Did you know that last year, merchants lost almost $50 billion to online payment fraud and spent $35 for every $100 in disputes to manage friendly fraud? Looking ahead, experts project that losses tied to online payment fraud will hit $91 billion in 2028.
But it’s not just businesses who are losing money. Consumers are taking a hit too, in the form of rising cost of goods and services. Additionally, a Statista survey found that almost 60% of consumers are more concerned about online payment fraud than last year.
Businesses, in attempts to stop fraudsters, have implemented solutions like multi-factor authentication (MFA) and one-time passwords (OTP). But these solutions bring their own problems, too; namely, introducing unwanted friction for legitimate customers during the checkout process, which results in irritation and abandoned carts.
So what’s an e-commerce business to do?
In this post, I’ll highlight some key takeaways from our recent webinar covering the most common types of e-commerce fraud and steps businesses can take to detect and prevent them — all while preserving a smooth experience for legitimate shoppers.
Account takeover attacks (ATO)
Account takeover (ATO) attacks are one of the most common — and most devastating — types of fraud across all geographies and merchant sizes. According to security.org, in 2023, 29% of U.S. adults have been victims of ATO fraud, which equates to more than 24 million households.
An ATO attack happens when a fraudster gains unauthorized access to a legitimate customer’s account. Fraudsters use a variety of techniques to accomplish their ATO attacks, including phishing (most common), credential stuffing, social engineering, and bot attacks.
Let’s take a look at an example of phishing and how it can be used for ATO attacks.
To phish for personal information, a fraudster sends a text that appears to come from a merchant, asking the customer to confirm a shipment. Believing the text to be legitimate, the customer clicks on the link, which takes them to a fake webpage that looks just like the real merchant’s login page. They then provide their login credentials, unwittingly giving the fraudster full access to their account.
Once the fraudster has access, they can place orders using the account and have the goods shipped to other addresses. They can also change the email and billing addresses on the account to ones they control or even hijack loyalty or credit card point balances and sell them on the deep web — in fact, 26% of consumers who have been victims of an ATO attack lost loyalty points or credits.
Other than lost revenue due to chargebacks, businesses who fail to protect their customers from ATO attacks also suffer a blow to their reputation, which can be difficult to recover from.
(Read more about account takeover fraud.)
Payment fraud in e-commerce
Payment fraud is another common type of e-commerce fraud and can present itself in different ways.
Third-party fraud is when a fraudster uses bot-driven attacks or other methods to crack passwords or test stolen credit card numbers. This is also what most people think of when they talk about e-commerce fraud: A criminal stealing customer information.
In contrast, “friendly fraud” aka chargeback fraud, occurs when a customer requests a chargeback from their credit card company for a legitimate transaction. An example of friendly fraud is the use of refund services, which is a growing form of chargeback fraud. In this type of fraud, a consumer hires a scammer to get a refund by choosing a refund service that specializes in the purchased item. The scammer then gets the refund on the consumer’s behalf and typically gets paid about 25% of the original price of the refunded item. The consumer pays the scammer, usually with Bitcoin or other cryptocurrency.
And finally, there’s return fraud, where a consumer initiates a return and then tries to scam the retailer by shipping back an empty box, a box filled with trash, an older or cheaper version of the original product, or a counterfeit version of the product. Another form of return fraud is when a buyer wears an item, claims it doesn’t fit, and then returns it as unworn (also known as wardrobing).
(Read more about payment fraud.)
Account creation fraud
Account creation fraud is when people create fake accounts for various illegal purposes. Some people aren’t even aware that what they’re doing counts as fraud — consumers often participate in account creation fraud to take advantage of free trial offers, skirt paywalls, or get new user discounts.
For example, consumers can use fake accounts to bypass purchase limits on popular or limited-edition items to hoard products and resell them at a higher price, dealing a blow to the merchant's reputation. In another example, streaming services that offer month-long free trials might find that their users are signing up with different email addresses to avoid paying for the service.
As you can see, account creation fraud can cause significant financial losses for businesses and drain resources due to increased operational costs in managing these fraudulent accounts, among other issues.
(Read more about account creation fraud.)
