Last week, your business’s e-commerce sales were much higher than forecasted and it seemed that orders would continue to fly in – that is, until you received a notification from customer support informing you that there’s been an influx of customer complaints and credit card chargebacks. What could have gone wrong? Was there an issue with that batch of items during production? Or was it an issue with shipping, such as missing or damaged products? Maybe your company struggled to keep up with the sudden rise in orders and there were some operational mishaps?
After customer support spends some time talking to your frustrated clientele to find out why they were requesting chargebacks, you discover that all of them claim they didn’t make any purchases on your e-commerce website all throughout the previous week. Is it really possible that this many people forgot about a purchase they made? Maybe, but probably not. What’s more likely is that your e-commerce business, and by extension these consumers, were victims of e-commerce fraud, which is becoming very common in the digital marketplace.
Types of E-Commerce Fraud
There are many different ways that attackers are trying to steal from and take advantage of e-commerce businesses and consumers. Most of the fraudulent attempts seen on e-commerce sites involve the use of stolen or misrepresented information including credit card numbers, shipping and billing addresses, and even entire identities. Scammers are becoming more technically and socially savvy as they work to swindle online shoppers and the websites they visit.
Companies conducting business online need to be aware of the types of e-commerce fraud they are being exposed to and how to prevent themselves from falling victim to it so they can operate more effectively and profitably.
BIN Attack or Credit Card Testing
A Bank Identification Number (BIN) attack is when an attacker uses your e-commerce site to repeatedly test a large amount of credit card account numbers that they’ve randomly generated using software tools. Most of the attempts will be invalid and lead to failed transactions, but once a transaction is successful, the attacker will know they have found valid credit card numbers and will begin to rapidly make more purchases using that information until they are detected.
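The signature of card testing is a burst of declined authorizations from one source across many different card numbers. The following detection logic is an added example, not code from the original article; it runs over constructed gateway log lines (timestamp, client IP, card BIN, result) and flags a source once its declines inside a sliding window exceed assumed thresholds, which you would tune against your own decline baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of payment-gateway events (not real traffic):
# timestamp, client IP, first six digits of the card (BIN), gateway result.
SAMPLE_EVENTS = """\
2024-03-04T10:00:01Z 203.0.113.7 411111 declined
2024-03-04T10:00:03Z 203.0.113.7 411112 declined
2024-03-04T10:00:04Z 203.0.113.7 411113 declined
2024-03-04T10:00:06Z 203.0.113.7 411114 declined
2024-03-04T10:00:07Z 203.0.113.7 411115 declined
2024-03-04T10:00:09Z 203.0.113.7 411116 approved
2024-03-04T10:05:00Z 198.51.100.9 522222 approved
2024-03-04T10:20:00Z 198.51.100.9 522222 declined
"""

WINDOW = timedelta(minutes=5)      # assumed sliding window
DECLINE_THRESHOLD = 4              # assumed: declines per source in the window
DISTINCT_CARD_THRESHOLD = 4        # assumed: distinct card numbers among those declines


def parse_event(line):
    ts, ip, card_bin, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, card_bin, result


def detect_card_testing(log_text, window=WINDOW,
                        decline_threshold=DECLINE_THRESHOLD,
                        distinct_threshold=DISTINCT_CARD_THRESHOLD):
    """Return {ip: time_of_first_alert} for sources whose recent declines
    look like automated card testing rather than a customer's typo."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, card) for declines
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, card, result = parse_event(line)
        if result != "declined":
            continue                # a single shopper mistyping shows as few declines
        q = recent[ip]
        q.append((ts, card))
        while q and ts - q[0][0] > window:   # drop declines older than the window
            q.popleft()
        distinct_cards = len({c for _, c in q})
        # Many declines AND many different card numbers from one source: raise once.
        if (len(q) >= decline_threshold and distinct_cards >= distinct_threshold
                and ip not in alerts):
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_card_testing(SAMPLE_EVENTS).items():
        print(f"card testing suspected from {ip} at {when.isoformat()}")
```

In production the same rule would be applied per account and per device fingerprint as well as per IP, since testers rotate addresses.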
Friendly Fraud or Chargeback Fraud
Friendly fraud and chargeback fraud are almost identical, because as the latter’s name implies, they both involve credit card chargebacks. There is one key difference between them though – the intentions of the person requesting the chargeback.
Friendly fraud is when a person requests a chargeback without trying to purposely commit fraud. For example, a customer forgets about a purchase they made on a new website and then doesn’t recognize the merchant or transaction, so they request a chargeback on their credit card.
Chargeback fraud is when the person requests a chargeback in order to knowingly commit fraud and avoid paying for a product or service that they have benefited from and have no legitimate problems with.
Refund Fraud
This type of fraud is similar to chargeback fraud, but instead of requesting a chargeback through their credit card issuer, a person requests a refund directly from the company that sold them the product or service. By requesting a refund and lying about the condition or arrival of the product, the fraudster gets their money back and keeps the product they purchased, now at no cost.
Triangulation Fraud
This is an advanced type of fraud where a bad actor who is in possession of stolen credit card information posts a copy of a product listing online, usually at a price much cheaper than the product typically sells for. Then, they wait for a buyer to come along and purchase their discounted item. The attacker then uses the stolen credit card to purchase the actual product from a legitimate seller and has it shipped to their buyer’s address.
This leaves the buyer happy as they receive the item they wanted at a low price. The scammer is happy because they pocket the money from the buyer without actually selling or losing anything. Meanwhile, the e-commerce company is left with less inventory and a mess of fraudulent transactions from the scammer to deal with.
Account Takeover Fraud
Account takeover fraud is a form of identity theft where a criminal gains control of a legitimate shopper’s account, making it very easy for them to commit financial fraud on the e-commerce site that the victim’s account is registered to. They will begin to make purchases and have the orders shipped to themselves, all on the victim’s dime, until their fraudulent activity is discovered.
Clean Fraud
Clean fraud is another form of identity theft where a criminal has enough Personally Identifiable Information (PII) about an individual that they are able to completely pose as that person. This typically involves setting up a new account, rather than taking over an existing one, and using the PII they’ve collected to make the account appear legitimate so that it bypasses any fraud detection systems that may be in place. The criminal will then start making purchases in the victim’s name until the victim realizes what’s happening and freezes or closes the financial account that was compromised.
Interception Fraud or Shipping Fraud
This is a type of fraud that involves the scammer making a fraudulent purchase on an e-commerce website using a victim’s stolen credit card information, billing address, and shipping address. By accurately matching this information, the scammer prevents the transaction from being flagged as fraudulent. Then they reach out to either the company’s customer service department or the company responsible for shipping the product in an attempt to get the shipping address changed to their own.
Basically, the victim unknowingly pays for a product, the scammer reroutes it to their own address, and the seller loses inventory and gets a chargeback (once the victim notices the illegitimate purchases).
Affiliate Fraud
Affiliate fraud is an umbrella term for a number of different ways that bad actors manipulate and exploit the affiliate marketing campaigns of advertisers. It is always done with the intention of defrauding the advertiser in order to receive a higher payout from the marketing program they’re participating in.
Examples of affiliate fraud include generating fake clicks or views on a webpage ad using automated software, and cookie stuffing. In cookie stuffing, a user visits an affiliate partner’s website but does not click on the affiliate link; the affiliate partner nevertheless leaves a cookie on the user’s device without having redirected them to the advertiser’s site. If the user ever independently visits the advertiser’s site, the affiliate software detects the cookie, assumes that the affiliate partner must have referred the customer, and pays out an unearned commission to the partner.
How To Mitigate E-Commerce Fraud
E-commerce businesses can defend themselves from fraudulent activity in a variety of ways, including technical and regulatory controls. It’s crucial for organizations conducting online transactions to implement proper protections to keep themselves and their customers safe from fraud. Strong security practices will make your customers and stakeholders more confident in your business’s ability to manage and grow its online presence.
Some customers may actually be interested in exactly how you’re protecting their private or financial data, and it can be beneficial to your reputation to educate them with an FAQ page for security related questions. The following security controls can be adopted by e-commerce businesses working to mitigate fraudulent activity on their website and protect consumers.
Multi-Factor Authentication, Strong Passwords, and Adaptive Authentication
It is important to have both Multi-Factor Authentication and strong passwords enabled (and preferably enforced) for all user accounts on your e-commerce website. Adaptive authentication is also important – it generates a risk profile for users and requires additional authentication for risky profiles attempting to access more highly privileged systems or data. This greatly improves their overall account security and will reduce the odds of your users falling victim to account takeover fraud and other social engineering attacks.
CAPTCHA
Using CAPTCHA on your e-commerce site for user signup, password resets, and even purchases will hinder attackers who are attempting a BIN attack or credit card testing. CAPTCHA helps prevent bots and automated software from repeatedly attempting to make transactions with fraudulent credit card details on your website. It also helps protect against an attacker attempting to create fake accounts or reset users’ passwords with automated scripts.
It’s worth noting that CAPTCHAs can be very annoying for customers. When installing a CAPTCHA, consider using a human-friendly CAPTCHA. It might be difficult to believe, but the simple math problem (What does 4+7 equal?) on our contact form is doing a better job of stopping spam than Google’s own reCAPTCHA. It’s much easier for humans too!
Fraud Identification Training for Employees
Training your employees on how to recognize and detect fraudulent activity that is occurring on your e-commerce platform will always be a valuable investment. It’s impossible to completely block all attempts of fraud on your website using only software and tools, so it’s important for your workforce to be trained in identifying and responding to different types of e-commerce fraud. Your team may be the last line of defense in protecting your business from fraud and scammers, so be sure to equip them with the skills and knowledge they need to properly safeguard your business.
Email Address Verification/Notification
Adding an email address verification step to your user enrollment process can greatly reduce the number of fraudulent accounts that attackers can create with stolen email addresses. By requiring users to verify their email address before completing their account sign up, your e-commerce site will have an extra layer of protection against attacks like clean fraud or identity theft.
It can also be beneficial to create email notifications that confirm or notify customers when a purchase is made or their shipping and billing information is updated.
Address Verification System
An Address Verification System (AVS) does exactly what it says on the tin: it verifies addresses. When a customer makes a purchase on your e-commerce site with a credit card, you should also have them enter the billing address for that card. Before the transaction is processed, an AVS can be used to verify that the billing address provided by the user matches the billing address that the credit card issuer has on file for that card. If there is a discrepancy, then the transaction can be flagged as fraudulent and stopped before it is processed.
Card Verification Value/Code
A Card Verification Value (CVV/CVC) is a security code, typically printed on the back of a credit card, that can be used as an extra security measure to verify legitimate transactions online.
In addition to needing a victim’s credit card number and expiration date, an attacker would also need the CVV to complete a purchase. The CVV is much harder to obtain because the Payment Card Industry Data Security Standard, or PCI DSS (discussed later in the article), prohibits companies from storing users’ CVV data, meaning it can’t be exposed in a data breach the way a credit card number or expiration date could be.
One last security bonus: CVVs aren’t stored on the magnetic stripe of credit cards, so skimming devices can’t steal them either.
PCI DSS Compliance
PCI DSS (Payment Card Industry Data Security Standard) is a compliance framework that helps secure the processing and storage of credit card data and cardholder information. It requires organizations handling credit card information to implement specific business processes and security controls to protect card data and keep online transactions secure.
If your company handles credit card details then it’s imperative that you maintain PCI DSS compliance or you may become subject to significant fines. If your company uses a third-party vendor to process payments, then it is equally important to ensure that the vendor you have chosen is PCI DSS compliant and properly secures data at rest and in transmission.
IP Geolocation Software
This type of anti-fraud system works by using IP geolocation software to determine where a user is geographically located before completing an order. The geolocation software will then compare its location results with the billing and shipping addresses provided by the customer at the time of purchase. If the system determines that the transaction is fraudulent then it can be flagged and prevented from processing. Anti-fraud geolocation software helps protect against triangulation fraud and different types of identity theft.
Fraud Prevention Tools
There is a wide range of software available that is intended to help e-commerce companies reduce the number of fraudulent transactions and attempts they see on their website. These tools can utilize a number of different technologies to detect and prevent fraudulent activity, including device fingerprinting, machine learning, automated scanning and detection, data visualization dashboards, blocking of bots and automation software, and many other anti-fraud practices.
A Quick-Start Guide to Protecting your E-Commerce Business
If your e-commerce website is looking to take the first steps in protecting itself and its customers from fraud or wants to brush up on the basics of its cybersecurity, then it should ensure it has effectively implemented and maintained the following key security controls. Focusing on these three controls, plus using a PCI DSS-compliant payment processor, will significantly improve the security posture of any e-commerce business and make it less susceptible to successful fraudulent attempts.
Multi-Factor and Adaptive Authentication
Multi-factor authentication (MFA) is one of the most universal security controls. Combining it with adaptive authentication is essential for securing access to user accounts, sensitive information, and privileged actions. It is one of the best and most basic ways of tightening your platform’s security and defending against attackers. If nothing else, you should require that your customers use MFA!
Think Like an Attacker
Fraudsters are very clever. One of the tricks in preventing fraud is thinking about the privileged activities in your site and creating roadblocks for a fraudster that will not significantly impact the user. If the amount of the transaction is higher than normal, force the user to reauthenticate. If the shipping address changes, send an email to the account owner for confirmation. Thinking like an attacker can help you to thwart their attack before it begins.
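The three risk signals above (an order far above the customer’s norm, a changed shipping address, and an IP geolocation that disagrees with the billing country from the IP Geolocation Software section) fit naturally into one checkout decision function. This is an added example, not the article’s own code; the account and attempt records are constructed, the geolocation lookup is assumed to have already resolved the client IP to a country, and the multiplier and history-length thresholds are assumptions to tune for your business.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Account:
    email: str
    billing_country: str            # country of the billing address on file
    shipping_address: str           # shipping address on file
    past_order_amounts: list        # amounts of this customer's approved orders


@dataclass
class CheckoutAttempt:
    amount: float
    shipping_address: str
    ip_country: str                 # assumed: result of an IP geolocation lookup


def checkout_decision(account, attempt, amount_multiplier=3.0, min_history=3,
                      new_customer_limit=250.0):
    """Return the list of extra steps the checkout must pass, or ["allow"].
    Each rule adds friction only when a privileged action looks unusual."""
    steps = []

    # Rule 1: order much larger than this customer's typical order -> step-up auth.
    # Customers with little history are compared against an assumed flat limit.
    history = account.past_order_amounts
    if len(history) >= min_history:
        unusual = attempt.amount > amount_multiplier * mean(history)
    else:
        unusual = attempt.amount > new_customer_limit
    if unusual:
        steps.append("reauthenticate")

    # Rule 2: shipping address differs from the one on file -> owner must confirm
    # by email (interception fraud relies on exactly this change).
    if attempt.shipping_address.strip().lower() != account.shipping_address.strip().lower():
        steps.append("confirm_shipping_by_email")

    # Rule 3: IP geolocation disagrees with the billing country -> hold for review.
    if attempt.ip_country != account.billing_country:
        steps.append("manual_review")

    return steps or ["allow"]


# Constructed sample customer and two checkout attempts (not real data).
ACCOUNT = Account("shopper@example.com", "US", "1 Main St, Springfield", [40.0, 55.0, 60.0])
NORMAL_ORDER = CheckoutAttempt(52.0, "1 Main St, Springfield", "US")
SUSPICIOUS_ORDER = CheckoutAttempt(900.0, "99 Drop Ln, Elsewhere", "NL")
```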
Fraud Identification Training for Employees
Fraud identification training for employees can be one of the most cost effective investments you can make in your organization’s cybersecurity program. Enabling your employees to identify fraudulent activity occurring on your e-commerce website empowers them to look deeper into suspicious orders that don’t seem to align with what is typical for your business and block transactions that they deem to be fraudulent. Properly trained, your employees will have a better understanding of your business than any software can, and could help catch fraud where code fails.
E-commerce fraud can be very costly to businesses of all sizes. It’s becoming more common, as attackers figure out many e-commerce companies are suitable targets for making some quick cash. Thankfully, there are as many ways to reduce your risk as there are ways for an attacker to rip you off.
The larger the fraudulent purchase an attacker can get away with, the more it costs businesses in stolen inventory and higher credit card costs. Secure your e-commerce business today, so your best-month-ever doesn’t wind up as a nasty surprise!