eCommerce Credit Card Fraud: How to Detect & Prevent Credit Card Fraud For Your Online Business
Don't let your small business fall victim to eCommerce fraud. Learn how to protect yourself and your customers when accepting credit card payments.
An increase in eCommerce purchases also means an increase in online payment fraud.
Online payment fraud is simply any false or illegal transaction committed via the internet. It deprives the victim of goods, services, funds, or sensitive information – often without them being aware that this has happened until much later. In many cases, there will actually be two victims: the consumer whose information was stolen, and you, the merchant. Online fraud can involve not only fraudulent transactions, but also lost or stolen merchandise, or falsified requests for a refund. Fraud can be committed through email, instant messaging, or online auction sites. It can also occur through text messaging or even phone calls.
In this article, we’ll discuss the various types of online payment fraud, whether it’s committed via credit card, debit card, eCheck/ACH, or any other payment method, what to look out for, and what you can do about it.
Table of Contents
- Why eCommerce Credit Card Fraud Detection Is Important For Businesses
- 9 Types Of eCommerce Credit Card Fraud You Need To Beware Of
- 7 Red Flags That Can Signal Online Credit Card Fraud
- eCommerce Fraud Prevention Best Practices
- The Final Word On Credit Card Fraud Detection
- Common Questions About eCommerce Credit Card Fraud
Why eCommerce Credit Card Fraud Detection Is Important For Businesses
One common misconception among small business owners that we’d like to clear up right now is that they aren’t as lucrative a target for cybercriminals as the larger retailers, and therefore don’t need to be as thorough in protecting themselves from fraudulent activity. Unfortunately, this “it will never happen to me” attitude can make it far more likely that it will happen to you sooner or later.
The truth is that large businesses are a “hard target,” because they have the resources to fully defend themselves against fraud. Smaller companies lack these resources, and thus often present a much easier target to cyberthieves. Cybercriminals know they can make more money by exploiting inadequately protected smaller businesses than by wasting time trying to break into defended larger businesses.
According to the Federal Trade Commission’s Consumer Sentinel Network, there were 2.2 million fraud reports in 2020, with consumers affected by fraud losing a median amount of $311 per fraud complaint. An Aite Group study projects that costs related to identity theft will rise to $721.3 billion in 2021.
Card-not-present fraud (eCommerce) is 81% more common than card-present fraud, a trend that has continued to grow since the introduction of EMV chips made in-person fraud more difficult. (Need to know more? Read our article Do You Really Need an EMV Chip Card Terminal?)
9 Types Of eCommerce Credit Card Fraud You Need To Beware Of
Credit cards are usually the easiest and most convenient way for consumers to pay for their online purchases, so it’s no surprise that the majority of incidents of online fraud involve credit cards. However, other payment methods (including debit cards, eCheck/ACH payments, etc.) are just as susceptible to being used fraudulently if the consumer’s account information is compromised. Here’s a brief rundown of the nine most commonly recognized types of online payment fraud:
- Account Takeover Fraud (Phishing): This is when a malevolent actor obtains a victim’s online account information and uses it to make a fraudulent purchase. While accounts can be hacked, phishing attacks often work by convincing the victim to voluntarily disclose this information.
- Card Testing Fraud: The calm before the storm. Sometimes thieves will “test” stolen credit card information by attempting to make a small, insignificant purchase. If the transaction is approved, they go on to make larger, more lucrative purchases with the valid card information. Sometimes thieves will even file chargebacks on each of these purchases.
- “Friendly” Fraud: Friendly fraud occurs when there’s no third-party actor stealing information. Instead, the legitimate account holder will use their personal credit card to make a purchase, then file a chargeback, claiming that the goods were never delivered. They get the goods for free after the issuing bank refunds their money, and you’re out the cost of the products and a chargeback fee.
- Merchant Identity Fraud: Sometimes, the merchant is the criminal. Merchant identity fraud occurs when hackers present themselves as a legitimate business. They then solicit funds from unknowing victims or offer goods or services that are never delivered. This is one reason why a prospective merchant services provider will go to great lengths to investigate the nature of your business before approving you for an account.
- Refund Fraud: Sometimes cyber thieves don’t want a particular product – they just want cash. Buying something online with stolen credit card information and then returning it for a refund that’s issued to the thief is an easy and increasingly popular way to score some quick cash at someone else’s expense.
- True Fraud: True fraud is more commonly known as identity theft. This type of fraud involves the classic scenario where a hacker illegally obtains a victim’s online account information (i.e., username and password) or their credit card information, and then uses that information to make purchases. Because issuing banks have made it relatively easy for victims of this type of fraud to dispute transactions they didn’t make, liability for the illicit purchase usually falls on you, the merchant.
- Website Redirection: This form of fraud is also known as “pagejacking.” Sophisticated hackers are able to redirect traffic from your website onto a similar site that they’ve set up, where they’re able to obtain personal information or credit card data from unsuspecting customers.
- Wire Transfer Fraud: This form of fraud involves the use of the banks’ wire transfer services for fraudulent purposes. A cybercriminal will pose as a legitimate business or government agency, then contact a victim and attempt to induce them to send money to a fraudulent address. These types of solicitations usually occur over the telephone, but can also occur online through email.
- Triangulation Fraud: Perhaps the most complex and subtle form of online fraud, triangulation fraud leverages what the buyer believes is a legitimate purchase. The fraudster sells goods that were fraudulently purchased with the customer’s credit card information, then delivers those goods to the buyer, often after skimming some additional profit. The fraudster may later use the stolen card information to make more purchases.
7 Red Flags That Can Signal Online Credit Card Fraud
Any online transaction can potentially be fraudulent, but some transactions should raise your suspicions more than others. Unusual transactions should be scrutinized more carefully than others before being approved and processed. While not constituting conclusive proof of fraud, the following “red flags” indicate a higher probability of fraud and should merit further investigation:
- Different shipping and billing addresses. Obviously, there are any number of legitimate reasons why a customer would want to ship an order to a different address. However, fraudsters almost always ship orders to somewhere other than their victim’s billing address. Be especially suspicious if expedited shipping is also requested.
- Multiple orders of the same item. It’s not out of the ordinary for a customer to order multiple quantities of an item. However, if you see an order for an unusually large number of the same item from an individual customer (not a B2B order), you might want to check it out before you ship anything.
- Abnormally large orders. If an order represents a much larger ticket size than what your business normally averages, you should probably confirm that it’s legitimate before processing the transaction and shipping the goods.
- Multiple orders to the same shipping address with different payment cards. Again, we have to emphasize that there are plenty of legitimate reasons why a customer might want to do this instead of just putting all orders on the same card. However, it’s a hallmark of fraudulent activity.
- Unexpected international orders. If your business normally only processes orders in your home country, a sudden order that needs to be shipped to a foreign country should get your attention and warrant further inquiry before approval. As we’ll see below, some countries have significantly higher rates of online fraud than others.
- Velocity attacks. A velocity attack occurs when a hacker makes multiple attempts to run different credit card numbers in rapid succession. These attacks often use bots, and the idea is to keep trying until a number is found that works.
- IP location and credit card address differ. The customer might be shopping on vacation, but this can be a warning sign that someone far away from the customer is trying to use their card.
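The order-level red flags above can be checked automatically before an order is approved. The following is an added example, not code from this article or from any payment provider; the `Order` fields, flag names, thresholds and sample orders are assumptions chosen for illustration. Velocity attacks need timestamps and are not covered by this check.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    card_token: str        # gateway token, never the raw card number
    amount: float
    max_item_qty: int      # largest quantity of any single item in the cart
    billing_addr: str
    shipping_addr: str
    billing_country: str
    shipping_country: str
    ip_country: str        # from a geolocation lookup (assumed done upstream)
    expedited: bool = False

def red_flags(orders, avg_ticket, home_country="US", qty_limit=5, size_factor=5):
    """Return {order_id: [flags]} for orders that deserve manual review."""
    cards_per_address = defaultdict(set)
    for o in orders:
        cards_per_address[o.shipping_addr].add(o.card_token)
    flagged = {}
    for o in orders:
        flags = []
        if o.shipping_addr != o.billing_addr:
            flags.append("address_mismatch_expedited" if o.expedited else "address_mismatch")
        if o.max_item_qty > qty_limit:
            flags.append("bulk_same_item")
        if o.amount > size_factor * avg_ticket:
            flags.append("abnormally_large")
        if len(cards_per_address[o.shipping_addr]) > 1:
            flags.append("many_cards_one_address")
        if o.shipping_country != home_country:
            flags.append("unexpected_international")
        if o.ip_country != o.billing_country:
            flags.append("ip_billing_mismatch")
        if flags:
            flagged[o.order_id] = flags
    return flagged

# Constructed sample orders (not real data).
SAMPLE = [
    Order("A1", "tok_1", 42.0, 1, "1 Elm St", "1 Elm St", "US", "US", "US"),
    Order("A2", "tok_2", 900.0, 12, "9 Oak Ave", "77 Dock Rd", "US", "US", "DE", True),
    Order("A3", "tok_3", 60.0, 1, "4 Pine Ct", "77 Dock Rd", "US", "US", "US"),
]
REVIEW = red_flags(SAMPLE, avg_ticket=50.0)
```

A flagged order is a candidate for manual review, not proof of fraud; order A3 here is flagged only because it shares a shipping address with another card.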
eCommerce Fraud Prevention Best Practices
If you’re feeling overwhelmed by the number of tools and strategies fraudsters can employ, don’t fret. There are plenty of tools – both manual and automatic – that can flag suspicious transactions for you and lower the risk of a fraudulent transaction slipping through. While it’s not possible to ensure 100% total protection, you can reduce the likelihood of becoming a victim of credit card fraud. Here are some actions you can take:
- Use Tokenization & Encryption: These security measures are now standard features of most modern payment gateways. Both methods protect your customers’ credit card data from being stolen during a legitimate online transaction. The use of tokenization and encryption is an essential step in keeping your merchant account PCI compliant.
- Use Velocity Attack Protection Tools: As we’ve noted above, velocity attacks involve repeated attempts to place an order with different credit card numbers, often with the use of a bot. These types of attacks can be detected and blocked by IP address using payment gateway security tools.
- Set Flexible Refund Policies: Buyers are more likely to file a chargeback if they can’t return an item due to an overly strict refund policy (i.e., the allowed refund window is too short). You can cut down on “friendly” fraud by giving your legitimate customers a reasonable amount of time to complete a return.
- Use the Address Verification Service (AVS): An AVS mismatch is a strong indicator that the order is fraudulent, as a hacker using stolen payment information is unlikely to know the actual card owner’s physical address. Most merchant services providers mandate the use of AVS for all eCommerce transactions, so this tool is already part of your merchant account.
- Use CVV & CVC Checks: Card Verification Values (CVV) and Card Verification Codes (CVC) are three- or four-digit codes that are printed on the back of all credit and debit cards. Whenever possible, you’ll want to obtain and match the cardholder’s code against the value submitted with an order. Unless the card in question has been physically stolen, it’s unlikely that a hacker will have access to this information.
- Emphasize Order Fulfillment: Ensure that all orders ship promptly and verify that they’ve been delivered. Delivery tracking can provide proof that the goods were delivered and received, helping to protect against “friendly” fraud.
- Confirm The Buyer’s Location: Geolocation and IP address verification tools can confirm with reasonable certainty that the customer’s IP address matches the billing and shipping addresses provided. This method of detecting fraud will not be 100% effective if a legitimate customer is placing an order while traveling, but can often catch suspicious transactions in most other circumstances.
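The velocity check from the “Use Velocity Attack Protection Tools” item, written out as an added example (not code from this article or from any payment gateway): it counts distinct card tokens per IP address inside a sliding time window and blocks the IP once a limit is exceeded. The class name, limits and sample events are assumptions.

```python
from collections import defaultdict, deque

class VelocityGuard:
    """Block an IP that submits too many distinct cards inside a sliding window."""

    def __init__(self, max_cards=3, window_s=600, block_s=3600):
        self.max_cards, self.window_s, self.block_s = max_cards, window_s, block_s
        self.attempts = defaultdict(deque)   # ip -> deque of (timestamp, card_token)
        self.blocked_until = {}              # ip -> timestamp when the block lifts

    def allow(self, ip, card_token, ts):
        """Return True if the attempt may go to the gateway, False if blocked."""
        if self.blocked_until.get(ip, 0) > ts:
            return False
        window = self.attempts[ip]
        window.append((ts, card_token))
        while window[0][0] <= ts - self.window_s:   # drop attempts older than the window
            window.popleft()
        if len({card for _, card in window}) > self.max_cards:
            self.blocked_until[ip] = ts + self.block_s
            return False
        return True

def replay(events, **limits):
    """Run (ts, ip, card_token) events through a fresh guard; return the decisions."""
    guard = VelocityGuard(**limits)
    return [guard.allow(ip, card, ts) for ts, ip, card in events]

# Constructed events: (seconds, client IP, card token). IPs are documentation ranges.
EVENTS = [
    (0, "203.0.113.7", "tok_a"), (2, "203.0.113.7", "tok_b"),
    (4, "203.0.113.7", "tok_c"), (5, "198.51.100.20", "tok_x"),
    (6, "203.0.113.7", "tok_d"),      # 4th distinct card in 6 s: blocked
    (8, "203.0.113.7", "tok_e"),      # still blocked
    (40, "198.51.100.20", "tok_x"),   # customer retrying the same card: allowed
    (4000, "203.0.113.7", "tok_a"),   # block expired, window empty again
]
DECISIONS = replay(EVENTS)
```

Counting distinct cards rather than raw attempts keeps a legitimate customer who retries one card after a typo from being blocked.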
The Final Word On Credit Card Fraud Detection
Protecting your business from fraud is an ongoing process, as fraudsters are constantly finding new ways to get around the latest anti-fraud measures. They aren’t going to give up just because one particular avenue of attack has closed on them, and neither should you. Securing your account is a never-ending effort that will require coordination between you, your employees, and your merchant account provider.
One thing we’ve noted over the course of reviewing dozens of merchant services providers is that they all take payment security and anti-fraud measures very seriously. This includes even the worst providers on the market (of which there are quite a few). The difference is that a low-quality provider will often offer you only the most basic anti-fraud tools, and they’ll usually charge you extra for them.
Protecting your account from fraud is extremely important, but you shouldn’t have to pay an unreasonable amount of money for anti-fraud tools – especially when other providers include the same tools as a standard feature with your account.
For some recommendations of great merchant services providers that specialize in serving the eCommerce community, check out our article, The Best Online Credit Card Payment Processing Services For Small Businesses. You can also read more about how to prevent chargebacks.