Picture of a phone with Shopify software

Start Your Business with Shopify

Try Shopify for free, and explore all the tools and services you need to start, run, and grow your business.

Ecommerce Fraud Prevention Tips Every Merchant Should Know

Close up of check out button on an ecommerce page

You probably considered many things when starting a business, but ecommerce fraud prevention likely wasn't among them. That said, ecommerce fraud is a growing problem for brands, and it's more important than ever for business owners to protect themselves and their cashflow.

Global ecommerce sales reached $4.9 trillion US dollars in 2021, and that’s forecast to grow to $7.4 trillion by 2025. Those numbers are fantastic news for business owners, but with growth in sales also comes growth in fraud. Ecommerce fraud cost an estimated $20 billion US dollars in 2021—a massive 14% increase on 2020 numbers.

If you have or help run an ecommerce store, the unfortunate reality is that fraudsters and cybercriminals may target you and your business. And this not only affects your profits and consumes your time, but it can also negatively impact your brand's reputation and potential customer experiences.

But you can implement features and processes to protect your business.

By being as educated and prepared as possible, combined with the right ecommerce fraud prevention tools and measures, you can keep your profits and business safe. Take a look through this guide where we cover what ecommerce fraud is, the different types of fraud merchants can face, and tips for how to combat it including Shopify’s free, and built-in tools like Shopify Protect, and Fraud Analysis.

What is ecommerce fraud?

A Visa credit card placed on a laptop

Ecommerce fraud is any deliberate deception made during an online transaction with the aim of financial or personal gain for the cybercriminals or fraudsters, even if it adversely affects the merchant.

There are many types of ecommerce fraud, and the phrase itself is more of an umbrella term encompassing any fraud that happens on an ecommerce platform. You might also hear ecommerce fraud be called payment fraud. While different fraudsters use different methods, the goal of all types of online fraud is the same: to steal money or products from the merchant while staying unnoticed. 

A cybercriminal needs both personal and credit card information to carry out ecommerce fraud. However, unlike committing fraud at a brick-and-mortar store, they don’t need a physical card, and fraudsters might even buy this information—which was also likely stolen—from the underground market.

The cost of ecommerce fraud grows each year, and there are a few reasons for this. Firstly, it’s easy to commit—all it takes is stolen credit card information—and it’s equally easy to get away with. While ecommerce fraud costs billions of dollars, that amount comes from thousands of different merchants worldwide who are each defrauded of varying amounts. This makes it hard to get police or authorities to investigate. Add in the relative anonymity that online fraudsters can maintain while carrying out their schemes, and ecommerce fraud seems quite appealing to cybercriminals.

What are the types of ecommerce fraud?

Close-up of chip on credit card

Earlier, we touched on how the phrase “ecommerce fraud” is more of an umbrella term for all different types of fraud that can be committed on an online commerce platform. To help protect and prevent fraud from being carried out against your store, it’s helpful to understand the different types of fraud you and your store could experience. Here are seven types of ecommerce fraud you should be aware of:

  1. Credit card fraud
  2. Friendly fraud
  3. Account takeover fraud
  4. Interception fraud
  5. Triangulation fraud
  6. Affiliate fraud
  7. Refund fraud

1. Credit card fraud

Credit card fraud encompasses any fraud performed using a credit or debit card. In an ecommerce setting, it's also called card-not-present fraud because a customer doesn't need to present the card to the merchant, as they do in a brick-and-mortar store.

This type of fraud typically works when a fraudster gets unauthorized access to credit card information, often via the underground market. They then use the card information to buy a product or service. The criminals initially defraud the credit card holder by using their details unlawfully. Later, they defraud the merchant, who needs to refund the unlawful sale. 

The refunds generally occur after the product has already shipped or the services have been used. The merchant is left out of pocket for the product or service and is issued a chargeback fee by the card holder's bank. While individual instances of credit card fraud might not cost too much, these can add up to a significant amount. Additionally, criminals may perform card testing fraud where they test their stolen card information by making small purchases to verify it hasn't been canceled and then making big-ticket purchases.

2. Friendly fraud

In banking, a chargeback or reversal is when credit card funds used in a transaction are returned to the buyer. In this situation, the bank or credit card company returns the money to the cardholder and demands the refunded amount back from the retailer.

Card owners can request chargebacks in genuine circumstances if someone made a payment without their knowledge or permission. For example, if their credit card details were stolen and the thief made a purchase. However, these can also be done with the intent to commit so-called friendly fraud, a.k.a chargeback fraud. In this situation, someone will make a purchase, but after receiving the item, they will claim the purchase was made without their knowledge, dispute the transaction, and get their bank to issue a credit card chargeback. When committing friendly fraud, a fraudster’s goal is to get a free product.

