Types of Ecommerce Fraud
Since the Covid-19 pandemic struck the world in early 2020, the appetite to shop online has been unprecedented. As shoppers have enjoyed a wider and more convenient shopping experience and businesses have enjoyed higher online revenues, there has also been a growth in unscrupulous people looking to rip off businesses through different types of ecommerce fraud.
Ecommerce fraud can be incredibly lucrative for criminals, as the pandemic pushed people who had previously been devoted to the high street online. In total during 2022, £110bn was spent online in the UK and €97.4bn in Germany. Another €129bn was spent online in France in 2021, and accessing just a tiny slice of this will represent a significant payday for fraudsters.
What is ecommerce fraud?
Ecommerce fraud is any type of fraud that happens through an ecommerce platform. Whether fraudsters use payment card details that have been physically or digitally stolen, or hijack genuine accounts, ecommerce fraud affects consumers and businesses alike. Consumers can have their financial details stolen for the gain of fraudsters and businesses can also lose out due to data theft and other means of financial fraud from non-genuine transactions.
In 2020, the losses in ecommerce “card not present” (CNP) fraud reached a huge £376.5m. A UK Finance report found that CNP fraud makes up 79% of fraud losses on UK debit and credit cards. In Europe, 2.5% of ecommerce transactions are found to be fraudulent. While this is lower than Asia Pacific and the Americas, businesses, consumers and authorities are still losing out on millions of Euros every year.
What is credit card fraud?
Credit card fraud, also known as identity fraud, is the least sophisticated method of ecommerce fraud. Small-time fraudsters steal an individual’s debit or credit card through the physical theft of a person’s wallet or purse and then use it to make purchases online.
The next step up from credit card fraud is card skimming. This is where a small device is attached to a card reader (such as a cash machine or self-service car refuelling station) that collects credit card numbers. Unsuspecting victims may not realise what has happened until unauthorised transactions - usually made online - appear on their bank statements. The advice given to consumers is to stay vigilant at self-service machines, and never allow your card out of your sight when in a shop or a restaurant.
Credit card fraud also occurs when thieves purchase reams of credit card data from online security breaches.
Credit card fraud does not just affect consumers who have had their details stolen. It is more often than not that businesses are left out of pocket, too.
Not only do businesses lose out on the product, but banks will also seek to reclaim the money that the consumer has had stolen from the business that has been targeted by the fraudster. This leaves companies facing a loss in merchandise as well as their bottom line. In addition, the experience can leave consumers with a negative association with a business, despite the company also being a victim in this situation.
What is card testing fraud?
Another way that criminals attempt to make fraudulent purchases is to engage in card testing fraud. This is when criminals make small, seemingly inconsequential purchases to see if the card works and has not yet been reported as lost or stolen and therefore, blocked by the bank.
They may test card details one by one, however, they also use automated scripts or ‘bots’ to test multiple credit card numbers very quickly. The first small purchases often go unnoticed, so the fraudsters are then emboldened to make more transactions with increasingly more expensive purchases, leaving businesses to often foot the bill when the customer becomes aware.
Businesses may not always recognise a fraudulent transaction if it is of a low value, meaning fraudsters can work undetected for a short time before their activities are discovered.
What is refund fraud?
Another way that lawbreakers can make the most of stolen credit card details is to engage in refund fraud. Refund fraud happens when fraudsters are unable to have online purchases redirected to a different address and they are unable to withdraw cash from an ATM. They use the stolen card to make a purchase but then contact the ecommerce store to request a refund.
The fraudster will get in touch with a business to make their requests and either make a ‘mistake’ by ordering too many items or making an excess payment, but they will claim that their original account has been closed and that they need the refund to a separate account. This means the fraudster is able to access money from the business and the original credit card isn’t refunded.
Businesses keen to give good customer service can be charmed into giving the refund and are then affected again when the true owner of the credit card seeks repayment for the fraud through their bank.
What is chargeback fraud?
Chargeback fraud happens when a customer uses the bank’s chargeback feature to fraudulently claim that goods or services haven’t been received, or reclaim funds back from a “fraudulent” transaction using that card. It’s also known as friendly fraud, but it’s anything but friendly.
Businesses are disproportionately affected by this type of fraud as they are typically the party to lose out due to consumer protection regulations.
What is Account Takeover (ATO) fraud?
Account Takeover (ATO) fraud is a particularly serious type of ecommerce fraud because individuals can be conned into sharing account details as well as losing money, making the deception feel much more personal for the victim.
ATO fraud happens when a criminal gains access to a user’s account on an ecommerce store or website which then enables them to use the account. They gain access by either purchasing leaked login details and personal information on the dark web or using phishing scams.
Once a criminal gains access to an account, they can change delivery addresses, place orders using saved account details and lock the genuine customer out of their account. The seriousness of this type of ecommerce fraud is compounded by the fact that many people struggle to remember passwords, and so repeat details for all manner of accounts despite advice from police and authorities fighting fraud not to do so.
From a business perspective, even if you have taken all reasonable steps to prevent ATO fraud, your reputation can still be affected by association.
What is triangulation fraud?
With triangulation fraud, a scammer needs an unsuspecting shopper and an ecommerce store. The fraudster creates their own online storefront using an ecommerce platform and sells popular products at a lower price than what can be found elsewhere. Hiding behind the validity of the storefront that they have replicated or piggybacked off, the criminals collect payment details and then use them to purchase the product on the genuine website so the customer receives their goods and for a short time is unaware that their details have been stolen.
Most ecommerce customers consider themselves to be pretty savvy but when there are criminals out there desperate to deceive, even careful shoppers can be taken advantage of. Triangulation fraud is a great example of this.
It is easier than you think for this type of fraud to work. Consumers have a higher average spend when shopping using a desktop computer. This makes sense because if someone is spending a lot of money, they may be more conscientious and careful with their purchases, and feel like desktop is a more secure method of purchase.
The average spend on mobile devices is lower which suggests that there could be a tipping point with purchases under a certain amount being slightly less considered, leaving shoppers vulnerable to fraud.
Additionally, a 2018 study found that over three-quarters of the British population use a second screen when watching television which could mean shoppers are less attentive and vigilant to fraud when purchasing online at lower price points.
What is interception fraud?
Interception fraud happens when a fraudster attempts to intercept a package either legitimately placed by a customer or that they have placed themselves using genuine billing and shipping details. As the details on the face of this are genuine, the transaction goes through with the targeted business, and the consumer unaware of fraudulent activity. The fraudster then attempts to intercept the order in usually one of three ways:
- The fraudster makes a seemingly legitimate claim to an ecommerce store’s customer service department to change the address before shipment is sent.
- They wait for the delivery to arrive and attempt to physically intercept the package at their victim’s front door.
- The criminal contacts the courier directly with genuine tracking information to get the package rerouted to another address.
Take steps to prevent ecommerce fraud with Mollie
Since 2004, Mollie has served businesses across Europe, providing businesses and consumers with safe and secure payments. We want to be your partner in business and to support you to grow in your own way with advanced security features and local (and leading) payment methods with simplicity and ease.
We help businesses strike the right balance between a simple frictionless ecommerce buying experience for their customers and ecommerce security for the benefit of all parties. With features such as dynamic 3D secure payments, PCI-DSS level 1 certification, and fraud monitoring to help protect against fraud, Mollie is a partner you can trust with no lock-in contracts, no hidden fees, and charges only for successful transactions.
Read our guide to fraud detection and prevention in ecommerce or find out more about fraud management strategies for online businesses to discover practical solutions to counter the activities of would-be fraudsters.
Want to learn more? Learn about ecommerce security with Mollie.