recipient’s bank account information.

Data Scraping

With data scraping, someone collects data from a legitimate website to sell to other scammers. The website is usually hacked, and the activity is unknown to the website owners until it’s discovered.

Comment Spam

Spam comments on blog posts and social media posts sometimes include links to fake websites. They often include the link in their comments, but not always. For comments on blog posts, they sometimes add the link to their name when commenting. To help reduce spam, see the article Anti Spam WordPress Plugins.

Retail Arbitrage

With Retail Arbitrage, scammers use bots to purchase large amounts of products at discounted prices. The scammers then sell the products at higher prices somewhere else. While it’s not illegal to purchase something at a low price and sell it for a higher price, the use of bots is malicious, so the products are bought and sold fraudulently.

Interception Fraud

With Interception Fraud, a credit card thief purchases a product with a stolen credit card. After they’ve made the purchase, they intercept the package by either contacting customer service at the company or contacting the shipping company to reroute the package.

Triangulation Fraud

Triangulation Fraud involves a fake eCommerce store with fake products, but it’s harder to detect because the customer receives the products. The goal is to steal the credit card.

When a customer makes a purchase, the fake website gets the credit card information. The website owner uses the card to purchase the product somewhere else and send it to the customer. If the bank contacts the customer, they approve the transaction because they want to make the purchase. The website owner now has access to the credit card to make other purchases.

eCommerce Fraud Detection


SEON

The image above is an eCommerce fraud detection service, taken from https://seon.io/

There are lots of ways to detect eCommerce fraud. There are things to look out for when making purchases on the web, and there are things to look for when selling products on the web.

Wrong URLs for Domains and Email

Names of companies are sometimes misspelled. Sometimes the name is shortened, or a word is left out. For example, PayPal becomes PayPai. An upper case I can look like a lower-case l. The scammer hopes we don’t notice the letter l is replaced with the letter i.

This is more difficult to see in some mobile email apps. Not all email apps show the email address on mobile. This makes it easier for the scam to work because the emails often use real company logos.
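
The check described above can be automated on the sender's domain. The following is an added example, not code from the article or from any service it mentions; the brand list, the look-alike character map and the function names are assumptions made for illustration.

```python
# Added example: the brand list and confusable map are constructed for illustration.
OFFICIAL = {"paypal": "paypal.com", "amazon": "amazon.com", "netflix": "netflix.com"}
CONFUSABLE = {"i": "l", "1": "l", "|": "l", "0": "o"}   # single look-alike characters
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}                # two letters that read as one

def skeleton(label):
    """Collapse characters that look alike so 'paypai' and 'paypal' compare equal."""
    label = label.lower()
    for pair, single in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, single)
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)

def edit_distance(a, b):
    """Levenshtein distance: catches a dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain part of an email address, the part mobile apps often hide."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def check_domain(domain):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    for brand, official in OFFICIAL.items():
        if domain == official or domain.endswith("." + official):
            return ("legitimate", brand)
    labels = domain.split(".")
    # Assumption: the name sits just before a one-label suffix such as .com.
    name = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in OFFICIAL:
        same_shape = skeleton(name) == skeleton(brand)
        if same_shape or edit_distance(name, brand) <= 1:
            return ("lookalike", brand)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ["service@paypal.com", "service@paypai.com", "help@arnazon.com"]:
        print(sender, check_domain(sender_domain(sender)))
```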

Multiple Chargebacks

Someone may request a legitimate chargeback, but this shouldn’t happen often. When someone requests multiple chargebacks, block them from making future purchases. Send automated email confirmations so the customer is aware they are receiving a product they purchased. Require a signature for delivery when possible.

Address and IP Don’t Match

Customers can purchase something and have it shipped to a different location. However, it could be fraud. It’s best to keep watching these types of purchases for other indications that they could be fraudulent purchases.

Multiple Shipping Addresses

It’s common for credit card thieves to have products shipped to several different addresses to make it more difficult to find them. If you see lots of addresses connected to one account, this is an indication that the account should be watched for fraudulent purchases.

Expedited Shipping

Credit card thieves often choose expedited shipping to get the products as fast as possible. Since they’re not paying for the shipping, they don’t mind that it costs extra. If you see expedited shipping selected at an abnormal rate, this could indicate fraudulent purchases.

Changing Email Addresses

Sometimes a customer wants to change the email they use for making purchases, but they usually keep both email addresses. While customers can change their email addresses, it’s not a common practice. Changing email addresses is an indication that the account should be watched closely.

Multiple Credit Cards

Many customers have two or more credit cards, so they can use more than one. However, if the same account adds new credit cards regularly, that could be an indication they’re using stolen cards.
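
The account-level signals in this section (chargebacks, address and IP mismatch, shipping addresses, expedited shipping, email changes and new cards) can be checked together over an order history. This is an added example, not code from the article or from any fraud detection service; the field names, thresholds and sample orders are assumptions, and the IP check compares countries only.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to your store's baseline.
MAX_ADDRESSES = MAX_CARDS = 3
MAX_EMAILS = MAX_CHARGEBACKS = 1
EXPEDITED_RATE, MIN_ORDERS = 0.8, 3   # rate only counts once there are 3+ orders

def review_accounts(orders):
    """Group orders by account and return {account: (action, [signals])}."""
    by_account = defaultdict(list)
    for o in orders:
        by_account[o["account"]].append(o)
    report = {}
    for account, rows in by_account.items():
        signals = []
        if len({r["ship_to"] for r in rows}) > MAX_ADDRESSES:
            signals.append("multiple_shipping_addresses")
        if len({r["card"] for r in rows}) > MAX_CARDS:
            signals.append("multiple_credit_cards")
        if len({r["email"] for r in rows}) > MAX_EMAILS:
            signals.append("changed_email")
        if any(r["ip_country"] != r["ship_country"] for r in rows):
            signals.append("address_ip_mismatch")
        expedited = sum(r["expedited"] for r in rows) / len(rows)
        if len(rows) >= MIN_ORDERS and expedited >= EXPEDITED_RATE:
            signals.append("expedited_shipping")
        if sum(r["chargeback"] for r in rows) > MAX_CHARGEBACKS:
            signals.append("multiple_chargebacks")
            action = "block"   # the article's advice for repeat chargebacks
        else:
            action = "watch" if signals else "ok"
        report[account] = (action, signals)
    return report

# Hypothetical order fields with their default values.
DEFAULTS = dict(expedited=False, chargeback=False, ip_country="US", ship_country="US")

def order(account, ship_to, card, email, **extra):
    row = dict(account=account, ship_to=ship_to, card=card, email=email)
    return {**DEFAULTS, **row, **extra}

SAMPLE = (   # constructed history, not real customer data
    [order("alice", "addr-1", "card-A", "alice@example.com") for _ in range(3)]
    + [order("bob", f"addr-{i}", f"card-{i}", "bob@example.com", expedited=True)
       for i in range(4)]
    + [order("carol", "addr-9", "card-C", "carol@example.com", chargeback=True)
       for _ in range(2)]
)

if __name__ == "__main__":
    print(review_accounts(SAMPLE))
```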

Protect Yourself from eCommerce Fraud


Ubiquity

The image above is from Ubiquity eCommerce fraud detection service, taken from https://www.ubiquity.com/solutions/fraud-risk-compliance

We need to protect ourselves online as consumers as well as sellers. Here are some tips to protect yourself when buying or selling online.

Protect Yourself When Buying Online

LifeLock

The image above is a personal online protection service from LifeLock, taken from https://lifelock.norton.com/

When purchasing products online, there are several ways to ensure that you’re buying from a reputable seller.

  • Never use PayPal Friends and Family. Always use Goods and Services.

  • Don’t click on links within emails or respond to emails alerting you about your password, credit card, etc. Instead, go to the sites directly.

  • Keep a close watch on your bank accounts. Check through your reported purchases and immediately report any activity that looks suspicious.

  • When purchasing from websites or reading emails, look at their spelling and grammar. Often, scammers are from countries where English is not the first language. Scammers are prone to making lots of spelling and grammar mistakes. Companies like Amazon are not going to send an email that looks as if English isn’t their first language. They’re not going to misspell their own name.

  • Never give your payment information to a non-secured website. Make sure they use Hypertext Transfer Protocol Secure (HTTPS) for secure transactions.

  • Never pay a company with gift cards. Anyone asking for gift cards as payment is a scammer, and gift cards can’t be traced. Authentic online companies take standard forms of payment.

  • Research companies you’ve never heard of. Check their reputation online and see if other buyers have shared their experience with the company. If in doubt, don’t make the purchase.

  • When looking at comments on social media ads, check the commenter’s accounts to see if they’re new.

  • Consider an online identity protection service.

Protect Yourself When Selling Online

Kount

The image above is an eCommerce fraud detection service, taken from https://kount.com/

When selling from your website, there are several ways to ensure you’re selling to the correct person. For more information about eCommerce, see the article How to Create an eCommerce Website with WordPress.

  • Use a WordPress security plugin that blocks spam comments and fraudulent links. Use the security plugin to block comments from unwanted URLs, IPs, countries, or that contain certain keywords. For more, see the article Best WordPress Security Plugins.

  • When taking credit cards from customers, verify the mailing address associated with the card.

  • Send an email verifying the purchase. This works as a reminder and helps reduce friendly fraud. If you suspect a person has engaged in friendly fraud, send a reminder once the package has been delivered.

  • Don’t use out-of-date plugins for eCommerce and affiliate marketing. Keep all WordPress plugins and themes updated. This is true of eCommerce plugins and themes. For more, see the article How to Better Manage Automatic WordPress Updates.

  • Never use WordPress plugins and themes that haven’t been kept updated. There are lots of plugins and themes in the WordPress repository that no longer receive updates. It’s best to avoid them.

  • If your online store is accepting payment cards, then you must comply with the Payment Card Industry Data Security Standard (PCI DSS). This specifies practices and protocols that you must adhere to. These security practices are designed to protect your store and your customers from fraud.

  • Use 2-factor Authentication. This reduces account takeovers because the person has to answer a security question or enter a code from an email or a text message. If they don’t have access to this second factor, they are not the account owner and can’t make the purchase.

  • Always require a Card Verification Value (CVV) or Card Security Code (CSC). Every payment card has a 3- or 4-digit code on the back that gives an extra level of security. If the card itself is stolen, the thieves will have access to this code. However, requiring the code reduces activity from malicious bots and stops those who don’t have the code from making a purchase.

  • Always use Hypertext Transfer Protocol Secure (HTTPS) for secure data transfer.

  • Set purchase limits to keep thieves from testing cards. Thieves often use bots to test multiple cards, and they sometimes make dozens or hundreds of small purchases per hour. Setting the maximum number of transactions per account keeps them from quickly testing multiple cards.

  • Close the gaps between order fulfillment and shipping. If an order has been refunded, stop the shipping process. Once an order has been shipped, require the customer to return the product before refunding the purchase.

  • Consider an eCommerce fraud detection service.
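
The purchase limit against card testing from the list above can be implemented as a sliding window over each account's payment attempts. This is an added example, not code from the article or from any WordPress plugin; the class name, the limit of 5 attempts per hour and the sample events are assumptions.

```python
from collections import defaultdict, deque

class PurchaseLimiter:
    """Sliding-window cap on payment attempts per account."""

    def __init__(self, max_attempts=5, window_seconds=3600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)   # account -> timestamps of counted attempts

    def allow(self, account, now):
        """Return True and record the attempt if the account is under its limit."""
        recent = self._attempts[account]
        # Forget attempts that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return False          # over the limit: refuse before charging the card
        recent.append(now)        # count approved and declined attempts alike
        return True

def replay(events, limiter):
    """Run (timestamp, account, amount) events in order; return the blocked ones."""
    return [e for e in events if not limiter.allow(e[1], e[0])]

# Constructed events: a bot tries a $1 purchase every 30 seconds,
# while a regular shopper places two orders in the same hour.
BOT = [(t * 30, "acct-bot", 1.00) for t in range(20)]
SHOPPER = [(100, "acct-jane", 54.90), (2500, "acct-jane", 12.00)]
EVENTS = sorted(BOT + SHOPPER)

if __name__ == "__main__":
    blocked = replay(EVENTS, PurchaseLimiter())
    print(len(blocked), "attempts blocked; first at t =", blocked[0][0])
```

Calling the limiter before the payment gateway means a blocked attempt never reaches the card network, so the tester learns nothing about whether the card is valid.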


Ending Thoughts on eCommerce Fraud Detection


That’s our look at eCommerce fraud detection. Unfortunately, we face a high rate of eCommerce fraud. While no detection system is foolproof, there are lots of things we can look for to detect eCommerce fraud. Following the tips we’ve included here will help make the web a safer place to buy and sell.

We want to hear from you. Have you used these tips for online fraud detection? Let us know about your experience in the comments.

Frequently Asked Questions

Can WordPress be used for eCommerce?

WordPress offers many different ways to build an eCommerce online store for all types of products and markets. Almost 40 percent of all online shops are powered by WooCommerce, a WordPress eCommerce plugin.

Does Verpex provide free SSL certificates for all eCommerce Hosting plans?

Yes, Verpex includes free SSL certificates with all eCommerce Hosting plans, ensuring secure transactions and enhanced credibility for your online store.

What are the data security implications of using chatbots for eCommerce?

Data security requires encryption, access controls, and compliance with regulations. Mishandling customer data can lead to legal and reputational consequences.

Can I upgrade or downgrade my eCommerce Hosting plan as my business grows?

Yes, Verpex offers scalable eCommerce Hosting solutions, allowing you to easily upgrade or downgrade your hosting plan according to your business needs.