Chargebacks can be a particular hassle to ecommerce merchants because if a store has too many chargebacks, payment processors can revoke your ability to accept payment from specific credit card companies. Additionally, chargeback fees can be crippling to small businesses costing $15 per chargeback.

3. Account takeover fraud

Laptop with code on the screen placed on a table next to the window

Account takeover fraud is a type of identity theft and occurs when cybercriminals gain access to customers’ login details. 

In most cases, these are acquired through a fraudulent practice called phishing. Phishing is when fraudsters send messages or emails claiming to be from the company to get customers to reveal their personal and account login information. In 2021, 7.6% of phishing attacks were on ecommerce and retail stores.

With the login credentials in hand, these criminals enter their accounts, change their personal information such as their passwords and addresses, and carry out unauthorized shopping. The personal data may also be sold on the dark web. 

Account takeover fraud can be extremely damaging to online businesses. It results in chargebacks and other fees, and a store’s reputation can also be affected should victims take their complaints public.

4. Interception fraud

Interception fraud is when criminals purchase items online using someone else’s payment details and redirect the goods to themselves. 

The order and checkout processes take place as they normally would, and the online store is instructed to deliver the items to the shipping address it has on file. But once the order is placed and confirmed, the fraudster intercepts the delivery and has it shipped to their desired location instead. This can be achieved by contacting the store’s customer service team to get their shipping address changed or directly contacting the shipping company to reroute the goods elsewhere. 

In certain cases where the criminal lives close to the victim, they can simply wait for the goods to arrive and either sign for them while pretending the victim isn’t home or steal them from their drop-off locations.

5. Triangulation fraud

A laptop with the screen turned on on a bed in a dark room

Triangulation fraud is a type of ecommerce fraud whose end game is to make money selling goods purchased using stolen personal information. It takes place in three steps and involves three parties to pull off: the fraudster, the online business, and a shopper. 

In the first step, fraudsters create a fake online storefront, typically selling popular products at low prices to attract buyers. Next, unsuspecting shoppers landing on the website make a purchase and, in doing so, enter details such as their names, addresses, and payment information as part of the checkout process. In the final step, the fraudsters use stolen credit card information and the buyer information collected from their fake storefront to purchase the items the victim ordered, and have them delivered to the victim. The victims of triangulation fraud believe they’ve gotten a purchase at a bargain when they’ve actually given up their personal information in exchange for it. 

More often than not, triangulation fraud doesn’t just end here. These fraudsters will continue to use the stolen personal details to carry out further purchases. Because victims actually receive their goods, triangulation fraud can go undiscovered for a long time, especially if the fake online storefront appears legitimate and trustworthy.

6. Affiliate fraud

With affiliate fraud, criminals aim to make monetary gains through commissions. The tactic stems from affiliate marketing, where an online business pays a third party commission for referrals and/or sales.

For example, an online store selling smartphones may offer a tech blogger a commission for every visit (and/or resulting sale) they receive through their blog. This is monitored using trackable, tagged links that tell the store where its online traffic comes from.

Criminals engaging in affiliate fraud cheat the system to increase the amount of commission they receive illegitimately. They can do this through methods like IP spoofing, cookie stuffing, malware, and typosquatting, all of which generate fake human activity to carry out the affiliated action.

7. Refund fraud

Close-up of two credit cards placed on top of one another

Refund fraud is when cybercriminals attempt to get a refund for their online purchase due to a variety of illegitimate reasons. 

Here are some common examples of refund fraud:

  • Saying the order never arrived and then attempting to get a refund through an alternative method 
  • Claiming the box arrived empty and/or that the item(s) arrived with defects
  • In the event items must be returned to qualify for a refund, fraudsters may stick the return shipping label on junk mail, send it off, and claim to have sent the items back

In some instances, fraudsters can also use a stolen credit card to buy something and then request a refund to an alternative method, claiming that the original credit card used has been canceled.

5 ecommerce fraud prevention methods

A code lock next to two credit cards placed on top of the keyboard of a laptop

With ecommerce fraudsters so prevalent and unrelenting, it’s hard to fully protect yourself from fraud. But, you can take preventive measures to shield yourself as much as possible from fraudulent activities that can harm your online business.

  1. Leverage Shopify’s fraud detection and analysis tools
  2. Use a service to cover fraud-based chargebacks
  3. Set up workflows to handle fraud seamlessly
  4. Ensure PCI-compliance
  5. Double down on security during peak shopping seasons

To that end, there are many fraud protection and prevention tools available to safeguard your business.

