You’ve likely heard the phrase “the customer is always right.” It’s a mantra for traditional business owners to show that they go above and beyond the call of duty for their clientele. To be fair, it’s a respectable way to go about building your customer base and there’s a reason that philosophy was the norm for the brick-and-mortar world of the last century.
However, new ways of doing business require another set of skills to help you prevent opening the door open for fraudsters, scam-artists and criminals.
Online businesses are becoming savvy about the tactics that cyber-criminals are employing. In this evolutionary arms-race, the criminals continually shift and pivot to even more sophisticated ways of phishing, hacking and outright theft.
Operating a digital storefront or other online venture without an understanding of modern fraud can be like walking through a minefield without protection. You must have strong tools and tactics in place for combating the risks. It’s crucial to prevent fraud and theft, especially when your business could be held financially responsible for any losses incurred.
Once you understand the types of fraud and what to do in case you’re business has been targeted, you are able to react in a swift and professional manner to stop any thieves from getting further with their plan!
There are numerous types of fraud that criminals can and will employ to disrupt your online business. The umbrella term for them is Online Fraud. This is when an individual or group targets an eCommerce or similar business with the goal of stealing money, customer data, or swindling in general.
Customer accounts are commonly used at online stores like Amazon and Ebay to make it easy for users to come back and make purchases regularly.
A fraudster will begin by phishing for account information directly from a customer. This can take place in the form of a fake email that convinces the customer to hand over their login information. From there, they will change the password and proceed to make purchases and steal credit card/PayPal information. Many people use the same credentials for multiple resources (such as social networks) so the hackers may phish for details faking one website but actually use them at some other place. Except for making purchases and stealing credit card information, the hackers may also target personal information and the services themselves. E.g. a hacker may change the DNS settings to point a domain to some fraudulent website or forward the traffic to another resource.
According to a study released by Javelin Strategy, account takeover is on the rise.
Account takeover bounces back - After reaching a low point in 2014, both account takeover incidence and losses rose notably in 2016. Total ATO losses reached $2.3 billion, a 61 percent increase from 2015, while incidence rose 31 percent. Account takeover continues to be one of the most challenging fraud types for consumers with victims paying an average of $263 out of pocket costs and spending a total of 20.7 million hours to resolve it in 2016 – 6 million more than in 2015.
What to look for in identifying an account takeover:
Whether obtaining credit card information online or via physical theft, credit card fraud is very common. Once the payment is approved, the onus is on the business owner to properly identify the credit card owner/verify the customer. This can lead to the victim of the credit card theft seeking to be paid back from the company directly or via the bank.
This is a game of cat-and-mouse, with large companies staffing entire departments dedicated to loss prevention.
For example, the national food chain, Chipotle, recently had a problem with user accounts being stolen. The food ordered was charged on credit cards and sent to locations other than the billing address on file. This attack was a combination of credit card fraud, identity theft, and the infiltration of weak passwords.
Similar to credit card theft, this method involves taking on a user’s identity either via an existing customer profile, or creating one from scratch using stolen identification data. Sometimes these account takeovers occur using data stolen from breaches in other online shops. For example, you can check the story of Equifax data breach.
When Uber suffered an infamous data breach in 2016, some riders saw mysterious travel appear on their accounts. This fraud affected over 57 million customers and drivers. Their private information including names, addresses, and phone numbers was stolen. Uber at first denied the breach but ultimately paid off the hackers to delete the data.
Chargeback fraud occurs when the owner of the card commits the crime. The consumer purchases an item from your store and then claims the credit as stolen, requesting a chargeback after the items or services have been delivered. Originally created to protect the credit card holder from unfair business practices, cyber thieves can exploit this process to their own advantage.
The interesting aspect of chargeback fraud is its alternative name, friendly fraud. This term is used because sometimes the fraud is committed without the customer’s intention to commit a crime. An intentional fraudster will abuse this process to receive an item for free.
Chargeback happens when a customer circumvents going directly to the seller for a refund and immediately contacts their credit card company to request a their money back. A legitimate card owner will dispute the charge with their bank. The bank takes over the process and forces a refund, citing that the seller is in the wrong.
Issuing a bank refund is not the same as requesting a return, but some customers do not know there is a difference. No matter the intention, the result is the same for seller.
This type of fraud has a few layers of deception. Making a purchase with a stolen credit card, the criminal purposely overpays for the item. They then report an overpayment requesting reimbursement for the difference via an alternative method rather than the original credit card. If the business owner agrees to this, they are responsible to the card owner for the full amount of the charge on top of losing money for the refund.
Another aspect of refund fraud, known as a Whitehouse scam, revolves around returning items in exchange for money or other items. For example in 2019, two college students in Oregon got caught defrauding Apple. They claimed their iPhones were defective, ‘returned’ counterfeit iPhones the students received from China, and the company replaced these with real ones. The thieves cost Apple over $900,000 before they were caught.
Sellers should keep track of serial numbers and customers that make a habit of opening claims with the company. Some larger operations will flag a customer account for suspicious activity.
With so many methods of deception for theft, it can seem impossible to stem the tide of online thievery. That said, there are solid strategies to implement that can prevent most, if not all, of online fraud.
