7 Common Types of Ecommerce Fraud and How to Prevent Them

As technology advances, so do the methods and techniques used by cybercriminals. The integration of technology into our everyday lives presents more opportunities for hackers to access our personal information. In 2020, we saw a massive shift in how we view remote work, with most businesses going online to continue trading through COVID-19 lockdowns. This shift led to the creation of platforms and devices that allow for sensitive data sharing, such as cloud service providers and APIs. In the same year, there was a 435 per cent increase in ransomware.

As we become increasingly dependent on interconnected technologies, online retailers must keep abreast of trending ecommerce scams and do everything in their power to prevent fraudulent activities. In this blog, we’ll explore common forms of ecommerce fraud so you can identify fraudulent transactions and the impact that these illegal activities have on the ecommerce landscape.

What is ecommerce fraud?

Ecommerce fraud refers to any illegal or fraudulent activity that aims to obtain goods, services, or information through an ecommerce business, store or platform. This type of fraud can occur at any point in the fulfilment process and can take various forms that target both retailers and consumers. Anyone can commit ecommerce fraud, from false suppliers to greedy customers. Some customers even commit fraud by accident.

There are various reasons why ecommerce fraud has increased in the last few years. The advent of cloud computing and its accelerated demand over the COVID-19 crisis has led to massive amounts of data being stored over the internet. As businesses struggle to keep up with this evolving technology, security risks are exposed, many caused by simple human error. Advances in technology have also enabled cybercriminals to commit fraud on a wider scale. Just as businesses can use A.I. to automate certain processes, fraudsters can use A.I. to create data-stealing bots, create fake identities, personalise scams to their victims, and launch campaigns en masse.

Ecommerce fraud is a serious issue for online retailers: it not only leads to massive profit losses from fraudulent transactions, but can also significantly damage a brand’s reputation and erode confidence in ecommerce as a whole. Only 34 per cent of consumers trust retailers’ ability to prevent fraud, and 66 per cent of consumers won’t buy again from an online store where their account information has been compromised.

Impact of ecommerce fraud annually

It’s estimated that ecommerce businesses lose approximately $48 billion to fraud every year. To combat this, businesses spend close to one-tenth of their annual revenue on fraud management. These funds may be used to expand fraud protection teams, develop fraud protection software, and other preventative measures.

Ecommerce fraud is rife in Europe. Two in three German merchants have noted an increase in ecommerce fraud, and 85 per cent of Swiss merchants reported being hit by fraudsters in 2022. North America has been hit the hardest by ecommerce fraud, accounting for 42 per cent of global ecommerce fraud in 2023, with data breaches being a key fraud risk factor. Around 20 per cent of all ecommerce revenue is said to be lost to fraud in Latin America, while Asia-Pacific and South East Asia report the cost of ecommerce fraud at $4 US per transaction, roughly 5 per cent of a business’s revenue per year.

Common types of ecommerce fraud in 2024

Some of the common types of ecommerce fraud in 2024 include:

Identity fraud/payment fraud

Identity theft occurs when hackers gain access to a person’s personal and financial information. This is often credit card information that can then be used to make unauthorised purchases, but it can also include emails, names, addresses, IP addresses, and access to personal devices. Identity theft is one of the most prolific forms of ecommerce fraud, making up over 71 per cent of all ecommerce attacks. There are many different types of identity theft, and while access to information is often the end goal, it may also be used as a jumping-off point for other types of cybercrime.

Account takeover fraud

Account takeover fraud is a variation of identity theft where a user breaks into someone else’s account and uses it for criminal purposes. Because the users can change account details after they gain access, it can be difficult for victims to regain these accounts. This type of fraud targets both customer accounts and businesses. 

Credit card fraud

Credit card fraud occurs when unauthorised users gain access to an individual’s payment card and use it to make purchases, create new accounts, or simply sell the information to other criminals. 

Card-testing fraud is a subset of credit card fraud and occurs when an unauthorised user has access to some, but not all, stolen credit card information. They will often test stolen credit card numbers first by making small purchases from ecommerce merchants before moving on to larger purchases if the payments are successful.

Chargeback fraud

Chargeback fraud occurs when a customer makes a purchase using their credit card and then requests an unfounded chargeback after receiving the goods or services. These customers may purposefully lie about the state of the product or whether it was delivered. 

When a customer’s data is compromised and used to make fraudulent online purchases and the customer initiates a chargeback, this is also referred to as chargeback fraud, even though the customer is a victim. As a result of chargeback fraud, merchants were estimated to pay over $100 billion in chargebacks in 2023.

Friendly fraud

Friendly fraud is a type of chargeback fraud that occurs when a customer files a chargeback claim for a legitimate transaction. It is so named because it is hard to distinguish accidental claims from intentional ones. Friendly fraud is not always committed with malicious intent but may occur because:

  • The customer forgot they made the purchase and assumed it was unauthorised.

  • The customer was impatient and requested a chargeback before receiving the item.

  • Another family member (often a child) made an unauthorised purchase using another family member’s account (also known as family fraud).

  • The customer received the product but was not satisfied with it or felt they were scammed (even if they received the product as described). 

  • The customer regretted the purchase and instead of following the store’s return policy, initiated a chargeback.

In a survey by Statista, friendly fraud affected 34 per cent of merchants. Australia and Canada experienced the most of it, with 70 per cent of merchants reporting that they are affected by this type of fraud. It’s also estimated that most people who commit friendly fraud, as many as 83 per cent, are likely to be repeat offenders.

Social engineering

Social engineering techniques are designed to manipulate individuals to reveal specific personal or financial information or perform a specific illegitimate action. Social engineering comes in many forms including:

  • Spoofing: Cybercriminals manipulate or falsify data to trick individuals into believing the information is authentic. For example, scammers can send emails that look like they’re from a certain individual or company but are actually sent from a completely different location.

  • Phishing/Smishing (SMS phishing): Cybercriminals pretend to be someone they are not, such as a business, family member or celebrity, to gain information. This can be achieved through account takeovers or spoofing accounts, numbers or email addresses. 

  • Scareware: A form of computer malware that misleads users into paying for fake malware removal.

  • Baiting and Quid Pro Quo: Victims are promised something of value in return for their information, such as a gift card for filling out a survey or more efficient software in return for downloading their product.

  • Pretexting: A scammer will create a fake scenario to gain information. For example, pretending to be a member of the ATO conducting an audit.

  • Water-holing: A scammer identifies a popular website and tests it for vulnerabilities. Once the website is infected, the scammer may use it to capture user information or distribute malware.

Data breaches occurring from social engineering cost companies on average over $4.5 million. It can take nearly 11 months to identify and contain a data breach, and a further 10 months to resolve it.

Affiliate fraud

Affiliate fraud occurs when affiliate marketers conduct false or fraudulent activities to gain affiliate marketing program commissions. These scammers work by generating fake activity to increase commission payments. These activities may include:

  • Using automated software to interact with affiliate links.

  • Using stolen data to generate fraudulent leads.

  • Getting consumers to download adware or spyware that automatically inserts affiliate codes.

  • Copying the work of other affiliate marketers.

  • Spoofing traffic.

  • Auto-filling forms.

  • Buying a similar domain name to the affiliate’s company or product to trick customers.

  • Serving ads with infected code that downloads viruses and drops cookies on a user’s computer/browser.

Affiliate fraud can occur when an affiliate program is too accepting of new affiliates, or if their commission structure is flawed. Around 2 per cent of all affiliate transactions are attributed to affiliate fraud. As well as the monetary losses incurred, affected businesses may develop ineffective campaign strategies in the future based on falsified data from these scam influencers.

Triangulation fraud

In triangulation fraud, criminals will create fake or copycat websites and attract customers with low-cost items. What customers don’t realise is that these products don’t exist, and the site only exists to collect their personal information and use it to make fraudulent purchases. 

Policy abuse

Policy abuse occurs when customers take advantage of store policies for their gain. Unlike other forms of fraud, policy abuse is often committed by regular customers as well as scammers. A few years ago, online store policies were more restrictive when it came to returns. Thanks in large part to Amazon’s fast and free delivery options, consumers’ expectations and habits have changed drastically, and stores have pivoted to become more customer-friendly and Amazon-like. Flexible policies are a double-edged sword - they fuel customer retention but open companies to increasingly bold policy fraud. 

Refund/Returns abuse

In the case of returns, 58 per cent of customers want a hassle-free “no questions asked” return policy, and 79 per cent of customers want free return shipping. This can be a hard sell for online businesses, especially when you consider that 30 per cent of all products purchased from online retailers are returned. Many businesses worry that such lax policies will be taken advantage of. Unfortunately, these fears are not unfounded. This form of policy abuse has become a multi-million-dollar problem in ecommerce. Not only do businesses lose revenue on refunded amounts, but also operational costs including restocking.

Wardrobing, a subset of returns abuse, involves customers buying wearable items to return them after use. As many as 43 per cent of shoppers aged 16-24 have engaged in wardrobing and plan to continue doing it in the future. 

Loyalty abuse

When customers abuse a business's loyalty system for additional rewards or benefits, this is called loyalty abuse/fraud. Historically, the travel industry has been a prime target, but loyalty abuse can affect any business that offers loyalty points that can be redeemed for cash, products, services or other bonuses.

Examples of loyalty abuse include:

  • Manipulating transactions to increase the number of points earned.

  • Fraudulent receipt uploads for loyalty programs that capture receipt data.

  • Taking over a customer’s account in order to use their points or engage in further illegal activity.

  • Members of the business awarding loyalty points to themselves or their associates, or selling customer information gained from a loyalty program.

Loyalty abuse also occurs when a scammer creates a fake loyalty program, usually to gather customer data. 

Promotion abuse

Like loyalty abuse, promotion abuse occurs when a customer or scammer takes advantage of a business’s promotional offers. This may include:

  • Creating new or fake accounts to inflate referrals or repeatedly enjoy sign-up benefits.

  • Misusing coupons to heavily discount a transaction.

  • Creating fake coupons.

  • Redeeming coupons multiple times.

  • Redeeming someone else’s coupons.

  • Excessive discount code sharing.

  • Sending fake complaints to receive promotional codes.

Bot fraud

Bot fraud is committed by malicious, automated bots. Just as businesses are now using automation to provide more efficient service and logistics, scammers can use automated and AI-based bots to collect large amounts of data, perform repetitive tasks at speed, and mimic human behaviour. Bots can perform a variety of actions in a single session, allowing scammers to quickly break into a single business or attack multiple users at once.

Bots can also be used to perform DDoS (distributed denial of service) attacks that disrupt site traffic and prevent the website from functioning. Bot fraud can be hard to prevent because it is hard to distinguish bot traffic from human traffic. It can also be hard to distinguish good bots (such as a legitimate customer service support bot or search engine crawlers) from malicious bots.

How to prevent ecommerce fraud in your business

Look for common signs of ecommerce fraud

There are a few red flags that you can use to identify a fraudulent order. While each point might not indicate a fake order on its own, it may be enough to spark an investigation.

  • Unusual buyer behaviour: What defines a purchase as unusual will vary depending on your industry and products, but this may include first-time buyers making a large purchase above your usual average order value, or a regular customer making a purchase significantly above what they commonly spend. 

  • Multiple transactions in a short time: If a customer makes multiple orders back-to-back and/or uses multiple credit cards, this can indicate various fraudulent activities including card testing.

  • Priority shipping: Scammers want their goods as fast as possible, and money is no object for them. If an unusual order requests priority shipping, this can be an additional risk indicator.

  • Unusual or mismatched information: If the customer’s information doesn’t match, this may indicate account takeover fraud or identity theft. For example, a customer's billing address is in one country while their IP address is from another, or they use multiple shipping addresses in a short period.

  • Multiple failed login attempts/declined transactions: If a scammer doesn’t have enough personal or stolen credit card details, they may make multiple login or transaction attempts.
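
The red flags above can be combined into a rule-based triage step that queues orders for manual review rather than rejecting them. The Python below is an added example, not code from the original article; the `Order` fields, the thresholds and the sample orders are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own order data.
STORE_AOV = 80.0                 # store-wide average order value
LARGE_FACTOR = 3.0               # "significantly above" taken as 3x the baseline
WINDOW = timedelta(minutes=30)   # what counts as "a short time"
MAX_ORDERS_IN_WINDOW = 3
MAX_FAILURES = 3
REVIEW_THRESHOLD = 2             # flags needed to queue an order for manual review


@dataclass
class Order:
    order_id: str
    customer_id: str
    placed_at: datetime
    amount: float
    card_token: str               # processor token, never the raw card number
    billing_country: str
    ip_country: str               # from a GeoIP lookup done upstream
    shipping_address: str
    priority_shipping: bool = False
    customer_avg: float = 0.0     # customer's usual spend; 0.0 = first-time buyer
    failures: int = 0             # failed logins / declined payments this session


def red_flags(order, history):
    """Return the red flags raised by `order`, given the earlier orders in `history`."""
    flags = []
    # Unusual buyer behaviour: compare with the customer's own average spend,
    # or with the store average for a first-time buyer.
    baseline = order.customer_avg or STORE_AOV
    if order.amount > LARGE_FACTOR * baseline:
        flags.append("unusual_amount")
    # Multiple transactions in a short time and/or multiple cards (card testing).
    recent = [o for o in history
              if o.customer_id == order.customer_id
              and timedelta(0) <= order.placed_at - o.placed_at <= WINDOW]
    cards = {o.card_token for o in recent} | {order.card_token}
    if len(recent) + 1 >= MAX_ORDERS_IN_WINDOW or len(cards) > 1:
        flags.append("velocity")
    # Mismatched information: billing country vs IP country, or several
    # shipping addresses inside the window.
    addresses = {o.shipping_address for o in recent} | {order.shipping_address}
    if order.billing_country != order.ip_country or len(addresses) > 1:
        flags.append("mismatched_info")
    if order.failures >= MAX_FAILURES:
        flags.append("repeated_failures")
    # Priority shipping only adds weight to an order that is already unusual.
    if order.priority_shipping and flags:
        flags.append("priority_shipping")
    return flags


def triage(order, history):
    """A single flag is recorded but not acted on; two or more go to a human."""
    flags = red_flags(order, history)
    decision = "manual_review" if len(flags) >= REVIEW_THRESHOLD else "accept"
    return decision, flags


def run(orders):
    """Triage orders in time order, each against the orders that preceded it."""
    results, history = {}, []
    for order in sorted(orders, key=lambda o: o.placed_at):
        results[order.order_id] = triage(order, history)
        history.append(order)
    return results


T0 = datetime(2024, 1, 15, 10, 0)
SAMPLE = [  # constructed orders, not real data
    Order("A1", "c1", T0, 95.0, "tok_1", "AU", "AU", "1 Example St", customer_avg=90.0),
    Order("B1", "c2", T0 + timedelta(minutes=5), 400.0, "tok_2", "AU", "US",
          "2 Example St", priority_shipping=True),
    Order("C1", "c3", T0 + timedelta(minutes=10), 2.0, "tok_3", "AU", "AU", "3 Example St"),
    Order("C2", "c3", T0 + timedelta(minutes=12), 2.0, "tok_4", "AU", "AU",
          "3 Example St", failures=2),
    Order("C3", "c3", T0 + timedelta(minutes=14), 3.0, "tok_5", "AU", "AU",
          "3 Example St", failures=4),
]
```

Calling `run(SAMPLE)` accepts the regular customer's order, queues the large first-time order with mismatched countries, and queues the third small order in the run of different cards.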

Review high-risk orders manually

While AI and automation software can be useful for flagging unusual or fraudulent transactions, it is not without risk. Machines are more likely to wrongly flag users and, if they have to interact with customers, cause frustration and annoyance. For these reasons, you should still run manual checks for suspicious orders. In an ideal system, a machine will sort through your data and flag suspicious transactions, and a fraud prevention team will provide customer support and examine complicated cases.

Build a blocklist

Blocklists are lists of specific traits or entities that have been identified as high-risk for fraudulent activities. They allow businesses to automatically flag suspicious transactions. These traits may be based on location (such as an IP address), card information or personal information.

Find reliable suppliers/retailers

For dropshipping retailers, it is important to perform due diligence when researching suppliers. The easiest way to do this is to use a platform such as Dropshipzone, which gives you access to hundreds of pre-vetted Suppliers with quality products. Other services include supplier directories, which will give you a wide range of suppliers across industries. Whoever you choose, you should be wary of suppliers who do not have a strong online presence or who have mostly negative reviews, who are difficult to contact, who charge large upfront or monthly fees, or who appear to sell unlicensed or counterfeit products.

For dropshipping suppliers, unscrupulous retailers can also affect your business. Attaching your product to a fake or unreliable online store may affect your reputation as a manufacturer or turn consumers off your product entirely. Dropshipzone helps to keep your business protected and Retailers accountable, but if you’re choosing retailers alone, watch out for retailers that avoid talking about their customer service, struggle to pay on time, cannot be easily contacted or don’t have a professional-looking, legitimate online store.

Train employees to recognise fraud

All employees should be trained in basic fraud awareness. Employees should be able to detect ecommerce fraud as it occurs, understand who commits fraud and why, and recognise the impact of fraud on your business. You’ll also need to outline a clear process for reporting fraud - when to report it, who to talk to, and how to record it. You may also want to examine how well your employees know your business, its policies and its processes. The more your team knows the business, the more empowered they will be to prevent fraudulent activity. 

Ensure your website is compliant

There are some rules and regulations that online stores and payment processors in Australia must follow that help prevent fraud. As well as legislation (such as The Privacy and Data Protection Act 2014), stores must comply with the Payment Card Industry Security Standards Council (PCI) security standards. These global standards apply to all online businesses that store, process and transmit cardholder data. Standards include restricting access to cardholder data, encrypting data transmissions, regularly testing for vulnerabilities, and regularly updating antivirus software.

Be cautious during peak season

The holidays are a peak season for not only shopping but also fraud. According to data from Seon Fraud Prevention, there was a 255.36 per cent increase in fraudulent bot activity, a 1246 per cent increase in suspicious browser usage, and an 84.46 per cent increase in VPN use from high-risk locations over the 2022 holiday season. The abundance of communications during this time makes it easier for scammers to blend in with legitimate messages, gather data through phishing, or tempt customers with cheap products from a fake website.

There is a cyber attack every 39 seconds.

For businesses, the influx of online sales provides opportunities for fraudsters to exploit vulnerabilities in payment systems, making it easier for them to execute various forms of financial fraud. Moreover, the holiday season often sees an uptick in counterfeit products, fake returns, and supply chain disruptions, adding to the challenges businesses face in maintaining integrity and security. To safeguard against holiday-related fraud, businesses must prioritise robust cybersecurity measures, employee training, and stringent monitoring of financial transactions. 

Clarify your policies

Transparent policies regarding payment procedures, return and refund processes, shipping details, and any additional fees or charges help set clear expectations for customers and discourage fraudulent activities. Retailers should prominently display these policies on their websites and ensure they are easily accessible during the checkout process. Providing detailed information about security measures, such as encryption protocols and secure payment gateways, can also instil confidence in customers. Regularly updating and reinforcing these policies, along with implementing stringent identity verification measures, will contribute to a safer online shopping environment and help protect both businesses and consumers from potential fraud during ecommerce transactions.

Use couriers that provide Proof of Delivery (POD)

Couriers that use POD will provide you with the time and location of delivery, a customer’s signature and/or photographic evidence that a parcel arrived at the correct shipping address. This can help prevent refund fraud while providing additional security for buyers.

Set purchase limits

Purchase limits are designed to deter fraudsters from making large, unauthorised transactions. By imposing restrictions on the maximum amount that can be spent in a single transaction or a specific time frame, businesses can mitigate the impact of fraudulent activities. Moreover, these limits can help identify unusual purchasing patterns or behaviours, triggering alerts for further investigation. 
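
The blocklist and purchase-limit controls described above can sit together in one screening step at checkout. The Python below is an added example, not code from the original article; the class names, the limits, the email normalisation rule and the sample orders (documentation IP ranges and example.com addresses) are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed demo key; a real deployment would load it from a secrets store.
BLOCKLIST_KEY = b"constructed-demo-key"


def email_fingerprint(email):
    """Keyed hash of a normalised email, so the list holds no raw addresses.
    Lower-casing and dropping "+tag" suffixes is this example's assumption."""
    local, _, domain = email.strip().lower().partition("@")
    canonical = f"{local.split('+', 1)[0]}@{domain}"
    return hmac.new(BLOCKLIST_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class Blocklist:
    def __init__(self, networks=(), card_tokens=(), emails=()):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.card_tokens = set(card_tokens)   # processor tokens, not card numbers
        self.emails = {email_fingerprint(e) for e in emails}

    def match(self, ip, card_token, email):
        """Return which traits of a transaction are on the blocklist."""
        hits = []
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            hits.append("ip")
        if card_token in self.card_tokens:
            hits.append("card")
        if email_fingerprint(email) in self.emails:
            hits.append("email")
        return hits


class PurchaseLimiter:
    """Caps spend per order and per customer inside a rolling time window."""

    def __init__(self, per_order, per_window, window):
        self.per_order, self.per_window, self.window = per_order, per_window, window
        self.spend = defaultdict(deque)       # customer_id -> (time, amount) pairs

    def check(self, customer_id, amount, now):
        if amount > self.per_order:
            return "over_order_limit"
        recent = self.spend[customer_id]
        while recent and now - recent[0][0] > self.window:
            recent.popleft()                  # forget spend older than the window
        if sum(a for _, a in recent) + amount > self.per_window:
            return "over_window_limit"
        recent.append((now, amount))          # only accepted orders count
        return "ok"


def screen(order, blocklist, limiter):
    """Flag blocklisted orders, hold over-limit ones for investigation, else allow."""
    hits = blocklist.match(order["ip"], order["card_token"], order["email"])
    if hits:
        return "flag", hits
    verdict = limiter.check(order["customer_id"], order["amount"], order["at"])
    return ("allow", []) if verdict == "ok" else ("hold", [verdict])


def demo():
    """Screen a run of constructed orders and return the decisions in order."""
    t0 = datetime(2024, 1, 15, 9, 0)
    blocklist = Blocklist(["203.0.113.0/24"], ["tok_blocked"], ["mallory@example.com"])
    limiter = PurchaseLimiter(per_order=500, per_window=800, window=timedelta(hours=24))

    def order(cust, amount, hours, ip="198.51.100.7", tok="tok_ok",
              email="alice@example.com"):
        return {"customer_id": cust, "amount": amount, "at": t0 + timedelta(hours=hours),
                "ip": ip, "card_token": tok, "email": email}

    orders = [order("c1", 300, 0), order("c1", 300, 1), order("c1", 300, 2),
              order("c1", 300, 26), order("c1", 600, 27),
              order("c2", 50, 3, ip="203.0.113.9", email="Mallory+promo@Example.com")]
    return [screen(o, blocklist, limiter) for o in orders]
```

In `demo()`, the third 300 order inside 24 hours is held, the same amount is allowed again once the earlier spend has aged out of the window, and the blocklisted email still matches when re-cased and given a "+promo" tag.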

Ecommerce fraud software recommendations

Ecommerce fraud software options include Chargeflow, Riskified and the in-built Shopify Protect, which is available for all Shopify Shop Pay users.

Chargeflow

Chargeflow is an automated system that helps businesses deal with chargebacks. Chargeflow offers a 4x ROI guarantee, thanks to its industry-leading recovery rate. They use a science-based chargeback response template to automatically find new chargebacks, calculate the likelihood of success, and automatically respond in a way that is optimised for your store. Chargeflow has a unique pricing system in which they take a cut of each successful dispute, meaning you only pay when you win. It also offers detailed analytics and a single, easy-to-use platform to monitor all of your disputes at once.

Shopify Protect

Shopify Protect is a free, built-in chargeback protection for Shopify Shop Pay. Shopify uses a sophisticated algorithm to identify the latest forms of fraud and keep your business secure. Eligible orders are completely covered in case of chargebacks including the total order cost and any chargeback fees. Shopify also handles the dispute process so you don’t have to. Shopify Protect covers a wide range of payment channels, from Facebook to Google. All you need to do is fulfil eligible orders within 7 days and provide a tracking number from a supported carrier. 

Signifyd

Signifyd is a comprehensive ecommerce fraud protection solution that tackles fraud challenges across the entire customer journey. The platform uses intent and identity data to proactively identify and block potential fraud. They offer full customer account protection, complete chargeback protection and recovery, and return abuse prevention that combines your policies and customer behaviour. With sophisticated analytics and insights, retailers can understand why a transaction was denied, examine transactional data to improve performance, and tighten store policies to reflect customer behaviour. It also seamlessly integrates with a variety of platforms including Shopify, Bigcommerce and Adobe. 

aiReflex

aiReflex is a comprehensive ecommerce fraud prevention software that protects your business inside and out. The company aims to futureproof fraud prevention through integration and central intelligence. You can use it to link your existing fraud prevention tools and methods to get a full picture of your business. Their adaptive policy engine helps you create rules to automatically prevent attacks, while rule safeguards and performance analysers help you adjust your rules and monitor their performance over time. Their adaptive A.I. system claims to be 80 per cent effective from day one. A centralised case management system gives a full view of fraud threats and helps discover fraud rings, account takeovers and each kind of abuse with advanced link analysis.

Riskified

Similar to aiReflex, Riskified is a machine-learning fraud prevention solution that draws on data from their vast global Merchant Network to guide decisions. Their features have been developed through a combination of expert development and deep learning to create accurate predictive models for each industry, product type or merchant. The simple control centre gives your fraud team easy access to analytical data, allowing them to fully understand the customer experience and even manually take over as required. The system can automatically detect systematic policy abusers, block resellers from cleaning out your inventory, automatically dispute chargebacks, and boost promotion ROI by preventing the reuse of referral programs or coupons. Each decision made by A.I. is backed by context, and the platform promises to scale with your business, even as far as global expansion.

Summary

As our reliance on technology and integrations increases, the opportunities for ecommerce fraud grow exponentially. Coming into 2024, businesses should be particularly cautious of increasing fraudulent practices including identity theft, promotional abuse and friendly fraud. To combat ecommerce fraud, it’s important to stay up to date on the latest scams, ensure you’re using reliable suppliers, and continually refresh and maintain your store policies and fraud prevention solutions.
