Retailers are no stranger to theft. But while shoppers can’t physically shoplift inventory from a shop floor, fraudsters still target online shoppers and the merchants they buy from.
In 2023 alone, an estimated $38 billion in ecommerce losses were reported in the US due to online payment fraud, and that number is set to reach $91 billion by 2028. In terms of the cost of this fraud, a recent MRC report shows 2.9% of global ecommerce revenue was lost due to fraud between 2022 and 2023.
But no country is safe; fraud is on the rise globally.
Click here to talk with sales about Shopify plans for enterprises
This guide shares how to identify ecommerce fraud, handle the problem, and use software to help both you and your customers prevent major financial losses.
What is ecommerce fraud?
Ecommerce fraud is when scammers intercept a commercial transaction on an ecommerce store with the goal of personal or financial gain. Also known as payment fraud, it’s a criminal act in which scammers steal money from either the customer, the merchant, or both.
With global ecommerce sales tipped to reach $6.3 trillion in 2024, there’s plenty of opportunity for scammers to hijack customer data and commit fraud. Let’s take a look at the seven types of ecommerce fraud you’re likely contending with on your online store.
Types of ecommerce fraud
Friendly fraud
Friendly fraud happens when customers buy something through your ecommerce website and later file a chargeback with their bank. Shoppers illegitimately claim their purchase wasn’t delivered, looked different from what they ordered, or cancelled their order shortly after placing it. A complaint to their bank prompts an investigation, causing orders to result in a chargeback.
This type of chargeback fraud is common amongst merchants, with some 62% reporting an increase in friendly fraud since last year. The good news? Roughly 9 in 10 of them submit compelling evidence to resolve friendly fraud disputes.
“Overhead costs such as operational costs, transaction fees, and so on are included in chargeback processing,” says Dan Lee, head of marketing at Sealions. “And if the merchandise is sold to a fraudster, the merchant has a slim chance of recovering it. This results in a drop in revenue as well as the loss of a customer. As a result, ecommerce companies must take precautions to safeguard themselves and their consumers from fraud.”
Card testing fraud
Card testing is a tactic fraudsters use to determine whether a stolen credit card works. Scammers often make a small, low-value purchase so the fraudulent transaction goes under the radar of the card holder. Once the card is verified to still work, they go on to make more expensive purchases using the stolen card.
Graph showing the most common types of ecommerce fraud
Types Of Fraud Experienced By Merchants – Past 3 Year Rankings & Global Incidence (2023). 2023 Global eCommerce Payments and Fraud Report
Card testing is the third-most common type of ecommerce fraud for all merchants. Not only is it frustrating for customers, but should most of your online payments be blocked due to card testing fraud, your business will be subject to extra fees and disputes.
Refund abuse
Refund abuse is a type of ecommerce fraud where customers return broken, damaged, or stolen items to a retailer in exchange for a refund.
While many merchants have strict return policies that determine what qualifies for a refund, it’s still a costly problem. The National Retail Federation found that retailers lost $13.70 for every $100 in returned merchandise in 2023. It’s the type of online fraud that saw the biggest increase, with merchants reporting a 25% to 30% uplift in refund abuse in 2023.
Online payment fraud
Online payment fraud happens when scammers steal another person’s payment details and use them to make purchases through your ecommerce store.
Sometimes known as credit card fraud, it can also happen if scammers create duplicate versions of your website and encourage customers to unknowingly purchase items through a fake website. Hijackers recoup their cash and store their credit card number for future scams.
Account takeover fraud
Account takeover is a type of fraud that happens when scammers break into a customer’s online account and use stored payment cards to make fraudulent purchases.
Some 83% of surveyed brands experienced an increase in account takeover fraud in 2023, with scammers accessing customer accounts that use weak passwords, phishing emails, or malicious software on the device used to purchase.
Promo, affiliate, or loyalty abuse
Ecommerce brands use promotion, affiliate, and loyalty programs to attract new customers and engage existing ones. But their popularity means promotions attract scammers who rinse your business of cash through fraud using tactics like:
Affiliate fraud. Affiliate marketing gives customers who refer friends a percentage commission on their order. However, some affiliates bend the rules. They send spam traffic to the website or use stolen credit cards to get paid out—even though the customers they’ve referred aren’t legitimate.
