Ecommerce fraud prevention: tips, strategies, and best practices

Ecommerce fraud prevention: tips, strategies, and best practices

Ecommerce fraud continues to rise, and it costs businesses big bucks. According to Juniper Research projections, merchants will lose $343 billion globally to payment fraud between 2023 and 2027. For perspective, this nearly equals Apple's global income in 2023. Losses span all industries, from merchants who sell digital and physical goods to financial institutions to airline ticket sellers. Despite widespread identify verification measures, user account takeovers are driving up fraud losses. 

What can businesses do to protect themselves and their customers against payment fraud? 

In this guide, we'll define what ecommerce fraud is, examine the different types of fraudulent schemes, offer practical tips for ecommerce fraud prevention, and then recommend tools for preventing fraud.

What is ecommerce fraud?

Ecommerce fraud is a type of cybercrime where malicious actors misuse online transactions to steal goods, services, funds, or account information from businesses or their customers. For example, a cybercriminal group may run a Black Friday scam by taking over customer accounts to make fraudulent purchases or signing up with multiple accounts to abuse promotional codes for new user discounts.

Ecommerce fraud attacks can serve multiple purposes for criminals:

• Enable online thieves to illegally obtain products, exploit services, or siphon money from online transactions. 

• Set the stage for identity fraud, which often leads to future misuse of customer accounts and personal information. 

• Help criminals probe company networks for weaknesses, paving the way for future attacks. 

• Damage a company's financial health and reputation—or sow economic chaos in target countries—when carried out by organized crime or terrorist groups.

Types of ecommerce fraud

Ecommerce fraud comes in many varieties. In its 2023 Global Ecommerce Payments and Fraud Report, payment management platform Cybersource identified the 12 most common types of ecommerce fraud, which have remained relatively consistent in recent years. As you'll see below, these types of fraud revolve around techniques such as identity theft, fake account creation, or abuse of account privileges.

1. Phishing, whaling, and pharming

These related attacks involve posing as trusted sources to trick users into granting access to login credentials, social security numbers, credit card details, or other sensitive information. 

Phishing, the most common variety, sends recipients an email pretending to be from a known source, with a message designed to deceive the victim into sharing their data. For example, some Cyber Monday scams attempt to steal credit card information by sending messages that claim recipients are eligible for refunds on products they never purchased. When the victim clicks on a link to a phony website and enters their password, their credentials are stolen.

Whaling and pharming are specialized forms of phishing. Whaling specifically targets high-profile individuals, such as company executives, by using personalized tactics. Pharming involves the use of a fake website designed to steal credentials from unsuspecting visitors who believe they are on an authentic site.

2. Friendly fraud (chargeback fraud)

In this type of attack, the perpetrator orders a product or service and then disputes the charge with their credit card company to obtain a refund, leaving the victim to bear the cost of both the refund money and any delivered goods or services. For example, the thief may falsely claim that a product was never received when it actually was. Or they may claim that a received product is defective when it isn't.

Chargeback fraud is also referred to as "friendly fraud" because the perpetrator uses legitimate customer credentials and may even be a legitimate customer, making them appear "friendly" to the victim. This type of fraud is often seen as the counterpart of phishing—while a phishing attacker poses as a trusted company, a friendly fraud perpetrator poses as a trusted customer.

3. Card testing (card cracking)

This attack method involves making a low-value transaction to test whether a fraudulently obtained credit card is active, setting the stage for future theft of larger amounts. The cards used in this type of fraud may have been physically stolen, hacked from merchant payment processors (scraped), or fabricated using information from legitimate cards (cloned).

Card testing employs two primary methods: small payments and payment authorization attempts. In the small payment method, the perpetrator makes a purchase for a small amount, such as $1, to check if the card is active. Or, instead of making a small payment, a thief may initiate a card authorization attempt to check if an account has sufficient funds to cover a purchase.

4. Identity theft

Identity thieves use stolen or forged information to obtain goods, services, or funds in the name of a real or fictitious person or company. This identifying information can be acquired through various methods, such as breaching databases, intercepting emails or texts, phishing, scraping credit data, or physically stealing documents. Once obtained, the stolen information can be used for activities like making purchases, opening credit card accounts, or stealing tax refunds.

5. Coupon, discount, and refund abuse

These fraud methods exploit companies' promotional offers and refund policies. For example, a coupon thief may repeatedly use the same coupon, redeem a coupon intended for someone else, or create multiple accounts to take advantage of additional coupons.

Discount and refund fraud involve similar deceptive tactics. For example, a customer may falsely claim to be a veteran to qualify for a military discount. Or an employee may improperly share their discount with family or friends who aren't eligible.

Refund fraud perpetrators often file frivolous complaints to benefit from merchant refund policies. In some cases, the thief resells the refunded item for a profit. Another variation uses fake receipts to claim refunds for goods or services that were never purchased.

6. Account takeover (ATO)

This type of fraud happens when an identity thief takes control of a customer's account. The criminal can then make purchases in the customer's name, ship goods to a different address, deplete loyalty rewards, or steal personal and payment information. According to a survey by Security.org, account takeover has become one of the fastest-growing forms of fraud in recent years, with business account takeovers rising from 13% of ecommerce fraud attacks in 2021 to 29% in 2023.

7. Loyalty fraud (rewards fraud or points fraud)

This category of fraud involves the misuse of rewards points by identity thieves, employees, or customers. For example, hackers conducting account takeovers may transfer rewards points to their own accounts or sell them to others. Employees with access to customer accounts may steal points. Even legitimate customers may use tactics like changing birthdates to receive multiple birthday rewards. 

Loyalty fraud now affects 22% of merchants, the Merchant Risk Council's 2023 Global Payments and Fraud Report shows.

8. Affiliate fraud

Companies with affiliate programs can fall victim to scams through which thieves earn fraudulent commissions. These thieves use tactics such as falsifying clicks (spoofing), generating clicks through bots, and secretly stuffing cookies onto visitors' browsers to manipulate tracking.

9. Reshipping

With reshipping fraud, criminals use stolen credit cards to purchase expensive items, such as computers and electronic devices. The goods are sent to employees of reshipping services who then unknowingly forward the goods to other countries. These reshipping employees often believe they're performing a legitimate service and may not realize they're part of a criminal scheme.

10. Botnets

Botnet attacks involve using multiple compromised devices to flood ecommerce providers with malicious software code to enable unauthorized activities. Botnets can be used to hack passwords, steal customer data, send mass phishing emails, or perform other illicit actions. They often support other fraud methods, such as affiliate fraud, by amplifying the impact and scale of the attacks.

11. Triangulation schemes

Triangulated attacks involve using multiple channels to scam companies and customers. In this type of attack, criminals list a company's merchandise at discounted prices on third-party sites such as Amazon or eBay. When customers purchase the merchandise at the discounted rate using their credit cards, they unwittingly provide their card data to the thief. 

The thief then uses a stolen credit card to order the merchandise from the merchant's website and has it shipped directly to the customer. Neither the customer nor the company realizes that the customer's credit card data has been stolen during the transaction.

12. Money laundering

Criminal organizations, terrorist groups, and other bad actors may use ecommerce sites to transfer funds surreptitiously. They can launder money by selling fake goods, inflating the prices of real goods, or conducting phony transactions to disguise the movement of illegal funds.

Ecommerce fraud prevention strategies

While ecommerce fraud comes in many forms, most schemes rely on similar tactics that follow predictable patterns that can be prevented. 

Many methods involve criminals impersonating companies or customers. For example, phishing attacks mimic companies, while friendly fraud often involves posing as legitimate customers. Other tactics exploit legitimate or stolen customer accounts to initiate fraudulent transactions, such as frivolous chargebacks or coupon abuse. Essentially, many of these attacks revolve around identity theft or the illegitimate use of identities to carry out fraudulent transactions.

This means that security teams can intercept many attacks by verifying new accounts and authenticating the use of existing ones. Account verification ensures that users opening new accounts are who they claim to be, while account authentication confirms that users accessing accounts are legitimate account holders.

Ecommerce fraud prevention tools

Twilio offers these powerful tools to help companies implement essential defense strategies against ecommerce fraud:

Twilio Verify

Twilio Verify is a purpose-built end-user verification API that handles route optimization, channels, code generation, and fraud monitoring. Verify is designed to simplify and secure authentication across the end-user journey, including sign-up, login, account maintenance, and high-value transactions, to ensure you engage with real, unique humans. This provides a seamless and secure user experience.

Businesses face a critical decision: build a custom in-house verification solution or outsource to an optimized and expert authentication service. This decision must align with strategic goals and operational capabilities, including resource allocation, scalability, performance, the dynamic and costly nature of fraud, consumer preferences, and core competencies.

For businesses seeking to benefit from new authentication technologies without the hassle of engineering, complex failover logic, or keeping up with ever-evolving fraudsters, Twilio Verify offers a reliable, easy-to-implement solution to verify user identities and reduce fraud. Twilio Verify API provides purpose-built authentication across multiple channels..

Twilio Lookup

Twilio Lookup leverages real-time mobile-based intelligence to minimize fraud risk without compromising the user experience. It verifies user phone numbers by confirming the type of phone, network carrier, and recent SIM swap changes. Additionally, the Twilio Lookup Identity Match feature cross-references user-supplied data from user-inputted phone numbers against authoritative sources. 

These measures help intercept bots, prevent fake account creation attempts, and thwart account takeovers while detecting potential fraud risks. Twilio Verify and Twilio Lookup work together as integral components of a comprehensive ecommerce fraud prevention strategy.

Ecommerce fraud prevention best practices

In addition to using ecommerce fraud prevention software, brands can further reduce risk by following these best practices:

• Incorporate account authentication procedures into your onboarding process, ensuring compliance with industry-specific requirements, such as anti-money laundering and Know Your Customer regulations.

• Implement strong verification procedures for account usage, such as deploying 2FA for logins and transactions.

• Establish clear guidelines for flagging suspicious transactions, especially those with exceptionally low or high values.

• Educate staff and customers about common fraud techniques like phishing to increase awareness and vigilance.

Reduce ecommerce transaction fraud with Twilio User Authentication and Identity

Many common varieties of ecommerce and payment fraud revolve around identity theft and the misuse of hijacked identities. Brands can minimize fraud incidents by implementing effective strategies and tools to verify customer identities and authenticate account users.

Twilio Verify provides a strong foundation for fraud prevention by giving you a turnkey solution for multichannel authentication at scale. With Verify, you can choose powerful authentication options like 2FA OTP through SMS, email, WhatsApp, timed one-time passwords, and more. For a more frictionless experience, Silent Network Authentication (SNA) verifies users via carrier connections without requiring input. 

Twilio User Authentication and Identity solutions help secure user signups, prevent unauthorized logins, and protect transactions. Start with a free trial and then switch to a pay-as-you go plan that only charges for successful verifications. Keep your company and customers safe from fraud with Twilio User Authentication and Identity solutions.