9 types of ecommerce fraud: Examples, trends, and prevention strategies
Where money goes, fraudsters will follow.
With consumers spending more time online every year, fraud will only keep growing. As of October 2023, nearly 66 percent of the global population were internet users who contributed over $2 trillion in global ecommerce sales last year alone.
With growth like this, ecommerce is a playground for cybercriminals who thrive on exploiting the vulnerabilities of online companies for financial gain.
What is ecommerce fraud?
Ecommerce fraud is the use of stolen payment information, compromised accounts, or deceptive tactics to make unauthorized purchases or exploit online store policies. It most commonly occurs in card-not-present transactions and includes fraud schemes such as account takeover, chargeback fraud, and abuse of merchant policies, including refund and return fraud. For merchants, ecommerce fraud results in chargebacks, lost revenue, and operational costs.
The future of digital fraud
Ecommerce fraud occurs anywhere you can purchase something online. Fraudsters look for vulnerabilities in these checkout platforms. Once they identify weaknesses, they target the unsuspecting ecommerce merchant and launch their attack.
The harsh reality? Cybercriminals are seemingly always one step ahead, detecting vulnerabilities in systems often before you discover them.
Malicious ecommerce fraudsters hack into company or consumer accounts, systems, and platforms to take advantage of unsuspecting merchants. They devise schemes to deceive consumers and get the information necessary to perpetrate fraudulent acts. And sometimes, even legitimate customers commit ecommerce fraud.
No matter how it happens, for merchants, dealing with ecommerce fraud takes significant time and resources. Without proper fraud management systems in place, many merchants don’t have the capacity to block every single fraud attempt. Each attack takes a considerable bite out of their revenue and leads to risk aversion, resulting in false declines of legitimate transactions.
Here, you’ll learn about global ecommerce fraud trends, common types of ecommerce fraud, and fraud prevention strategies to help reduce your risk of an attack that could compromise the health of your business.
Global online payment fraud trends
As technology evolves at a rapid clip, it opens merchants up to new risks. Merchants prioritize developing or deploying new technologies that meet customer preferences before fully understanding the fraud risks these new solutions expose — leading fraudsters to new opportunities to infiltrate and exploit.
The emergence of solutions including artificial intelligence (AI), biometrics, cryptocurrency, the metaverse and virtual worlds, and social commerce presents ecommerce fraud challenges that companies of all sizes and all types will have to combat. Similarly, the proliferation of ecommerce payment methods and digital wallets accelerates the growth of fraud as well.
Generally, fraudsters exploit three main ecommerce customer touchpoints: shopping, payment, and retrieval. It’s important to carefully review each of these touchpoints for vulnerabilities before launching a new solution, and to monitor them continuously after launch using fraud risk prevention gold standards.
Cost of ecommerce fraud
With more than 200,000 cyber attacks on online retail stores each month, ecommerce fraud cost businesses at least $48 billion in 2023.
Alongside directly impacting the bottom line, ecommerce fraud puts merchants in the position of having to tackle false declines and chargebacks, which include time-consuming processes and steep processing fees. It can also hurt marketing and future promotion strategies by creating reports that misrepresent how many legitimate sales were made versus how many went to fraudsters. Customer acquisition and retention take a hit as well, as customers often don’t return to stores where they’ve been a victim of fraud.
Victims of ecommerce fraud will typically submit a chargeback to their credit card issuer, for which the merchant will then have to reimburse them. Aside from the associated fees, merchants can find themselves at risk of being forced into high-risk (and high-fee) programs with their acquiring bank, accompanied by more severe scrutiny and heavy fines.
What are the five types of frauds in online transactions?
- Card-not-present (CNP) fraud
- Account takeover (ATO) fraud
- Chargeback fraud
- Refund or return fraud
- Gift card fraud
Nine common types of ecommerce fraud
Cybercriminals use both simple and advanced methods, such as encrypting systems, exploiting software weaknesses, and affecting crucial infrastructure, to infiltrate valuable customer data that merchants collect. Here are nine of the most common types of ecommerce fraud today.
- Payment fraud: Payment fraud consists of a false or illegitimate transaction. Before the Internet, payment fraud often revolved around straightforward issues, such as bounced checks or incorrect chargebacks. However, the rise of ecommerce introduced greater complexity. Nowadays, consumers fall victim to phishing scams, malicious links in text and instant messages, and deceptive phone calls, leading to identity theft and the compromise of their payment information and credit card numbers.
- Card-not-present (CNP) fraud: CNP fraud is an umbrella term for credit card scams that occur via online transactions, phone, or other virtual forms of payment in which a customer does not present a physical credit card. It typically happens after credit card or payment information has been stolen or illegally purchased on the dark web. It’s often harder for merchants to catch or prevent CNP fraud because they can’t physically examine the credit card.
- Card testing fraud: Often the first thing fraudsters do after acquiring stolen credit card information is run a “test” to make sure the card is functional and the details are correct. The most common method for card testing involves making small purchases with the hopes of going undetected by both fraud prevention systems and the original cardholder.
By doing so, fraudsters gain the confidence to then make bigger fraudulent purchases. In many cases, fraudsters will later resell these now fully tested cards on the dark web to a larger pool of fraudsters.
- Gift card fraud: Gift card fraud is any illegitimate activity that involves gift cards. Gift cards appeal to fraudsters because they are as good as cash and don’t have to pass fraud prevention measures like address verification and delivery.
Every year, gift card fraudsters become more sophisticated at stealing the monetary value of gift cards from consumers who buy them. Common scams include a fraudster:
  - Posing as an authority figure from an official entity or organization telling the victim they have to pay outstanding fines or debts.
  - Posing as a friend or family member who needs emergency help, asking the victim to send a gift card right away.
  - Tampering with gift card packaging to steal codes they can redeem after a consumer buys it from a retailer.
- Account takeover (ATO) fraud: An account takeover takes place when a bad actor gains access to a legitimate user’s online store account and either makes illegitimate purchases or transfers loyalty points to a different account. This often starts with login credentials or other personally identifiable information (PII) being phished through fake websites, emails, or SMS messages, and then sold on the dark web.
Some customer accounts have stored payment methods, which makes purchases both easy for the fraudster and legitimate-looking to the merchant. Even when an account doesn’t have a stored payment method, a fraudulent purchase made from a legitimate customer account can oftentimes be enough to bypass basic fraud prevention measures.
- Triangulation fraud: As the name suggests, triangulation fraud involves three steps. The first step requires a cybercriminal to create a fake online store that looks like it sells popular brand names, only at much lower prices. Shoppers, not knowing the difference and thinking they’re getting a good deal, buy an item from the shop. What they don’t know is that a fraudster is on the other end who wants to steal their personal and payment information.
The fraudster then uses the stolen information to buy the real item from the legitimate retailer and ships the product to the customer. The customer remains unsuspecting because they receive the item they purchased as planned. In the third and final step, the fraudster repeatedly buys other goods from online retailers with the stolen credit card information. Before the victim realizes it, the cybercriminal has racked up quite a bill.
- Chargeback fraud: When a customer reports a fraudulent or otherwise unsatisfactory transaction to their credit card issuer, the issuer is legally obligated to refund the charge. Chargeback fraud can occur when a customer falls victim to a fraud attack, notices an unknown charge on their credit card, and files to receive the stolen money back. Chargeback fraud can happen in a “friendly fraud” way, such as when someone close to the cardholder (a friend or family member) makes an unauthorized purchase with their card. In other cases, individuals fail to recognize a transaction they made in the past, they recognize the purchase but experience buyer’s remorse afterward, or sometimes they intentionally take advantage of the chargeback process for their own benefit.
- Refund or return fraud: A major player in policy abuse is refund or return fraud. Often, refund fraud is committed by otherwise legitimate customers who dishonestly claim “item not received” (INR) or “significantly not as described” (SNAD), or return items in used condition. But it can also be a systematic attack made by habitual abusers — consumers who intentionally exploit a retailer’s refund policy to obtain items for free. Refund fraud methods are easily found on the dark web as part of a quickly evolving industry of fraud-supporting services.
- M-commerce fraud: M-commerce fraud is ecommerce fraud conducted using mobile sites and apps. Merchants often classify it under the umbrella of ecommerce, but there are important reasons why it should be managed differently to prevent fraud: customers can make purchases on their mobile devices from wherever they are, meaning they rarely connect through the same network.
Consumers can also switch from a desktop, or a traditional ecommerce experience, to a mobile device to make a purchase. They can purchase through an app or a mobile site. This additional exposure creates opportunities for fraudsters. Each of these entry points needs an efficient review of attempted and successful fraud and identification of the origin. With this knowledge, merchants can then implement security protocols to contain and prevent it.
Ecommerce fraud warning signs
Legitimate customers tend to follow similar buying and spending patterns. Outlier patterns may indicate that fraudsters are trying to scam a merchant. Analyze your data for red flags that include:
Address and credit card security code mismatches
The billing address and the three- or four-digit numbers on the back of most credit cards — known as the Card Verification Value (CVV) — provide important pieces of security information for issuers and payment processors that approve transactions. When the details submitted at checkout don’t match the details on file with the issuing bank, it could signal fraud.
Distance between IP address and billing address
Checking the distance between the IP address where a consumer makes a purchase and the billing address of the credit card can be helpful to stop fraud in specific cases. Consumers generally make retail purchases within 10 miles of their billing address, so if the IP address is much further away than a 10-mile radius, it can raise a red flag. However, consumers often make travel and ticketing purchases while they are in an alternate location, so you frequently find a greater distance between the IP address and the billing address in this case.
Unusually high order volumes
Fraudsters focus on their financial gain — and that means spending a lot of someone else’s money. Fraudsters oftentimes make back-to-back high-ticket purchases.
Unusually low order volumes
A frequent technique: fraudsters will test credit card numbers with a small purchase before using them for large purchases. They seek to verify that the stolen card number in their possession works, and believe that a small purchase won’t trigger a red flag with consumers or the issuing bank.
Shipping concerns
Be wary of too many express shipping orders by one customer. Express shipping (unless it’s Amazon) isn’t usually preferred by consumers because of the extra expense. A fraudster, on the other hand, doesn’t mind spending someone else’s money to get their order more quickly.
Shipping to a P.O. box also causes concern. While businesses use P.O. boxes for anonymity, fraudsters may use P.O. boxes for the same reason. Look out for too many orders going to one P.O. box.
Repeated transaction declines
Entering incorrect payment information happens, but not repeatedly. Too many declined transactions could indicate that a fraudster is trying to figure out a billing address, CVV number, or other necessary payment information.
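The warning signs above can be checked mechanically over order data. The following Python is an added example, not code from this article or from Riskified: the order fields, flag names, and every threshold except the 10-mile radius are assumptions, and the sample orders are constructed.

```python
import math
import re
from collections import defaultdict

# Only the 10-mile radius comes from the article; every other threshold is assumed.
MAX_IP_MILES = 10
SMALL_AMOUNT, HIGH_AMOUNT = 2.00, 500.00     # assumed "test" ceiling / "high-ticket" floor
BACK_TO_BACK_SECS = 3600                     # assumed window for back-to-back purchases
MAX_DECLINES = MAX_EXPRESS = MAX_PO_BOX = 3  # assumed counts that are "too many"
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def red_flags(orders):
    """Map order id -> sorted warning signs raised for that order."""
    flags, by_customer, by_po_box = defaultdict(set), defaultdict(list), defaultdict(list)
    for o in orders:
        by_customer[o["customer"]].append(o)
        if not (o["avs_match"] and o["cvv_match"]):
            flags[o["id"]].add("avs_or_cvv_mismatch")
        # Travel and ticketing are often bought away from home, so distance is not scored.
        if (o["category"] not in ("travel", "ticketing")
                and miles_between(o["ip_geo"], o["billing_geo"]) > MAX_IP_MILES):
            flags[o["id"]].add("ip_far_from_billing")
        if PO_BOX.search(o["ship_to"]):
            by_po_box[" ".join(o["ship_to"].upper().split())].append(o)

    def flag_group(group, name, limit):  # flag every order once the group reaches the limit
        if len(group) >= limit:
            for o in group:
                flags[o["id"]].add(name)

    for group in by_po_box.values():
        flag_group(group, "many_orders_to_one_po_box", MAX_PO_BOX)
    for items in by_customer.values():
        items.sort(key=lambda o: o["ts"])
        flag_group([o for o in items if o["status"] == "declined"], "repeated_declines", MAX_DECLINES)
        flag_group([o for o in items if o["shipping"] == "express"], "many_express_orders", MAX_EXPRESS)
        approved = [o for o in items if o["status"] == "approved"]
        for prev, cur in zip(approved, approved[1:]):
            if prev["amount"] <= SMALL_AMOUNT and cur["amount"] >= HIGH_AMOUNT:
                flags[prev["id"]].add("small_test_purchase")  # small buy, then a large one
                flags[cur["id"]].add("large_after_small_test")
            elif (min(prev["amount"], cur["amount"]) >= HIGH_AMOUNT
                  and cur["ts"] - prev["ts"] <= BACK_TO_BACK_SECS):
                flag_group([prev, cur], "back_to_back_high_ticket", 2)
    return {oid: sorted(names) for oid, names in flags.items()}

def _order(oid, customer, ts, amount, **overrides):
    """Constructed sample order; every field name here is hypothetical."""
    return {"id": oid, "customer": customer, "ts": ts, "amount": amount, "status": "approved",
            "avs_match": True, "cvv_match": True, "category": "retail", "shipping": "standard",
            "ip_geo": (40.71, -74.00), "billing_geo": (40.73, -73.99), "ship_to": "12 Elm St",
            **overrides}

SAMPLE_ORDERS = [  # constructed data, not real transactions; ts is in seconds
    _order("B1", "c2", 100, 1.00),
    _order("B2", "c2", 400, 900.00, ip_geo=(34.05, -118.24)),
    _order("B3", "c2", 900, 750.00, cvv_match=False),
    _order("C1", "c3", 50, 300.00, category="travel", ip_geo=(51.50, -0.12)),
    _order("D1", "c4", 10, 20.00, status="declined"),
    _order("D2", "c4", 20, 20.00, status="declined"),
    _order("D3", "c4", 30, 20.00, status="declined", ship_to="P.O. Box 77"),
]

if __name__ == "__main__":
    print(red_flags(SAMPLE_ORDERS))
```

Order C1 raises nothing even though its IP is far from the billing address, because it is a travel purchase; a single flag is a prompt for review rather than proof of fraud.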
Ecommerce fraud prevention strategies
Fraudsters can attack from across the globe, requiring businesses to stay on top of local and global fraud trends at all times. Fortunately, most merchants understand the risk associated with fraud and may staff in-house teams as well as leverage fraud risk and prevention technology to combat this persistent problem.
However, ecommerce fraud has become an accepted “cost of doing business.” Cumulative losses to online payment fraud globally from 2022 to 2027 are predicted to exceed $343 billion.
Unfortunately, merchants may be overestimating their ability to prevent ecommerce fraud. Riskified surveyed consumers and merchants about their perceptions: the resulting report drew upon data from surveys of more than 4,000 consumers and 400 merchants. The research found that 55 percent of the merchants surveyed stated they were confident in their ability to prevent ecommerce-related fraud while only 34 percent of consumers surveyed said they trusted retailers’ ability to prevent fraud.
Rather than catch fraud after the fact and have to deal with the fallout, preventative measures can help mitigate ecommerce fraud. Below, learn five ways merchants use technology and best practices to prevent fraud.
Secure payment gateways and encryption
A secure payment gateway is an infrastructure that ensures ecommerce payments and financial transactions are safely processed. It moves a customer’s online transactions from a merchant’s website or app to a bank or payment processor and validates payment information, fund availability, and more.
Some features of secure payment gateways include:
- Encryption: Encryption transforms data into code to safeguard personal information before it’s transmitted for processing.
- Bank verification: Bank verification occurs when the customer’s bank verifies the encrypted data, ensuring the customer has the appropriate funds and has entered the correct payment details.
- Approval: Once the bank verifies the payment details and fund availability, it sends a response back to the merchant and customer approving or denying the transaction.
Card verification value (CVV) and address verification system (AVS)
CVV and AVS are two of the earliest forms of ecommerce fraud detection. When a customer submits their credit card to make an online payment, payment companies perform CVV and AVS checks to flag potential fraud.
You’ll find the CVV — a three- or four-digit number — on the back of most credit cards. Merchants use the CVV for proof that the person placing the order is the verified cardholder. The AVS checks for consistency between the billing address submitted by the card user at checkout and the billing address on file with the credit card’s issuing bank. The bank determines the correctness of these checks and either accepts or rejects the payment upon making its determination.
In theory, a fraudster doesn’t have access to the CVV number or billing address if they have stolen the credit card information. But CVVs don’t provide fail-safe protection against more sophisticated fraudsters.
Comply with strong customer authentication (SCA)
The United Kingdom set a standard to further protect the privacy and security of consumers in financial transactions — and help prevent fraud for businesses — with the creation of SCA.
By March 2022, all companies serving U.K. customers were mandated to meet SCA requirements. SCA states that customers must authenticate their ecommerce payments using two methods of verification.
3D Secure technology and other solutions help merchants comply with SCA and facilitate authentication of ecommerce and other card-not-present transactions with two methods of customer verification. While this is a useful practice for preventing more fraud, requiring two methods also creates more friction in the payment process, leading to greater cart abandonment. However, ecommerce fraud prevention solution providers such as Riskified have introduced SCA-compliant solutions with the goal of removing unneeded friction for customers.
Chargeback monitoring and dispute automation
According to Riskified data, chargeback fraud accounts for nearly 50 percent of chargebacks. Monitoring chargebacks closely can help reduce this type of fraud. This happens through a process called chargeback disputes, which is a formal complaint by the merchant to the credit card issuer that the chargeback is unwarranted. Just saying so, however, isn’t an acceptable dispute. A dispute requires sufficient and compelling evidence that your customer authorized their purchase. It’s a time-intensive process, requiring resources and expertise to file effective disputes.
Instead of taking up valuable time and resources in-house, many merchants choose to implement an automated chargeback dispute process that uses data-based decisions for chargeback fraud prevention. As a result, merchants stop more chargeback fraud from offenders who may be intentionally taking advantage of them.
Machine learning fraud prevention solutions
We recommend using a fraud prevention solution that can identify fraud, at scale, before it hurts your business. Merchants can use different approaches to ecommerce fraud prevention, including machine learning-based chargeback guarantee, rules-based solutions, scoring engines, and manual review.
Legacy solutions, such as those based on rules, are inherently rigid by design and slow to adapt to the dynamic nature of fraud, making them inept and often unreliable. Other solutions introduce greater friction or are at risk of being overzealous and falsely declining good customers. It’s important to learn what ecommerce fraud prevention solution is best for your business, not only for today but also ensuring it can grow as your business grows in the future.
How to choose an ecommerce fraud prevention solution
Selecting the right fraud prevention partner is a strategic decision that affects both revenue and customer experience. Legacy, rules-based solutions are often too rigid, struggling to adapt to new fraud patterns and frequently blocking legitimate customers. When evaluating a solution, prioritize machine learning capabilities that can analyze vast datasets to distinguish between a good customer and a fraudster in real-time.
Consider whether a provider financially guarantees its decisions. Some offer chargeback guarantees, shouldering the liability for any approved transaction that turns out to be fraudulent. This approach aligns the provider’s interests with your own. An effective solution should also integrate seamlessly with existing systems, perform reliably during peak traffic, and create a frictionless experience for legitimate customers. The right fraud prevention partner enables growth by adapting to the changing ecommerce and fraud landscapes.
Protect yourself with Riskified
Ecommerce fraud is a year-round threat. As a global team of fraud experts who serve the largest ecommerce merchants worldwide, our pulse stays on the latest ecommerce fraud threats and prevention strategies to help merchants like you prevent attacks.
Issues like return fraud cause ecommerce retailers to lose sleep at night. One fraudulent return won’t make or break you, but a targeted attack by a fraud ring could be catastrophic to your business. Thankfully, Riskified was built to prevent that from happening. With features like Chargeback Guarantee and Policy Protect, we can help fraud-proof your business. Contact us today to learn more.
Frequently asked questions
What is an example of ecommerce fraud?
A common example of ecommerce fraud is card-not-present (CNP) fraud. In this scenario, a fraudster uses stolen credit card information to make an online purchase without possessing the physical card. The legitimate cardholder later disputes the transaction, resulting in a chargeback and financial loss for the merchant.
Other examples include:
1. Account takeover, where a criminal accesses a customer’s account to place orders.
2. Refund fraud, where a customer falsely claims an item was not received.
3. Gift card fraud, where stolen gift card codes are redeemed before use.
How much does ecommerce fraud cost businesses?
Ecommerce fraud costs global merchants tens of billions of dollars annually in chargebacks, lost merchandise, operational expenses, and false declines. Beyond direct financial loss, fraud increases payment processing fees, damages customer trust, and can push merchants into high-risk monitoring programs with acquiring banks.
What is ecomm fraud?
Ecomm fraud is simply a shortened term for ecommerce fraud. It describes any unauthorized or deceptive activity that takes place during an online transaction. Fraudsters may use stolen credit card details, hacked customer accounts, bots, or social engineering tactics to complete fraudulent purchases or exploit retailer policies.