It is hard to underestimate the role of E-commerce in a world where most communications happen on the web and our virtual environment is full of advertisements with attractive products and services to buy. Meanwhile, it is obvious that many criminals are trying to take advantage of it, using scams and malware to compromise users’ data.
Fraud Detection in E-commerce and Statistics
The level of E-commerce fraud is high, according to the statistics. With E-commerce sales estimated to reach $630 billion (or more) in 2020, an estimated $16 billion will be lost because of fraud. Amazon accounts for almost a third of all E-commerce deals in the United States; Amazon’s sales numbers increase by about 15% to 20% each year. From 2018 to 2019, E-commerce spending increased by 57% — the third time in U.S. history that the money spent shopping online exceeded the amount of money spent in brick-and-mortar stores.
The Crowe UK and Centre for Counter Fraud Studies (CCFS) created Europe’s most complete database of information on fraud, with data from more than 1,300 enterprises from almost every economic field. The studies show that 21% of consumers are afraid their credit card data will be stolen and 19% believe their confidential data may be misused. 54% of consumers said they faced fraudulent or suspicious actions on the Internet — more so than through mobile spam calls (18%), door-to-door sales (13%), postal mail (12%), or stores (5%).
Reports and user surveys show that E-commerce businesses should be aware of the potential risks of fraud as well of the tools and solutions to fight them, so that users feel much more relaxed and trusting while making payments online.
What is E-commerce Fraud?
Fraud in E-commerce happens when a fraudster goes to an online store and makes an unauthorized transaction using the compromised details of a stolen or fake credit card. He leaves the merchant without legal payment for the goods; thus, the store will have to charge money back to the compromised customer.
E-commerce fraud differs from real-life credit card fraud because there’s no card physically involved, and the victim doesn’t always have to have some type of interaction with the criminal in real life in order to be compromised.
E-commerce Fraud Trends
Fraud has never been a new thing, although the trend for E-commerce fraud rises as the number of cash-free transactions increase. It is especially obvious now, when the world is moving away from in-store purchases. Due to the COVID-19 quarantine, people have to make more purchases online to stay safe or because the products they need are unavailable in closed local shops.
E-commerce Fraud Protection
As the trend for E-commerce fraud rises and E-commerce fraud scenarios and malware become more subtle and harder to detect, E-commerce fraud protection has never been so important. To make sure that their business is protected, every merchant and bank should pay attention to the latest trends in fraud detection such as modern E-commerce fraud software on Artificial Intelligence (AI), learn the best fraud prevention practices, and be aware of common types of online fraud.
Introduction to E-commerce Fraud Prevention
A famous Amazon founder Jeff Bezos once said:
“We see our customers as invited guests to a party, and we are the hosts. It’s our job every day to make every important aspect of the customer experience a little bit better.”
What’s true about this quote is that it is very important to make each customer’s experience as satisfying as possible, especially when it comes to the security of their accounts and money spent online.
When thinking about how to decrease fraud, the first thing a banker, merchant, or other E-commerce participants should take care of is developing a risk management framework. It includes being aware of channel risk (e.g., mobile, online, staff/terminal, and network) and building a segmentation strategy based on operational risk evaluation methodology such as quantitative or qualitative methodology.
Vulnerabilities might be present in all channels, so it is vital to create a controlled environment with clearly defined layers that follow the transaction cycle and proves its resistance against relentless attempts from criminals to find weak places and hit them.
Let’s consider the most common scenarios to better understand where the roots of fraud may start:
|#||E-commerce fraud trends ranked by the significance of the threat.|
|1||Business e-mail compromise|
|3||Denial of service|
|4||E-mail account compromise|
It is crucial to understand the way fraudsters work online because they usually employ a number of common ways to deceive users and corporations:
Business e-mail compromise: this type of scam aims at businesses working with overseas suppliers and partners who continually make wire transfer payments. The fraud starts by seeking out legitimate business e-mail accounts and compromising them through social engineering or special software that allows intrusion, with the goal to make illegal money transfers.
Data breach: this happens at personal or enterprise levels and implies the leaking of sensitive, confidential, or protected information. The information is usually stolen or copied from a database.
Denial of service: disruption of any user’s session of entering into a system or network caused by fraudulent activity.
E-mail account compromise: this is the alternative version of business e-mail compromise that is aimed at the general public as well as professional people working in financial and lending enterprises, real estate companies, and judicial firms. Criminals use the compromised e-mail account to transfer costs to a fraudulent location.
Malware/scareware: a kind of ill-natured software that is developed to intrude into computers and computer systems in order to damage or disable them.
Phishing/spoofing: both terms refer to a similar notion and imply forging e-mails in a way that makes them appear very close to those being sent by legitimate businesses.
