The first defense against e-commerce fraud is simply knowing what to watch out for. Here are the most common scams online stores are vulnerable to.
1. Email Account Phishing
Most people are already familiar with email phishing scams, so let's start there. This type of scam is as old as the Internet, so many of you have probably already opened an email from a stranger asking you to send sensitive information about your account.
However, lately we are witnessing an increase in scammers who pose not as Nigerian princes, but as ecommerce stores. They send emails disguised as order / delivery confirmations, in order to extract sensitive account data or to bring victims to a fraudulent site.
In the best cases, these scams redirect to an unexpected advertising page rather than an official shop page. Other scams are far less harmless: links in phishing emails often lead to sites hosting viruses, malware or other hacking tools.
That's why we always recommend hovering over suspicious links first to read the URL, rather than clicking on them.
2. Identity Theft
What happens if some unfortunate soul loses their account information due to a phishing email? The scammer takes that information and buys a bunch of expensive gifts for himself, and guess who's going to pay the bill. Pretending to be someone else and shopping with their financial information is a well-known form of identity theft.
Strange as it may seem, the retailer is often the one most damaged by identity theft: a credit card company usually initiates the chargeback on behalf of the victim, but without the obligation to return the goods. Even if the retailer manages to recover the products, they will no longer be new. The only way a retailer has to escape identity theft unscathed is to stop it before it starts.
It is also worth mentioning that online stores themselves must be careful not to become unwitting accomplices to identity theft. If your site isn't secure, hackers can steal your customers' information from under your nose, as in the case of the million dollars stolen during the hacker attack on Target in 2013.
3. Pagejacking, or the Redirection of Web Pages
You are on a site that you have used hundreds of times before, but this time, on this particular page, something definitely looks out of place. It could be because this page of the site has been stolen. Pagejacking is the technique by which hackers create a fraudulent web page that mimics an existing site.
The most advanced cases involve the theft of pages of a high-level site and the appropriation of its traffic from search engines. Pagejacking is also commonly associated with "mousetrapping", in which a page prevents users from exiting, for example, by opening a new window every time the user tries to close the browser or flooding the computer with infinite pop-ups.
As for ecommerce, pagejacking is another effective phishing technique, for example replicating a site's login page to collect usernames and passwords. The last thing an ecommerce brand wants is for its customers to doubt its legitimacy every time they log in.
4. The Chargeback Scam
Chargeback fraud is sadly simple and very common. In practice, the scammer places a large e-commerce order and then cancels the payment after the shipment. The scammer keeps the goods when they arrive, without paying a cent.
The methods vary, but it can be as easy as the scammer calling the credit card company and saying his identity has been stolen.
Another popular technique is to claim that the delivery never came, so that the scammer receives a duplicate of the order for free. Even if the scam is caught in time, and even in the best situations, the merchant still has to investigate the false claims.
Merchants need to know how to differentiate "friendly fraud" from chargeback fraud.
Friendly fraud occurs when a legitimate customer accidentally causes a chargeback, for example because of a failed package delivery or incorrect payment information. Merchants cannot know in advance whether a chargeback hides a fraud or was just an accident, and they could offend a well-meaning customer by accusing him of fraud.
Ecommerce brands operating under a subscription model often have to deal with friendly fraud, for example when customers claim they didn't know that charges are recurring. It is always recommended that those who sell subscription products and services make the costs clear and evident before customers sign up for the service.
5. Triangulation Scam
Let's move on to more advanced fraud tactics, reserved for the most intelligent and experienced scammers. To explain how triangulation fraud works, let's break it down into stages.
- The scammer creates a fake advert for a real product with a significant price increase. This behavior is also difficult to unmask; sites like eBay, for example, allow users to publish and sell items without verification.
- A customer "buys" the product from the fake advertisement, providing the scammer with all his personal data.
- The scammer takes customer data and buys the same item on a different site and at a lower price. The item is shipped to the customer.
- The customer receives the item he purchased, without realizing that he has overpaid for it. The scammer keeps the profit margin.
One of the trickiest parts of this scam is that victims don't necessarily know they've been scammed.
In addition, scammers who carry out successful triangulations also accumulate a large amount of account data and credit card numbers. Most of the time they use several different credit cards for stage 3 to make themselves harder to trace.
This means that data from a victim of triangulation fraud could be reused in an unrelated scam months or years after the first episode.
6. Affiliate Scam
Let's move on to ecommerce merchants who deal with affiliate programs: affiliate fraud refers to scammers who manipulate or abuse affiliate links to get a bigger profit.
In other words, if an affiliate is paid for every visitor they send to a site, a scammer can make it appear that he sent more visitors than he actually sent, earning more revenue.
Affiliate fraud often involves hacking and automated systems, but in some cases it can take place quite simply, for example using a long list of fake profiles. Fraudsters usually need to have a certain level of computer skills to avoid detection.
7. Supplier Identity Fraud
Finally, another fraud scheme that targets merchants: the scammer passes himself off as a manufacturer, wholesale supplier or other B2B business, promising a service he never intends to provide. Online stores register and hand over some money, but then the supplier disappears into thin air.
These scams are heavily inspired by other scams such as phishing and perhaps even pagejacking, with the big difference that they target businesses rather than consumers. It is one of the reasons why we always recommend doing extensive research on the people with whom you do business.
E-commerce Fraud Warning Signs: Stop Scams Before They Start
Prevention is better than cure.
The most effective method for preventing e-commerce fraud is to recognize warning signs early enough and avoid them. Here are some alarm bells that every online store should keep an eye on:
- The shipping and billing addresses are different. As often happens with identity theft and triangulation fraud, the cardholder does not receive the goods.
- Multiple orders for the same item. E-commerce scammers tend to target high-priced items, and when they find one they like, they order it again and again.
- Multiple orders at the same address but with different cards. Excessive use of the same stolen card numbers leads to suspicion and unwanted attention, so experienced scammers know that they have to change them: it is easier to use a different credit card number than to have the goods sent to a different address.
- Suspiciously large orders (especially with fast shipping). As with most crimes, scammers want to make sure the rewards are worth the risk. That is why e-commerce scams often involve large orders, in case it is the swindler's last hit. They also want the exchange to take place as quickly as possible, before their victims notice, so they pay for expedited shipping.
- Suspicious email addresses or phone numbers. Identity theft is rarely foolproof: there are usually one or two flaws. Beware of email addresses that don't seem to match (different names, companies pretending to be individuals, etc.) and suspicious phone numbers (for example, country or area codes that differ from the billing address).
- Repeated declined transactions. Everyone has a transaction declined now and then. But when the declines keep repeating, it is a wake-up call. Even if it sometimes happens innocently, it can be a sign that someone is trying to guess sensitive information that they don't have access to.
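The warning signs above that can be read from structured order fields, written as a rule check over a batch of orders. This is an added example, not code from the original article: the field names, the sample orders and the thresholds are all assumptions, and "same item" is counted per shipping address. An order is queued for manual review only when it triggers at least two signs, since a single one (such as a gift shipped to another address) is often innocent.

```python
from collections import defaultdict

FIELDS = ("id", "card", "bill", "ship", "item", "total", "express",
          "bill_cc", "phone_cc", "declines")
# Constructed sample orders for illustration (not real data).
ROWS = [
    ("A1", "card-1", "10 Oak St", "10 Oak St",  "mug",      25, False, "US", "US", 0),
    ("B1", "card-2", "4 Elm Rd",  "77 Dock Ln", "laptop", 1800, True,  "US", "US", 0),
    ("B2", "card-3", "9 Pine Av", "77 Dock Ln", "laptop", 1800, True,  "US", "US", 4),
    ("B3", "card-4", "2 Bay Ct",  "77 Dock Ln", "laptop", 1800, True,  "US", "RO", 0),
]
ORDERS = [dict(zip(FIELDS, r)) for r in ROWS]

# Assumed thresholds; tune them against your own order history.
LARGE_TOTAL, REPEAT_ITEM, CARDS_PER_ADDRESS, MAX_DECLINES = 1000, 3, 3, 3

def warning_signs(orders):
    """Map each order id to the list of warning signs it triggers."""
    cards_at = defaultdict(set)    # shipping address -> distinct cards used
    item_count = defaultdict(int)  # (item, shipping address) -> order count
    for o in orders:
        cards_at[o["ship"]].add(o["card"])
        item_count[(o["item"], o["ship"])] += 1

    report = {}
    for o in orders:
        checks = {
            "address_mismatch": o["ship"] != o["bill"],
            "repeat_item": item_count[(o["item"], o["ship"])] >= REPEAT_ITEM,
            "many_cards_one_address": len(cards_at[o["ship"]]) >= CARDS_PER_ADDRESS,
            "large_express_order": o["total"] >= LARGE_TOTAL and o["express"],
            "phone_country_mismatch": o["phone_cc"] != o["bill_cc"],
            "repeated_declines": o["declines"] >= MAX_DECLINES,
        }
        report[o["id"]] = [name for name, hit in checks.items() if hit]
    return report

def review_queue(orders, min_signs=2):
    """Orders with at least min_signs signs, most suspicious first."""
    report = warning_signs(orders)
    flagged = [(oid, s) for oid, s in report.items() if len(s) >= min_signs]
    return sorted(flagged, key=lambda pair: -len(pair[1]))

if __name__ == "__main__":
    for oid, signs in review_queue(ORDERS):
        print(oid, ", ".join(signs))
```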