The first step, if you’re choosing a third party platform on which to host your business, is to choose one with a solid reputation for best practices in security.
Popular third party sites implement the security protocols necessary to verify customers and protect databases. A handy checklist to help you decide which platform or hosting company to choose should include:
Implementing a CAPTCHA will stop almost all bot attacks in their tracks. CAPTCHA stands for “completely automated public Turing test to tell computers and humans apart” and is one method to ensure your customer is a human being on the other end of that connection. This method demands that the user type the letters they see on the screen into a field box. Usually these letters and/ or numbers are visually jumbled and forces the customer to focus and assess what they are seeing on the screen. Sometimes controversial since the CAPTCHA can be difficult from a usability standpoint, it still remains as a good tool for preventing automated fraud and data leaks.
Help your customers to secure their accounts with added levels of security. Encourage more complex passwords. While it seems quick and easy to create a memorable password from a few letters, use a system that only accepts longer characters with numbers and capitalization included.
It’s very common for individuals to re-use old passwords or take common ideas from a dictionary, birthdates, children’s names, etc. Encourage the use of password generators and such as Last Pass and Passwords Generator to help with this process.
Verifying addresses and credit card value are other standards of compliance that will keep fraudsters at bay. The AVS, address verification system, cross-references the billing address of the customer with the information stored on the credit card system itself. Both CCV and AVS are used by banks and card networks but a merchant can also use AVS at their end as a supplementary verification option.
CCV, credit card value, is the familiar three-digit code on the back of all credit cards. You may have also heard about the alternative names such as CVV, CVC, or CVV2. In compliance with PCI, the CCV data is never stored with credit card numbers on an online retailer’s database. With this security in place, hackers can’t acquire this information without actually stealing the card in real life.
Payment Card Industry Security Standard Council, PCI for short, is a grouping of major global credit card brands that developed an industry specific protocol for protecting consumer data. What is now referred to as PCI Compliance, ensures that sellers follow PCI standards across the board when customers pay with their credit cards.
The upside of PCI Compliance being strictly enforced is that an online retailer can rely on their payment processor to handle all of these details. PayPal and others have built this compliance directly into their operations to take the pressure off the seller.
The PCI Security Standards Council’s website provides all the details to help you better understand this globally-used payment protocol.
As a business owner, it is your responsibility to monitor all transactions as they come through. You can either develop your own fraud detection systems from scratch or employ ready-to-use solutions offered by reputable providers. If something looks suspicious, it’s wise to put that purchase on hold until you can properly verify the payment’s origin.
Additionally, it’s recommended to enable two-factor authentication(2FA) and SCA (Strong Customer Authentication or 2FA for cards) which helps to avoid account takeover and prevents unauthorized use of card information.
Keeping your operating systems and all business-related software up-to-date is a must for preventing hackers from exploiting any weaknesses. Running anti-virus software and installing new patches will keep your operation running smoothly.
When Magento’s eCommerce software revealed multiple flaws in their system that came about after fixing and patching previous issues, shop owners were made vulnerable to attack. If the shop owners using Magento did not update their software, they’d be left vulnerable to attack via payment card skimmers. The company publicly urged all clients to immediately update their software regularly to avoid such problems.
If users made a practice of updating their software frequently, they would not have become vulnerable to this type of attack.
An ounce of prevention goes a long way, and so does a solid plan for understanding the traffic in online fraud. Every eCommerce shop owner will encounter an attempt at fraud at some point in the life of their business. Keep a record of all prior attempts at fraud. By tracking these you can see a pattern if there are repeated attempts from one source or clear methods of attack.
Use this knowledge to prevent them from breaking through your defenses. Establish security protocols and train your employees on what to look for, especially around the holidays. Certain times of the year like Black Friday, Cyber Monday, Christmas, and whenever large purchases are commonly made, are a field day for online criminality. If your eCommerce shop does high volume at this time it might be easy to miss a few scams.
It is wise to have a crisis management plan established in the case of if your business falls prey to an online fraud scheme. Having a set of actions to follow in terms of public relations and statements to customers and dealers will allow you to act swiftly on the public facing front while fixing the problems internally.
In a damage control situation it is vital to counteract the situation that decrease your company’s brand value and trust. Stem the flow of significant loss and customer complaints by being prepared and understanding the conditions in which the fraud took place.
Trends in new ways of shopping will eventually lead to patterns emerging in fraudulent behavior. Credit card payments are still a mainstay of purchasing online, however, with the rise of PayPal, new competitors have come out in recent years. Venmo and Zelle are currently popular methods of buying online, especially since users are trending toward shopping via their mobile devices and wearables. It is vital that an eCommerce business analyze the information coming through when introducing a new payment option. Criminals will always test a new method for vulnerabilities and loopholes in the system.
Protecting your business, and customers, from online fraud is an ongoing job that should be at the top of every retailer’s list of priorities. Cybercrime is not going to go away. It will become more sophisticated and clever, thus it is up to the retailer to keep adjusting strategies as they go.
From following security protocols to hiring outside agencies to monitor and advise, protecting your endeavors from fraud doesn’t have to be overwhelming. Common sense and an understanding of what tools to use will keep your business safe from most attacks.