1. Leverage Shopify’s fraud detection and analysis tools

If you’re a merchant on Shopify or thinking about starting an online store with them, you’ll be pleased to know Shopify offers fraud analysis tools that help ecommerce businesses spot red flags. 

Shopify merchants have access to its fraud analysis tool. Powered by machine learning algorithms, it analyzes data across its entire network to determine the level of fraud risk in an order, so that business owners can make an informed decision about whether to fulfill it.

Screenshot of Shopify's fraud analysis tool for ecommerce fraud prevention

Some of these indicators include: 

  • Whether the shipping and billing addresses match
  • Whether an order volume is higher than the average order volume of your store
  • Whether a buyer has placed multiple orders in a short period of time

This tool flags medium or high risk orders so that merchants can take follow-up preventive measures like:

  • Scoping out the shipping address using a map to ensure that it’s not a fake location or doesn’t look like a residential building 
  • Verifying the customer’s identity by sending them an email
  • If need be, canceling the order
  • Adding the account to a block list

2. Use a service to cover fraud-based chargebacks

Shopify protect asset

Another ecommerce fraud prevention method is to engage services that protect you against fraudulent chargebacks. They ensure your business is covered in the event it receives a fraud-related chargeback on a transaction that has already been approved. 

Shopify Protect is a great and free solution that protects US businesses from fraud on eligible Shop Pay transactions. So the next time a merchant experiences fraud, Shopify covers the order amount and chargeback fee automatically so you can keep your hard-earned cash. Plus, the entire dispute process is handled by Shopify, so there’s no paperwork required from your business.

3. Set up workflows to handle fraud seamlessly

Screenshot of how Shopify Flow works

Using ecommerce fraud prevention tools to help detect illicit activity and protect your business is a good start. However, incorporating such solutions into a workflow allows you to manage them faster and in a simpler way.

Shopify Flow is an ecommerce automation tool that helps you manage fraud with your business set-up—specifically, how to handle orders that have been flagged as “high risk.”

With Shopify Flow (available to businesses on an advanced Shopify plan and Plus plans), you can set up your operations to streamline how you manage fraud like automatically delaying payment on orders that have been flagged as “high risk” and even canceling the order. As the saying goes, “prevention is better than cure.” Since you haven’t received any payment from the customer, it saves you the trouble of having to refund them. 

If you prefer to get human eyes to review a purchase, Flow also allows you to structure it such that fishy-looking orders are forwarded to your support team via email. Plus, you can also prevent repeat fraudsters from placing more orders by adding them to a block list. 

The Fraud Filter app is available for you to install if you aren’t currently on an advanced or plus plan.

4. Ensure PCI-compliance

Screenshot of PCI homepage

Any online store accepting credit card payments should make sure to comply with Payment Card Industry (PCI) requirements. 

PCI’s security standards are set to ensure online transactions take place safely. Businesses processing and maintaining credit card and cardholder information must abide by their guidelines and meet their standards. This lowers your chances of fraud and failing to do so may result in sanctions or penalties.

Renowned ecommerce solutions such as Shopify provide their stores with PCI compliance by default

5. Double down on security during peak shopping seasons

Two credit cards placed at the corner edges of a laptop/tablet screen

The shopping season is one that many merchants look forward to, and for good reason. The surge in traffic and sales generated during this period often contributes to the bulk of a store’s annual revenue. 

However, it’s precisely for this reason that store owners must take extra precautions. In 2021, the number of ecommerce fraud attempts between Thanksgiving and Cyber Monday was 25% higher than the earlier parts of the year.

The high purchase volumes keeping businesses busy may result in them subconsciously dedicating less time to fraud monitoring. Consumers distracted by shopping may also unwittingly let their guard down when purchasing with their credit cards and become a victim of triangulation fraud. In short, the holiday season creates perfect conditions for cybercriminals to both test new schemes and carry out ecommerce fraud. 

Keep your chargeback rates low

The more ecommerce fraud is inflicted on you, the higher your chargeback rates. This isn’t good for your online business.

Keeping chargeback rates low is key for ecommerce businesses. Fraudulent chargebacks can eat into potential revenue and dispute management also consumes a ton of a business’s precious time and resources. 

Perhaps more importantly, payment processing networks like Visa and Mastercard have certain charge thresholds that, when exceeded, can be detrimental to merchants. Businesses with high chargeback rates are placed into card brand monitoring programs, which can incur monthly fines and additional fees until chargeback incidences are lowered. In worst-case scenarios, merchants can even have their accounts terminated if they’re unable to lower their chargeback rates.

