Ecommerce Fraud Prevention: How Retailers Can Stop Ecommerce Fraud
There's been no shortage of stories about fraudulent transactions in the ecommerce world during the pandemic. Recent research suggests that we can expect global fraud losses in 2021 to be more than $20 billion—that's an increase of 18% from 2020.
To make a bad situation worse, many ecommerce retailers don't know how to use the tools and technology needed to combat fraud effectively, which explains why they make up around 40% of all fraud cases. Merchants operating in the ecommerce space are already at a disadvantage: everything is anonymous, making it a low-risk and therefore attractive place to carry out fraud. Plus, it's now a lot more difficult to complete in-person transactions fraudulently thanks to more advanced card security measures, accelerating the transition of fraud to card-not-present dealings.
As all diligent merchants should know already, increased fraud means a greater number of chargebacks—and few things are more crucial for retailers than minimizing chargebacks if they want to keep their profit margins healthy and continue operating. These disputes result in considerable revenue loss thanks to the fees, resource expenditure, and transaction reversals they involve.
Yet retailers face an even more formidable opponent: the chargeback ratio. The threshold is generally set at around 1%, and exceeding it can result in payment processors inflicting fees and penalties on account holders and, in extreme cases, terminating the merchant account. With no account, continuing to operate in the ecommerce space is practically impossible.
The ideal solution is prevention, but many retailers are put off by the expenses involved. It's also a delicate game—declining genuine, non-fraudulent transactions means shooting themselves in the foot, but failing to detect fraud is disastrous.
Clearly, ecommerce fraud is a pressing issue. The smartest thing retailers can do is clue themselves in about how it works and the solutions that exist to protect them.
Types of Ecommerce Fraud
Often, ecommerce fraud is discussed as if it's all one and the same—yet there are actually a few different types of fraud, each with its own quirks and features. Yes, fraudsters are innovative and always creating new methods to make the life of retailers a misery, but most cases will fit into one of five categories: true fraud, friendly fraud, phishing, refund fraud, or card testing.
True Fraud
When most people hear the word "fraud," they think of true fraud. Simply put, this is defined as using stolen card details (or other credentials) to make an online purchase. This used to happen mostly in card-present transactions, but since the introduction of EMV technology, it has primarily moved online.
Friendly Fraud
Don't be deceived by the name: "friendly" fraud could hardly be described as amicable by most people's definitions. To fall under this category, a buyer disputes a transaction with their bank after making a purchase, allowing them to get a refund despite receiving and not returning the item(s) they wanted. This can be due to misunderstanding of the chargeback process, impatience, or frustration; other times, it can be an intentional strategy to get free products or services.
Phishing (Account Takeover Fraud)
"Phishing" is a well-known fraud strategy that involves gaining access to someone else's account; the aim can be to obtain personal information or payment details to make online purchases. Criminals do this in various ways—it can be as simple as guessing a low-security password, although there are also far more sophisticated techniques.
Refund Fraud
"Buying" items with stolen payment details is even more profitable if the fraudster can then return their purchase and receive a full refund, either in cash or credit for the store. Although this used to be mostly limited to physical establishments, many criminals have now found ways to pull off the same feat in an online setting.
Card Testing
It's common for cybercriminals to steal credit card numbers without knowing the details they need to go forward with purchases (namely, the credit limit and validity). To establish this information, they will often carry out a series of tests through smaller purchases.
This is bad enough when done in isolated incidents, but it can soon spiral out of control if the fraudster is controlling vast numbers of bots to test various cards simultaneously. Once all these bots file their chargebacks, it can result in sizable fees and bring retailers dangerously close to the chargeback threshold. Unfortunately, the practice is also growing.
Ecommerce Fraud Prevention Best Practices (Tools & Strategies)
Given there's so much variation between different types of fraud, the best way to tackle them also varies widely. Each category of fraud demands its own metrics to measure it and its own tools to combat it effectively.
This can be hard to do when a retailer is starting from zero, but after installing a coherent fraud prevention plan, it becomes easier for a merchant to build a clear picture of its most common fraud types and greatest vulnerabilities. With this information, deciding on the right prevention strategy becomes far more straightforward.
Let's take a look at the best strategies for retailers to use in-house and with the help of third-party tools, along with top ways to evaluate how effective fraud prevention strategies are.
True Fraud Strategies
- Take extra care to review orders asking for expedited shipping—this is a method favored by fraudsters since it gives retailers less time to detect illicit transactions. This review can be as simple as sending an email or making a quick phone call to verify the customer's phone number, physical address, and email. Rather than annoying genuine customers or putting them off, this approach is likely to make them appreciate a merchant's due diligence.
- Look for orders that don't fit the retailer's usual sales patterns, such as customers who make multiple orders or unusually large orders, particularly if they're from unusual international destinations. Although these high-value orders seem like a blessing, they're the most likely to be fraudulent.
- Trace the IP addresses of all purchases, especially if they seem suspicious. Although the country might seem irrelevant, it's a strong predictor of fraud since some nations have far higher fraud rates. Be particularly cautious of orders from countries that rarely make purchases.
- Make sure that AVS and CVV matching features are enabled on the payment gateway. It's very unlikely thieves will hold both these details, making it a simple yet effective way to reject charges from stolen cards.
- Store order information in an order management system to protect sensitive data from fraudsters. Look for a system that complies with the Payment Card Industry Data Security Standard, which was established by major card networks to reduce fraud.
True Fraud Tools
- Tools for address validation
- Methods for email verification
- Fraud prevention tools using rules and artificial intelligence
- Frictionless 3-D Secure 2.0
- Order insurance
Friendly Fraud Strategies
- Choose merchant descriptors that customers can easily recognize, or they might file a dispute when they see a transaction they don't recognize on their statement. Including the company's name in the descriptor helps customers quickly remember where the transaction comes from.
- Avoid disappointment or unrealistic expectations by using clear, accurate descriptions and marketing materials. Otherwise, there's a risk that customers will feel so misled that they'll file a chargeback.
- Conduct business in an ethical way at all times. Taking advantage of customers might pay off in the short run, but it increases the chance of them behaving in an equally unethical way when they get the chance.
- Offer helpful customer service that can be accessed quickly and easily. If customers can't get through to representatives, they're more likely to contact their bank instead, which often provides around-the-clock customer service options. In contrast, excellent customer service builds trust and prevents disputes from ever being filed.
- Blacklist customers who file disputes. It might sound petty or unnecessary, but it's a matter of survival. Evidence suggests that many customers file two or three more chargebacks with the same retailer if their first chargeback is successful and no action is taken against them. Fraudsters love easy targets, and even genuine customers may realize they can easily take advantage. By blacklisting these customers straightaway, the number of future disputes is likely to reduce.
- Deliver orders promptly and track return packages. Although some delays are inevitable, no merchant wants to get a reputation for always fulfilling their items late, and frustrated customers might resort to chargebacks (especially if they can't contact customer service). In addition to being diligent and speedy, keep customers in the loop by notifying them about delays, allowing them to access tracking information, and issuing refunds swiftly after orders are returned.
- Let customers know when their order has been processed. In the case of recurring payments, sending an alert both before and after the order is processed is ideal. If there's too much of a time lag between the customer making the order and receiving a charge, they may forget what they ordered.
- Have a dependable system to prevent merchant errors, which is one of the most common causes of chargebacks. These include shipping to the wrong address, charging a customer double for the same item, and processing refunds incorrectly. Fortunately, it's easy to avoid a sizable amount of these errors through improving internal systems.
Friendly Fraud Tools
- Order management software to detect and blacklist troublesome customers
- Third-party chargeback management services
- Chargeback alerts
- Reporting tools to analyze chargebacks
- Visa Merchant Purchase Inquiry (VMPI)
Phishing Fraud Strategies
- Find out if there's anyone using the same business name on the internet to carry out fraud. This can seriously damage a company's reputation, but using Google Alerts should offer a way to take action.
- Prompt customers to choose secure passwords that require a set number of special characters, numbers, and capitalized letters, along with a fixed minimum length. Also, if using security questions for resetting passwords, ensure that the answers can't be found online.
- Encrypt customer login details at the database level with adequate security procedures. Otherwise, if hackers gain access to a company's database file, they can view all the passwords. Encryption and decryption make this impossible.
- Create secure protocols for writing and saving code and storing login details when using third-party developers. No matter how amazing a company's security processes are, there's no guarantee that everyone they work with will take the same precautions.
- Make sure the CRM system and database have strong password requirements. Often, employees falsely assume that a company's internal computer systems are protected from cybercriminals and don't choose strong enough passwords.
- Opt for reliable, high-quality third-party hosting services for CRM systems, such as Google Cloud or AWS. It might be tempting to go for more affordable options, but newer and smaller services tend to be less secure.
- Ensure third-party CRM systems are PCI-compliant and updated with the latest security patches regularly. PCI standards ensure a good level of protection, but new patches are constantly being added; using an outdated system leaves a company vulnerable to hackers.
- Subscribe to your own emails and newsletters so you'll know if anybody has hacked into them to carry out fraud.
- Take measures to ensure employees can't log into admin accounts using public Wi-Fi. Open Wi-Fi networks are insecure and can leave data open to cybercriminals, yet this can be easily prevented.
- Install the latest security patches regularly to keep all systems protected. This applies to all devices used by employees, including computers, phones, tablets, and notebooks. Criminals create new bugs and hacks every day, so keeping everything updated is essential.
Phishing Fraud Tools
- Automated tools to prevent account takeover
- Bots to carry out vulnerability tests on data stored in the cloud
- Tools to find compromised credentials
Refund Fraud Strategies
- Make sure every order shipped has its own tracking number to prove that it was genuinely shipped and delivered. This way, customers can't lie about never receiving their items.
- Have a transparent, specific refund policy that is displayed prominently on the company website. It might be tempting to make refunds as easy as possible for the customer to attract more business, but this can also result in more fraud, so ensure terms are fair.
- Use analytics software to track how many refunds each customer requests, along with their stated reason for the refund. This kills two birds with one stone by identifying possible weaknesses in internal processes and customers taking advantage of the refund policy.
- Write a policy document that clearly outlines the refund process to the customer service department. It's easier for refund abuse to happen when a retailer uses a third-party call center, but having a well-trained internal team to handle requests will reduce the chance of fraudulent refunds being approved.
- Don't offer overnight shipping during holiday seasons. Shipping delays are likely to take place over this period, giving criminals an opportunity to commit fraud.
- Create a database of all customers who have filed disputes to avoid double refund fraud. Since many fraudsters try to request one or more refunds through their bank if their first attempt was successful, blacklisting these customers before they can file a second dispute is key to keeping the number of chargebacks low.
Refund Fraud Tools
- A CRM system with PCI compliance (can blacklist chargeback abusers, prevent orders from blacklisted customers, track returns and refunds, and manage record-keeping).
Card Testing Fraud Strategies
- Make sure the AVS and CVV matching features on the payment gateway are activated. This way, fraudsters will receive an error message when they try to make purchases, keeping them away.
- Watch out for high numbers of small orders, especially if they all took place within a short period. Consider setting a minimum order amount or verifying these orders with the customer.
- Take extra care to review orders from foreign IP addresses, especially if they're from more unusual countries. Most fraud related to card testing occurs outside of the United States, so foreign purchases are automatically more suspicious. Some retailers might even want to decline all orders that come into this category.
- Be on high alert for fraud during the holiday season. This is prime time for cybercriminals, who are well aware that many merchants will be too busy to keep tabs on all orders to their usual standards, and it's also more common for customers to make multiple orders. Try to take the time to verify any suspicious orders with a phone call or email.
- Don't hesitate to blacklist customers that are showing signs of running card testing schemes. These individuals are likely to commit fraud multiple other times after their original successful attempt if they can get away with it.
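The "high numbers of small orders within a short period" check from the list above can be automated as a sliding-window rule over order records. The following is an added example, not code from the original article or from any product it mentions; the field names, thresholds, and the choice to group by source IP and card token are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them on real order history.
SMALL_ORDER_MAX = 5.00          # orders at or below this amount count as "small"
WINDOW = timedelta(minutes=10)  # the "short period" to watch
MAX_SMALL_ORDERS = 3            # small orders tolerated per source IP inside WINDOW
MAX_DISTINCT_CARDS = 2          # distinct cards tolerated per source IP inside WINDOW

def find_card_testing(orders):
    """Map each suspicious source IP to the evidence seen when it first tripped the rule."""
    recent = defaultdict(deque)  # ip -> (time, card token, cvv_ok) inside the window
    flagged = {}
    parsed = [(datetime.fromisoformat(o["ts"]), o) for o in orders]
    for ts, order in sorted(parsed, key=lambda pair: pair[0]):
        if order["amount"] > SMALL_ORDER_MAX:
            continue  # large orders are handled by other review rules
        window = recent[order["ip"]]
        window.append((ts, order["card"], order["cvv_ok"]))
        while ts - window[0][0] > WINDOW:  # drop entries older than the window
            window.popleft()
        cards = {card for _, card, _ in window}
        # Many small orders alone can be a loyal customer; many *cards* is the tell.
        if len(window) > MAX_SMALL_ORDERS and len(cards) > MAX_DISTINCT_CARDS:
            flagged.setdefault(order["ip"], {
                "small_orders": len(window),
                "distinct_cards": len(cards),
                "cvv_declines": sum(1 for _, _, ok in window if not ok),
            })
    return flagged

# Constructed sample orders (documentation IP ranges, made-up card tokens).
SAMPLE_ORDERS = [
    {"ts": "2021-11-26T10:00:05", "ip": "203.0.113.7", "card": "tok_a1", "amount": 1.00, "cvv_ok": False},
    {"ts": "2021-11-26T10:00:40", "ip": "203.0.113.7", "card": "tok_b2", "amount": 1.00, "cvv_ok": False},
    {"ts": "2021-11-26T10:01:10", "ip": "198.51.100.20", "card": "tok_z9", "amount": 4.50, "cvv_ok": True},
    {"ts": "2021-11-26T10:01:30", "ip": "203.0.113.7", "card": "tok_c3", "amount": 1.50, "cvv_ok": True},
    {"ts": "2021-11-26T10:02:15", "ip": "203.0.113.7", "card": "tok_d4", "amount": 1.00, "cvv_ok": False},
    {"ts": "2021-11-26T10:03:00", "ip": "198.51.100.20", "card": "tok_z9", "amount": 3.25, "cvv_ok": True},
    {"ts": "2021-11-26T10:04:00", "ip": "203.0.113.7", "card": "tok_e5", "amount": 2.00, "cvv_ok": True},
    {"ts": "2021-11-26T10:05:00", "ip": "192.0.2.55", "card": "tok_q7", "amount": 250.00, "cvv_ok": True},
]

if __name__ == "__main__":
    for ip, evidence in find_card_testing(SAMPLE_ORDERS).items():
        print(ip, evidence)
```

Flagged sources are candidates for manual verification or blacklisting as described above; the repeat buyer on a single card and the one large order are left alone, which keeps the rule from declining genuine customers.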
Card Testing (Card Cracking) Fraud Tools
- Payment gateways with AVS/CVV matching, PCI compliance, and fraud screening
- Automated fraud prevention tools that are capable of reviewing suspicious orders on the fly and blocking fraudulent orders and customers instantly
Ecommerce Fraud Management Options
No matter how diligent retailers are with implementing top-of-the-range, up-to-date fraud prevention strategies, it's impossible to avoid chargebacks altogether. When customers do file disputes, merchants have to react, and that involves serious time and resource expenditure—putting together evidence to prove transactions were legitimate is no easy task, and analyzing the root cause of every chargeback takes serious time.
Fortunately, there's a way to make everything a whole lot easier: working with a chargeback management firm. Bringing in the experts is often a necessary step—firms will often have access to around-the-clock support and sophisticated analytics that help you understand exactly where your chargebacks are coming from.
Naturally, that doesn't mean merchants should go into the process blindly and hire the first chargeback management firm that comes knocking on their door. Any company worth its salt should be able to produce hard evidence proving they'll offer their clients a positive return on investment. Further aspects to look for are a transparent billing process, security procedures, and performance.
The world of fraud and chargebacks is dynamic, and unfortunately, both are growing over time. It's becoming increasingly difficult to know everything, but it's no longer an option for retailers to bury their heads in the sand and hope for the best. Instead, they need to keep themselves educated and take a stand to protect the empire they've built.
Ecommerce Fraud Solutions: Prevention is Key
Where fraud goes, chargebacks follow, and it is vitally important for ecommerce merchants to minimize the number of chargebacks that get filed against them. Prevention is key, but it can also be costly.
Merchants are stuck in a bind where they must make every effort to detect and avoid fraud and chargebacks, while being careful not to overzealously decline legitimate transactions or allow the costs of fraud prevention to harm their profitability.
MidMetrics offers you real-time visibility into what's going on with your chargeback activity and helps you identify patterns of fraudulent behavior.