A Guide to Ecommerce Merchant Fraud Protection in 2023

October 12, 2021
October 12, 2021
Ecommerce merchant fraud protection

Learn more about Fingerprint

  • Streamline user experiences for trusted traffic
  • The highest accuracy device identification for mobile and web
  • Improve visitor analytics on mobile and web
Talk to our Team

The risk of fraud for online businesses is higher than it’s ever been in history. Ecommerce fraud topped $12 million in 2020, with 89% of businesses losing money to payment fraud that year. And with cyber criminals using increasingly sophisticated and effective methods, website operators must maintain a vigilant stance in order to protect themselves and their customers.

Given the soaring number of cases, merchant fraud protection measures have become a standard part of doing business online. This includes the implementation of effective measures for ecommerce fraud detection and protection.

The risk of fraud for online businesses has been higher than ever in history. In 2022, businesses lost 41 billion globally to ecommerce fraud, which is expected to increase to 48 billion in 2023. And with cybercriminals using increasingly sophisticated and effective methods, website operators must maintain a vigilant stance to protect themselves and their customers.

Given the soaring number of cases, merchant fraud protection measures have become a standard part of online business. This includes the implementation of effective measures for ecommerce fraud detection and protection.

What is ecommerce fraud?

Ecommerce fraud is a type of cybercrime in which criminals use stolen credit card information or fake identities to make unauthorized purchases online. It can also involve identity theft, where criminals use stolen personal information such as names, addresses, and Social Security numbers to open new accounts or take out loans in someone else's name. To learn more about the types of ecommerce fraud, read 6 Types of Ecommerce Fraud and How To Prevent Them From Harming Your Customers.

Why should online merchants implement ecommerce fraud protection measures?

The continuing ecommerce boom has also created a wealth of opportunities for fraudsters. Businesses looking to start or expand their online operations need the proper fraud risk mitigation measures; the lack of these fundamental controls will invariably lead to a security compromise. Cybercriminals continuously evolve their tools and tactics and have been one step ahead of the cybersecurity industry.

How can online merchants detect online fraud?

Though spotting online fraud has become increasingly tricky, several tell-tale indicators remain red flags for malicious activity. Any signs of the following warrant further investigation.

Inconsistencies in customer/order information

If several pieces of crucial information provided by the customer don't match (e.g., the zip code entered doesn't correlate to the area they say they're in), online fraud could be in the works. Upon spotting these discrepancies during a customer's checkout process, online merchants should take further steps to validate the customer's identity by performing additional verification. After all, the mistake might be a typo. Or it may be a fraud.

Excessively large orders

When cybercriminals intend on cashing in on their efforts, they often make sizable orders to exploit the online merchant's enthusiasm in closing a large sale. While a big customer order in itself isn't necessarily a bad thing — and indeed can be a great thing — extra verification should be put in place for transactions exceeding a certain threshold to reduce ecommerce fraud risk.

Orders made from unusual locations

The majority of ecommerce stores are not run by multinational corporations with locations across the globe. And on the other end of the order, most customers generally come from familiar markets and locations. Online merchants should therefore be wary of orders from unexpected countries — this could be deemed suspicious due to language differences, high shipping costs, or a general lack of perceived interest from that location. Additionally, if a customer who usually gets an order shipped to a particular address suddenly purchases from another country, the transaction in question should be investigated.

Multiple product delivery locations

Splitting the billing and delivery addresses can signify online fraud in the works, especially if the user does it multiple times in quick succession. For example, suppose a customer has a Texas, USA billing address but purchases four items to be shipped to four countries. In that case, the transaction should be flagged as highly irregular and potentially fraudulent.

This is often the case when fraudsters hack into customer accounts and are wary of tipping off authorities when changing billing addresses; instead, they may use different delivery addresses to receive the items within their network. For this reason, many online merchants request additional email verification from account owners to validate some purchases.

Multiple smaller orders from the same account in a short period

When cybercriminals successfully make illicit purchases, their first instinct may be to maximize their payday. However, more seasoned fraudsters are cautious about continuing to make big purchases and raising suspicions — they may opt for several smaller purchases to avoid detection. It's worth having some verification requirements when this pattern of activity is detected.