Location spoofing fraud
In location spoofing fraud, fraudsters use a VPN or other techniques to pretend they are from another region. This is another case in which consumers may not be aware they’re committing fraud because they view this as a “hack” to save money.
It’s hard to blame them: A study by NordVPN showed that prices increased as much as 70% for rental cars or hotel rooms when they were being booked from a computer in the U.S. — so users are increasingly trying to spoof their location to disguise that they are booking from the U.S. In fact, a Kansas City news program even encouraged location spoofing as a smart way to save money!
Location spoofing can also be used to access region-specific goods, streaming services, or other promotions.
(Read more about location spoofing fraud.)
Online review fraud
Online review fraud is exactly what it sounds like: posting fake product or service reviews online.
This can include fake positive reviews where a merchant posts fake five-star reviews to boost their ratings and/or deceive customers. It can also include fake negative reviews where merchants post negative reviews on their competitors’ sites or about their competitors’ products.
Note that sometimes, fraudsters also post fake reviews on a legitimate company site to send readers to phishing websites (I’ve nearly fallen for this one before I got suspicious of the too-good-to-be-true prices — it was a very convincing website!), redirect them to counterfeit replicas of the products they’re shopping for, or boost their business.
(Read more about online review fraud.)
Balancing customer experience and fraud prevention
Consumers want protection from fraud, but they also don’t want to be over-protected either. In fact, 24% of consumers will stop shopping from a brand if the brand cancels an online order due to suspected fraud.
Then there are the problems that a complex sign-in process can create (this includes MFA and OTP), mainly tied to cart abandonment:
- Almost 60% of shoppers abandon their online carts due to sign-in issues
- 22% abandoned their baskets due to too long or too complicated checkout processes
- Consumers bail on purchases an average of almost 5 times per day because they can’t remember their password
- Twenty-five percent of online shoppers are willing to abandon a cart with over $100 worth of items if they have to reset their password in order to check out
So what can you do to prevent fraud while reducing cart abandonment? Create a frictionless checkout experience.
Using device intelligence to detect and prevent fraud
One of the main reasons Fingerprint was created was to help e-commerce merchants fight fraud. With Fingerprint, you can improve the online shopping experience while making things safer for both online merchants and consumers.
For example, when someone visits a site or uses an app, Fingerprint collects over 70 signals from a user’s browser and device, and processes that data to product a persistent, unique visitor ID. This e-commerce fraud prevention solution integrates with native mobile apps, and mobile and desktop browsers, and can accurately identify visitors even if they use incognito mode or try other methods to hide their identity, like using a VPN. Fingerprint also provides deeper insights into anonymous visitors with Smart Signals, such as browser bot detection, IP blocklist matching, tamper detection, and more.
By identifying repeat fraudsters and highlighting potential markers of concerns, Fingerprint enables businesses to stop fraud before it happens — all while improving the user experience and reducing cart abandonment by identifying already trusted users, allowing them to skip MFA and OTP requirements.
Key takeaways
Fighting fraud is tough because fraudsters continue to innovate. Previous generation solutions like third-party cookies, local storage, and IP addresses aren’t enough to recognize returning users or detect some of the more sophisticated signals that can hep you recognize potential fraud.
That’s because repeat malicious actors change their online identity often. They use techniques like incognito browsing, VPNs, privacy browsers, and cookie blocking, in addition to accessing more advanced tools and techniques like device tampering, emulators, and bots.
Interested in learning more about how Fingerprint can help your business detect and prevent e-commerce fraud? Sign up for a free trial or contact our sales team today.
Ready to detect and prevent e-commerce fraud?
Sign up for a 14-day free trial with Fingerprint.
FAQ
The most common types of e-commerce fraud include account takeover (ATO) attacks, several different types of payment fraud, account creation fraud, location spoofing fraud, and online review fraud.
The different types of e-commerce payment fraud include third-party fraud like bot attacks, friendly fraud like chargebacks, and return fraud.
Online customers want protection from fraud, but they also don’t want to be over-protected. Using a solution like Fingerprint, which identifies all online visitors with industry-leading accuracy, allows trusted users to skip MFA and OTP requirements.