Ransomware: this is a type of malware that targets technical and human weak points in enterprises with the goal to disable valuable data or systems. Once the victim finds out they cannot gain access to the valuable data again, they receive a demand from the criminal to pay a ransom to re-gain access.
What Happens if Fraud Scenarios are Successful
- Account takeover. Criminals try to obtain valuable information about users such as personal data, shopping history, and financial details through phishing. Most often fraudsters send malicious e-mails with forms for users to fill out. If a user fills out the falsified form, he will send his account access data right to the criminal’s computer. The criminal then will be authorized to make purchases and change access details such as the password.
- Identity theft. The second most common way for criminals to get illegal access is identity theft. Even though businesses follow many precautions to prevent criminals from breaking into their databases if the criminals succeed they will steal customers’ data in the form of usernames, credit card details, and personal information.
The best thing you can do in this situation is to not let fraudsters use the data they stole. You can do this by implementing a fraud prevention service that would automatically identify fraudulent behavior patterns, linked to the time, place, and device name related to the login or transaction. By recognizing malicious behavior on an account, you will stop criminals even before they enter the transaction process.
The layers of a fraud prevention system at an enterprise have to include safe authentication, device analysis, navigation steps, and the possibility to integrate these data sources with a real-time fraud prevention solution.
A fraud prevention solution must:
- include risk-weighted control at different levels of user interaction with the channel gateway;
- be planned in a way that allows the additional integration of third-party solutions in order to enforce the monitoring of every step a user takes in a session; and
- be real-time scalable in order to handle the introduction of quicker payments corresponding to any integrated third-party software.
Types of E-commerce Fraud: 5 Methods Fraudsters Use to Steal Your Money
The number of methods that criminals may use to get to your accounts are countless and limited only by their imagination, although there are some tricks that are most commonly followed by the perpetrators of financial crimes.
Here, we highlight five types of fraud in E-commerce:
- True (classic fraud)
- Triangulation fraud
- Interception fraud
- Card validity testing fraud
- Chargeback fraud
True (classic) fraud: this is the simplest type of fraud and implies the stealing or purchasing of a victim’s credit card details on the Dark Web. When a criminal makes an unauthorized purchase, a customer can dispute the purchase. The bank then closes the current account and issues a new credit card number and sends a new credit card to the fraudster. This is usually a method for newbie fraudsters.
Triangulation fraud: this type of fraud is called triangulation because it involves a fraudster, a legitimate shopper, and an E-commerce business. A criminal sets up an online shop at Amazon or eBay that sells high-demand products at unusually low prices. After he receives the card details from the customers who ordered, he purchases goods from a legitimate shop to send them to the customers.
Interception fraud: in this type of fraud, criminals create an order where the billing and shipping address match the address associated with the card. Then they will try to intercept the package by using one of these methods:
- asking the customer service agent to change the address on the order before shipping it;
- asking the shipper to re-address the order to a place where they can intercept the stolen item;
- waiting for the delivery to arrive at the actual card holder’s address and asking to sign for the package in the name of the homeowner.
Card validity testing fraud: in this case, a criminal tests different card details to reveal if the credentials are valid and then uses them at another website to make unauthorized charges. If a website declines the card because of an invalid expiration date, they will know this is the number they have to permutate using bots.
Chargeback fraud: a customer will make order online, but then ask for a chargeback because their card was stolen. This usually happens after the product was delivered. This fraud is more typical for customers rather than for experienced fraudsters and is difficult to detect.
Learn about other types of fraud in this video:
E-commerce Fraud Prevention Best Practices
It is a no brainer that every payment provider wants to be trusted by each of their customers and gain their loyalty for a long-term ongoing relationship where both the customer and the provider are happy to collaborate.
As long as immediate payments on the Internet are not the most popular means of obtaining products and services, payment providers should carefully develop a leveled customer-oriented approach for real-time fraud prevention. Also, every E-commerce provider should consider the following fraud prevention best practices:
The Payment Card Industry Security Standard Council (or PCI in short) in partnership with global brands like Visa and MasterCard created rules to help businesses protect themselves on the Internet and keep customers’ data safe. You can read the full requirements on the PCI website. You will find a short summary of these rules in the next few paragraphs.
Daily monitoring of bank accounts and transactions.
A good piece of advice is to monitor your customers and look for suspicious things in their purchasing behavior. Plan to supervise your customers’ accounts and the transactions they make while being alert that something unusual may emerge in the form of incorrect billing or shipping details or the user’s geolocation. This type of monitoring can be achieved through special tools for tracking IP addresses.
Limits on daily spending.
Consider setting a limit for the maximum possible number of purchases and the total monetary value accepted from one account each day. This will at least protect you from more drastic losses if fraud occurs.
The Address Verification System (AVS).
