Ecommerce fraud hit businesses harder than ever last year. Research by consumer credit reporting agency Experian showed nearly two-thirds (63%) of businesses experienced equal or increasing losses due to fraud throughout 2017-2018. As eCommerce transaction volume expands, this number will only increase.
It goes without saying that online retailers try to protect themselves from fraudsters. Yet clearly, many continue to fall short of the eCommerce fraud detection mark. Why?
There are many reasons. But one of the most important is also one of the most basic. Online merchants simply don’t understand the games fraudsters play. In other words, the term eCommerce fraud is so broad that it’s dangerously inaccurate.
In reality, fraudsters use a variety of distinct tactics to steal from their victims. And if you don’t understand the mechanics of how payment fraud happens, you are flying blind when it comes to prevention.
The paragraphs below explain the five most common specific types of eCommerce fraud and provide actionable tips for how to prevent each one:
- Clean Fraud
- Friendly Fraud
- Synthetic Identity Theft Fraud
- Triangulation Fraud
- Account Takeover Fraud
Get informed so you can up your own eCommerce fraud detection game and avoid becoming a statistic.
1. Clean Fraud
What Is Clean Fraud?
Clean fraud is when a fraudster successfully impersonates the legitimate owner of a credit card. Fraudsters accomplish this by providing enough accurate personal data about a cardholder to convince merchants and payment processors the cardholder placed the order.
Here’s how clean fraud works:
- The fraudster obtains a credit card number and accurate personal information about the card holder. This includes Name, Address, Date of Birth, Social Social Security number, etc.
- The fraudster connects to an online store of their choice and fills their shopping cart with goods or services
- The fraudster completes the purchase using the stolen credit card number and matching personal information
The most common way for fraudsters to obtain enough accurate personal data to successfully make a clean fraud purchase is through a data breach. An example of this is the Equifax data breach that compromised the personal information of 143 million American card holders in late 2017.
Every legitimate eCommerce transaction makes personal data vulnerable. And given the number of eCommerce transactions, the risk of data being stolen is very high.
How to Prevent Clean Fraud?
Because fraudsters accurately pass themselves off as the legitimate cardholder, it’s hard to detect clean fraud. However, there are a few best practices you can follow:
Do additional research on customers
A match between the personal information linked to a card and the personal information provided for an order placed with it is a good sign. But it does not mean an order is legitimate. Don’t automatically approve orders with accurate cardholder information.
One method used by many eCommerce fraud detection solutions is to research card holders’ online presence. This is the process of cross-checking orders with additional information available on the internet such as social media accounts.
For example, merchants selling to teenagers should be wary of a large order placed by a customer with a social media profile that is active on AARP forums.
Be extra vigilant after major data breaches occur
Unfortunately, eCommerce fraud is a lucrative business. Large companies in every industry are constantly under attack from fraudsters trying to steal massive amounts of information. Breaches will inevitably happen.
Although it’s impossible to monitor every breach, you should be aware of the really major ones. For example, the breach at the Marriott Hotel Chain that compromised the credit card and password information for up to 500 million customers.
Fraudsters with stolen details tend to move quickly before consumers are notified of a breach and can cancel their cards. So in the days and weeks following a major breach, make sure to be extra diligent about reviewing large or otherwise suspicious orders for fraud.
2. Friendly Fraud
What Is Friendly Fraud?
Friendly fraud is when the legitimate card holder makes a purchase, but then later claims the purchase was fraudulent and gets their bank to cancel payment. This is done by filing a chargeback with the bank when the purchase appears on their credit card statement.
Here’s how friendly fraud works:
- A legitimate card holder makes a purchase.
- The legitimate card holder receives notice of the charge on their monthly statement
- The legitimate card holder calls their bank, claims they did not make the purchase, and files a chargeback
- If the bank agrees, the purchase is deemed fraudulent. Funds do not get passed on to the merchant
Unfortunately, because banks don’t lose money directly on chargebacks and want to keep their customers happy, the burden of proof is usually on the merchant to prove friendly fraud.
How to Prevent Friendly Fraud?
Friendly fraud begins with a legitimate purchase, so it cannot be prevented at the point of sale. Instead, prevention measures focus solely on documenting consumer intent in order to better dispute chargebacks later on.
Contact consumers about large or unusual purchases
If an order seems odd, get customers’ intent to purchase on record. This can take the form of a conversation via a validated phone call or email address. The merchant’s representative should state the order and cost clearly, and have the customer confirm they wish to make the purchase.
Record order delivery information
Use delivery confirmation that requires packages containing merchandise to be signed for by the card holder. All major commercial delivery services offer this service. In the event a customer files a friendly fraud chargeback, there is a paper trail linking them to both intent to purchase and receipt of goods.
3. Synthetic Identity Fraud
What is Synthetic Identity Theft Fraud?
Synthetic identity theft fraud is when a fraudster creates a “synthetic” person by applying for credit cards using legitimate (stolen) identity information and a legitimate (untraceable) address. This “synthetic” person can then make purchases using these fraudulently obtained credit cards.
A fraudster can then spend years slowly building up sufficient good credit for the “synthetic” persona”. During that time, the fraudster will actually pay merchants for all transactions and appear to be a model, ethical credit card customer.
