How to Help Prevent eCommerce Fraud
Authored by: Dori Bright
Posted on May 14, 2021
When you’re making lots of online sales, it’s easy to overlook or underestimate the true impact of eCommerce fraud. But studies suggest that every dollar lost in fraudulent sales can end up costing businesses more than three dollars in total losses. Beyond the monetary value of whatever was stolen, you must also factor in:
- Penalties from credit card companies and payment processors
- Time spent disputing individual cases
- Litigation and legal fees, with lawsuits possibly lasting months or longer
- Diminished consumer confidence in your business (i.e. fewer sales)
These risks exist for businesses small and large. Fortunately, there are strategies you can use to help reduce eCommerce fraud and the associated costs that come with this increasingly common threat.
1. PCI data security
One of the most important fraud prevention steps involves working with a payment processor that specializes in Payment Card Industry (PCI) data security. PCI compliance is a requirement for any organization (big or small) that accepts, processes, stores, or transmits payment card data of any kind.
Failure to become and remain PCI compliant not only makes you a more attractive target, but it may also expose you to hefty fines.
2. Fraud prevention tools
Although PCI compliance is mandatory, it’s only a starting point. Whichever payment processor you choose should also offer advanced fraud management tools to help detect and prevent suspicious activity for online payments.
Common fraud prevention tools include:
- Tokenization – replaces credit card data with one-time tokens that can’t be reverse-engineered
- Point-to-point encryption (P2PE) – encodes sensitive payment data during transmission
- Address Verification Service (AVS) – matches billing addresses with what the credit card companies have on file for that cardholder
- Velocity filters – decline back-to-back transactions depending on several parameters to help prevent card testing
- Geo filters – prevent any purchases made from blacklisted IP addresses and countries
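To make the velocity filter above concrete, here is a sliding-window check added as an illustration; it is not code from the article or from any payment processor. The class name, the thresholds and the sample events are assumptions constructed for the example. It keys on client IP and counts both total attempts and distinct card tokens inside the window, since many different cards from one source in a short time is the usual card-testing pattern.

```python
from collections import defaultdict, deque


class VelocityFilter:
    """Sliding-window velocity check per client IP (all thresholds are assumed values)."""

    def __init__(self, window_s=60, max_attempts=5, max_cards=3):
        self.window_s = window_s
        self.max_attempts = max_attempts  # total attempts allowed per window
        self.max_cards = max_cards        # distinct cards allowed per window
        self._seen = defaultdict(deque)   # ip -> deque of (timestamp, card_token)

    def check(self, ip, card_token, ts):
        """Return (allowed, reason) for a payment attempt at time ts (seconds)."""
        q = self._seen[ip]
        # Drop attempts that have aged out of the window.
        while q and ts - q[0][0] >= self.window_s:
            q.popleft()
        # Record every attempt, including ones we decline, so retries keep counting.
        q.append((ts, card_token))
        if len(q) > self.max_attempts:
            return False, "too many attempts from one IP"
        if len({tok for _, tok in q}) > self.max_cards:
            return False, "too many distinct cards from one IP"
        return True, "ok"


def run(events, **limits):
    """Feed (ts, ip, card_token) events through a fresh filter."""
    vf = VelocityFilter(**limits)
    return [vf.check(ip, tok, ts) for ts, ip, tok in events]


# Constructed sample events (documentation IP ranges, made-up tokens).
SAMPLE = [
    (0, "198.51.100.7", "tok_a"),
    (2, "198.51.100.7", "tok_b"),
    (4, "198.51.100.7", "tok_c"),
    (6, "198.51.100.7", "tok_d"),   # 4th distinct card within 60 s: declined
    (8, "203.0.113.20", "tok_z"),   # unrelated shopper: allowed
    (10, "203.0.113.20", "tok_z"),  # same shopper retrying the same card: allowed
    (70, "198.51.100.7", "tok_e"),  # earlier burst has aged out: allowed
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, run(SAMPLE)):
        print(event, verdict)
```

In production the counters would live in a shared store rather than in process memory, and the key would usually combine several parameters (IP, device, account, card token) rather than IP alone.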
3. Stronger passwords
You should require all employees, suppliers, vendors, and customers to use stronger passwords – complete with numbers, symbols, and upper/lower case letters. The longer these passwords are, the better. And it’s good practice to change each password on a regular basis.
4. Two-factor authentication
Even the strongest passwords in the world can be cracked, which explains why more companies are adopting two-factor authentication (2FA) as a way to keep criminals out.
You’ve probably seen 2FA in action if you’ve ever received a verification code via text or been asked to answer security questions selected by you. There are also newer biometric authentication technologies that rely on fingerprints, retinal scans, or voice recognition.
5. Move to HTTPS
To convert your URL from an “http” to a more secure “https,” you’ll need to install a secure sockets layer (SSL) certificate to complete the migration. Once installed, this certificate helps to create a more direct connection between your website and each user’s computer or smartphone.
SSL certificates are technically a PCI requirement for eCommerce merchants, but even if they weren’t, using one can help reduce online fraud on your own eCommerce site.
Thanks to consumer protection laws, users have the ability to reverse credit card charges if they suspect an unauthorized purchase was made with their payment info. In fact, most credit card companies eagerly market “zero liability protection” to their users.
The problem is that this system is prone to abuse, with some customers knowingly ordering things online – only to claim they never bought the item or that it didn’t arrive. Either way, they keep the goods, initiate a chargeback, get their money back, and leave you holding the bill.
Even with plenty of documentation on your side, proving the charge was legitimate can be very difficult, but you can help reduce the number of chargebacks by:
- Having a clear and easy-to-find refund policy so that honest users won’t inadvertently abuse the system
- Tracking all shipped packages to reduce the likelihood of items getting “lost” in transit
- Disabling guest checkout options to prevent unauthorized purchases. It’s much harder for customers to deny placing orders if they have to sign in with two-factor authentication
7. Patches and updates
From operating systems to email platforms to smartphone apps, criminals are constantly looking for vulnerabilities in the digital tools we use to manage our lives. And once those vulnerabilities are discovered, security experts and software developers rush to plug holes and push those changes to the public.
Unfortunately, not everyone keeps their digital tools up to date with the latest patches and plug-ins. This can be a huge mistake since failure to upgrade leaves you exposed. A case in point is the 2017 WannaCry cyberattack, which targeted Windows XP – an operating system Microsoft had not supported for years.
It is important that you patch all computers, devices, servers, and software platforms you use throughout your personal and business lives.
8. Phishing education
Some cybercriminals send out fake emails designed to look like legitimate messages from real companies. The goal isn’t to get you to buy anything. Instead, these criminals want you to click any link in the message so that malware is instantly injected into your computer or smartphone. Not only does this put your own device at risk, but that malware could also infect every connected device on your company’s network.
It is imperative that you train your team to be extremely cautious about clicking on email links. Even the “unsubscribe” option at the bottom of most newsletters should be avoided since this is precisely where smart cyberthieves will hide their malware payloads.
We tend to hear about the big cyberattacks – for example, those impacting Home Depot, Target, or government agencies. But online fraud is actually a more serious threat for smaller businesses, with an estimated 60% having to shut down operations within six months of a cyberattack because the damage costs are too much to overcome. Unfortunately, this threat is only growing worse as the world becomes more digitally connected.
Although there is no magic bullet that provides comprehensive protection from eCommerce fraud, combining some or all of the strategies above will help reduce the likelihood of becoming a victim.