The risk of fraud for online businesses is higher than it’s ever been in history. Ecommerce fraud topped $12 million in 2020, with 89% of businesses losing money to payment fraud that year. And with cyber criminals using increasingly sophisticated and effective methods, website operators must maintain a vigilant stance in order to protect themselves and their customers.
Given the soaring number of cases, merchant fraud protection measures have become a standard part of doing business online. This includes the implementation of effective measures for ecommerce fraud detection and protection.
Why should online merchants implement ecommerce fraud protection measures?
The continuing ecommerce boom has also created a wealth of opportunity for fraudsters. Businesses looking to start or expand their online operations need to have the proper fraud risk mitigation measures in place; lack of these fundamental controls will invariably lead to a security compromise. Cyber criminals are continuously evolving their tools and tactics and have so far been keeping one step ahead of the cybersecurity industry.
How can online merchants detect online fraud?
Though spotting online fraud has become increasingly difficult, several tell-tale indicators continue to serve as red flags for malicious activity. Any signs of the following warrant further investigation.
Inconsistencies in customer/order information
If several pieces of key information provided by the customer don't match (e.g., the zip code entered doesn't correlate to the area they say they're in), online fraud could be in the works. Upon spotting these discrepancies during a customer's checkout process, online merchants should take further steps to validate the customer's identity by performing additional verification. After all, the mistake might just be a typo. Or, it may be fraud.
Excessively large orders
When cyber criminals intend on cashing in on their efforts, they often make sizable orders to exploit the online merchant's enthusiasm in closing a large sale. While a big customer order in itself isn't necessarily a bad thing — and certainly can be a great thing — extra verification should be put in place for transactions exceeding a certain threshold in order to reduce ecommerce fraud risk.
Orders made from unusual locations
The majority of ecommerce stores are not run by multinational corporations with locations across the globe. And on the other end of the order, most customers generally come from familiar markets and locations. Online merchants should therefore be wary of orders originating from unexpected countries — this could be deemed suspicious due to language differences, exorbitant shipping costs, or a general lack of perceived interest from that location. Additionally, if a customer who usually gets an order shipped to a certain address suddenly makes a purchase from another country, the transaction in question should be investigated.
Multiple product delivery locations
Splitting the billing and delivery addresses can be a sign of online fraud in the works, especially if the user does it multiple times in quick succession. For example, if a customer has a Texas, USA billing address but purchases four items to be shipped to four different countries, the transaction should be flagged as highly irregular and potentially fraudulent.
This is often the case when fraudsters hack into customer accounts and are wary of tipping off authorities when changing billing addresses; instead, they may use different delivery addresses to receive the items within their network. For this reason, many online merchants request additional email verification from account owners to validate some purchases.
Multiple smaller orders from the same account in a short span of time
When cyber criminals successfully make illicit purchases, their first instinct may be to maximize their pay day. However, more seasoned fraudsters are cautious about continuing to make big purchases and raising suspicions — they may opt for a number of smaller purchases to avoid detection. It's worth having some sort of verification requirement when this pattern of activity is detected.
Multiple online payment failures
Ecommerce fraud involving stolen or fake credit card numbers is a perennial favorite of cyber criminals. Fortunately, these incidents are usually easy to spot (e.g., 10 declined transactions in a row). Fraudsters often only have partial credit card information and will try their luck with the missing information. Of course, one or two failed transactions may indeed be actions of a genuine customer — however, someone attempting fraud is likely to have a much higher number of declined transactions.
Multiple orders or transactions from a new country
As with multiple online payment failures, receiving the first order ever from a certain country followed by 10 more from the same country in the next two hours is highly irregular. Again, the fraudster may attempt to capitalize on the online merchant's eagerness to sell (and is using multiple accounts to exploit this human weakness). In this case, the online merchant should delay processing the order while the transaction's authenticity is being checked.
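The seven indicators above can be expressed as simple rules over a batch of recent checkouts. The following is an added example written for this page, not code from the article or from Fingerprint: the thresholds (order amount, look-back window, counts) and the "home" market list are assumptions chosen for illustration, and the sample batch is constructed. Each order is compared with the orders that preceded it, so the same function can run over a rolling window of live checkouts.

```python
"""Rule-based order screening for the red flags listed above (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not values from the article;
# tune them to the store's own order history.
LARGE_ORDER_THRESHOLD = 2000.00       # amount above which extra verification is required
VELOCITY_WINDOW = timedelta(hours=2)  # look-back window for the velocity rules
BURST_ORDER_COUNT = 4                 # approved orders from one account inside the window
DECLINE_COUNT = 3                     # declined attempts from one account inside the window
SPLIT_COUNTRY_COUNT = 3               # distinct ship-to countries for one account in the window
NEW_COUNTRY_BURST = 5                 # orders to a never-seen country inside the window
HOME_COUNTRIES = {"US", "CA"}         # markets the store has historically shipped to (assumed)


@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    amount: float
    billing_country: str
    ship_country: str
    billing_zip: str   # ZIP on the card's billing record
    entered_zip: str   # ZIP the customer typed at checkout
    placed_at: datetime
    declined: bool = False


def _recent(group, order, window=VELOCITY_WINDOW):
    """Orders in `group` placed within `window` before (or at) `order`."""
    return [o for o in group if order.placed_at - window <= o.placed_at <= order.placed_at]


def score_orders(orders, known_countries=HOME_COUNTRIES):
    """Return {order_id: [flag, ...]} for every order that trips at least one rule."""
    by_account, by_country, flags = defaultdict(list), defaultdict(list), {}
    for o in sorted(orders, key=lambda o: o.placed_at):
        by_account[o.account].append(o)
        by_country[o.ship_country].append(o)
        f = []
        # Inconsistent customer/order information (billing ZIP vs. ZIP typed at checkout)
        if o.entered_zip.strip() != o.billing_zip.strip():
            f.append("info-mismatch")
        # Excessively large order
        if o.amount > LARGE_ORDER_THRESHOLD:
            f.append("large-order")
        # Shipping to a location the store does not normally serve
        if o.ship_country not in known_countries:
            f.append("unusual-location")
        recent = _recent(by_account[o.account], o)
        # One account shipping to several countries in quick succession
        if len({r.ship_country for r in recent}) >= SPLIT_COUNTRY_COUNT:
            f.append("split-shipping")
        # Many orders from one account in a short span
        if sum(not r.declined for r in recent) >= BURST_ORDER_COUNT:
            f.append("order-burst")
        # Repeated payment failures (partial card data being guessed)
        if sum(r.declined for r in recent) >= DECLINE_COUNT:
            f.append("payment-failures")
        # Burst of orders to a country the store had never shipped to, across accounts
        if (o.ship_country not in known_countries
                and len(_recent(by_country[o.ship_country], o)) >= NEW_COUNTRY_BURST):
            f.append("new-country-burst")
        if f:
            flags[o.order_id] = f
    return flags


def sample_orders():
    """Constructed sample batch for the example; not real transaction data."""
    t0 = datetime(2024, 3, 1, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    batch = [
        Order("o1", "alice", 84.50, "US", "US", "73301", "73301", at(0)),
        Order("o2", "bob", 2999.00, "US", "US", "10001", "10001", at(5)),   # large order
        Order("o3", "carol", 120.00, "US", "US", "94105", "94150", at(6)),  # ZIP mismatch
        # one account, four ship-to countries, minutes apart
        Order("o4", "dave", 60.00, "US", "DE", "75001", "75001", at(10)),
        Order("o5", "dave", 55.00, "US", "BR", "75001", "75001", at(12)),
        Order("o6", "dave", 70.00, "US", "NG", "75001", "75001", at(14)),
        Order("o7", "dave", 65.00, "US", "VN", "75001", "75001", at(16)),
        # repeated declines from one account (card details being guessed)
        Order("o8", "erin", 20.00, "US", "US", "30301", "30301", at(20), declined=True),
        Order("o9", "erin", 20.00, "US", "US", "30301", "30301", at(21), declined=True),
        Order("o10", "erin", 20.00, "US", "US", "30301", "30301", at(22), declined=True),
    ]
    # five separate accounts ordering to a country the store has never shipped to
    batch += [Order(f"o{11 + i}", f"acct{i}", 45.00, "US", "PL", "60601", "60601", at(30 + i))
              for i in range(5)]
    return batch


if __name__ == "__main__":
    for order_id, reasons in score_orders(sample_orders()).items():
        print(order_id, reasons)
```

Flags are additive: the fourth of dave's orders trips "unusual-location", "split-shipping" and "order-burst" at once, while erin's first two declines produce nothing and only the third crosses the decline threshold. The flag list is what a merchant would route to an alert or to a step-up verification prompt rather than an automatic block, so that an honest customer with a typo in their ZIP is asked to confirm instead of being turned away.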
What measures should online merchants take to prevent ecommerce fraud?
Tools should be implemented to alert or require additional authentication when any of these signs of online fraud are detected. Implementing solutions for effective monitoring and early detection will allow for proper intervention without impacting the online experience of other legitimate customers.
The following measures can help online businesses bolster the security of legitimate customers while at the same time hindering the malicious activities of cyber criminals.
Set up recurring website security audits
Regular audits of existing website security controls are crucial for verifying whether or not systems are protected against the latest threats. These activities evaluate the effectiveness of the security measures in place and surface new exposures that could be exploited.
The following are crucial areas to focus on when performing website security audits:
- Customer data protection and encryption (e.g., are encryption protocols up to date?)
- Purchase verification methods (e.g., are credit card verification services/third-party providers secure?)
- Password security (e.g., are passwords being reused in multiple places or not being rotated at all?)
- Malicious file detection (e.g., how often is the website scanned for malware and suspicious files?)
- Compliance (e.g., how do your cybersecurity efforts align with industry standards and requirements from relevant oversight bodies?)
Ensure that your online store is PCI compliant
As its name implies, the Payment Card Industry (PCI) Security Standards Council is the primary oversight body responsible for credit card security and online payment standards. Its PCI Data Security Standard (PCI DSS) serves as the de facto framework for ecommerce security; online retailers are required to adhere to its requirements or risk being fined and/or penalized for non-compliance.
PCI DSS consists of a set of security standards for bolstering online security and protecting customer/payment information. Since these requirements are continuously evolving, online merchants should actively monitor their web stores for compliance on an ongoing basis.
Actively monitor for suspicious online activity
Online merchants (and companies at large) often make the mistake of taking a reactive approach to online security and customer privacy — that is, they investigate fraudulent activity only after it has been reported (or is known to have occurred). Instead, systems should be deployed to proactively monitor and block suspicious activity before the order is processed (e.g., automated alerts for orders involving suspicious parts of the world, requiring further authentication to change/update customer information).
Implement address verification service
Address verification services (AVS) enable online retailers to check the credit card holder's address on record against the address provided during the ordering process, in real time. Orders with mismatched details can then be declined or flagged for further analysis, saving online merchants the trouble and expense of issuing chargebacks.
Enforce CVV checks for all transactions
The card verification value (CVV) consists of a three- or four-digit security code on the back of physical credit/debit cards. Customers with their physical cards on hand can easily type in the CVV numbers upon request. On the other hand, fraudsters are immediately tripped up as they usually only possess details from the card's front. However, requiring CVV for all transactions does increase friction for valid returning customers. In these cases, browser fingerprinting solutions like Fingerprint can identify new or suspicious visitors — in the case of return customers, the CVV check can then be disabled for trusted users.
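The AVS comparison and the CVV step-up described in the last two sections fit together as one checkout decision. The following is an added example written for this page, not Fingerprint's code and not a card network's AVS implementation: the abbreviation table is assumed, the result labels stand in for the single-letter codes that vary by network, and the `trusted_visitor` input is assumed to come from a visitor-recognition signal such as the browser fingerprinting the article mentions. It shows why addresses must be normalised before comparison ("N. Main St" versus "North Main Street", ZIP+4 versus five-digit ZIP) and how a partial match is routed to review rather than silently approved.

```python
"""AVS-style address comparison plus the CVV step-up decision (constructed example)."""
import re

# Common abbreviations so "North Main Street" and "N. Main St" compare equal (assumed list)
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd", "drive": "dr",
    "lane": "ln", "apartment": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_address(line: str) -> str:
    """Lower-case, strip punctuation, and canonicalise common street abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", line.lower()).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def normalize_zip(zip_code: str) -> str:
    """Keep the 5-digit ZIP so '94105-1234' and '94105' compare equal."""
    return re.sub(r"\D", "", zip_code)[:5]


def avs_match(on_file: dict, entered: dict) -> str:
    """Compare the address on the card record with the checkout address.

    Returns 'full', 'zip-only', 'address-only' or 'none'; these labels stand in
    for the single-letter codes card networks return, which differ by network.
    """
    street_ok = normalize_address(on_file["street"]) == normalize_address(entered["street"])
    zip_ok = normalize_zip(on_file["zip"]) == normalize_zip(entered["zip"])
    if street_ok and zip_ok:
        return "full"
    if zip_ok:
        return "zip-only"
    if street_ok:
        return "address-only"
    return "none"


def checkout_decision(avs_result: str, cvv_provided: bool, cvv_valid: bool,
                      trusted_visitor: bool) -> str:
    """Decide what to do with a checkout: 'approve', 'require-cvv', 'review' or 'decline'.

    `trusted_visitor` is assumed to come from a device/visitor-recognition signal
    and lets a known returning customer skip the CVV prompt; everyone else must
    supply a CVV, and a supplied CVV that fails validation is always declined.
    """
    if avs_result == "none":
        return "decline"        # both street and ZIP disagree with the card record
    if avs_result in ("zip-only", "address-only"):
        return "review"         # partial match: hold for manual analysis
    if cvv_provided:
        return "approve" if cvv_valid else "decline"
    return "approve" if trusted_visitor else "require-cvv"


if __name__ == "__main__":
    # Constructed sample: the cardholder's record versus what was typed at checkout
    on_file = {"street": "123 North Main Street", "zip": "94105-1234"}
    entered = {"street": "123 N. Main St", "zip": "94105"}
    result = avs_match(on_file, entered)
    print(result, checkout_decision(result, cvv_provided=False, cvv_valid=False,
                                    trusted_visitor=False))
```

The normalisation is deliberately conservative: it only collapses case, punctuation and a short list of abbreviations, so a different house number or street name still yields "address-only" or "none". Widening the table (for example, to handle unit numbers written as "#4") is a store-specific tuning decision.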
As its name implies, Hypertext Transfer Protocol Secure (HTTPS) is the more secure version of the protocol a customer's browser uses to transfer data over the internet (i.e., communicate with a web store). It essentially encrypts all the data sent between the online merchant and the customer: credit card information, order details, confirmation numbers, and the like. Without this critical security control in place, cyber criminals can easily view and steal data as it travels between the store's website and the customer’s browser.
Use fraud detection solutions to protect your online store
These days, online merchants have a wide range of solutions at their disposal for detecting suspicious activity and apprehending malicious actors. For example, Fingerprint helps identify suspicious online activity by flagging visitors with multiple accounts or a history of fraudulent transactions.
In short, without the proper merchant fraud protection measures in place, online businesses are highly vulnerable to the continuously evolving tactics of cyber criminals. To learn more about how Fingerprint can help you mitigate the risk of ecommerce fraud and account takeovers, contact one of our experts or test drive our solution — it’s free for 10 days with unlimited API access.