According to recent studies, every $1 lost in direct eCommerce fraud can end up costing companies more than $2 in additional expenses.¹ These extra costs largely stem from the time and money invested in disputing fraudulent charges. They also include damages from lost consumer confidence (i.e., customers who will likely not continue to patronize your online business).
Although larger companies can often absorb these losses, an estimated 60% of smaller businesses close shop within six months of experiencing a cyberattack.² Smaller companies are often more attractive targets, since they typically lack the IT infrastructure and security expertise to protect themselves.
The article below outlines some of the most common types of eCommerce fraud – and steps to help minimize your chances of becoming a victim.
How to help protect yourself from eCommerce fraud
One of the most important steps in eCommerce fraud prevention involves designing a payment environment that adheres to the latest PCI data security guidelines. This means:
- Partnering with a PCI-compliant payment processor that understands data security
- Applying for a Secure Sockets Layer (SSL) certificate (today these are technically Transport Layer Security, or TLS, certificates) that turns the “http” in your URL to “https”
- Using tools such as tokenization and point-to-point encryption (P2PE) to help safeguard any captured, stored, or transmitted payment data
These measures can help reduce overall fraud, but becoming PCI-compliant is only a starting point. It’s critical to also understand how to spot and help prevent some of the more common types of eCommerce fraud.
#1. Card testing fraud
With this type of fraud, criminals will often test stolen cards by running small transactions (less than $1) before making bigger purchase attempts with another online vendor. A few pennies here or there might not seem like much, but remember that $1 in direct fraud translates to over $3 in total losses.
Avoiding this card-testing fraud involves scanning for small transactions – especially if they don’t line up with the prices you normally charge. If the least-expensive item in your store is $4, for example, there shouldn’t be any purchases under this price. Some payment processors even have online filters that can immediately flag transaction amounts that don’t line up with your inventory.
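The price-floor check described above can be sketched as follows. This is an added example, not code from the article or from any payment processor; it also goes one step beyond the text by flagging a single source that cycles through many different cards in a short window. The catalog, thresholds, field layout, and sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed catalog: the cheapest item is $4, as in the article's example.
CATALOG_PRICES = [Decimal("4.00"), Decimal("12.50"), Decimal("30.00")]
WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_CARDS_PER_SOURCE = 3        # assumed limit on distinct cards per source IP

# Constructed sample: (ISO timestamp, source IP, card token, amount).
SAMPLE = [
    ("2024-05-01T10:00:00", "203.0.113.7", "tok_a", "0.50"),
    ("2024-05-01T10:00:20", "203.0.113.7", "tok_b", "0.75"),
    ("2024-05-01T10:00:40", "203.0.113.7", "tok_c", "0.99"),
    ("2024-05-01T10:01:00", "203.0.113.7", "tok_d", "4.00"),
    ("2024-05-01T10:05:00", "198.51.100.9", "tok_z", "12.50"),
    ("2024-05-01T10:30:00", "198.51.100.9", "tok_z", "30.00"),
]


def flag_card_testing(transactions, prices=CATALOG_PRICES):
    """Return (timestamp, card, reasons) for each suspicious transaction."""
    floor = min(prices)
    recent = defaultdict(list)  # source IP -> [(time, card)] inside WINDOW
    flagged = []
    for ts, ip, card, amount in sorted(transactions):
        when = datetime.fromisoformat(ts)
        reasons = []
        # Rule from the article: nothing should sell below the cheapest item.
        if Decimal(amount) < floor:
            reasons.append("below_cheapest_item")
        # Added rule: one source cycling through many different cards.
        recent[ip] = [(t, c) for t, c in recent[ip] if when - t <= WINDOW]
        recent[ip].append((when, card))
        if len({c for _, c in recent[ip]}) > MAX_CARDS_PER_SOURCE:
            reasons.append("many_cards_one_source")
        if reasons:
            flagged.append((ts, card, reasons))
    return flagged


if __name__ == "__main__":
    for row in flag_card_testing(SAMPLE):
        print(row)
```

The fourth transaction is priced normally and would pass the price-floor check alone; it is caught only because it is the fourth distinct card from the same source within the window.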
#2. Overpayment fraud
The idea of being “overpaid” may seem alluring at first – but be careful. Some thieves intentionally overpay with stolen credit and then request a refund of the excess amount – typically paid to a different account.
Fixing this problem may be as simple as working with your processor to configure your payment environment so that overpayments aren’t possible. Equally important, commit to only refunding transactions to the original funding source – and never a separate account.
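Both controls from the paragraph above, rejecting overpayments and refunding only to the original funding source, can be enforced in the order-handling code itself. The following is an added example, not code from the article or a processor's API; the `Payment` record, token strings, and function names are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Payment:
    order_total: Decimal
    captured: Decimal
    source_token: str               # hypothetical token for the original funding source
    refunded: Decimal = Decimal("0")


def accept_payment(order_total, tendered, source_token):
    """Refuse any amount other than the order total, so no excess exists to refund."""
    if tendered != order_total:
        raise ValueError("tendered amount does not match order total")
    return Payment(order_total, tendered, source_token)


def authorize_refund(payment, amount, destination_token):
    """Approve a refund only to the original source and within what was captured."""
    if destination_token != payment.source_token:
        return (False, "destination_differs_from_original_source")
    if amount <= 0:
        return (False, "invalid_amount")
    # Track partial refunds so repeated requests cannot exceed the capture.
    if payment.refunded + amount > payment.captured:
        return (False, "exceeds_captured_amount")
    payment.refunded += amount
    return (True, "ok")


if __name__ == "__main__":
    p = accept_payment(Decimal("40.00"), Decimal("40.00"), "tok_card_1")
    print(authorize_refund(p, Decimal("10.00"), "tok_other_account"))
    print(authorize_refund(p, Decimal("25.00"), "tok_card_1"))
    print(authorize_refund(p, Decimal("20.00"), "tok_card_1"))
```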
#3. Phishing and malware fraud
This type of fraud affects businesses and consumers alike. It begins when thieves send fake emails designed to look like legitimate companies. Yet every link in these phishing emails has a malware payload behind it. This is true even for the “unsubscribe” option at the bottom.
In a perfect world, no one would ever click on these links. We would all be using the latest virus protection, as well. As an online merchant, though, there’s only so much control you can exert over your employees, suppliers, and customers.
What you can do is require two-factor authentication (2FA) for your site. Criminals might be able to steal usernames, passwords, and other login credentials, but the more obstacles you present them with, the harder it is for them to access sensitive information.
#4. Friendly fraud
Also known as “chargeback” fraud, this scam begins whenever thieves knowingly buy something from you with the deliberate intention of claiming it never arrived (even though it did). Other times, they might deny placing the order.
These customers don’t request a refund from you – the online merchant. Instead, they initiate a chargeback through their credit card company. Once the card-issuing bank refunds that customer’s purchase, it then chases you for repayment. The onus is on you to prove that the sale was legitimate, which is hard to do for anonymous, online purchases.
Aside from having a clear return policy, you may also consider:
- Disabling guest checkout: Doing so makes it harder for customers to claim they didn’t place the original order. This is particularly true if signing into your online store requires two-factor authentication.
- Requiring signature confirmation for all deliveries: Doing so makes it harder for customers to claim that a package never arrived.
Note that neither of these steps will prevent chargeback fraud. Yet when used together, they can make your case much stronger when trying to prove a given customer ordered and received the item in question.
Cyberwarfare is a perpetual arms race, with criminals on one side constantly looking for better ways to defraud businesses and consumers – and security analysts on the other side always looking to stand up new defenses.
As an eCommerce merchant, you’re as much a part of this arms race as anyone else. As such, it is your responsibility to take proactive steps to protect your business and your customers.
Use the strategies outlined above to help make your online store as uninviting as possible to would-be criminals. Setting up these defense measures takes effort. That said, the investment pales in comparison to the time and money spent disputing fraudulent charges, paying punitive damages, defending yourself in court, and chasing lost customers.
To learn more tips on how best to protect yourself and your customers, be sure to review the accompanying resource.
About the Author!
Dori Bright is Senior Vice President of Marketing Intelligence and Small Business Market Development at Fiserv, a leading global provider of eCommerce payments and financial technology solutions, helping businesses connect with customers through physical, digital, and mobile payment experiences that drive commerce.
1 “CNP Fraud Costs US Merchants $3.36 for Every $1 of Direct Fraud Loss,” Card Not Present, 30 July 2020
2 “60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack,” Inc., 7 May 2018