One way to keep your chargeback rates low is to study your chargeback data to understand what’s causing high chargeback incidences. Once you’ve identified a root cause, you can look at how you can tackle it to prevent further similar chargebacks.

Ecommerce fraud is not insurmountable

Four Mastercard credit cards sticking out of the back pocket of a pair of jeans

As more and more people shop online, there’s no question cybercriminals will be coming up with new ways to commit ecommerce fraud.

Don’t let this deter you.

Ecommerce fraud is, by no means, insurmountable. With adequate preparation, constant vigilance, and the right ecommerce fraud prevention tools, you can detect these online attacks before they even happen and safely protect both your business and your customers.

Learn more about ecommerce fraud

How much ecommerce fraud is there?

In 2021, global ecommerce fraud was estimated at $20 billion, a 14% increase from 2020. 

The ecommerce boom resulting from the COVID-19 pandemic has also led to a 62% increase in ecommerce fraud attempts among small- and medium-sized businesses.

How much revenue is lost to ecommerce fraud?

Around 2.6% of the total online revenue of North American retailers in 2021 was lost to ecommerce fraud. This figure stands at 4% for retailers in the APAC region.

Retailers in Latin America and Europe lost 3.7% and 3.2% of their 2021 revenue to ecommerce fraud, respectively.

How is ecommerce fraud detected?

Ecommerce fraud can be detected manually or using ecommerce fraud prevention tools like Shopify’s fraud analysis tool, Shopify Protect, and Shopify Flow

Common indicators of ecommerce fraud include:

  • Multiple orders being placed over a short period of time by the same buyer
  • Multiple payment attempts
  • Different billing country from the country the order was placed

What is a fraudulent chargeback?

Card issuers classify fraudulent chargebacks as when a shopper purchases something with a credit card and claims that they did not make the purchase. Both actual credit card fraud, as well as friendly fraud, will be classified as a fraudulent chargeback by the bank and this makes it difficult for merchants to properly classify the difference between the two. 

While the bank investigates the claim, they reverse the funds paid out to the merchant and charge a fee. If the bank decides in favor of the buyer, the funds will be returned to them and the merchant will be charged the chargeback fee. In cases where the bank rules in favor of the merchant, the order amount and chargeback fee will be returned to the merchant.

Online stores can protect themselves from fraudulent chargebacks with Shopify Protect. It covers fraudulent and unrecognized chargebacks on eligible orders by reimbursing merchants the chargeback amount and chargeback fee. It also handles the dispute process.

Does Shopify Protect cover chargeback fees related to fraud?

Yes, Shopify Protect covers all chargeback fees and chargeback amounts related to fraud. The order must contain physical items that require them to be shipped. This means that digital products or products that are picked up in-store are not covered.

Orders must also be fulfilled within seven days and by a recognized carrier, or Shopify Shipping.

Is Shopify Protect a chargeback guarantee? 

Yes, Shopify Protect guarantees the reimbursement of all chargeback fees and the full chargeback amount for eligible fraudulent chargebacks. 

There are certain conditions orders and merchants must meet to qualify for a chargeback guarantee:

  • Orders must be for physical products and require shipping
  • Orders must be processed through Shop Pay
  • Merchants must be located in the US and have a US Shopify Payments account
  • Orders must be fulfilled within seven days
  • Shipments must have a valid tracking number from recognized carriers or Shopify Shipping

What is 3D Secure?

3D Secure is an extra layer of security for online payments carried out by credit and debit cards to prevent ecommerce fraud. With 3D secure, at checkout, users are redirected to the card issuer’s domain to authenticate their card before they can finalize their payment. 

3D Secure is beneficial and highly recommended for online businesses because, upon authentication, any liability for fraudulent chargebacks or disputes is shifted from the merchant to the card issuer.

With affiliate fraud, criminals aim to make monetary gains through commissions. The tactic stems from affiliate marketing, where an online business pays a third party commission for referrals and/or sales.

For example, an online store selling smartphones may offer a tech blogger a commission for every visit (and/or resulting sale) they receive through their blog. This is monitored using trackable, tagged links that tell the store where its online traffic comes from.

Criminals engaging in affiliate fraud cheat the system to increase the amount of commission they receive illegitimately. They can do this through methods like IP spoofing, cookie stuffing, malware, and typosquatting, all of which generate fake human activity to carry out the affiliated action. 

Learn more about Shopify Protect

Topics: