Shoppers don’t arrive at your eCommerce store by chance. They either typed in your URL directly, arrived via search engine, or clicked a link on some other website. Merchants usually use this information to maximize the quantity and quality of their site visitors. But one aspect that tends to get overlooked is the rate at which channels are bringing fraudsters to your site.

With a better understanding of this traffic, merchants can concentrate marketing resources on channels with less fraud, and even improve their fraud detection accuracy.

In this post, I’ll share some general trends, based on Riskified data, about the relationship between fraud and how shoppers arrive at online stores. Bear in mind that trends in shopper traffic are highly industry – and store – dependent, and it’s quite likely that any given store will exhibit idiosyncratic trends.

Referral vs Direct

Shoppers coming from a referring site are significantly safer than those who typed in the store URL. In fact, we see over twice the rate of fraud attacks in direct traffic orders.

Of all direct shoppers, those coming in via desktop computer are riskier, with a 15% higher rate of fraud attacks than direct shoppers browsing via mobile device. This implies that legitimate desktop customers tend to do more perusing before checking out, so going straight to an eCommerce site on a desktop and purchasing is a slightly unusual behavior for a legit shopper. Whereas on a mobile, where browsing is less comfortable, genuine customers are a bit more likely to go straight to the store they need.

Device type, and other device fingerprinting data, can be provided by 3rd party analytic sites, like KissMetrics, Piwik or Google Analytics. Even apart from the traffic source context, it’s valuable to know whether an order was placed on a desktop or a mobile device  – this is definitely a variable worth considering during both manual and automatic review processes.

Not all referrals are the same

In terms of fraud, it’s quite significant which referring site led a customer to your store. Given the staggering amount of time spent on social media, and the fact that it’s proportionally increasing as a share of total internet usage, it’s interesting to note the variation in fraud traffic between different social sites.

Inbounds from Twitter are more than twice as safe as those from Facebook and Instagram. And Pinterest is an even safer referral site than Twitter. There are a wide range of possible explanations for this – one is that because Twitter and Pinterest feeds are more tailored to the user’s tastes (content is almost entirely built on the user’s interests, as opposed to their real-life connections) they convert legitimate customers at a higher rate, thus diluting out the fraudsters on these channels.

But the safest shoppers visit your site by clicking email links. This traffic is much less risky than even the safest social media sites: Only around one in a thousand of these orders are fraud attacks.

Paid vs Organic

Dealing with fraud is bad enough. But the thought of fraudsters clicking on your ads, so you’re effectively paying to bring them to your site, is flat-out horrifying.

The good news is that, according to Riskified’s data, paid traffic carries less than a third of the fraud risk of organic traffic. This potentially points to the accuracy of ad targeting, that marketing teams are delivering ads mostly to legitimate customers who are interested in their product and have higher conversion rates after clicking.

This pattern generally holds on a site by site basis too. For instance Facebook traffic is twice as safe when a shopper clicks a paid ad compared to an unpaid link.

The linking effect

One of the most important data points Riskified looks at when reviewing an order is whether we’ve seen a shopper before – either at the eCommerce store she’s currently buying from, or another store in our network.

We dug into this linking data, combined with referral data, and found an interesting pattern. Linking is rather insignificant for customers shopping for the first time at a merchant’s store when they’ve arrived there via a referral page. However, when the customer arrives at the store directly, the difference is stark: we are 41% more likely to approve an order when we determine that we’ve seen the shopper before, elsewhere.


The bottom line for merchants: you’ll be able to greatly increase fraud prevention accuracy for first-time customer’s orders if you know: 

1) whether they came from a direct URL or a referral page and

2) if this customer has been seen shopping online before.

The first point, as mentioned before, can be determined with the help of 3rd party analytics sites. For point two, it may be helpful to enter into a data-sharing agreement with other merchants in your vertical. The Merchant Risk Council is one of a handful of organizations that facilitates such programs. Retailers should exercise caution, however – any bad tagging practices by colleagues (like blacklisting or whitelisting cards) could potentially result in false declines or chargebacks for anyone relying on their data.

Research for this article provided by Elad Stauberg