Ecommerce fraud is a problem every online retailer faces. Signifyd, an eCommerce fraud protection provider, reports that in 2018 total fraud losses were 7 percent of revenue, totaling over $10 billion, a 3 percent increase on the previous year. The situation is even worse in some verticals, with the beauty and jewelry industry losing over 10 percent of revenue to fraud.
It’s easy to understand why criminals target eCommerce stores. The online retail industry processes millions of credit card transactions each month. It’s challenging to validate those transactions and easy to script automated bots that exploit stolen credit card numbers. The cost of chargebacks falls largely on retailers and not credit card providers. Ecommerce stores are rich with data that criminals can turn into revenue.
Fraud hurts eCommerce retailers in many different ways. The most obvious is the loss of revenue through fraudulent transactions: few businesses can afford to lose stock without payment. But fraud also makes eCommerce retailers suspicious of genuine transactions, which are often blocked because they look as though they might be fraudulent.
Fraud prevention false positives constitute a significant percentage of lost revenue. Ecommerce retailers targeted by fraudsters and other criminals also face increased credit card processing fees, and may even lose the right to take credit card payments altogether.
Because of the prevalence of eCommerce fraud, it’s important that all retailers have an understanding of how criminals will target their business.
Friendly Fraud
Friendly fraud is a euphemism, and not a particularly accurate one, for chargeback fraud. It occurs when a customer disputes a charge on their credit card. Their credit card provider refunds the customer, and then demands that the retailer make them whole. Retailers can contest a chargeback, but the process is weighted toward the cardholder, so in practice they usually lose both the product they delivered in good faith and the revenue from the sale.
Chargebacks were originally introduced to protect credit card users from potential fraud by online retailers and marketplaces. They perform that function well, but they also transfer the risk from the shopper to the retailer.
Friendly fraud can be divided into two categories: deliberate fraud by criminals who exploit the chargeback system and “accidental” fraud by customers who don’t understand the implications of issuing a chargeback.
There is little retailers can do to prevent deliberate chargeback fraud outright, although keeping evidence that an order was legitimate (address verification and CVV match results, delivery confirmation) improves their odds when contesting a chargeback. They can reduce the number of "accidental" chargebacks by offering a clear, generous return policy and making sure customers know about it before they dispute a charge.
Identity Theft
The most common form of eCommerce fraud, identity theft uses stolen personal information to make fraudulent purchases. Identity theft often includes the use of stolen credit card details. Although individuals are usually the victims of identity theft, it's increasingly common for the identities of small businesses to be used when making fraudulent purchases.
As with friendly fraud, it’s often the merchant that ends up losing the most when credit card numbers are used fraudulently. The owner of the credit card is likely to be refunded by the credit card provider, but the merchant will be left out of pocket.
This type of fraud is particularly difficult to defend against because of the false positive problem we mentioned earlier. Basic checks such as address verification (AVS), CVV matching and per-card velocity limits catch the crudest attempts, but a retailer that goes further and denies every transaction that looks unusual risks turning away a large number of legitimate customers and losing sales. Services such as ThreatMetrix and Riskified aim to score transactions accurately enough to block fraudulent purchases without that collateral damage.
Account Takeover Fraud
Account takeover fraud is closely related to identity theft, but instead of creating fraudulent accounts with stolen identities, criminals take over existing accounts and use them to buy products.
Criminals use several methods to take over accounts. Brute force and dictionary attacks are the least sophisticated: the attackers use bots to “guess” username and password combinations. Attackers may exploit vulnerabilities in eCommerce stores to bypass authentication. Another popular technique is credential stuffing: attackers use credentials leaked from other online services in the hope that shoppers have used the same email and password on multiple accounts. For larger stores, attackers may launch sophisticated phishing attacks that aim to trick shoppers into entering their credentials into a fake login interface.
The defenses against account takeovers are as varied as the methods. Two-factor authentication is the strongest defense, but eCommerce retailers are reluctant to require it because it reduces conversion rates. Cheaper measures help against the cruder attacks: rate-limiting failed logins per account and per source, and rejecting passwords that appear in known breach lists, blunt brute force and credential stuffing without touching the checkout flow. Beyond that, the practical approach is to use behavioral data (login velocity, failure rates per source, logins from a new device or location) to identify possible account takeovers and apply step-up verification only to the risky ones. Increasingly sophisticated fraud identification technologies from companies such as Riskified are used to spot account takeovers this way, but the risk of false positives remains.
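The behavioral signals described above can be pulled straight out of the store's login log. The following script is an added example, not code from the original article or from Nexcess: it parses a constructed login log (the line format, the IP addresses, the account names and the thresholds are all assumptions) and raises an alert for the two patterns the previous paragraphs describe, a brute force or dictionary attack (many failures against one account from one source) and credential stuffing (one source trying many distinct accounts with a low success rate).

```python
"""Account takeover heuristics over a login log.

Added example, not part of the original article or of Nexcess's code.
Assumed log format, one event per line: "<ISO timestamp> <ip> <username> <OK|FAIL>"
The sample events, IPs, usernames and thresholds below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Alert:
    kind: str      # "brute_force" or "credential_stuffing"
    ip: str
    subject: str   # targeted account, or how many accounts were tried when the alert tripped


def parse_log(text):
    """Parse the assumed four-column log format into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_ato(events, window=timedelta(minutes=10), brute_force_failures=5,
               stuffing_min_accounts=10, stuffing_max_success_rate=0.2):
    """Slide a time window over each source IP's events and flag ATO patterns.

    brute_force: >= brute_force_failures failed logins for one account from one IP
                 inside the window (password guessing, dictionary attack).
    credential_stuffing: one IP tries >= stuffing_min_accounts distinct accounts inside
                 the window and few of them succeed (leaked credentials replayed).
    Each (kind, ip, account) alert is reported once. Window contents are recounted per
    event, which is fine for a log excerpt but would need incremental counters at scale.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts, seen = [], set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, latest in enumerate(evs):
            while latest.ts - evs[start].ts > window:   # drop events older than the window
                start += 1
            span = evs[start:end + 1]
            failures = Counter(e.user for e in span if not e.ok)
            for user, n in failures.items():
                key = ("brute_force", ip, user)
                if n >= brute_force_failures and key not in seen:
                    seen.add(key)
                    alerts.append(Alert("brute_force", ip, user))
            accounts = {e.user for e in span}
            if len(accounts) >= stuffing_min_accounts:
                success_rate = sum(e.ok for e in span) / len(span)
                key = ("credential_stuffing", ip)
                if success_rate <= stuffing_max_success_rate and key not in seen:
                    seen.add(key)
                    alerts.append(Alert("credential_stuffing", ip, f"{len(accounts)} accounts"))
    return alerts


def constructed_log():
    """Build a constructed log: normal traffic, one brute force run, one stuffing run."""
    t0 = datetime(2019, 5, 1, 10, 0, 0)
    lines = []
    # Normal traffic: bob signs in twice, half an hour apart.
    lines.append(f"{t0.isoformat()} 192.0.2.10 bob@example.com OK")
    lines.append(f"{(t0 + timedelta(minutes=30)).isoformat()} 192.0.2.10 bob@example.com OK")
    # Brute force / dictionary attack: one IP fails nine times against alice, then gets in.
    for i in range(9):
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 203.0.113.5 alice@example.com FAIL")
    lines.append(f"{(t0 + timedelta(seconds=180)).isoformat()} 203.0.113.5 alice@example.com OK")
    # Credential stuffing: one IP tries twelve leaked accounts once each; one password still works.
    for i in range(12):
        outcome = "OK" if i == 7 else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 198.51.100.7 user{i}@example.com {outcome}")
    return "\n".join(lines)


def run_example():
    """Parse the constructed log and return the alerts it produces."""
    return detect_ato(parse_log(constructed_log()))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.kind:20} source={alert.ip:15} {alert.subject}")
```

Running the script reports a brute_force alert for 203.0.113.5 against alice@example.com and a credential_stuffing alert for 198.51.100.7, while bob's normal logins from 192.0.2.10 produce nothing. Note that the successful login at the end of each attack is exactly the event a rate limit on failures alone would not stop; that is the moment to trigger step-up verification rather than silently accept the session.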
Triangulation Fraud
Let's finish with one of the more sophisticated eCommerce frauds. In triangulation fraud, a criminal lists a retailer's product on a third-party marketplace or eCommerce store at a price well below the genuine store's. When a shopper sees the bargain, they buy it from the criminal. But the criminal doesn't have anything to sell.
Instead, they use stolen credit card numbers to purchase the product from the legitimate store and then ship it to the buyer. The criminal gets money from the buyer. The buyer gets the product from the store. All the store owner gets is a chargeback when the fraud is discovered.
There are several variations on this theme. Sometimes the criminal buys the products using stolen credit cards in advance and ships them to the buyer. But, however the scheme is run, the retailer loses out.
Ecommerce Fraud Is on the Rise
Ecommerce fraud is a risk for retailers of all sizes. As eCommerce grows as a proportion of total retail sales, the attractiveness of eCommerce fraud increases. As machine learning services and other sophisticated fraud prevention technologies mature, there is likely to be an escalating arms race between criminals, retailers, and the services created to help retailers verify transactions.
About Brad Boegler – Brad is Director of System Operations at Nexcess. With over a decade in systems administration, he oversees our internal systems and was the author of The Definitive Guide to Magento 2 Optimization. Few systems at Nexcess escape his insight. When not monitoring our hosting infrastructure or upholding PCI security standards, Brad celebrates life with his family and plays a mean game of Puerto Rico.