Protecting your ecommerce business from fraud

Even ten years ago, you might have associated retail theft with brick-and-mortar shops. Think shop floor pilfering, late-night burglaries, or warehouse break-ins.

But, as of 2023, 85% of global consumers shop online. Plus, e-commerce spending is set to exceed $7 trillion by 2025.

Thieves and scammers are following the money. E-commerce companies are estimated to lose more than $48 billion globally in 2023.

As fraud methods evolve, it’s tricky for small retailers to stay in step with the risks. In this guide, we’ll talk you through how E-commerce fraud works and discuss some key prevention techniques for your business.

Types of e-commerce fraud

E-commerce fraud isn’t a single, obvious threat like a thief pocketing an item during a busy Saturday. Instead, it covers a number of different techniques. This could include stealing login credentials, intercepting payments and exploiting promotions.

Here are some of the most common:

• Friendly fraud – often called chargeback fraud. It happens when a customer buys something through an e-commerce site, and then files for a fraudulent refund with their bank. Often, they falsely claim their order wasn’t delivered, wasn’t authorised or was somehow unsatisfactory.
• Credit card fraud – where a fraudster uses stolen credit/debit card details to make unauthorised transactions. This information often comes from hacking or phishing.
• Credit card testing – another form of credit card fraud. Here, scammers will use a stolen credit card to make small purchases under the radar. Once they’re sure the card works, they’ll make larger ones. This can result in account freezes and charges for your business.
• Identity theft – when a scammer uses someone else’s name, address or card details to make purchases, open accounts or access credit.
• Account takeover – uses the data stored on e-commerce websites to make unauthorised purchases. Often, they obtain confidential payment and personal details through email scams and phishing.
• Phishing techniques – normally involve deceptive emails, websites or messages. They trick users into providing confidential or sensitive information. This can then be used for fraud.
• Refund fraud – where scammers pose as a customer to request fake refunds. They’ll normally use stolen account information or fake order details.
• Counterfeit products – imitation items sold to consumers as the real thing.
• Affiliate fraud – scammers abuse affiliate marketing programmes. They generate false flicks, sales, commissions and traffic.
• Dropshippingfraud – a scammer poses as a legitimate supplier of a product, but never sends what they’ve sold. As a retailer, you may have to deal with the fallout of this – both financial losses and angry customers.

What businesses are at risk?

Almost every business is at risk of fraud in one way or another. But as an e-commerce business, you should take particular care. By handling confidential information and other sensitive data, you might be at risk.

Globally, e-commerce businesses have lost almost $50 billion in 2023 – an average of 2.9%4 of their revenue. This rose by a huge 16% year on year due to the rise of Buy Now Pay Later (BNPL) platforms. Here, the deferred payments provide additional time and opportunities for scammers.

As the e-commerce sector continues to grow, consumers look for quicker and more convenient ways to make purchases. According to Cybersource, the average e-commerce business now accepts an average of 4.6 payment methods. This could open even more touchpoints for fraudulent payments.

What puts you at risk of fraud?

Normally, fraudsters exploit weaknesses in data, security, and digital systems.

Some of the key risks include:

• Data breaches. These often occur when hackers breach the security of a digital network and steal customer information.
• Stolen or weak credentials. Phishing attacks often trick people into sharing their passwords or credentials. They then use these to make fraudulent purchases or redirect funds. Sometimes, hackers can also guess weak passwords.
• Poor payment verification. Weak payment systems are also a prime target for scammers. It’s important to have strong two-factor or CVV payment verification in place.
• Weak website security. Security updates, malware protection and firewalls can all help shore up your site.
• Advanced persistent threats. Here, an intruder enters a network undetected and bides their time. They can then gather consumer data and commit fraud.
• International transactions. Sometimes, international money/goods transfers can bypass security measures. Plus, it can be harder to prosecute scammers from different countries.

How to prevent fraud

With those common e-commerce fraud touchpoints in mind, here are a few tips to help stay safe.

• Use secure paymentgateways - Reliable payment gateways with strong fraud detection and encryption can help you protect data.
• Strong authentication and verification - Make sure your customers are using unique passwords or multifactor authentication. One-time passwords and address/CVV verification can help stop fraudsters in their tracks.
• Keep an eye on your transactions - If something doesn’t feel quite right, don’t be afraid to check it out. For example, especially low or high-value orders, or multiple orders from the same IP address, might be cause for concern. It might be worth checking out user behaviour to look for unusual or sudden account creation or multiple sign-in attempts. This is particularly important during busy periods like Black Monday/Cyber Monday, or during the lead-up to Christmas. In the scrum for deals, unusual activity often goes unnoticed.
• Set limits - If you’re worried about suspicious orders, you can always impose flags or blocks on them until you give them the all-clear. Take a look at your sales data to understand what normal sales data looks like before you start.
• Monitor chargebacks - It’s also important to keep an eye on chargebacks when you receive them. Looking at the reasons behind them can help you spot unusual patterns or suspicious user behaviour.
• Be PCI Compliant - It’s a legal requirement for e-commerce businesses to follow the Payment Card Industry Data Security Standards. This includes a number of important measures. Such as changing the default password on your systems, encrypting user data and restricting data access.
• Set rules, filters and policies - Strong policies for passwords, returns and promotions may sometimes be inconvenient for customers. However, they’re essential to combat fraud. Likewise, you should set digital rules and filters on your website to flag high orders, mismatched addresses and more .
• Update your security - Your platform providers will regularly update their software to respond to the latest threats. Make sure to install them.
• Be fraud smart - Training and development time is important to boost you and your staff’s fraud awareness.
• Stay safe - Work with other businesses, share information and create channels to help each other prevent fraud. There are plenty of industry-wide anti-fraud initiatives that can help you stop repeat offenders. You can also stay up to date with emerging threats. Blocklists – which display the names and card details of known fraudsters – are a good place to start.

If you stay on top of your game, you could stop e-commerce scammers in their tracks. At Tyl, we have a wide range of resources to help you stay safe as a business. Check out our guides to:

• Becoming PCI-compliant
• Chargebacks
• Combating fraud

Disclaimer

This has been prepared by Tyl by NatWest for informational purposes only and should not be treated as advice or a recommendation. There may be other considerations relevant to you and your business so you should undertake your own independent research.

Tyl by NatWest makes no representation, warranty, undertaking or assurance (express or implied) with respect to the adequacy, accuracy, completeness, or reasonableness of the information provided.

Tyl by NatWest accepts no liability for any direct, indirect, or consequential losses (in contract, tort or otherwise) arising from the use of the information contained herein. However, this shall not restrict, exclude, or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.