How to protect your e-commerce business from online fraud


The shift to online shopping, and the fall in face-to-face transactions caused by the Covid-19 crisis, have driven a rise in fraud across the e-commerce landscape: payment fraud is migrating online along with the payments.

The higher volume of electronic transactions has brought a surge in fraudulent activity, as cyber-criminals have adapted their techniques to the realities of the pandemic and now use more sophisticated tactics against consumers and e-commerce merchants than ever. Online fraud concentrates on the segments that have grown fastest since the pandemic began, and click-and-collect has also seen a rise in attempted fraud.

As the shift to digital is most probably here to stay, and global cybercrime damages are predicted to reach $6 trillion annually by 2021, e-commerce brands need to be aware of current fraud trends and prioritise the systems, tools, and strategies that will help them to stop fraudulent attacks and minimise losses. Having a fraud-protection system in place that is continually being updated and monitored is of paramount importance as online fraud these days resembles a virus in the way it constantly mutates and evolves.

Phishing emails

Phishing is a social engineering technique (the psychological manipulation of people into performing actions or revealing confidential information): it targets the user rather than a technical weakness in the network. It covers any attempt to obtain sensitive information for malicious reasons by impersonating a trustworthy entity in an electronic communication.

The top five types of data that are compromised in a phishing attack are:

·     Credentials (passwords, usernames, PINs)

·     Personal data (name, address, email address)

·     Internal data (sales projections, product roadmaps)

·     Medical data (treatment information, insurance claims)

·     Financial data (account numbers, credit card information)

Although online fraudsters have used phishing emails for years to obtain personal information and bank details from customers, the use of phishing emails has risen steeply during the pandemic, as cyber-criminals are trying to capitalise on the fear and uncertainty caused by the Covid-19 crisis. Phishing email attacks increased by 667% during the first month of the pandemic and of all the COVID-19 themed phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail, and 1% as business email compromise.

Scam websites

Phishing attacks are usually supported by scam websites that are deliberately designed to look like legitimate, trustworthy websites, such as those operated by official government organisations or famous brands, for example. The number of scam websites has massively increased since the beginning of the pandemic with many of them advertising face masks and medical equipment, offering life insurance against the coronavirus, asking money for charity, advertising the government’s coronavirus Job Retention Scheme, and more. Her Majesty's Revenue and Customs (HMRC) has formally asked Internet Service Providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak within the first three months of the lockdown.

Account takeover and identity theft

Cyber-criminals routinely break into the accounts customers create on e-commerce stores, which hold personal information, payment details and purchase history. The usual route is not a break-in at all but credential stuffing: trying e-mail and password pairs leaked from breaches elsewhere, which works whenever customers reuse passwords. Fraudsters either sell the stolen information to other scammers or log in, change the password and place unauthorised orders. They may also hijack part of an e-commerce shop and reroute traffic, redirecting customers to a look-alike site that harvests personal information and card details. Finally, they can set up fake merchant accounts that imitate legitimate businesses or brands and charge customers’ cards.

Financial solvency and customer trust

Fraudulent or unauthorised transactions and identity theft leave your e-commerce company carrying the cost of your customers’ financial and personal data loss: you pay the chargebacks and their fees, and most probably the forensic investigation and data-recovery services as well. An increasing number of e-commerce companies therefore turn to cyber liability insurance to offset the cost of recovering from a security breach or similar event.

Nevertheless, the hit to your brand’s reputation from a fraud incident can be worse than any financial loss. Earning your customers’ trust has a significant impact on brand loyalty and retention, and once that trust is lost it is incredibly difficult to win back: 64% of consumers say they are unlikely to do business again with a company from which their personal data was stolen.

While the threat of fraud to your e-commerce store cannot be eliminated, several practices help you reduce the risk without drowning in false positives (legitimate transactions wrongly flagged as fraudulent).

PCI compliance

The Payment Card Industry Security Standards Council (PCI SSC) is a forum of global brands including Visa, MasterCard, and American Express among others. Its mission is to manage the ongoing evolution of the Payment Card Industry Data Security Standard (PCI DSS) and support services that drive education, awareness, and effective implementation by companies. PCI SSC has developed a set of best practices to safeguard consumer data that helps businesses protect themselves and their customers from online fraud.

Any business that stores, processes or transmits cardholder data must comply with PCI DSS, whatever its size or revenue. How compliance is validated, though, depends on one of four merchant levels that each card brand defines by annual transaction volume (the thresholds below are Visa’s); level 1 is the strictest and requires an annual on-site assessment by a Qualified Security Assessor, while the lower levels complete a Self-Assessment Questionnaire.

·      Level 1: more than 6 million card transactions a year

·      Level 2: 1 million to 6 million card transactions a year

·      Level 3: 20,000 to 1 million card transactions a year

·      Level 4: fewer than 20,000 card transactions a year

These standards are defined by the PCI Security Standards Council (PCI SSC) and enforced by the card brands through the acquiring banks. Most payment processors and e-commerce SaaS (software as a service) platforms build PCI compliance into what they offer, and using their hosted payment page or iframe, so that card numbers never touch your own servers, keeps your own compliance scope to a minimum; you still need to know your company’s level and which self-assessment questionnaire applies. See the PCI Security Standards website for details.

Site security

Choosing a reputable payment processor and being PCI compliant is not enough on its own. Further steps are needed to keep your company’s and your customers’ personal and financial information secure. Verified by Visa and MasterCard SecureCode are the card schemes’ 3-D Secure programmes (since superseded by 3-D Secure 2, branded Visa Secure and Mastercard Identity Check): the issuer authenticates the cardholder during check-out, and liability for fraud chargebacks on authenticated transactions shifts from the merchant to the issuer. Site seals such as McAfee Secure are a vulnerability scan of your website with a trust badge rather than transaction protection, so treat them as a separate control.

Make sure every page in the check-out flow is served over HTTPS (Hypertext Transfer Protocol Secure) and that nothing on those pages, whether a form action, a script or an image, points at a plain http URL: a form that posts card details over http sends them in clear text, and browsers treat http scripts on an https page as mixed content. Redirect http to https and send an HSTS header so browsers stop trying http at all, and set up alerts for suspicious activity. Many e-commerce platforms and payment providers already have fraud monitoring in place; PayPal offers a set of fraud management filters, for example, and eBay runs strict fraud monitoring protocols.
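The mixed-content check above is easy to automate. The following is an added example, not code from the original article or from Shiptheory: it parses a check-out page and reports every form action, script, image, iframe, stylesheet or link that resolves to a plain http URL, with the form case ranked first because that is where card data would travel in clear text. The page URL, the hostnames and the HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attributes either submit data (form) or fetch a resource.
# A plain http:// target on an https check-out page is what we want to catch.
URL_ATTRIBUTES = {
    "form": ("action",),
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "a": ("href",),
}

# Constructed sample of a check-out page (not a real shop). It mixes one safe
# form with a form that posts the card details over plain HTTP and a script
# loaded over plain HTTP.
SAMPLE_CHECKOUT_URL = "https://shop.example/checkout/payment"
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form method="post" action="http://pay.example/submit">
  <input name="card_number"><input name="cvv"></form>
<form method="post" action="/checkout/confirm"><input name="email"></form>
<script src="http://cdn.example/analytics.js"></script>
<img src="https://cdn.example/logo.png">
<a href="//cdn.example/terms">Terms</a>
</body></html>
"""


class InsecureReferenceCollector(HTMLParser):
    """Record every form action or resource URL that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute url)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRIBUTES.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            raw = attrs.get(name)
            if not raw:
                continue  # missing/empty action means "this page", which is https
            absolute = urljoin(self.page_url, raw)  # resolves relative and // URLs
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_insecure_references(page_url, html):
    """Return [(tag, attribute, url)] for every plain-http target on the page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("check-out page itself is not served over https")
    collector = InsecureReferenceCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


def worst_finding(findings):
    """A form posting over http leaks whatever the customer types; rank it first."""
    forms = [f for f in findings if f[0] == "form"]
    if forms:
        return forms[0]
    return findings[0] if findings else None


if __name__ == "__main__":
    for tag, attr, url in find_insecure_references(SAMPLE_CHECKOUT_URL, SAMPLE_CHECKOUT_HTML):
        print(f"insecure {tag} {attr}: {url}")
```

Run it against the HTML of each page in your check-out flow (fetched over https, after logging in as a test customer) and fail the build on any finding; the `a` links are included because a "continue" button that drops the customer back to http is a downgrade even when nothing is posted.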

Also, make sure the payment solution on your site uses an address verification system (AVS). AVS is a service offered by most major card processors: as part of the merchant’s authorisation request in a card-not-present transaction, the issuer compares the numeric parts of the billing address and postcode the customer entered with the address it holds for the card and returns a match code. It does not prove ownership of the card, but a mismatch is one of the strongest fraud signals available, and it is only useful if your system actually reads the code: issuers often approve the authorisation regardless, leaving it to the merchant to decline the order and reverse the authorisation.

Data storage and password requirements

Another critical measure for reducing payment fraud risk is not storing sensitive customer and transaction data in the first place. PCI DSS discourages storing cardholder data at all, and if card numbers must be kept they have to be protected to the standard’s encryption and storage requirements; sensitive authentication data (the security code, full magnetic-stripe or chip data and PINs) must never be stored after authorisation, even encrypted. In any case, hold the minimum sensitive information possible, back up what you do hold, keep card numbers and security codes out of your logs, and make sure your data-handling procedures comply with the General Data Protection Regulation (GDPR).
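Card numbers leak into application logs far more often than into databases, so a practical complement to "store the minimum" is to scrub them before they are written. The following is an added example, not code from the original article or from Shiptheory: it finds 13- to 19-digit sequences in a log line, uses the Luhn mod-10 check to tell card numbers from order numbers and phone numbers, masks everything but the last four digits, blanks any `cvv=`/`cvc=`/`cid=` field, and builds the only record a merchant should keep after authorisation. The log lines and the `processor_token` field are constructed for the example; the card numbers are the public test numbers the card brands publish, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes (the way customers type them and the way they leak into logs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security-code fields must never reach a log at all, so blank them outright.
CVV_FIELD = re.compile(r"(?i)\b((?:cvv|cvc|cid)2?)=\d{3,4}\b")


def luhn_valid(digits):
    """Mod-10 check that every card number passes; filters out order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text):
    """Mask every Luhn-valid card number in a string, keeping only the last four digits."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_CANDIDATE.sub(mask, text)
    return CVV_FIELD.sub(r"\1=***", text)


def storable_card_record(pan, expiry_month, expiry_year, processor_token):
    """The subset of card data a merchant may keep after authorisation.

    The full PAN lives at the payment processor behind `processor_token`
    (an assumed name for whatever reference your processor returns); the
    security code is deliberately not a parameter because it must not be
    stored at all.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid card number")
    return {
        "last4": digits[-4:],
        "expiry": f"{expiry_month:02d}/{expiry_year % 100:02d}",
        "token": processor_token,
    }


# Constructed log lines: a PAN typed with spaces, a 15-digit Amex-format test
# number, and a line with a 16-digit order number and a phone number that
# must survive untouched.
SAMPLE_LOG = [
    "2020-05-04 10:02:11 order=1234567890123456 pan=4111 1111 1111 1111 cvv=123 status=auth_ok",
    "2020-05-04 10:02:12 order=9988776655 pan=378282246310005 status=avs_mismatch",
    "2020-05-04 10:02:13 order=5551234567 phone=+44 7700 900123 status=shipped",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_pans(line))
```

Wire `redact_pans` into the logging formatter rather than calling it ad hoc, so it runs on every line including stack traces. A Luhn-valid 16-digit order number will occasionally be masked too; that false positive is far cheaper than a PAN in a log file that ends up in a ticketing system or a backup.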

Besides cutting stored customer data to the minimum, be stricter with password requirements for both staff and customers. Require at least eight characters mixing upper- and lower-case letters, digits and at least one special character, reject passwords that appear on known-breached lists (length and breach screening stop more attacks than composition rules alone), and add a second factor such as an authenticator-app code: mandatory for staff and admin accounts, offered to customers. That may cause customers slight annoyance, so tell them exactly why you have added these measures. Being upfront and customer-focused is one of the best ways to strengthen brand loyalty.
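To show what the password rule and the second factor look like in code, here is an added example that is not from the original article or from Shiptheory: a policy check that reports every rule a candidate password breaks, and a server-side verifier for the time-based one-time codes (RFC 6238 TOTP, the scheme authenticator apps use) with a one-slot tolerance window and replay protection. The denylist is a constructed stand-in for a real breached-password corpus, and the secret is the RFC 6238 reference secret rather than a per-user one.

```python
import hashlib
import hmac
import string
import struct

# Constructed denylist; in production screen against a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def password_policy_failures(password):
    """Return the rules a candidate password breaks (an empty list means it passes)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    return failures


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (SHA-1, the default in authenticator apps)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based code for the 30-second slot containing unix_time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, window=1, step=30, digits=6):
    """Check a submitted code against the current slot and `window` slots either side.

    Returns the matching counter (persist it as last_counter for this user)
    or None. Refusing any counter <= last_counter stops a captured code being
    replayed inside the tolerance window.
    """
    code = code.strip()
    if not code.isdigit():
        return None
    current = unix_time // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# RFC 6238 reference secret (ASCII "12345678901234567890"). A real deployment
# generates a random per-user secret and shares it with the app as a base32 QR code.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(password_policy_failures("password"))
    print(totp(RFC_SECRET, 59), verify_totp(RFC_SECRET, "287082", 59))
```

The codes produced here match the RFC 6238 test vectors (the last six digits of 94287082 at T=59, for instance), which is the quickest way to check an implementation against the apps your customers will use. Store `last_counter` alongside the user's secret and update it on every successful login.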

Credit card security codes

The card security code is the 3- or 4-digit number printed on the card (not embossed and not encoded on the magnetic stripe), also called the Card Verification Value/Code (CVV2 or CVC2), Card Member ID (CMID) or Card Identification Number (CID). Requiring it at check-out, and never storing it, means a card number taken from a breached merchant database or a copied stripe cannot be replayed on your site, because that data does not include the code. It is evidence that the buyer has seen the card, not proof of ownership: a phishing page captures the code along with the number.

This number is referred to by different names for specific credit cards, as follows:

·      Visa: 3 digits - CVV2

·      MasterCard: 3 digits - CVC2

·      American Express: 4 digits - CID
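The AVS and security-code results described above only prevent fraud if the merchant's system acts on them, because the issuer's "approved" answer usually comes back regardless. The following is an added example, not code from the original article or from Shiptheory, of the merchant-side rule that combines the two results with the order value and the shipping address into an approve/review/decline decision. The single-letter result codes are the ones the major card networks document (Y, A, Z, N, U, R for AVS; M, N, P, U for the security code), but your processor's own table is authoritative and anything it returns that is not listed here is treated as unavailable; the `AuthResponse` fields, the 250 review threshold and the sample responses are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    REVIEW = "review"    # hold for a manual check before shipping
    DECLINE = "decline"  # and void/reverse the authorisation


# Single-letter AVS results as the main card networks document them, mapped to
# (street number matched, postcode matched); None means no answer was given.
AVS_RESULTS = {
    "Y": (True, True),     # street number and postcode both match
    "A": (True, False),    # street matches, postcode does not
    "Z": (False, True),    # postcode matches, street does not
    "N": (False, False),   # neither matches
    "U": (None, None),     # issuer does not support AVS
    "R": (None, None),     # issuer system unavailable, retry later
}

# Security-code (CVV2/CVC2/CID) results: M match, N no match, P not processed,
# U issuer not certified.
CVV_RESULTS = {"M": True, "N": False, "P": None, "U": None}


@dataclass
class AuthResponse:
    issuer_approved: bool   # the issuer approved the amount
    avs: str                # AVS result letter
    cvv: str                # security-code result letter
    amount: float
    ships_to_billing: bool  # shipping address equals billing address


def decide(resp, review_above=250.0):
    """Merchant-side rule layered on top of the issuer's answer.

    Issuers frequently approve an authorisation even when AVS or the security
    code fails; the merchant has to read those fields and decide, and must
    reverse the authorisation when it declines so the customer is not charged.
    """
    if not resp.issuer_approved:
        return Decision.DECLINE
    cvv_ok = CVV_RESULTS.get(resp.cvv.upper())
    street_ok, postcode_ok = AVS_RESULTS.get(resp.avs.upper(), (None, None))

    if cvv_ok is False:
        return Decision.DECLINE          # card number known, card not in hand
    if street_ok is False and postcode_ok is False:
        return Decision.DECLINE          # billing address entirely wrong
    if cvv_ok is None or street_ok is None:
        return Decision.REVIEW           # no signal: do not ship unchecked
    if street_ok is False or postcode_ok is False:
        # partial match: acceptable for small orders shipped to the billing address
        if resp.amount >= review_above or not resp.ships_to_billing:
            return Decision.REVIEW
        return Decision.APPROVE
    if not resp.ships_to_billing and resp.amount >= review_above:
        return Decision.REVIEW           # full match, but high value to a different address
    return Decision.APPROVE


# Constructed responses, not from any real processor.
SAMPLE_RESPONSES = {
    "clean":           AuthResponse(True, "Y", "M", 79.0, True),
    "bad_cvv":         AuthResponse(True, "Y", "N", 79.0, True),
    "no_avs_match":    AuthResponse(True, "N", "M", 79.0, True),
    "postcode_only":   AuthResponse(True, "Z", "M", 420.0, False),
    "avs_unavailable": AuthResponse(True, "U", "M", 79.0, True),
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(f"{name}: {decide(resp).value}")
```

The thresholds are deliberately simple so the structure is visible: a wrong security code is an outright decline, a total address mismatch likewise, an absent signal goes to manual review, and partial matches are tolerated only for low-value orders going to the billing address. Tune the review threshold and add your own signals (order velocity, device reputation, first order from an account) in the same place; the essential discipline is that every decline path also reverses the authorisation.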


Just as e-commerce retailers are adapting their business model to the rapid growth in online orders, they need an equally strong focus on fraud detection and prevention. Payment fraud hurts your company financially and can permanently damage your brand’s reputation. Fraud patterns are evolving rapidly as a result of the Covid-19 pandemic, so keep up with the latest fraud trends, strengthen and regularly review your site’s fraud defences, and monitor transactions closely.

If in doubt about the best ways to secure your e-commerce website and your customers against fraud, consider hiring a security advisor or auditor. In any case, keep all your platforms and software up to date so that the latest security patches are installed. If your site has been hit by fraud before, keep detailed records of those incidents so you and your employees can study them and plan how to prevent a repeat. Finally, it is always worth educating your staff on security and fraud procedures, or hiring a third party to do it for you.

Stathis Kampylis

Marketing and Communications Coordinator at Shiptheory