Multiple online payment failures

Ecommerce fraud involving stolen or fake credit card numbers is a perennial favorite of cybercriminals. Fortunately, these incidents are usually easy to spot (e.g., 10 declined transactions in a row). Fraudsters often only have partial credit card information and will try their luck with the missing data. Of course, one or two failed transactions may indeed be actions of a genuine customer — however, someone attempting fraud is likely to have a much higher number of declined transactions.

Multiple orders or transactions from a new country

As with multiple online payment failures, receiving the first order from a certain country, followed by ten more from the same country in the next two hours, is highly irregular. Again, the fraudster may attempt to capitalize on the online merchant's eagerness to sell (using multiple accounts to exploit this human weakness). In this case, the online merchant should delay processing the order while the transaction's authenticity is being checked.

What measures should online merchants take to prevent ecommerce fraud?

Tools should be implemented to alert or require additional authentication when these signs of online fraud are detected. Executing solutions for effective monitoring and early detection will allow for proper intervention without impacting the online experience of other legitimate customers.

The following measures can help online businesses bolster the security of legitimate customers while at the same time hindering the malicious activities of cyber criminals.

Set up recurring website security audits

Regular audits of existing website security controls are crucial for verifying whether or not systems are protected against the latest threats. These activities evaluate the effectiveness of the security measures in place and surface new exposures that could be exploited.

The following are crucial areas to focus on when performing website security audits:

  • Customer data protection and encryption (e.g., are encryption protocols up to date?)
  • Purchase verification methods (e.g., are credit card verification services/third-party providers secure?)
  • Password security (e.g., are passwords being reused in multiple places or not being rotated at all?)
  • Malicious file detection (e.g., how often is the website scanned for malware and suspicious files?)
  • Compliance (e.g., how do your cybersecurity efforts align with industry standards and requirements from relevant oversight bodies?)

Ensure that your online store is PCI compliant

As its name implies, the Payment Card Industry (PCI) Security Standards Council is the primary oversight body responsible for credit card security and online payment standards. It's PCI Data Security Standards (DSS) serves as the de facto framework for ecommerce security; online retailers are required to adhere to the requirements or risk being fined and/or penalized for non-compliance

PCI DSS consists of security standards for bolstering online security and protecting customer/payment information. Since these requirements are continuously evolving, online merchants should actively monitor their web stores for compliance on an ongoing basis.

Actively monitor for suspicious online activity.

Online merchants (and companies at large) often take a reactive approach to online security and customer privacy — that is, they investigate fraudulent activity only after it has been reported (or is known to have occurred). Instead, systems should be deployed to proactively monitor and block suspicious activity before the order is processed (e.g., automated alerts for charges involving suspicious parts of the world, requiring further authentication to change/update customer information).

Implement address verification service

Address verification services (AVS) enable online retailers to check the credit card holder's address on record with the address provided during the real-time ordering process. Orders with mismatched details can then be declined or flagged for further analysis, saving online merchants the trouble and expense of issuing chargebacks.

Enforce CVV checks for all transactions

The card verification value (CVV) consists of a three or four-digit security code on the back of physical credit/debit cards. Customers with physical cards can easily type in the CVV numbers upon request. On the other hand, fraudsters are immediately tripped up as they usually only possess details from the card's front. However, requiring CVV for all transactions does increase friction for valid returning customers. In these cases, browser fingerprinting solutions like Fingerprint can identify new or suspicious visitors — in the case of return customers, the CVV check can then be disabled for trusted users.

Install/verify HTTPS

As its name implies, Hypertext Transfer Protocol Secure (HTTPS) is the more secure version of the protocol a customer's browser uses to transfer data over the internet (i.e., communicate with a web store). It encrypts all the data sent between the online merchant and the customer: credit card information, order details, confirmation numbers, and the like. Without this critical security control, cybercriminals can easily view and steal data as it travels between the store's website and the customer's browser.

Use fraud detection solutions to protect your online store.

Online merchants have many solutions for detecting suspicious activity and apprehending malicious actors. For example, Fingerprint helps identify suspicious online activity by flagging visitors with multiple accounts or a history of fraudulent transactions.


In short, without the proper merchant fraud protection measures in place, online businesses are highly vulnerable to the continuously evolving tactics of cybercriminals. To learn more about how Fingerprint can help you mitigate the risk of ecommerce fraud and account takeovers, contact sales for a demo or test-drive our solution — it's free for fourteen days with unlimited API access.