Loyalty fraud. This fraud affects 22% of global retailers. It happens when customers join your loyalty program, earn points through stolen credit cards, and resell them for a percentage of their value on the dark web.
Promotion fraud. This happens when scammers find loopholes in a retailer’s promotions to claim products for free.
Triangulation fraud
Triangulation fraud is a serious problem for both ecommerce merchants and customers. It impacts around 17% of all businesses that sell on multiple channels.
Here’s how it works:
Fraudsters list your products for sale on marketplace such as eBay or Amazon.
Customers purchase the lower-than-RRP item from the scammer using their legitimate credit card.
The scammer uses a separate fraudulent credit card to buy the real product from your store using the customers’ shipping address.
The customer receives their order but their credit card information is compromised.
Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price.
Reasons for ecommerce fraud
Ecommerce fraud stems from many sources and motivations. Some top reasons it occurs are:
Data breaches: Data breaches are among the leading causes of ecommerce fraud, where hackers gain unauthorized access to a company’s digital network and steal customer information. Fraudulent purchases are often made using this stolen information.
Weak or stolen credentials: Users’ credentials are often stolen through phishing attacks or weak passwords. By using these credentials, fraudsters can make unauthorized purchases or misappropriate funds from sellers.
Lack of secure payment verification: Ecommerce platforms without secure payment verification methods are prime targets for fraud. Without tools like two-factor authentication or CVV card verification, it’s easier for fraudsters to use stolen card information to make purchases.
Poor website security: The low-hanging fruit for cybercriminals are ecommerce websites with inadequate security measures. Vulnerabilities can be exploited to carry out SQL injection attacks, cross-site scripting, and other tactics to bypass security measures or implant malware
Advanced persistent threats (APTs): In these attacks, an intruder gets access to a network and stays undetected for a long time. APTs can be used in ecommerce to gather a lot of customer data over time, leading to fraud.
Rapid growth of ecommerce: The swift expansion of ecommerce has made it a lucrative target for fraudsters. New and inexperienced merchants might not have robust security measures in place, making them particularly vulnerable.
International transactions: Transacting across borders can be riskier, since they often bypass some of the stricter fraud prevention measures in place domestically. International laws can make it hard to prosecute fraudsters in different countries.
What is ecommerce fraud prevention?
Ecommerce fraud prevention is the strategy that online merchants use to prevent, detect, and solve online fraud. It’s important for customers’ safety and avoiding lost profits, which is why 75% of online merchants increased their fraud prevention budgets in 2023.
How to identify fraud on ecommerce websites
Ecommerce fraud is an expensive problem, both in terms of lost revenue from intercepted online orders and customer loyalty. Shoppers are unlikely to return to your website if they were a victim of fraud the last time they purchased through it.
Here are seven red flags to spot fraudulent activities happening on your website.
Higher order volumes. Scammers using stolen credit cards often purchase high-ticket items since the cash they’re spending isn’t their own.
Low value orders. “Be on the lookout for low value transactions, especially if they’re only around $1,” says Ben Hyman, CEO and co-founder of rug brand Revival. “Fraudsters will purchase low value products to see if their stolen card works.”
Different credit cards. It’s a warning sign when one customer makes several purchases, each using a different credit card. Scammers often do this to test whether stolen credit card details work.
Repeated declined transactions. Fraudsters might not have the information they need to make purchases from a stolen card. If a payment declines repeatedly due to security code errors, for example, it’s unlikely to be an honest mistake from a genuine customer.
Unusual IP locations. Look out for several orders from the same IP address, or suspicious orders from an IP address in a location that isn’t familiar. If most customers are in the US, for example, an attempted high-value order from an IP address in Indonesia is a warning sign of ecommerce fraud.
Different billing and shipping addresses. This is especially common with triangulation fraud, where fraudsters use stolen card details to ship items to legitimate customers.
PO box shipping addresses. While this type of shipping location is popular with businesses, PO boxes allow scammers to ship online orders to an anonymous location. Be wary of shipping too many orders to a single PO address.
