In the past year, ecommerce businesses experienced a dramatic increase in activity as more and more shoppers moved online in response to lockdowns. Ecommerce jumped to nearly 20% of all global retail sales. Along with the increase in online shopping came a rise in online payments and, unfortunately, payment fraud.
Ecommerce fraud cost businesses tens of billions of dollars last year, and the damage from fraudulent transactions went beyond chargeback costs. Some ecommerce businesses also found themselves labeled as high-risk and subsequently lost their payment providers.
No merchant will ever be able to prevent payment fraud completely. But there are ways ecommerce businesses can protect themselves and their customers from all the bad actors out in the world. Below are several steps every prudent business should take.
Common fraud attempts in ecommerce
Hackers and fraudsters use various ways to gather the information needed to commit fraudulent transactions, ranging from targeting single individuals to generating fake identities to large-scale data breaches. And when criminals can’t find the data themselves, they can often simply purchase it on the dark web from other criminals.
Here are just a few ways fraudsters are accessing or creating payment information.
Phishing
Phishing attacks remain a tried-and-true method for fraudsters to obtain identity information. They are simple compared to other methods and frequently successful. Phishing relies on users believing that the source of a communication they receive is genuine and trustworthy. Attackers make their communication appear to come from a trusted sender, for instance, by spoofing a company email address.
Synthetic identity fraud
In synthetic identity fraud, criminals create a fake persona using stolen identity information (e.g., a social security number) combined with fabricated identity information such as a name, address, phone number, or birth date. They then establish credit under the fake persona, make transactions, never pay, and eventually abandon the persona. According to the Federal Reserve, synthetic identity fraud is growing faster than any other financial crime in the U.S.
Automatic card number generators
A quick online search will turn up quite a few virtual card number generators. They exist for legitimate purposes, namely for creating single-use cards specifically to defeat online transaction fraud.
But criminals have also used these generators successfully to facilitate fraud, by generating a large set of numbers and then using bots to try each card number until one goes through. It is a simple, automated process that requires little effort on the criminal’s part.
E-skimming
In e-skimming attacks, hackers insert malicious code into a company’s online store or payment gateway, stealing a customer’s payment information during a transaction. Consumers are unaware of the skimming code and, in fact, have no way to identify its presence.
Minimizing online payment fraud
Fraud attempts will only continue to increase as consumers shift further towards online, cashless transactions. So businesses must do everything in their power to offer payment processing services that are secure for the consumer and minimize the possibility of chargebacks.
Ensure that you are compliant with security standards
All businesses that process online credit card transactions should comply with the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS includes a set of twelve requirements to secure credit card data and other personal information related to online transactions. The requirements generally fall into several categories:
- Network security – e.g., properly using firewalls and anti-virus programs
- Data security – e.g., encrypting transmission of consumer data and limiting internal access (both digital and physical) to consumer data on a need-to-know basis
- Policies and procedures – e.g., instituting cybersecurity policies and providing continuous monitoring and frequent security testing
Most ecommerce businesses rely on third-party providers for PCI-DSS compliance. Businesses should therefore confirm that every application and provider that touches a transaction, from invoicing to payment acceptance, holds PCI-DSS certification and keeps customer data secure.
Review transactions for common indicators of fraud
While not all fraudulent transactions are easily identifiable, certain traits can raise red flags for merchants, causing them to look more closely at given transactions. One common indicator is an unusually large transaction amount. Often, criminals who have stolen credit card information will quickly attempt several large transactions before having the card blocked.
A business that allows one of these transactions may suffer a correspondingly large chargeback. Worse yet, payment processors may label the business high-risk and revoke access to payment services. The primary way to avoid this type of payment fraud is to limit the size of transactions going through the payment gateway.
Another common indicator of fraud is the transaction’s country of origin. Certain countries are notorious for high levels of credit card fraud, including Indonesia, Brazil, Romania, Nigeria, Pakistan and Russia. Businesses should require additional verification when processing orders from these countries, such as asking the customer to call and personally verify their payment information.
Merchants can also look for suspicious devices attempting to access their online payment systems by using identifying information about the device attempting the transaction (e.g., IP address, operating system, browser). Mobile devices are notoriously susceptible to attacks, and criminals can exploit 89% of mobile device vulnerabilities without physical access to the device. If the payment system detects a suspicious device, the merchant can ask for additional verification information or decline the transaction.
Verify card information
Most businesses are already familiar with the range of card verification options available and should use them whenever possible. In addition to the widely used card verification value (CVV), the three-digit number on the back of the card, there are also other options for verifying cardholder identity.
One option growing in popularity is the 3D-Secure card verification system, which many merchants will recognize under the names Verified by Visa or MasterCard SecureCode. 3D-Secure systems act much like multi-factor authentication for account logins.
In addition to entering basic card information and a CVV, cardholders must further verify their identity by entering a PIN or other additional information before a transaction is processed. Some banks require a user to verify transactions through the bank’s application on their mobile phone, which consumers already use for many other fintech applications.
Another commonly used method is address verification, which all online consumers have seen and used at one time or another. An address verification service (AVS) matches the card information against known address information for the consumer, most notably the zip code of the billing address. AVS, however, does not always detect more advanced fraud such as synthetic identity fraud. But it can be very useful in defeating automatic card number generators because those cards will typically not have an associated address.
Other advanced methods such as biometric verification are also becoming more popular, although they have limitations, particularly regarding data privacy concerns.
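As an added example (not code from the article), the following Python screen applies the transaction-review indicators from the previous section (large amounts, high-risk country of origin, device fingerprinting) together with the AVS zip check and a simple card-testing rule for the bot-driven number generators described earlier. The amount limit, the card-attempt threshold, the device fingerprint and the sample orders are assumptions constructed for illustration, and the AVS result is reduced to a single yes/no flag.

```python
"""Rule-based screening of online payments against the fraud indicators described above."""
from collections import defaultdict
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"ID", "BR", "RO", "NG", "PK", "RU"}  # ISO codes for the countries named above
LARGE_AMOUNT_LIMIT = 500.00  # assumed per-transaction cap for this merchant
CARD_TESTING_LIMIT = 3       # assumed: this many distinct cards from one device looks like a bot
HARD_STOPS = {"large amount", "AVS zip mismatch", "card testing velocity"}  # decline outright


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    country: str         # country of origin of the order
    device_id: str       # fingerprint built from IP address, OS and browser (assumed)
    card_last4: str
    avs_zip_match: bool  # simplified AVS result: billing zip matched the issuer's record


def screen(transactions):
    """Return {txn_id: (action, reasons)}; action is approve, verify or decline.
    Orders are processed in sequence so the card-testing rule counts a device's earlier attempts."""
    cards_seen = defaultdict(set)  # device_id -> distinct card numbers that device has tried
    decisions = {}
    for t in transactions:
        cards_seen[t.device_id].add(t.card_last4)
        reasons = []
        if t.amount > LARGE_AMOUNT_LIMIT:
            reasons.append("large amount")           # limit the size of transactions
        if t.country in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk country")      # ask the customer to verify by phone
        if not t.avs_zip_match:
            reasons.append("AVS zip mismatch")       # generated card numbers have no address
        if len(cards_seen[t.device_id]) >= CARD_TESTING_LIMIT:
            reasons.append("card testing velocity")  # one device cycling through many cards
        action = "decline" if HARD_STOPS & set(reasons) else "verify" if reasons else "approve"
        decisions[t.txn_id] = (action, reasons)
    return decisions


SAMPLE = [  # constructed sample orders, not real data
    Transaction("T1", 49.99, "US", "dev-a", "1111", True),
    Transaction("T2", 1200.00, "US", "dev-b", "2222", True),
    Transaction("T3", 80.00, "NG", "dev-c", "3333", True),
    Transaction("T4", 20.00, "US", "dev-d", "4444", True),
    Transaction("T5", 20.00, "US", "dev-d", "5555", False),
    Transaction("T6", 20.00, "US", "dev-d", "6666", False),
]

if __name__ == "__main__":
    for txn_id, (action, reasons) in screen(SAMPLE).items():
        print(f"{txn_id}: {action} {reasons}")
```

Running it shows T2 declined for size, T3 held for verification because of its origin, and T5 and T6 declined as the same device cycles through card numbers with no matching billing address.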
Stay one step ahead
By taking sensible measures to protect your website, your network and your customers’ data, you can stay a step ahead of the majority of fraudsters. A few small investments on the front end will save the business from large chargebacks in the future, as well as reputational damage.