With AVS, the numeric parts of the billing address saved in a credit card are compared to the address on file with the credit card issuer. This fraud prevention method is most commonly used in payment processing, so make sure your payment processor has AVS.
Card verification value is required (CVV).
Every credit card now has a three or four-digit security number marked on the flipside. Pci’s advice is to not store the CVV with all the other credit card information of a user (e.g., the card number and the owner’s name). Criminals are unable to get this code unless they physically have the card, so it really makes sense not to store it.
Passwords should be stronger.
Some hacking programs such as those working by the principle of “brute force” can be used to try all possible combinations of a password. Obviously, a simple four-digit password without any letters or special signs (called alpha-numeric) will be the easiest to break.
The best advice for passwords today is to use an alpha-numeric password with eight or more digits, including at least one capital letter and one special character (e.g., !, #, _). This may bother your customer a bit, but he will be safer in the future.
Update your platforms and software on time.
Your operating system should be of the latest version because of the fact that providers permanently update their software with new security patches to ensure that you are protected from newly discovered vulnerabilities and malware.
Enterprise-level anti-malware and anti-spyware programs should also be updated regularly to ensure protection from newly discovered cyber-attack methods.
All of these practices will help you reassure your customers of their security.
E-commerce Fraud Prevention Tools
The E-commerce industry does provide a great opportunity for a customer to order any goods at any time from any place, but simultaneously it carries a threat of online fraud. A number of E-commerce fraud prevention tools claim to protect you from Internet criminals, but it is all about trust when you choose such a tool. We have prepared a list of E-commerce fraud prevention solutions that offer service for a monthly payment:
Subuno is an umbrella for 20+ fraud detection and prevention tools. It allows you to see your customer’s address, ensure that the address matches the payment details, validate their e-mail address usage, among other functions.
Each order is reviewed on a separate page, and you are offered the use of a variety of color warnings and methods for comprehensive verification. Subuno claims to have an algorithm that analyzes 100+ threat factors to protect your business from fraudulent activity. They have a 30-day free trial and a $19 monthly plan.
Riskified fraud prevention software is the second candidate for saving your system from fraud. Riskified is one of the services that offers algorithms based on machine learning with real-time insights. It offers a chance to avoid delays in the work of fraud detection.
Among the factors analyzed by Riskified are IP, location, proxy detection, order linking, browser fingerprinting and friendly fraud tools, as well as analytical methods.
Instead of estimating the risks of a transaction being fraudulent, this E-commerce fraud detection service just accepts or denies each transaction. Their pricing plan depends on the number of transactions.
This fraud detection solution offers 40+ validation rules for the efficient control of E-commerce fraud while utilizing blacklist information contributed by numerous international enterprises.
They have no free trial but have a free plan that supports 500 queries a month and a number of variations for goods validation. The free plan allows you to access e-mail notifications, risk scoring, and a reporting tool.
A paid plan that is $30 a month will give you access to additional features such as social profile query, e-mail validity check, high-risk username, e-mail domain age, ISP usage, and password.
This service supports all E-commerce platforms while being quick and easy to install. It does not require API integration and can be set up within 15 minutes. The most recent innovations in device identification and validation by fingerprint are part of DupZapper.
Also, the solution claims to offer smart machine learning approaches to track geolocation consistency of data registration, recognize cookie blocking attempts, and identify if a proxy is being used.
Dupzapper has a function of revealing the same user under different accounts. Reports provide information about all sorts of unusual activity before a dangerous transaction happens.
This is one more service with a billing system based on the number of transactions. Kount has proven to be an efficient tool in a number of industries. To estimate the risk of fraud, there is an engine consisting of 200+ data variables that can be adapted according to your own preferences.
The service has a transaction system approval that is very fast — up to 300 milliseconds. The factors that are considered to identify fraud are device ID, location, order linking attributes, etc. Kount is built for the Magento platform.
E-commerce Fraud Solutions with Machine Learning
We know that conventional rule-based solutions work according to specific rules written by programmers, which does not allow them to be flexible and smart with new fraud patterns. At the same time, E-commerce fraud solutions built with Machine Learning improve themselves over time with the input of new information; in other words, they can “learn.”
There are two major classes of Machine Learning algorithms — supervised and unsupervised. Both can be used for fraud detection and prevention, but each has its pros and cons.
Machine Learning grounded detection solutions scan transactions and evaluate their threat score, such as between 0 and 1. The score is then compared to a pre-established threshold that will mark the transaction as fraudulent or not. Let’s take a closer look at the nature of some of these algorithms:
Supervised Decision Tree
After being fed data on fraudulent and normal transactions, a supervised Decision Tree will then make a classification (a prediction). The fraudulence score computation starts from the root node of the tree when it is split into child nodes; other nodes are also split into child nodes with binary or multi-fashion conditions. This is done depending on the value of the input variable.