Yuvi Alpert, founder and CEO of Noémie, gives an example: “A purchaser that uses multiple shipping locations, a sudden change to a PO box, or several orders coming from a region or country that you had never received orders from before are all signs that ecommerce fraud could be occurring.”
9 steps for successful ecommerce fraud prevention
Manually review risky orders
Limit order quantities
Collect proof of delivery
Be PCI compliant
Show clear policies on your website
Be vigilant around peak shopping seasons
Use verification software
Build a blocklist
Use IP fraud scoring tools
The ecommerce fraud detection market will be worth $84.83 billion by 2026, with US companies spending 10% of their annual ecommerce revenue on payment fraud management.
“If you do experience fraud, it’s important to have a system in place for dealing with it,” says Kristin Stump, marketing manager at My Enamel Pins. “This might involve working with your payment processor to cancel the transaction and refund the customer, or contacting the customer directly to resolve the issue.”
Here are nine fraud prevention strategies to minimize the likelihood of fraud happening through your website.
1. Manually review risky orders
Ecommerce software exists to flag risky orders. Manually review orders that raise a red flag, reaching out to the customer for further information if you’re unsure whether it’s legitimate.
If you’ve received a low-value order from an unusual IP location, conduct a manual review and reach out to the customer for further verification. Failing to hear back means there’s a strong chance that the order was made using a stolen credit card.
Similarly, consult a customer’s purchase history to determine whether a risky transaction is ecommerce fraud. It’s likely not a cause for concern if a shopper who usually makes orders from the US makes one purchase from an IP address in Spain. But there’s a strong chance their account has been compromised if they’re making orders bigger than usual, using a different credit card, from a different location.
It’s important to get right. Customer experience is at risk if you approve a false positive—a genuine customer who’s been incorrectly flagged as fraud. If an online order has been declined, shoppers will avoid trying another time before moving to another merchant.
2. Limit order quantities
High order quantities is a red flag for scammers using stolen credit card information to make fraudulent purchases on your ecommerce store.
Limit the likelihood of these orders going through by limiting the number units a customer can buy. Analyse previous sales data to understand your “normal”—the average number of units you sell each day. Automatically block orders that superseded this volume to restrict the chances of people committing fraud through your online store.
3. Collect proof of delivery
Return fraud often happens when customers say they haven’t received their order. It’s a $101 billion problem online retailers face, largely exasperated by lazy shipping or third-party logistics (3PL) partners.
Combat the problem, and be sure that customers only claim when they legitimately haven’t received their delivery, by working with trusted shipping carriers or 3PLs that supply proof of delivery. Customer signatures or photos of a delivered parcel act as evidence they have received the item they’re illegitimately claiming a refund for not receiving.
4. Be PCI compliant
All ecommerce businesses need to meet Payment Card Industry Data Security Standards if they’re processing online payments safely. These PCI compliance standards include:
Changing the default password for software and systems
Encrypting cardholder data across open, public networks
Using antivirus software to prevent malware attacks
Restricting which employees can access sensitive customer data
Regularly testing online security systems
“Having a firewall between your internet access and any system that stores credit card details is one way to ensure PCI compliance,” says Sina Will, co-founder of Foxbackdrop. “Therefore you must verify that you are adhering to the appropriate PCI requirements to avoid sanctions or penalties.”
5. Show clear policies on your website
Policies are pages on your website that explain how your business works. Aside from blanket terms and conditions, showcase clear policies on your website to crack down on ecommerce fraud. That includes:
Strong password policy. It’s easier for scammers to commit account takeover fraud if a customer’s login details are easy to crack. Alongside two-factor authentication, Stephen Light of mattress brand Nolah recommends a password policy. “While some customers find password requirements tedious,” he says, “it makes it much harder for any fraudsters to hack into our customers’ accounts if their passwords are complex.”
Return policy. Build your case against customers requesting chargebacks or refunds with a solid return policy. Explain what qualifies for a return, the documentation needed, and how it’ll be processed (such as a cash refund, exchange, or store credit).
