3 Pillars of eCommerce Fraud Prevention


Cybercrime, including e-commerce fraud, has been on the rise since the beginning of the pandemic. This means that ecommerce fraud protection and cybersecurity require more attention from online merchants.

The ecommerce fraud prevention strategy must combine three components: People, Process, and Technology.

eCommerce Fraud Trends

eCommerce fraud has been rising since the beginning of the COVID-19 pandemic, as more retail volume moved online. Online retailers currently deal with around 206,000 attacks on their stores each month worldwide. (1)

A Juniper Research report indicated that online retailers could lose more than $20 billion in 2021 to e-commerce fraud crimes, including identity theft, chargeback fraud, and account takeovers. (2)

What is eCommerce Fraud?

Ecommerce fraud is criminal deception conducted during a commercial transaction over the Internet for the financial or personal gain of the fraudster, at the expense of the merchant's bottom line.

eCommerce Fraud Types

Payments Fraud

Criminals can easily buy personal information, including credit card numbers, on the dark web. Many merchants have been victims of chargeback fraud when a criminal buys popular, easy-to-resell items using stolen credit cards. The credit card owner, who didn’t purchase the merchandise, files a complaint with the credit card company. Payment fraud is the most common reason for a chargeback.

The buy online, pick up in-store ecommerce model became very popular during the pandemic. This model opens new opportunities for fraudsters to use stolen credit cards and pick up goods without needing to share a legitimate postal address. According to the research, such attacks increased by 55%. (2)

New Account Fraud (NAF)

New Account Fraud (NAF) occurs when a fraudster creates a new account based on stolen personal information. A Social Security number is often, but not always, required to commit this kind of fraud. Since it is a new account, almost limitless online purchases can be made before the merchants and credit card companies recognize that fraud has occurred. The fraudster uses a different mailing address to prevent the victim from seeing the bills and detecting the fraud until it’s too late. (3)

Account Takeover (ATO)

Cybercriminals are also coming up with new strategies and tactics targeting merchants. (2)

Sophisticated criminals are trying to take over merchant bank accounts with complex attacks. These attacks are not easy to detect. The volume of such attacks increased 282% in the first half of 2020.

Friendly Fraud (Chargeback)

So-called friendly fraud volume more than doubled in the first half of 2020. Friendly fraud is when a customer files an ‘item not received’ chargeback to game the system, getting a refund while keeping the product.

Affiliate Fraud

Affiliate fraud is an illegal activity that abuses affiliate marketing to collect commissions using fake clicks and false sales conversions.

Online merchants pay affiliates a commission for clicks that convert to sales. The sales are tracked via affiliate links from one website to another. When a shopper clicks on one of these links and makes a purchase, the merchant rewards the affiliate for the referral by giving the affiliate a commission.

In affiliate fraud, criminals game the system and defraud the online merchant using fake activity to generate commissions or increase the amount of the commissions.

Fraudsters may use bots or rely on humans, most often in click farms. A common form of affiliate fraud is “typosquatting,” in which a criminal registers domain names that match commonly mistyped versions of an online store’s legitimate URL. The fraudster then redirects that domain name to the merchant’s website through an affiliate link, collecting commissions on purchases the shopper would have made anyway.

Loyalty Fraud

Loyalty and rewards programs have become valuable to fraudsters; 72% of airline loyalty programs have a fraud issue. Notably, 10% of these programs did not know if they had a fraud problem or did not know that loyalty fraud could occur. Miles and points can be used as cash when they are used to purchase goods and services.

Consumers and many businesses that offer loyalty programs are not necessarily aware of the value loyalty points have to fraudsters. The lack of awareness explains why there aren’t many security measures applied to protect loyalty programs and why fraudsters have taken advantage. Account data is stolen, and points are transferred to fake accounts, later to be sold online. (3)

Three Pillars of eCommerce Fraud Prevention: People, Process, Technology

Merchants who are new to ecommerce sometimes confuse keeping an online store secure with having HTTPS enabled and an SSL/TLS certificate installed. While encrypting online communication is essential, encryption is only one element of cybersecurity. A comprehensive ecommerce fraud prevention strategy must combine three components: People, Process, and Technology.

People


People are a critical part of keeping your ecommerce business secure, minimizing risk and any losses due to cyberattacks/fraud. The right people strategy combines hiring qualified personnel and providing necessary initial training, as well as regular updates about emerging threats.

Keeping your ecommerce store and retail operation compliant with the PCI Data Security Standard (PCI DSS) is not only a requirement but also good practice for your business. The PCI standard and its recommendations should be part of your training program. (6)

What is the PCI DSS?

The PCI Data Security Standard (PCI DSS) applies to all entities storing, processing, and transmitting cardholder data. It covers technical and operational practices for system components included or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.

PCI provides necessary resources and tools for merchants to defend against threats and attacks that can put their business at risk. (5)

Process


There are a few recommended practices to follow:

  • Make sure your online store is PCI DSS compliant.
  • Monitor your site regularly for suspicious activity.
  • Use an Address Verification Service (AVS).
  • Require Card Verification Value (CVV) numbers for all purchases.
  • Avoid collecting too much sensitive customer data.
  • Set limits on purchases.
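As an added illustration (example code, not from the article or any vendor), the following rule-based pre-authorization screen applies the AVS, CVV and purchase-limit practices from the list above. The result codes are assumed Visa-style conventions and the limits are hypothetical; map them to your own processor's codes and risk appetite.

```python
# Added example, not part of the article: a rule-based pre-authorization screen
# applying the AVS, CVV and purchase-limit practices from the list above.
# Assumed result codes (Visa-style conventions; map your processor's own):
#   AVS: Y full match, A street only, Z ZIP only, N no match, U unavailable
#   CVV: M match, N no match, P not processed, U unavailable
from collections import defaultdict, namedtuple

Order = namedtuple("Order", "order_id email amount_cents avs cvv")
MAX_ORDER_CENTS = 150_000           # hypothetical per-order limit
MAX_DAILY_CUSTOMER_CENTS = 300_000  # hypothetical per-customer daily limit


def screen(order, daily_totals):
    """Return (decision, reasons) with decision 'approve', 'review' or 'decline'.
    Hard signals (CVV or full AVS mismatch) decline; soft signals go to manual
    review so legitimate orders are not falsely declined."""
    if order.cvv == "N":
        return "decline", ["CVV mismatch"]
    if order.avs == "N":
        return "decline", ["AVS: neither street nor ZIP matched"]
    reasons = []
    if order.cvv in ("P", "U"):
        reasons.append("CVV not verified")
    if order.avs in ("A", "Z", "U"):
        reasons.append(f"AVS partial or unavailable ({order.avs})")
    if order.amount_cents > MAX_ORDER_CENTS:
        reasons.append("exceeds per-order limit")
    new_total = daily_totals[order.email] + order.amount_cents
    if new_total > MAX_DAILY_CUSTOMER_CENTS:
        reasons.append("exceeds daily per-customer limit")
    if reasons:
        return "review", reasons
    daily_totals[order.email] = new_total  # only approved spend counts
    return "approve", []


# Constructed sample orders (fictional customers and amounts).
SAMPLE_ORDERS = [
    Order("o1", "ann@example.com", 5_000, "Y", "M"),    # clean
    Order("o2", "bob@example.com", 9_900, "Y", "N"),    # CVV mismatch
    Order("o3", "cat@example.com", 200_000, "Z", "M"),  # ZIP-only AVS, over limit
    Order("o4", "ann@example.com", 299_000, "Y", "M"),  # pushes ann over daily cap
]


def run(orders):
    """Screen orders in sequence with one shared per-customer spend tracker."""
    totals = defaultdict(int)
    return {o.order_id: screen(o, totals) for o in orders}
```

Orders that fail a soft check are routed to review rather than declined, which is the behaviour the False Declines section below argues for.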

Technology


3 Technology Recommendations

  • Work only with PCI DSS compliant third-party service providers for your ecommerce website hosting, payment service providers, or payment gateways.
  • Use point-to-point encryption for any credit card data in transit, for instance, the HTTPS protocol for online stores.
  • Do not store credit card numbers, even if you need to charge customers later for customer service or recurring payments. Use tokenization technology instead. Tokenization replaces the card number with a token from which the original card value cannot be determined, eliminating the need to store credit card data.
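To make the tokenization recommendation concrete, here is an added example (not from the article or any payment provider) of a minimal token vault: the merchant keeps only a random token and the last four digits, while the card number lives solely inside the vault. Class and function names are hypothetical, and the vault is an in-memory stand-in for what a payment provider would operate.

```python
# Added example, not part of the article: a minimal tokenization vault showing
# why a token reveals nothing about the card number behind it. Names are hypothetical;
# in practice the payment provider runs the vault, so the PAN never reaches the merchant.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject mistyped card numbers before they are vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Keeps the only copy of token -> PAN (constructed in-memory stand-in)."""

    def __init__(self):
        self._store = {}

    def tokenize(self, raw_pan: str) -> dict:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        # Random, not derived from the PAN: no hash to reverse or brute-force,
        # and the same card tokenized twice yields unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        # The merchant stores only this; last4 is enough for receipts and support.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Stand-in for the provider's charge call; the PAN stays inside the vault."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}


# Constructed input: a widely used Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    vault = TokenVault()
    ref = vault.tokenize(SAMPLE_PAN)
    print(ref, vault.charge(ref["token"], 1999))
```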

Ecommerce Fraud Prevention Technologies

Ecommerce fraud prevention technologies are a fast-growing category of software that helps merchants minimize losses caused by fraud. These solutions use AI and machine learning algorithms to spot illegitimate activity and notify merchants about the potential risk.

The new generation of anti-fraud systems uses multiple technologies to minimize risk instead of relying only on rule-based behavioral patterns detection. These solutions may combine customer authentication, the information contained in the order, credit card credentials, location, and other data to detect potential fraud.

False Declines

Unfortunately, some techniques focus only on credit card fraud prevention and may trigger false card declines, causing merchants to lose sales from legitimate customers and damage the customer experience.

The negative consequences of falsely declined transactions extend beyond a single transaction. The retailer may lose potential new customers forever. On the other hand, a valid credit card transaction does not prevent “friendly fraud.”

Hybrid Fraud Protection

Hybrid fraud solutions combine fraud detection software with experienced agents who analyze orders, seeking evidence to approve them or confirm fraud at this step without contacting the customer. There is evidence that the hybrid approach minimizes financial loss through a more balanced approach than traditional systems and processes: it reduces the risk from fraud while saving orders that would otherwise be falsely declined.

ClearSale

One such fraud prevention provider, ClearSale, offers a broad range of these solutions for SMBs and enterprises. ClearSale positions itself as a complete fraud solution that addresses both chargebacks and false declines.

Conclusion

Cybercrime, including e-commerce fraud, is on the rise. This means that ecommerce fraud protection and cybersecurity require more attention from online merchants.

The traditional process and technologies are not adequate anymore to protect from the growing threats. Most small and medium businesses don’t have the necessary resources and expertise in-house, so it is practical to partner with expert service providers to minimize fraud risk.

References

  1. Merchant Fraud Journal’s 2021 Fraud Trends Report, https://www.merchantfraudjournal.com/wp-content/uploads/2021/02/MFJ-2021-Fraud-Trends-Rep
  2. Ecommerce Losses To Online Payment Fraud To Exceed $20 Billion Annually In 2021, https://www.juniperresearch.com/press/ecommerce-losses-online-payment-fraud-exceed-20bn
  3. The Top 5 Types of Fraud Impacting the eCommerce Industry, https://blog.securedtouch.com/the-top-5-types-of-fraud-impacting-the-ecommerce-industry
  4. Ecommerce Fraud + 11 Fraud Prevention Strategies – BigCommerce, https://www.bigcommerce.com/blog/ecommerce-fraud/
  5. Protect your business. Secure your payment data, https://www.pcisecuritystandards.org/merchants/
  6. Why Security Matters, https://www.pcisecuritystandards.org/pci_security/why_security_matters

Igor Nesmyanovich, Ph.D., CISSP
igor@eradium.com

Igor Nesmyanovich is a Data Scientist and the CEO of Eradium. Igor began his career as a space scientist and for more than two decades has applied the art of science to the emerging digital world. He has been a Certified Information Systems Security Professional since 2004. Today Igor’s focus is on helping clients accelerate business growth with technology innovations at the intersection of marketing, science, and technology.