Once the “synthetic” persona obtains an amount of credit the fraudster deems high enough, the fraudster maxes out all the credit cards and doesn’t pay the bills. When the bank or merchant tries to collect, there is no one to collect against.
Here’s how synthetic identity theft fraud works:
- A fraudster obtains the name and Social Security number of a legitimate person
- They open up a legitimate but untraceable address (usually a PO Box)
- The identity and address get combined into a new “synthetic” persona on credit card applications and obtain as many cards as possible
- The “synthetic persona” builds good credit over time, increasing its card limits in the process
- The fraudster maxes out all credit cards and doesn’t pay any of the bills.
- The fraudster discontinues use of the “synthetic” persona
How to Prevent Synthetic Identity Theft Fraud?
A synthetic fraud attack is potentially predated by years of excellent credit activity, so it is difficult to prevent. And even though a fraudster doesn’t have to build up a reputation with an individual merchant for the fraud to work, it’s still a best practice to watch out for a sudden spike in spending by a good customer.
Merchants can also protect themselves from synthetic identity theft fraud by checking that the bank attached to a purchasing credit card uses the new Social Security Number verification tools made available by the Economic Growth, Regulatory Relief and Consumer Protection Act.
This act allows banks to use an electronic system to see the names and birth dates associated with any Social Security number. The system provides visibility into Social Security numbers so the names and numbers on credit applications can be verified as legitimate, and also allows to check that assignees are old enough to be applying for credit.
Although far from perfect, these measures do make it possible for banks to identify some of the more brazen methods fraudsters use to create “synthetic customers”.
4. Triangulation Fraud
What is Triangulation Fraud?
Triangulation fraud is when a fraudster opens a fake online store, and then uses it to sell merchandise purchased with stolen credit cards.
Here’s how triangulation fraud works:
- A fraudster obtains a “synthetic” persona — an identity created by combining a stolen Social Security number with an untraceable address
- The “synthetic” persona is used to open an online store
- The fraudster uses stolen credit cards to make fraudulent purchases of merchandise at legitimate online stores
- The fraudulently purchased merchandise up for sale — at a steep discount — at the online store they created with the “synthetic” persona
- The fraudster sells the fraudulently purchased merchandise to honest consumers who believe they found a deal on a legitimate purchase
How to Prevent Triangulation Fraud?
Triangulation fraud is a multi-stage process, and merchants can take steps at several of them to try and protect themselves.
At the point of sale
Merchants can directly prevent triangulation fraud by protecting themselves at the point of sale. You can hire a payment fraud prevention team do this entirely in-house, use an external eCommerce fraud prevention tool to inform your in-house decisions, or outsource the process entirely to a third party vendor.
The average shoppers will research a product before purchasing it. Merchants can put literature into trade publications or review websites warning consumers that deals that look to good to be true most likely are.
Merchants can monitor the prices offered by competitors. If they notice a store selling merchandise for a price far too low to be profitable, learn how to alert the eCommerce hosting platform of a potentially fraudulent store.
5. Account Takeover Fraud
What Is Account Takeover Fraud?
Account takeover fraud is when a fraudster uses the stolen personal information of a bank or online store account holder to fraudulently gain access to the account. The fraudster then uses the account to make purchases the actual account holder did not authorize.
Here’s how account takeover fraud works:
- The fraudster obtains personal information about an account holder. It could something as mundane as a full name, date of birth, mailing address, or email. Or, it could be something sensitive like a Social Security number or PIN code.
- The fraudster uses the information to access the account
- The fraudster makes purchases using the account while rerouting merchandise delivery to themselves
When the account owner realizes unauthorized purchases were made from their account, they contact their bank and cancel the payment.
How to Prevent Account Takeover Fraud?
Account takeover fraud comes from usage of a regular account, so it’s very difficult to spot using standard fraud eCommerce fraud detection methods. However, there are two technological methods merchants can use to protect themselves.
Tokenization fraud prevention takes the personal identification information a customer needs to provide in order to complete an online purchase, and assigns a “token” of random data to represent it. Then, when the customer makes a purchase, only that token is sent to the merchant as identification verification.
Merchants can only match a token back to the personal information it represents using the tokenization system that created it. Access to that system and process is strictly controlled to ensure it is protected from hackers.
This process prevents account takeover fraud by removing personal information from payment processing. Because verified account use for purchasing purposes is no longer established via the provision of personal information, fraudsters cannot use that information to make fraudulent purchases.
Biometric security uses the biological characteristics of a customer to authenticate their identity. The most common ways of doing this are to require fingerprints or a retinal scan to gain access to a customer account.
Because a customer’s physical person creates these patterns, they are nearly impossible for an online fraudster to successfully replicate.
The Best Ecommerce Fraud Detection Is Knowledge and Vigilance
There is no way to stop every fraudster. But merchants can maximize their eCommerce fraud prevention efforts by arming themselves properly. Knowledge of the tactics that fraudsters use every day to steal from unsuspecting businesses is a good start.
Stay vigilant and on the look out for the tactics listed above. You’ll be one step closer to allowing fraud to have as little impact on your business as possible.