When the tree is built, a new data input (a transaction) is classified by going through the root of the tree starting from the root node according to the feature values of the input.
Supervised Support Vector Machine (SVM)
A Support Vector Machine (SVM) works in another way — it separates transaction data samples into two classes on a plane graph in such an order that the formula needed for it shows the smallest error as compared to the ground truth dataset (real transactions labeled). The main idea behind an SVM is to draw a line between classes that will leave the biggest margins between fraudulent and non-fraudulent transactions to achieve a high level of detection.
Anomaly Detection Using Autoencoder
In the event that a customer has a very few examples of fraudulent transactions, it is better to use Autoencoder — where fraudulent samples are excluded on the step of model training, but are still used for testing. All anomaly detection techniques are aimed at denoting unusual or unexpected events in the data.
A neural autoencoder is a type of architecture that is trained on one class of events and used to notify us about unusual events. The process of training implies an equal number of input and output units that have a certain number of layers in between. The final decision on whether a transaction is fraudulent or not is based on the threshold value and the distance between the input and its reproduced output layer.
Outlier Detection: Isolation Forest
The other technique that tackles cases where there are very few or no fraudulent transactions in a dataset is Isolation Forest, which belongs to the outlier techniques class. The idea behind the Isolation Forest is that the outlier can be defined through making less random splits than a data point that belongs to the normal class; outliers happen much more rarely than normal samples and have values that are not typical for the average values of a data set.
The algorithm chooses a split value out of a randomly selected value range of a randomly selected feature. As a result of the selections, a tree is grown. The tree depth is measured with the number of required random splits (called mean length). When a forest consisting of such trees is grown, the mean length number is measured over all trees and becomes a measure of normality, or in the other words, the function we use to trace outliers.
Random splits have significantly shorter tree depth in cases with outliers than in cases with normal data samples. This helps us identify which data points are likely to be outliers.
Some Advice for Retailers to Stay Safe
Customer Support Should be Guided with E-commerce Fraud Prevention Tips
Your E-commerce customer service undoubtedly plays a critical role in ensuring that the troubles and inconveniences your customers face are taken care of, while it also can contribute to your fraud prevention strategy.
To prevent situations where your customer support team lets fraudsters get away with illegal purchases, you should organize the training process in order for them to learn to be careful and pay attention to signs of fraud. Also, think of adding more employees during peak sales periods. The faster your customer support treats customers’ requests, the more customers will be satisfied.
Customize your Legal Policies
Your E-commerce business needs customized fraud prevention legal policies, rather than simply using the policies of popular E-commerce stores. Consider wisely as to what practices you should and should not use.
Usually, criminals carefully consider the niche and location of an online store that they are going to compromise. So, it is necessary to adjust existing policies to your particular case. Be true to your policies and protect their necessity — even if some of your customers find it troublesome to follow some of the rules.
What Are the Services and Software Solutions that Can Help Solve Problems in E-commerce Transactions?
There are a number of services and software solutions such as Subuno or Riskified that claim to help solve the problem of E-commerce fraud, but not all of them rely on innovative methods such as AI-driven solutions. SPD-Group develops custom software that can be grounded on Machine Learning to achieve high accuracy in the detection of E-commerce fraud.
How Can We Minimize Losses from E-commerce Fraud with Modern Tools?
Modern tools are more efficient in minimizing fraud losses because they can learn new fraudulent patterns from transactions that happen over time; also, modern tools are quicker than old tools. Paired with E-commerce fraud detection best practices like PCI standards, AVS, CVV, and others, a potent fraud detection system for a business can be created.
Why Machine Learning? What’s the Difference Between Old School Methods Like Rule-based Detection for E-commerce Fraud Prevention?
The first and the main difference between classical methods and machine learning for E-commerce fraud prevention is that the latter is a learning system, meaning that it is programmed in order to learn to perform a task — while rule-based methods do not react to any new patterns.
What Types of Fraudulent Scenarios Can We Detect Using ML?
We can detect fraudulent E-commerce scenarios related to online purchases, transactions, and chargebacks. In general, we can detect which activity happens from a compromised user account or when a compromised credit card is being used.
What Are the Best Machine Learning Methods to Efficiently Detect Fraud?
Machine learning for E-commerce uses supervised and unsupervised anomaly detection methods that find fraudulent patterns in online transactions information or user behavior patterns.
Looking at the world’s rising trend for E-commerce businesses, the amount of online purchases and transactions is booming as well the rise of fraudulent activity. A business should carefully consider the opportunities offered by relevant companies in the field of fraud detection and prevention and choose the best option — such as machine learning based algorithms that can improve over time and find new fraudulent patterns. Also, common security policies and PCI standards should not be overlooked while making your business more secure and reliable for your customers
Originally posted here