You’ve likely heard the phrase “the customer is always right.” It’s a mantra for traditional business owners to show that they go above and beyond the call of duty for their clientele. To be fair, it’s a respectable way to go about building your customer base and there’s a reason that philosophy was the norm for the brick-and-mortar world of the last century.
However, new ways of doing business require another set of skills to avoid opening the door to fraudsters, scam artists and criminals.
Online businesses are becoming savvy about the tactics that cyber-criminals are employing. In this evolutionary arms-race, the criminals continually shift and pivot to even more sophisticated ways of phishing, hacking and outright theft.
Operating a digital storefront or other online venture without an understanding of modern fraud can be like walking through a minefield without protection. You must have strong tools and tactics in place for combating the risks. It’s crucial to prevent fraud and theft, especially when your business could be held financially responsible for any losses incurred.
Once you understand the types of fraud and what to do if your business has been targeted, you can react swiftly and professionally to stop thieves from getting any further with their plan.
There are numerous types of fraud that criminals can and will employ to disrupt your online business. The umbrella term for them is Online Fraud. This is when an individual or group targets an eCommerce or similar business with the goal of stealing money, customer data, or swindling in general.
Customer accounts are commonly used at online stores like Amazon and Ebay to make it easy for users to come back and make purchases regularly.
A fraudster will often begin by phishing for account information directly from a customer, typically with a fake email that convinces the customer to hand over their login details. From there, the attacker changes the password (and often the recovery email) to lock the real owner out, then makes purchases with the stored credit card or PayPal details and harvests whatever payment information is visible in the account.
Many people reuse the same credentials across services (such as social networks), so attackers may phish for details while impersonating one website and then use them somewhere else entirely. Besides making purchases and stealing card information, attackers may also go after personal data and the services themselves: with a hijacked domain registrar or hosting account, for example, an attacker can change the DNS settings to point the shop's domain at a fraudulent site or redirect its traffic elsewhere.
Whether the card details are obtained online or through physical theft, credit card fraud is very common. Once a payment is approved, the onus is on the business owner to verify that the person paying is the legitimate cardholder. The victim of the theft will dispute the charge with their bank, and for card-not-present transactions the chargeback, the lost goods and usually a dispute fee all land on the merchant.
This is a game of cat-and-mouse, with large companies staffing entire departments dedicated to loss prevention.
For example, in 2024 the national retail chain Hot Topic suffered a significant data breach. Hot Topic (along with its sister brands Torrid and BoxLunch) had the personal information of nearly 57 million customers exposed, including full names, email addresses, physical addresses, phone numbers and other account data.
Analysis by the cybersecurity firm Hudson Rock indicated that the breach likely originated from an infostealer malware infection on a computer belonging to an employee of a third-party retail analytics provider used by Hot Topic. The incident combined credential theft, identity exposure and partial payment card compromise, and it illustrates how a supplier's compromised workstation can become the entry point into a retailer's customer data.
Similar to credit card theft, identity theft involves taking on a user's identity, either through an existing customer profile or by creating one from scratch using stolen identification data. Sometimes these account takeovers use data stolen from breaches at other online shops or at data brokers; the 2017 Equifax breach, which exposed the personal data of roughly 147 million people, is the best-known example.
When Uber suffered its infamous data breach in 2016, the names, email addresses and phone numbers of about 57 million riders and drivers were stolen. Uber concealed the breach for about a year and disguised the payment it made to the attackers as a bug bounty reward. Its former CSO was eventually convicted of federal charges for covering up the breach.
More usually, though, hackers sell that information on darknet markets, where identity thieves snap it up. As the Uber story shows, you cannot rely on companies to tell you promptly when they have lost your data, so keep an eye out for the red flags of identity theft yourself.
Chargeback fraud occurs when the legitimate owner of the card commits the crime. The consumer purchases an item from your store and then claims the charge was unauthorized or the card stolen, requesting a chargeback after the goods or services have been delivered. The chargeback process was created to protect cardholders from unfair business practices, but fraudsters can exploit it to their own advantage.
The interesting aspect of chargeback fraud is its alternative name, friendly fraud. This term is used because sometimes it is committed without the customer’s intention to commit a crime. An intentional fraudster will abuse this process to receive an item for free.
A chargeback happens when a customer bypasses the seller's refund process and goes straight to their card issuer to request their money back. The cardholder disputes the charge with their bank, the bank takes over the process and forces a refund, and the seller is treated as being in the wrong unless it can produce evidence to the contrary.
A bank dispute is not the same as requesting a return from the seller, but some customers do not know there is a difference. Whatever the intention, the result is the same for the seller: the money is clawed back, the goods are gone, and a dispute fee is usually added.
This type of fraud has a few layers of deception. Paying with a stolen credit card, the criminal deliberately overpays for the item, then reports the overpayment and asks for the difference to be reimbursed by some other method (a bank transfer, gift cards or a different card) rather than back to the original card. If the business owner agrees, the real cardholder later disputes the whole charge, so the business loses the full amount of the original payment on top of the "refund" it sent to the fraudster. The simple control is to refund only to the original payment instrument, and never more than was actually captured.
Another aspect of refund fraud, known as a Whitehouse scam, revolves around returning items in exchange for money or other items. For example in 2019, two college students in Oregon got caught defrauding Apple.
They claimed their iPhones were defective, "returned" counterfeit iPhones they had received from China, and Apple replaced these with genuine devices. The scheme cost Apple nearly $900,000 before they were caught.
Sellers should keep track of serial numbers and customers that make a habit of opening claims with the company. Some larger operations will flag a customer account for suspicious activity.
With so many methods of deception for theft, it can seem impossible to stem the tide of online thievery. That said, there are solid strategies to implement that can prevent most, if not all, of online fraud.
The first step, if you’re choosing a third party platform on which to host your business, is to choose one with a solid reputation for best practices in security.
Popular third party sites implement the security protocols necessary to verify customers and protect databases. A handy checklist to help you decide which platform or hosting company to choose should include:
A CAPTCHA ("completely automated public Turing test to tell computers and humans apart") is one way to check that a human, not a script, is on the other end of the connection. The classic form asks the user to type the distorted letters and digits shown in an image; newer variants use image selection or invisible behavioural scoring. Placed on account creation, login and checkout, a CAPTCHA stops the cheapest automated attacks, such as bulk account sign-ups and card-testing scripts. It is not a complete answer, though: CAPTCHA-solving services and machine-learning solvers defeat most visual challenges, so treat it as one layer alongside rate limiting and transaction monitoring. It is also a usability trade-off, which is why it remains controversial.
Help your customers secure their accounts with added levels of protection. A short password made from a few letters seems quick and easy, so enforce a minimum length (12 characters is a sensible floor) and allow long passphrases. Current guidance (NIST SP 800-63B) favours length and screening against known-breached passwords over mandatory mixes of numbers and capitals, which mostly produce predictable substitutions.
It is very common for people to reuse old passwords or to pick dictionary words, birthdates, children's names and the like. Encourage the use of password managers and generators such as LastPass to help with this process.
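The password policy described above, as an added example (not code from the original article): a server-side check that enforces a length floor rather than composition rules and screens the password against a breach corpus using the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" API (only the first five hex characters of the SHA-1 hash leave the server). The HTTP call to `https://api.pwnedpasswords.com/range/<prefix>` is replaced here by a constructed sample response so the code runs offline; the length limits are assumptions for this shop's policy.

```python
"""Server-side password screening for customer accounts (added example).

Applies the NIST SP 800-63B approach: a minimum length instead of
composition rules, plus rejection of passwords seen in known breaches.
The breach lookup follows the Pwned Passwords k-anonymity protocol, but
fetch_range() returns a constructed sample instead of calling the API.
"""
import hashlib

MIN_LENGTH = 12          # assumption: this shop's policy (NIST requires at least 8)
MAX_LENGTH = 64          # allow passphrases; the cap only bounds hashing cost

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# (a real response holds hundreds of "SUFFIX:COUNT" lines).
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # sha1("password")
        "0000A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D:2\r\n"         # made-up filler entry
    ),
}


def fetch_range(prefix: str) -> str:
    """Return the range listing for a 5-hex-char SHA-1 prefix.

    In production replace the body with an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix>; only the prefix is sent.
    """
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 if unseen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, user_email: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Reject passwords that embed the account's own email name (a common choice).
    local_part = user_email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the account's email name")
    if breach_count(password) > 0:
        problems.append("appears in known data breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "jane.doe@example.com") or "OK")
```

The hash prefix is the only thing that would leave your server in the real call, so the check does not hand the customer's password to a third party. Run it at registration and at every password change, and re-screen existing accounts periodically as breach corpora grow.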
Address verification and card security code checks are two other standard controls that keep fraudsters at bay. AVS, the Address Verification Service, compares the billing address the customer enters (in practice the numeric part of the street address and the postal code) with the address the card issuer has on file; it is supported mainly for cards issued in the US, UK and Canada. Both AVS and the security code are checked by the issuer during authorization, but it is the merchant who must act on the result codes the processor returns: a transaction can be approved by the bank even when the address or code does not match, so the merchant's system has to decide whether to accept, hold or void such orders.
The card security code, called CVV, CVV2, CVC or CID depending on the card brand (the article above calls it CCV), is the three-digit code printed on the back of most cards; American Express prints a four-digit code on the front. Under PCI DSS the code must never be stored after authorization, not even encrypted, so it cannot be harvested from a retailer's database. That does not make it unobtainable: phishing pages and card skimmers injected into checkout forms capture it as the customer types it, which is why the code is a useful but not decisive signal.
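How a merchant acts on the AVS and security code results, as an added example (not code from the original article or any processor's SDK). The letter codes are the commonly used Visa/Mastercard-style result codes; processors map them to their own names, so check your gateway's documentation. The decision policy itself (which combinations to accept, review or decline, and the amount above which a partial match goes to review) is an assumption chosen for illustration, not a standard.

```python
"""Act on AVS / security-code result codes for an approved authorization (added example).

The issuer approves the *amount* even when AVS or the security code do not
match; the merchant must read the result codes and decide for itself.
"""
from dataclasses import dataclass

# Common AVS result codes (assumption: your processor may use different letters).
AVS_FULL_MATCH = {"Y", "X", "D", "M"}            # street number and postal code both match
AVS_PARTIAL = {"A", "Z", "W", "P"}               # only the address or only the postal code matched
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "S", "G", "I", "E"}  # issuer did not or could not check

# Common security code (CVV2/CVC2) result codes.
CVV_MATCH = {"M"}
CVV_NO_MATCH = {"N"}
CVV_NOT_CHECKED = {"P", "U", "S", "X", ""}        # not processed / issuer unavailable / not provided


@dataclass
class AuthResult:
    approved: bool     # issuer approved the amount
    avs_code: str      # AVS result code returned by the processor
    cvv_code: str      # security code result returned by the processor
    amount: float      # authorized amount


def decide(result: AuthResult, review_threshold: float = 250.0) -> str:
    """Return 'accept', 'review' or 'decline' for a card-not-present authorization.

    review_threshold is an assumption: orders above it with only partial or
    unavailable verification are held for manual review instead of shipped.
    """
    if not result.approved:
        return "decline"
    avs = result.avs_code.upper()
    cvv = result.cvv_code.upper()

    if cvv in CVV_NO_MATCH:
        return "decline"   # wrong security code: the buyer almost certainly lacks the card
    if avs in AVS_NO_MATCH:
        return "decline"   # neither street number nor postal code matched the issuer's file
    if cvv in CVV_MATCH and avs in AVS_FULL_MATCH:
        return "accept"
    # Partial match, or the issuer could not check: fine for small orders, review larger ones.
    if result.amount > review_threshold:
        return "review"
    return "accept"


def handle(result: AuthResult, void_authorization) -> str:
    """Apply the decision and release the cardholder's funds when declining.

    void_authorization is the merchant's own reversal call (assumed); without it
    a declined order leaves a pending hold on the customer's card.
    """
    decision = decide(result)
    if decision == "decline" and result.approved:
        void_authorization(result)
    return decision


if __name__ == "__main__":
    sample = AuthResult(approved=True, avs_code="Z", cvv_code="M", amount=300.0)
    print(handle(sample, lambda r: print("voiding", r.amount)))   # review
```

The important habit is the void: once you decide not to fulfil an approved authorization, reverse it immediately, otherwise the legitimate cardholder sees a pending hold and you invite a complaint or a dispute.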
The Payment Card Industry Security Standards Council (PCI SSC) is a body founded by the major global card brands that maintains the Payment Card Industry Data Security Standard (PCI DSS), an industry-specific set of requirements for protecting cardholder data. PCI compliance means that a seller meets those requirements for every channel in which customers pay by card.
The upside of strict enforcement is that an online retailer can push much of the work onto its payment processor. Hosted checkouts from PayPal and others keep card data off the merchant's own servers, which shrinks the merchant's compliance scope to the shortest self-assessment questionnaire. It does not remove the obligation entirely: the merchant still has to keep its website and its integration with the processor secure, since a compromised checkout page can steal card data before it ever reaches the processor.
The PCI Security Standards Council’s website provides all the details to help you better understand this globally-used payment protocol.
As a business owner, it is your responsibility to monitor transactions as they come through. You can either build your own fraud detection rules or use ready-made solutions from reputable providers. If something looks suspicious, put that order on hold until you can properly verify the payment's origin.
Additionally, enable two-factor authentication (2FA) on customer and staff accounts, and Strong Customer Authentication (SCA), the PSD2 requirement for cardholder authentication in the EU and UK that is usually implemented through 3-D Secure 2. 2FA limits account takeover, and an SCA-authenticated card payment shifts liability for fraud from the merchant to the card issuer.
Keeping your operating systems and all business-related software up-to-date is a must for preventing hackers from exploiting any weaknesses. Running anti-virus software and installing new patches will keep your operation running smoothly.
When Magento (now Adobe Commerce) published fixes for multiple security flaws in its eCommerce software, shop owners who did not apply the updates were left exposed to attacks that inject payment card skimmers into the checkout page, the so-called Magecart attacks. The vendor publicly urged all customers to update immediately.
Shops that kept their software current were not exposed to this class of attack, which is the whole point of a routine patching practice.
An ounce of prevention goes a long way, and so does a solid plan for understanding the fraud attempts your shop sees. Every eCommerce shop owner will encounter an attempt at fraud at some point in the life of their business. Keep a record of every prior attempt; by tracking them you can spot repeated attempts from one source or a recurring method of attack.
Use this knowledge to keep them from breaking through your defences. Establish security procedures and train your employees on what to look for, especially around the holidays. Times of year such as Black Friday, Cyber Monday and Christmas, and any period when large purchases are common, are a field day for online criminals. If your eCommerce shop does high volume at those times, it is easy to miss a few scams.
It is wise to have a crisis management plan established in case your business falls prey to an online fraud scheme. A prepared set of actions covering public relations and statements to customers and dealers lets you act swiftly on the public-facing front while fixing the problems internally.
In a damage control situation it is vital to counteract the loss of brand value and trust. Stem the flow of losses and customer complaints by being prepared and understanding the conditions in which the fraud took place.
Trends in new ways of shopping will eventually lead to patterns emerging in fraudulent behavior. Credit card payments are still a mainstay of purchasing online, however, the payments landscape has expanded significantly in recent years.
Alongside PayPal, dedicated payment platforms such as Stripe and Square have become the backbone of online retail, while digital wallets like Apple Pay and Google Pay are increasingly popular for both mobile and desktop purchases.
Buy Now Pay Later services such as Klarna and Afterpay have also grown rapidly as checkout options. It is vital that an eCommerce business analyze the information coming through when introducing a new payment option. Criminals will always test a new method for vulnerabilities and loopholes in the system.
Protecting your business, and customers, from online fraud is an ongoing job that should be at the top of every retailer’s list of priorities. Cybercrime is not going to go away. It will become more sophisticated and clever, thus it is up to the retailer to keep adjusting strategies as they go.
From following security protocols to hiring outside agencies to monitor and advise, protecting your endeavors from fraud doesn’t have to be overwhelming. Common sense and an understanding of what tools to use will keep your business safe from most attacks.
Act quickly and follow a prepared crisis management plan. Put any suspicious transactions on hold, notify your payment processor, and investigate the source of the suspicious activity.
Communicate transparently with affected customers and, where required, report the incident to relevant authorities. The faster you respond, the better your chances of limiting financial damage and protecting your reputation.
Chargeback fraud is when a customer receives goods or services and then contacts their bank to dispute the charge and claim their money back, bypassing the seller entirely.
Refund fraud involves manipulating the seller's own returns process, for example, by overpaying with a stolen card and requesting the difference back via an alternative method, or returning counterfeit items in place of genuine ones.
Fraud affects businesses of all sizes. Smaller operations can actually be more vulnerable because they often lack the dedicated security infrastructure that larger companies have.
Fraudsters are aware of this and will actively probe new or smaller ecommerce stores for weaknesses, particularly when a new payment method is introduced or during high-volume periods like Black Friday and Christmas.
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements developed by the major global card brands to protect customer payment data. If your business accepts credit or debit card payments online, you are expected to comply with these standards. In practice, many payment processors such as PayPal and Stripe have PCI compliance built directly into their hosted checkouts, which significantly reduces the burden on individual sellers.
There are several red flags to watch for: login activity from an unusual location; a sudden change to a registered email address, shipping address or password; purchasing behaviour that is out of character for that customer; and several unusually large transactions in a short space of time. All of these are worth flagging for closer inspection.
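The monitoring described in the sections above (checking transactions as they arrive, tracking patterns across attempts, the overpayment trick in the refund fraud section, and the red flags listed here), as an added example that is not code from the original article. It replays a stream of login, profile-change and order events per customer account and reports every order that trips one of the rules. The event schema, the thresholds and the sample events are all constructed for illustration; a real shop would feed this from its authentication and order logs.

```python
"""Flag orders showing the account-takeover and fraud red flags from the article (added example).

Rules: login from a country not previously seen for the account; email, shipping
or password changed shortly before an order; an order far above the customer's
typical total; several large orders inside a short window; payment exceeding the
order total (the overpayment-refund trick).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Tunable thresholds (assumptions for this example).
RECENT_WINDOW = timedelta(hours=24)   # a login/profile change this close to an order is suspicious
TYPICAL_MULTIPLIER = 3.0              # order > 3x the customer's median order is out of character
ABSOLUTE_LARGE = 500.0                # orders above this always count toward the velocity rule
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_COUNT = 3                    # this many large orders inside the window
HOLD_THRESHOLD = 2                    # flags needed to put the order on hold

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # cust-1001: established customer, then a classic account-takeover sequence
    {"kind": "login", "account": "cust-1001", "ts": "2025-02-03T09:00:00", "country": "US"},
    {"kind": "order", "account": "cust-1001", "ts": "2025-02-03T09:10:00", "id": "ord-1001-a", "total": 45.0, "paid": 45.0},
    {"kind": "order", "account": "cust-1001", "ts": "2025-02-20T18:00:00", "id": "ord-1001-b", "total": 60.0, "paid": 60.0},
    {"kind": "order", "account": "cust-1001", "ts": "2025-03-01T12:00:00", "id": "ord-1001-c", "total": 52.0, "paid": 52.0},
    {"kind": "login", "account": "cust-1001", "ts": "2025-03-10T10:00:00", "country": "DE"},
    {"kind": "profile_change", "account": "cust-1001", "ts": "2025-03-10T10:05:00", "field": "shipping"},
    {"kind": "profile_change", "account": "cust-1001", "ts": "2025-03-10T10:06:00", "field": "password"},
    {"kind": "order", "account": "cust-1001", "ts": "2025-03-10T10:30:00", "id": "ord-1001-d", "total": 480.0, "paid": 480.0},
    # cust-2002: brand-new account placing several large orders in quick succession
    {"kind": "login", "account": "cust-2002", "ts": "2025-03-10T11:00:00", "country": "US"},
    {"kind": "order", "account": "cust-2002", "ts": "2025-03-10T11:01:00", "id": "ord-2002-a", "total": 700.0, "paid": 700.0},
    {"kind": "order", "account": "cust-2002", "ts": "2025-03-10T11:10:00", "id": "ord-2002-b", "total": 700.0, "paid": 700.0},
    {"kind": "order", "account": "cust-2002", "ts": "2025-03-10T11:20:00", "id": "ord-2002-c", "total": 700.0, "paid": 700.0},
    # cust-3003: overpayment, the setup for a "refund the difference elsewhere" request
    {"kind": "order", "account": "cust-3003", "ts": "2025-03-11T15:00:00", "id": "ord-3003-a", "total": 120.0, "paid": 200.0},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def score_events(events):
    """Return {order_id: (reasons, hold)} for every order that raised at least one flag.

    Event kinds (constructed schema):
      login:          account, ts, country
      profile_change: account, ts, field   ("email", "shipping" or "password")
      order:          account, ts, id, total, paid
    """
    known_countries = defaultdict(set)
    unusual_logins = defaultdict(list)    # account -> [(ts, country)]
    profile_changes = defaultdict(list)   # account -> [(ts, field)]
    order_history = defaultdict(list)     # account -> [past order totals]
    large_orders = defaultdict(list)      # account -> [ts of large orders]
    flagged = {}

    for e in sorted(events, key=_ts):
        acct, ts = e["account"], _ts(e)
        if e["kind"] == "login":
            if known_countries[acct] and e["country"] not in known_countries[acct]:
                unusual_logins[acct].append((ts, e["country"]))
            known_countries[acct].add(e["country"])
        elif e["kind"] == "profile_change":
            profile_changes[acct].append((ts, e["field"]))
        elif e["kind"] == "order":
            reasons = []
            for when, country in unusual_logins[acct]:
                if ts - when <= RECENT_WINDOW:
                    reasons.append(f"login from new country {country} {ts - when} before order")
            for when, field in profile_changes[acct]:
                if ts - when <= RECENT_WINDOW:
                    reasons.append(f"{field} changed {ts - when} before order")
            history = order_history[acct]
            is_large = e["total"] > ABSOLUTE_LARGE
            if history:
                typical = median(history)
                if e["total"] > TYPICAL_MULTIPLIER * typical:
                    reasons.append(f"order total {e['total']:.2f} is out of character (typical {typical:.2f})")
                    is_large = True
            if is_large:
                large_orders[acct].append(ts)
                recent = [t for t in large_orders[acct] if ts - t <= VELOCITY_WINDOW]
                if len(recent) >= VELOCITY_COUNT:
                    reasons.append(f"{len(recent)} large orders within {VELOCITY_WINDOW}")
            if e["paid"] > e["total"]:
                reasons.append(f"overpaid by {e['paid'] - e['total']:.2f}; refund only to the original card")
            history.append(e["total"])
            if reasons:
                flagged[e["id"]] = (reasons, len(reasons) >= HOLD_THRESHOLD)
    return flagged


if __name__ == "__main__":
    for order_id, (reasons, hold) in score_events(SAMPLE_EVENTS).items():
        print(order_id, "HOLD" if hold else "flag", reasons)
```

Two design points matter more than the specific thresholds. Single signals are noisy (a customer really can move house and then buy a gift), so orders are held only when several flags coincide, while single flags still go to the review queue that the article recommends keeping. And the rules are stateful per account, because the red flags are about change relative to that customer's own history, not absolute values; an order of 480 is unremarkable for one account and a takeover indicator for another.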