Three challenges in eCommerce Fraud Protection
One of my side hustles is lecturing postgraduate university students on financial crime intelligence – this is all about how to identify and detect fraud and illicit activity in your data. I regularly tell my students (and clients) that fraud is really a ‘process-based crime’ – it arises because of internal control gaps in your business processes which equate to vulnerabilities for your business, and opportunities for fraudsters and criminals.
Different types of fraud arise at different points in the eCommerce process. Every fraud scheme has its own unique characteristics, which means we can prevent and detect it! From my perspective, there are three challenges in eCommerce fraud protection:
- Detecting customer profiles or transactions which are highly likely to be fraudulent, with a low false positive rate (see here for an explanation);
- Detecting the fraud in time to avoid incurring a loss (this is particularly hard with real-time payments and outsourced and / or automated fulfilment); and
- Striking the right balance between enough loss prevention measures to mitigate the risk (your ‘risk appetite’) and too many controls (which make for a bad customer experience, impacting sales conversions and customer retention).
To illustrate this for eCommerce, I have used the four-phased eCommerce marketing lifecycle promoted by SmartInsights.com and overlaid where different fraud schemes can arise:
Three categories of eCommerce fraud schemes
Let’s deep dive into the three main eCommerce fraud schemes:
Account-related frauds
Some eCommerce fraud schemes revolve around a user’s identity or account. Examples of ways in which this may happen, either at account creation or at account login, include:
- Phishing – social engineering attempts to compromise users and their accounts
- Credential stuffing – attempts to use credentials stolen from another breach to login
- Account takeover – where a user’s account credentials or browser session is hijacked
- Identity theft – a victim’s identity is stolen and used to obtain loans, goods, etc.
The second category of eCommerce frauds revolves around the payment or transaction itself, including:
- Use of stolen / purchased credit card details
- Card testing – where criminals place small charges on a card to see if it is still valid; these charges may later be disputed by the cardholder
- Chargeback fraud – shopper makes a purchase on their own card, then requests a chargeback after receiving the goods
- Refund scams – shopper purchases something and asks for a refund before the product is delivered
- Payment frauds – including card present and card not present transactions
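Card testing leaves a recognisable pattern in authorisation logs: a burst of small-value attempts across many different cards from one source, with a high decline rate. The following is an added example (not code from this blog or any merchant platform) of a velocity rule over a constructed, hypothetical authorisation log. It requires several distinct cards before alerting, so a single legitimate shopper making a run of small purchases on one card is not flagged; the thresholds are assumptions and would need tuning against your own false positive rate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation attempts (hypothetical data, not from any real merchant):
# (source_ip, card_token, amount, result, timestamp)
AUTH_LOG = [
    ("203.0.113.5", "tok_c01", 1.00, "DECLINED", "2024-03-01T10:00:01"),
    ("203.0.113.5", "tok_c02", 1.00, "DECLINED", "2024-03-01T10:00:04"),
    ("203.0.113.5", "tok_c03", 0.50, "APPROVED", "2024-03-01T10:00:09"),
    ("203.0.113.5", "tok_c04", 1.00, "DECLINED", "2024-03-01T10:00:12"),
    ("203.0.113.5", "tok_c05", 2.00, "APPROVED", "2024-03-01T10:00:20"),
    ("203.0.113.5", "tok_c06", 1.00, "DECLINED", "2024-03-01T10:00:25"),
    # A legitimate shopper on one card: several small purchases, one card, no declines.
    ("198.51.100.7", "tok_c90", 3.00, "APPROVED", "2024-03-01T10:05:00"),
    ("198.51.100.7", "tok_c90", 2.50, "APPROVED", "2024-03-01T10:06:00"),
    ("198.51.100.7", "tok_c90", 4.00, "APPROVED", "2024-03-01T10:07:00"),
    ("198.51.100.7", "tok_c90", 1.00, "APPROVED", "2024-03-01T10:08:00"),
    ("198.51.100.7", "tok_c90", 2.00, "APPROVED", "2024-03-01T10:09:00"),
    # A large one-off purchase: never counted as a probe-sized charge.
    ("192.0.2.9", "tok_c77", 120.00, "APPROVED", "2024-03-01T10:10:00"),
]

def detect_card_testing(events, window_minutes=10, max_amount=5.00,
                        min_attempts=5, min_distinct_cards=4):
    """Return {source_ip: summary} for IPs whose small-value authorisations inside a
    rolling window reach min_attempts and span at least min_distinct_cards cards."""
    by_ip = defaultdict(list)
    for ip, card, amount, result, ts in events:
        if amount <= max_amount:  # only probe-sized charges count towards the velocity
            by_ip[ip].append((datetime.fromisoformat(ts), card, result))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward so rows[start..end] all fall within it
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            cards = {card for _, card, _ in span}
            if len(span) >= min_attempts and len(cards) >= min_distinct_cards:
                alerts[ip] = {  # report the first window that crosses the threshold
                    "attempts": len(span),
                    "distinct_cards": len(cards),
                    "declines": sum(1 for _, _, r in span if r == "DECLINED"),
                }
                break
    return alerts
```

Lowering `min_distinct_cards` to 1 makes the legitimate shopper trigger as well, which is the false positive trade-off the first challenge above refers to.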
The final category of eCommerce frauds is perpetrated by a user post-payment. Common fraud typologies include:
- Change of address scams – delivery address is changed after payment but before shipping, so goods are not sent to the cardholder’s residence
- Returns fraud – consumer receives goods, uses them, and sends them back (effectively ‘renting’ them)
- Product diversion – where goods are essentially stolen by trusted insiders (employees, contractors, suppliers)
I have provided more information on which products are most likely to be targeted by organised fraud, product diversion and shoplifting rings in my article “product security risk assessments for tangible goods”.
Identifying your core business activities, systems and processes is key to understanding and managing your risk profile. I will review how to do this in a future article, but if you are looking for somewhere to start, try www.juliantalbot.com and this article on ‘risk appetite and risk tolerance’.
- Curwell, P. (2021). Product security risk assessments for tangible goods
- Curwell, P. (2022). Alert management and insider risk continuous monitoring systems
- Curwell, P. (2023). Towards a taxonomy for product diversion
- Manoukian, J. (2016). Risk appetite and risk tolerance: what’s the difference?
- Julian Talbot – https://www.juliantalbot.com/
- SmartInsights (n.d.). Lifecycle Marketing Model in Digital Marketing for the Ecommerce Sector, https://www.smartinsights.com/ecommerce-lifecycle-marketing/