Ecommerce Fraud Prevention
In 2017, ecommerce grew 17% over 2016 to reach $453.46 billion in sales in the U.S. alone. By 2021, worldwide retail ecommerce sales are expected to reach $4.5 trillion. With that much money changing hands, ecommerce is inevitably a prime target for fraud. Ecommerce fraud covers a wide range of activities, from chargeback fraud (sometimes referred to as "friendly fraud") to account takeover (ATO) fraud to true fraud. Here are the three main types of ecommerce fraud and how to prevent them.
Common Types of Ecommerce Fraud
- True Fraud - True fraud is when someone uses someone else's legitimate financial information to make a purchase. There are any number of ways in which cybercriminals can gain access to someone's financial information, such as simply purchasing it on the dark web. Large-scale hacks can potentially expose the financial information of millions of consumers, which can then be sold on the dark web and used to make purchases. One of the best ways to prevent true fraud is through the use of EMV (chip) cards or digital wallets like Google Pay or Apple Pay.
Credit card information is static; it does not change. When a consumer makes a purchase or pays a bill using their credit card information, the merchant or service provider generally stores that information as a courtesy to the customer so they don't need to re-enter it each time. Unfortunately, this also means that if the information is stolen, it can be used again and again. When consumers use EMV or digital wallets to make purchases or payments, however, the chip or digital wallet generates a one-time-use code specific to that transaction, so even if it were stolen, it could not be used again. The other way that merchants can secure stored data is through encryption. When stored financial information is encrypted, it cannot be read even if it is stolen.
- Chargeback Fraud ("Friendly Fraud") - Chargeback fraud is sometimes referred to as "friendly" fraud because it is committed by the legitimate holder of an account. Chargeback fraud occurs when a consumer knowingly makes a purchase but then calls their bank or credit company to dispute the charges. In some cases, consumers are simply trying to get something for free, and in other cases they use this method to get a refund rather than having to pay to return an item by mail.
Chargeback fraud also occurs much more frequently on sites where an individual may not want others to know about their activities, such as adult entertainment sites or gambling sites. Ultimately, there is not as much that can be done about chargeback fraud as about other types of fraud, because banks that refuse to issue a credit for a purchase may also lose the consumer's business. As a result, many banks and credit-issuing agencies are reluctant to crack down too hard on chargeback fraud due to potential fallout.
- Account Takeover (ATO) Fraud - Between 2015 and 2016, ATO fraud rose 61%, another 122% in 2017 and almost the same amount again in 2018. ATO fraud occurs when an unauthorized individual is able to gain access to a legitimate account and change the account holder's information to give themselves access while at the same time blocking access to the legitimate account holder. Unfortunately, the legitimate account holder's financial information will still be used for purchases or to pay for services even though they no longer have access to the account themselves. ATO fraud is generally accomplished through phishing scams or credential recycling.
Unfortunately, many users are creatures of habit and, in spite of years of warnings to the contrary, they will use the same login credentials for low-security sites like their grocery store loyalty program as for high-security sites like their bank or credit card issuers. Multi-factor authentication is one of the best protections against ATO fraud. In the past, all that was necessary to gain access to an account were login credentials, which have become all too easy to obtain. With multi-factor authentication, however, users must also provide a biometric scan or enter a security code that is sent to a device or account they control, such as a pre-arranged email address.
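The one-time-use transaction code described under True Fraud can be modeled in a few lines. This is an added example, not code from the original article or from any card scheme: it assumes a simplified HMAC-based code with a transaction counter, and the names `Card`, `Issuer` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Simplified model (assumption): real EMV and wallet cryptograms use
# card-scheme key derivation and message formats not shown on this page.

class Card:
    """Holds a secret key and a transaction counter, like a chip or wallet."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def authorize(self, merchant: str, amount_cents: int):
        """Return (counter, code): a code bound to this one transaction."""
        self.counter += 1
        msg = f"{merchant}|{amount_cents}|{self.counter}".encode()
        return self.counter, hmac.new(self._key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Verifies codes and remembers the highest counter already accepted."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def verify(self, merchant, amount_cents, counter, code) -> bool:
        msg = f"{merchant}|{amount_cents}|{counter}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False          # wrong key, merchant or amount
        if counter <= self.last_counter:
            return False          # code already used: replay rejected
        self.last_counter = counter
        return True

def demo():
    key = secrets.token_bytes(32)            # constructed sample key
    card, issuer = Card(key), Issuer(key)
    ctr, code = card.authorize("shop.example", 4999)
    first = issuer.verify("shop.example", 4999, ctr, code)
    replay = issuer.verify("shop.example", 4999, ctr, code)      # stolen, reused
    altered = issuer.verify("other.example", 99900, ctr, code)   # stolen, changed
    ctr2, code2 = card.authorize("shop.example", 1500)
    second = issuer.verify("shop.example", 1500, ctr2, code2)
    return first, replay, altered, second

if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

A stored static card number has no equivalent of the counter and transaction binding, which is why a stolen copy of it keeps working.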