Promotions and rewards policies. From limited order quantities to prohibiting the sale of reward points, this type of policy backs up any ecommerce fraud that goes against the terms and conditions of your promotion.
“Avoid merchant errors like unclear billing descriptions or confusing return policies that can end up frustrating legitimate customers,” says Zarina Bahadur, founder of 123 Baby Box.
6. Be vigilant around peak shopping seasons
The five-day weekend from Thanksgiving to Black Friday Cyber Monday in 2023 was the biggest online shopping season on record: $38 billion in sales, a 7.8% jump from 2022, according to Adobe Analytics.
Lily Will, founder and CEO of Nia Wigs, says you should be extra cautious around these dates.
“Customers are likewise focused and busy, and they often disregard safety measures,” she says. “Many fraudsters depend on merchants being too preoccupied or distracted to identify possible fraud during these months.”
Increase your investment in fraud prevention solutions around these peak shopping times—be that through specialist software or extra cybersecurity staff who manually review risky orders. It’ll go a long way in protecting both yours and your customers’ finances during peak fraud season.
7. Use verification software
A tell-tale sign of ecommerce fraud is when a customer’s billing, shipping, or card details don’t line up correctly. Automatically identify orders that raise this red flag using verification software, such as:
Card verification value (CV). Scammers only need to see the front of a credit card to make fraudulent online purchases. Add the three or four digit PIN (CVN) as a required field on your ecommerce checkout as an added layer of security. It’s the most popular fraud detection feature, used by over half of merchants.
Address verification system (AVS). This verifies a customer’s billing address against the card they’re using. As Stephen Light, CEO and co-owner of Nolah, says, “Many fraudsters will use multiple cards to make purchases to a single address, so an address verification service can catch them out.”
Identity validation. This means verifying that the person is who they claim to be. It’s a tactic used by 50% of merchants, and can involve document verification, biometric identification, or 2FA.
Graph showing the most common types of ecommerce fraud
Current & Planned Usage Of Fraud Detection Tools. 2023 Global eCommerce Payments and Fraud Report
8. Build a blocklist
Catching a scammer once doesn’t mean they won’t become a repeat offender. Fraudsters can try to trick merchants by changing their name, shipping address, or credit card in the hopes that fraudulent orders will fly under the radar.
Used by 32% of merchants, blocklists prevent repeat offenders from committing fraud through their websites. It’s a document that contains names, credit card numbers, IP addresses, and shipping addresses known to be a fraud risk. Any new orders with information that matches the blocklist are automatically blocked.
While blocklists can block fraudulent orders before they’re processed, use them with care. A legitimate customer might use a credit card previously flagged as fraudulent without realizing. Blocking their order without explanation will cause confusion and frustration—two things bound to put them off future purchases once their request to be removed from a blacklist has been approved.
9. Use IP fraud scoring tools
One person can commit several types of fraud using the same computer. Detect those serial fraudsters with IP scoring tools such as SEON or Scamalytics. Each detects an IP address that’s been linked to fraud patterns in the past, using signals like:
Their location (and whether it matches the country the card is registered in)
Whether they’re using a VPN to disguise their true location
The type of internet service provider, such as a residential or public connection
Orders placed from an IP with a high fraud score are highlighted, ready to manually review risky orders or automatically block them.
Ecommerce fraud prevention software
The likelihood of fraud happening on your ecommerce platform scales as your business does. Protect your store with ecommerce fraud prevention tools that check, flag, and block high-risk orders on autopilot.
Shopify Protect
Image of screen showing a fraudulent order was protected by Shopify Protect
Shopify merchants already have access to a world-class fraud algorithm that uses machine learning and data from stores across the Shopify network to identify fraudulent ecommerce orders.
Shopify Protect provides an extra layer of protection that secures your business against fraudulent chargebacks—the friendly fraud that costs retailers between $20 and $100 each time.
Any Shop Pay transaction that’s been cleared by Shopify Protect is safe to fulfill. Should a chargeback happen on a protected order, Shopify will cover the total cost and the chargeback fee, and handle the dispute process on your behalf.
Price: Free for Shopify merchants.
