(This is a guest post from our friends over at ClearSale, a Card-Not-Present (CNP) fraud prevention operation that protects eCommerce merchants against chargebacks.)
Fraud is on the rise and no consumer is immune — the 145 million Americans who had sensitive personal data exposed during the Equifax breach in 2017 can attest to that. But e-commerce merchants need to go beyond acknowledging e-commerce fraud exists; they must be aware of the specific ways fraud can be executed.
The more online retailers understand about the latest fraud schemes, the better prepared they’ll be to protect both their business and their customers. So what exactly does e-commerce fraud look like? Let’s look at four common types of fraud that every online retailer should have on their radar.
1. Phishing
Cybercriminals are increasingly using phishing as a way to trick customers into divulging sensitive personal information. In this type of attack, a third party mimics a trustworthy brand and uses electronic communication (like websites, emails or texts) to convince unsuspecting customers to disclose information like online banking credentials, credit card numbers, Social Security numbers, and usernames and passwords.
If customers click the link in such a message, they’ll be taken to a fake (but very convincing-looking) website, where they’ll be prompted to enter their sensitive data. If they do, the fraudster captures the information and uses it to commit fraud or identity theft. What’s worse, the customer doesn’t even have to enter data for the damage to be done. Just clicking the link itself could install malware that infects the customer’s computer and collects personal information.
What Merchants Can Do
As phishing scams increase in frequency and sophistication, remind customers that you’ll never ask for personal data in an email. Also tell them to:
- Open a new browser window instead of clicking on the link. If the email appears to be from PayPal, for example, they should visit PayPal directly from a new browser window to check their account for messages. If unsure, they should contact the company that supposedly sent the email, which will be only too happy to let them know whether the email was genuine (and if it wasn’t, they’ll be grateful for the heads-up).
- Always confirm a website uses a secure connection (i.e., the address starts with “https”) before they enter sensitive information.
- Hover their mouse over links before clicking on them to ensure they’re being directed to the intended site.
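The hover-and-compare and “starts with https” checks above can also be automated on the merchant’s side, for example in a tool that screens the messages customers forward to your abuse mailbox. The following Python script is an added example, not ClearSale’s code or part of the original post; the HTML email body, the lookalike host it contains and the brand-domain list are all constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body.

Automates what the advice above asks customers to do by hand: compare the
link's real destination with what is displayed, and check for https.
Added example, not ClearSale's code; the sample email is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message claiming to come from PayPal. The first
# link shows a real-looking PayPal URL but points at a lookalike host.
SAMPLE_EMAIL = """
<p>Your account is limited. Restore access here:
<a href="http://paypal.example-secure-login.net/verify">https://www.paypal.com/myaccount</a></p>
<p>Or read our <a href="https://www.paypal.com/help">help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """True when the anchor text itself reads as a URL or domain name."""
    return "://" in text or ("." in text and " " not in text)


def check_link(href, text, brand_domains):
    """Return the reasons a link is suspicious (empty list = nothing flagged)."""
    reasons = []
    real_host = host_of(href)
    if urlparse(href).scheme != "https":
        reasons.append("not https")
    shown_host = host_of(text) if looks_like_url(text) else ""
    if shown_host and shown_host != real_host:
        reasons.append(f"displayed {shown_host} but goes to {real_host}")
    for brand in brand_domains:
        label = brand.split(".")[0]
        legitimate = real_host == brand or real_host.endswith("." + brand)
        if label in real_host and not legitimate:
            reasons.append(f"host {real_host} imitates {brand}")
    return reasons


def scan_email(html_body, brand_domains=("paypal.com",)):
    """Return [(href, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, check_link(href, text, brand_domains)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

The brand list (`brand_domains`) is the assumed set of domains your own mail legitimately links to; anything whose host merely contains the brand name without being that domain or a subdomain of it is flagged, which is exactly the mismatch a customer would spot by hovering.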
2. Friendly Fraud
When a customer commits friendly fraud against a business, they don’t do it with the malicious intent to defraud the merchant. Instead, the customer genuinely (but mistakenly) believes that the charge is in error or they’re legitimately owed a refund. Merchants who offer subscription-based products or services often experience this type of fraud. For example, a customer will be billed for a subscription they don’t remember purchasing and will request a chargeback for this unfamiliar purchase.
Other common reasons for a customer filing a chargeback against a merchant include:
- Misunderstanding the return policy
- Seeing an unfamiliar merchant name on their account statement, when in fact it’s simply the operating name or parent company of a merchant with whom they did business
- Not realizing another family member authorized a purchase
What Merchants Can Do
Keeping customers informed and providing outstanding customer service are essential to reducing the risk of friendly fraud. Merchants should:
- Remind customers well in advance of recurring billing amounts and charge dates.
- Make it easy for customers to cancel their recurring subscriptions.
- Let customers know what business name they’ll see on their credit card statements.
- Offer 24/7 customer service to address customer questions and concerns.
3. Man-in-the-Middle Attacks
A significant amount of behind-the-scenes communication goes on when a customer shops online. After a customer accesses their account on an e-commerce merchant’s website, the customer’s computer sends the login information to the merchant’s server. When the server confirms that login information, the customer can access their account. And when a customer makes a purchase, another interaction is initiated between the merchant’s servers and the customer’s financial institution.
Generally, these interactions are uneventful. But fraudsters launching man-in-the-middle (MITM) attacks drastically alter the flow of information by intercepting the communication between two parties and impersonating them both.
With this digital eavesdropping, cybercriminals can exploit the real-time processing of transactions and data transfers, intercept sensitive data, and gain access to funds — all without either party realizing the breach until after the damage has been done.
Any merchant whose site requires a login is vulnerable to having these sensitive communications hijacked and controlled by a cybercriminal — and the vulnerability can remain even after a customer has signed out from their account.
What Merchants Can Do
MITM attacks succeed only when an attacker can impersonate both the sender and the receiver. To prevent impersonation, merchants should implement these three strategies:
- Authentication — provides confidence that a message came from a legitimate source
- Tamper detection — flags messages that may have been altered
- Encryption — protects the connection itself (e.g., TLS), with the server proving its identity by presenting a digital certificate
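To make the first two properties concrete, here is an added Python example (not ClearSale’s code or part of the original post) that gives a message between customer and merchant both authentication and tamper detection with an HMAC-SHA256 tag under a shared secret; the order fields and the secret are constructed for the demonstration. Encryption, the third property, is what TLS supplies on the wire and is not reimplemented here.

```python
"""Authentication and tamper detection with HMAC-SHA256.

A tag computed under a shared secret proves the message came from a key
holder (authentication) and that it was not altered in transit (tamper
detection). Added example, not ClearSale's code; values are constructed.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo secret; in practice provisioned out of band per integration.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: tag the message."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def verify(payload: dict, tag: str, secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: constant-time compare so timing leaks nothing about the tag."""
    expected = sign(payload, secret)
    return hmac.compare_digest(expected, tag)


def receive(envelope: dict, secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Merchant-side acceptance check. Returns (accepted, reason)."""
    payload, tag = envelope.get("payload"), envelope.get("tag", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False, "malformed envelope"
    if not verify(payload, tag, secret):
        return False, "rejected: tag does not match (altered, or not from a key holder)"
    return True, "accepted"


def demo() -> Tuple[bool, bool, bool]:
    """Genuine, tampered and forged messages; returns their acceptance results."""
    order = {"order_id": "A1001", "amount_cents": 4999, "currency": "USD",
             "ship_to": "customer address"}
    envelope = {"payload": order, "tag": sign(order)}
    ok_genuine, _ = receive(envelope)

    # An intermediary that rewrites the amount or the shipping address
    # cannot produce a matching tag without the secret.
    tampered = {"payload": dict(order, amount_cents=1), "tag": envelope["tag"]}
    ok_tampered, _ = receive(tampered)

    # A message tagged under the wrong key is likewise rejected.
    forged = {"payload": order, "tag": sign(order, b"wrong-key")}
    ok_forged, _ = receive(forged)
    return ok_genuine, ok_tampered, ok_forged


if __name__ == "__main__":
    print("genuine, tampered, forged accepted:", demo())
```

For the encryption and server-identity piece, Python’s `ssl.create_default_context()` verifies the server’s certificate chain and hostname by default, which is the “presenting a digital certificate” step in the list above; a shared-secret MAC like this one is what you add on top for message-level authentication between known parties (an order notification, a webhook), not a substitute for TLS.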
4. Identity Theft
Cybercriminals are becoming increasingly clever in how they steal personal data: Data breaches, mobile phone and tablet thefts, and malicious software have become common ways to capture sensitive information. In 2016, more than 29 million consumer records were subject to data breaches, and 63% of these data breaches resulted in stolen consumer credentials, like login passwords and other identifying information.
Many criminals don’t even bother stealing data; they simply wait for others to do it, and then purchase sensitive identification data once it’s made available on the dark net. And once that information is theirs, it’s easy for fraudsters to use it to make purchases and apply for credit accounts.
What Merchants Can Do
Hackers use stolen credentials in fraudulent transactions 77% of the time, so it’s critical for merchants to secure company and customer data by:
- Encouraging password security by requiring customers to set a password that uses a combination of upper- and lowercase letters, numbers, and symbols
- Verifying click-and-collect purchases by asking for ID and the original credit card when a customer picks up an order
- Encrypting all sensitive and confidential business and customer data, rendering it useless to any fraudster who circumvents your security features
Take a Proactive Stance to Stop Fraud
More and more customers are turning to e-commerce merchants for their shopping needs. While this is more convenient for customers, the absence of a physical payment card when making purchases makes committing fraud more convenient for cybercriminals.
This fraud risk isn’t going away anytime soon, so merchants must be proactive in anticipating and protecting against fraudsters’ evolving threats. That’s where a fraud protection program can help. When it comes to implementing a robust solution, companies around the world are turning to ClearSale’s unique blend of expert human analysis and state-of-the-art machine learning.
About the Author: Rafael Lourenco
Rafael Lourenco is Executive Vice President at ClearSale, a Card-Not-Present fraud prevention operation that protects e-commerce merchants against chargebacks. The company’s flagship product, Total Guaranteed Protection, is an end-to-end outsourced fraud detection solution for online retailers. Follow on Twitter at @ClearSaleUS or visit http://clear.sale.