The Anatomy of Ecommerce Fraud

Fraud in e-commerce has been around since the start of online shopping. It started with stolen credit card information and unauthorized transactions. But, as security measures improved, fraudsters adapted and developed more sophisticated methods. Today, everything from account takeover (ATO) and fake accounts to affiliate and loyalty abuse is a common and rising threat to e-commerce businesses.

Fraud now spans many stages of the customer journey. These include account creation, login, transaction, and post-transaction activities.

Each phase presents unique vulnerabilities that fraudsters exploit.

How can merchants spot and stop these many types of e-commerce fraud?

In this article, you will learn:

  • The most common attack methods used by e-commerce fraudsters.
  • Warning signs that fraud is occurring on your e-commerce site.
  • Effective strategies for detecting and preventing e-commerce fraud.

Let's dive into the complexities of e-commerce fraud.

Understanding your Ecommerce Fraud Risk

Now, you’re probably thinking, “Why is it so important to differentiate between types of fraud?” 

Here’s the thing: Each type of fraud requires a tailored approach to detection and prevention. A one-size-fits-nobody strategy is ineffective.

Consider the different stages of the customer journey:

  • Account opening: When a user first creates an account
  • Login: Every time a user tries to access an account
  • Payment: Everything between checkout, authorization, and settlement
  • Post-transaction: After transaction, but within chargeback and return window

The attack patterns, the data we use for detection, and the challenges all vary from stage to stage. Understanding these details helps us use targeted defenses, so this knowledge is crucial.

Let’s break down common risks and the warning signs associated with each event in the customer journey.

Account opening

Fake or duplicate accounts

Fraudsters use a mix of stolen and fake identities to create fake accounts. This can range from simple burner emails and phone numbers to more complex methods using official tax IDs and legal documents. But for traditional e-commerce, fake accounts are usually tied to promo/referral abuse, evading blocklists or restrictions, manipulating reviews, using stolen cards, or running scams.

Warning Signs:

  • Multiple accounts created from the same IP address.
  • Unusual or incomplete information in account registration details.
  • High volume of new accounts in a short period.

Logins

Account takeover (ATO)

Fraudsters gain unauthorized access to a customer's account through phishing, credential stuffing, or social engineering. Once they have control, they can make unauthorized purchases, change account details, or withdraw funds.

ATOs are a significant concern for any merchant offering wallets for cash, rewards, or loyalty points. Fraudsters will often sell these compromised accounts, cash out points, or use rewards to purchase a product they'll later resell or return.

Warning Signs:

  • Sudden changes in account information (e.g., email address, password).
  • Logins from unfamiliar devices or locations.
  • Unusual purchasing behavior from an established account.

Credential stuffing

Credential stuffing is the reuse of stolen credentials to gain access to user accounts, typically with some type of bot or automation script that tests credentials quickly and at scale. With the increasing frequency of data breaches and big data leaks in the news lately, pressure from credential stuffing is expected to grow.

These recent data breaches allow bad actors to easily test and access numerous accounts. We’ve built a free service in Sonar to check for this risk. The new red flag service will check if an account’s credentials exist on the dark web and return a “true” if they’re found. 

Combined with the warning signs below, we hope this helps manage the risk of compromise.

Warning Signs:

  • Multiple failed login attempts in a short timeframe.
  • Logins from various locations for a single account.
  • High rate of account lockouts due to failed login attempts.

Account Sharing

Real users share their accounts for many reasons, often to take advantage of promotions or to game the system. Account sharing can signal buyer-seller collusion, promo exploitation, or gaming reviews. Or maybe someone just really wants to watch that Netflix show without buying a membership.

Warning Signs:

  • Multiple devices and IP addresses accessing the same account simultaneously.
  • Frequent changes to account settings.
  • Unusual activity patterns not consistent with typical user behavior.

Payments

Transaction fraud

Fraudsters use stolen credit card information to make unauthorized purchases. This type of fraud is also known as credit card fraud or card-not-present (CNP) fraud. Transaction fraud can also include fraudulent chargebacks and falsely claiming that items were never received.

Warning Signs:

  • High-value transactions from new or recently created accounts.
  • Multiple purchases in quick succession using different credit cards.
  • Orders placed with mismatched billing and shipping addresses.

Card testing

Fraudsters use small transactions to check if stolen card details are valid. They do this before making larger purchases. Again, fraudsters will use bots to test these stolen card details, often targeting merchants with low-cost SKUs. Catching these attempts early can prevent further fraud across different merchants.

Warning Signs:

  • Numerous low-value transactions from the same IP address.
  • Multiple declined transactions followed by a successful one.
  • Unusual spike in small transactions.
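The first two warning signs above can be checked with a per-IP sliding window over the transaction log. The following is an added example, not code from Sardine; the field names, thresholds and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own traffic.
LOW_VALUE = 5.00                   # ceiling for a "small" transaction
WINDOW = timedelta(minutes=10)     # sliding window per source IP
MAX_LOW_VALUE_IN_WINDOW = 5        # more small attempts than this is a burst
MIN_DECLINES_BEFORE_APPROVAL = 3   # declines directly preceding an approval


def detect_card_testing(transactions):
    """Return a sorted list of (ip, signal) pairs found in the transactions."""
    window_by_ip = defaultdict(deque)  # ip -> (timestamp, status) of small attempts
    alerts = set()
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        if tx["amount"] > LOW_VALUE:
            continue  # card testing targets low-cost SKUs; skip larger orders
        window = window_by_ip[tx["ip"]]
        window.append((tx["ts"], tx["status"]))
        while tx["ts"] - window[0][0] > WINDOW:
            window.popleft()  # expire attempts older than the window

        # Signal 1: numerous low-value transactions from the same IP address.
        if len(window) > MAX_LOW_VALUE_IN_WINDOW:
            alerts.add((tx["ip"], "low_value_burst"))

        # Signal 2: multiple declined transactions followed by a successful one.
        if tx["status"] == "approved":
            declines = 0
            for _, status in reversed(list(window)[:-1]):
                if status != "declined":
                    break
                declines += 1
            if declines >= MIN_DECLINES_BEFORE_APPROVAL:
                alerts.add((tx["ip"], "declines_then_approval"))
    return sorted(alerts)


def make_tx(minute, second, ip, amount, status):
    return {"ts": datetime(2024, 6, 1, 12, minute, second), "ip": ip,
            "amount": amount, "status": status}


# Constructed sample data: documentation-range IPs and made-up amounts.
SAMPLE = (
    [make_tx(0, s, "203.0.113.7", 1.00, "declined") for s in range(0, 50, 10)]
    + [make_tx(1, 0, "203.0.113.7", 1.00, "approved"),
       make_tx(2, 0, "198.51.100.4", 3.50, "approved"),
       make_tx(30, 0, "198.51.100.4", 2.00, "approved"),
       make_tx(5, 0, "192.0.2.9", 250.00, "approved")]
)

if __name__ == "__main__":
    for ip, signal in detect_card_testing(SAMPLE):
        print(ip, signal)
```

Only the first IP is flagged: the second makes two small purchases half an hour apart, and the third places a single large order that this check ignores.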

Promo, affiliate, and loyalty abuse

Fraudsters exploit promotions, affiliates, and loyalty schemes. They do this to gain money illegitimately. We see individuals referring themselves or connected accounts, using mobile device farms, or creating fake accounts to exploit promotions, discounts, and payouts.

Warning Signs:

  • Multiple accounts redeeming the same promotional code.
  • Sudden increase in loyalty points redemption.
  • Abnormal patterns in affiliate sign-ups and conversions.

Post-transaction

Refund Fraud

Customers exploit refund and return policies. They use them to get refunds for items they have used, damaged, or never purchased. Refund fraud has surged in 2024, with fraudsters exploiting the dispute process and return policies. The Merchant Risk Council has even advised merchants to add refund fraud KPIs like Refund Rate, Repeat Refund Requests, and Refund Amount as a Percentage of Sales into their fraud monitoring.

Warning Signs:

  • High return rate for expensive items.
  • Returns of items that appear worn or previously used.
  • Frequent return requests from the same customer.

Chargeback Abuse

Real customers make a purchase. Then, they exploit the chargeback process to claim fraudulent refunds. Similar to refund fraud, chargeback abuse involves disputing legitimate transactions to get a refund while keeping the goods or services.

Warning Signs:

  • High volume of chargebacks from the same customer.
  • Disputes raised soon after delivery confirmation.
  • Disputing multiple transactions over a short period.
  • Disputes on high-value items without contacting customer support first.

Buy-Online-Pick-Up-In-Store (BOPIS) Fraud

Fraudsters exploit the ease of BOPIS to make fraudulent purchases. They grab items quickly before detection. BOPIS fraud is common because items can often be picked up without showing ID or simply by showing a screenshot of the order. This makes it easy for fraudsters to commit triangulation fraud and intercept orders.

Warning Signs:

  • Multiple pickup locations for a single payment method or account.
  • High-value orders placed shortly before store closing times.
  • Frequent use of different credit cards for BOPIS transactions.

Understanding these fraud types across the user journey helps businesses assess their e-commerce fraud risk and build targeted strategies to protect against these threats.

The Levels of Detecting E-commerce Fraud

Merchants can catch fraud before it causes significant financial damage by spotting warning signs and implementing monitors.

Here are the three levels of detection:

Basic detection techniques

Unusual login activity

  • Unexpected locations: login attempts from an unfamiliar or unexpected geographic location can indicate unauthorized access.
  • Odd hours: login attempts during unusual hours, for example late at night, may signal fraud.
  • Repeated failed logins: these could suggest a bot trying to gain access through credential stuffing.

Example: A customer's account shows login attempts from different countries within a short period. This activity is flagged, and the account is temporarily locked for verification.
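The login checks described here and in the credential stuffing warning signs earlier can be run over an authentication log as follows. This is an added example, not code from Sardine; the event fields, thresholds and sample events are assumptions, and the distinct-account condition is an added refinement that separates a bot cycling through credentials from one user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own traffic.
WINDOW = timedelta(minutes=15)
MAX_FAILURES_PER_IP = 5    # failed logins tolerated from one IP inside WINDOW
MIN_ACCOUNTS_PER_IP = 3    # a bot cycles through accounts; a typo hits one
MAX_COUNTRIES = 1          # countries tolerated per account inside WINDOW


def within_window(history, event):
    """Return the entries still inside the window ending at event, plus event."""
    return [e for e in history if event["ts"] - e["ts"] <= WINDOW] + [event]


def detect_login_anomalies(events):
    """Return a sorted list of (subject, signal) pairs for the login events."""
    failures_by_ip = defaultdict(list)
    attempts_by_account = defaultdict(list)
    alerts = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Signal 1: repeated failed logins in a short timeframe from one source.
        if not ev["success"]:
            recent = within_window(failures_by_ip[ev["ip"]], ev)
            failures_by_ip[ev["ip"]] = recent
            accounts = {e["account"] for e in recent}
            if (len(recent) > MAX_FAILURES_PER_IP
                    and len(accounts) >= MIN_ACCOUNTS_PER_IP):
                alerts.add((ev["ip"], "credential_stuffing_suspected"))

        # Signal 2: one account seen from several countries in a short period.
        recent = within_window(attempts_by_account[ev["account"]], ev)
        attempts_by_account[ev["account"]] = recent
        if len({e["country"] for e in recent}) > MAX_COUNTRIES:
            alerts.add((ev["account"], "multiple_countries"))
    return sorted(alerts)


def make_event(minute, account, ip, country, success):
    return {"ts": datetime(2024, 6, 1, 9, minute), "account": account,
            "ip": ip, "country": country, "success": success}


# Constructed sample events: documentation-range IPs and made-up accounts.
SAMPLE = (
    [make_event(i, f"user{i}", "203.0.113.50", "NL", False) for i in range(6)]
    + [make_event(1, "alice", "198.51.100.20", "US", True),
       make_event(6, "alice", "192.0.2.77", "BR", True),
       make_event(2, "bob", "198.51.100.30", "US", False),
       make_event(3, "bob", "198.51.100.30", "US", True)]
)

if __name__ == "__main__":
    for subject, signal in detect_login_anomalies(SAMPLE):
        print(subject, signal)
```

The account that fails once and then logs in from the same IP raises nothing, which keeps ordinary password typos out of the review queue.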

Unauthorized account changes

  • Sudden email or password changes that the customer did not initiate can be a red flag.
  • Disabled security features, such as two-factor authentication being turned off, may indicate an attempt to weaken account protection.

Example: An account suddenly has its email address changed and two-factor authentication disabled. These actions prompt an immediate review.

Anomalous purchase patterns

  • A sudden spike in expensive purchases, especially if they deviate from the customer's usual buying patterns.
  • Someone placing multiple orders in quick succession may be testing cards, or may be a fraudster using stolen card information.

Example: A customer who typically makes small purchases suddenly places several high-value orders within an hour. This triggers a manual review to verify legitimacy.

Shipping and billing address discrepancies

  • Differences between billing and shipping addresses, especially for high-value items.
  • PO box addresses often hide delivery locations. This can reduce traceability.

Example: An order is placed with a billing address in one state, a shipping address in another, and an IP address in yet another.

Intermediate detection techniques

Rapid checkout and unusual behavior

  • Customers rapidly moving through the checkout process, without spending time on product pages, may be attempting to avoid detection.
  • Customers who repeatedly paste information, like credit card numbers, during checkout may be using automated scripts.

Example: A customer quickly navigates the site and checks out within minutes, pasting the credit card information.

Suspicious device attributes

  • Recognizing patterns in device usage, such as multiple accounts using the same device.
  • Identify the true location and true IP of a device, not just the apparent IP address (as it may be behind a VPN or proxy), making it easier to flag suspicious activity.

Example: Device fingerprinting reveals that multiple accounts are being accessed from the same device behind a proxy or VPN, suggesting potential multi-account fraud.
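Linking accounts by shared device, as in the example above, also exposes the self-referrals and connected accounts described under promo, affiliate, and loyalty abuse. The following is an added example, not code from Sardine: it clusters accounts with a union-find structure so that links are followed transitively, and the field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

LINK_ATTRIBUTES = ("device_id", "card_hash")  # assumed field names


def link_accounts(signups):
    """Cluster accounts connected, directly or transitively, by shared attributes."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for s in signups:
        for attr in LINK_ATTRIBUTES:
            if s.get(attr):
                # Join the account node with the attribute-value node.
                parent[find(("account", s["account"]))] = find((attr, s[attr]))

    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "account":
            clusters[find(node)].add(node[1])
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


def self_referrals(signups, referrals):
    """Return the (referrer, referee) pairs where both sit in one cluster."""
    cluster_of = {acct: i for i, cluster in enumerate(link_accounts(signups))
                  for acct in cluster}
    return [(a, b) for a, b in referrals
            if a in cluster_of and cluster_of[a] == cluster_of.get(b)]


# Constructed sample data: every account signs up from a different IP, as it
# would behind a proxy or VPN, so grouping by IP alone finds nothing.
SIGNUPS = [
    {"account": "a1", "ip": "203.0.113.1", "device_id": "dev-1", "card_hash": "c-1"},
    {"account": "a2", "ip": "198.51.100.2", "device_id": "dev-1", "card_hash": "c-2"},
    {"account": "a3", "ip": "192.0.2.3", "device_id": "dev-2", "card_hash": "c-2"},
    {"account": "a4", "ip": "203.0.113.4", "device_id": "dev-3", "card_hash": "c-3"},
]
REFERRALS = [("a1", "a3"), ("a4", "a1")]  # (referrer, referee), constructed

if __name__ == "__main__":
    print(link_accounts(SIGNUPS))
    print(self_referrals(SIGNUPS, REFERRALS))
```

Accounts a1 and a3 share no attribute directly, yet a2 connects them through a device on one side and a card on the other, so the a1 to a3 referral is reported.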

Risky behavior patterns

  • Analyze typing patterns, mouse movements, and touchscreen interactions to spot fast navigation.
  • Identify many failed logins and inconsistent interactions, which can indicate fraudulent activity.

Example: A customer’s interaction speed and rhythm differ significantly from their usual behavior, triggering an alert for potential fraud.

Expert detection techniques

Pre-auth transaction monitoring

  • Monitor transaction volumes, amounts, and frequencies to detect anomalies.
  • Analyze payment methods and flag transactions using newly added or unusual payment methods.

Example: A rule-based system combined with an ML model using multiple sources of data flags transactions involving large amounts shipped to new addresses, prompting further verification.

This is just a start to building a comprehensive fraud strategy

There's a common belief that crafting an effective fraud strategy is only for those with extensive resources and vast experience. 

Many believe it's daunting. They think it's only for large companies with fraud departments. This thinking can paralyze small businesses and individual fraud experts, causing them to shy away from building a comprehensive fraud prevention strategy.

But this mindset is flawed.

Many people mistakenly believe that effective fraud prevention is only accessible to large corporations with substantial budgets. They think that without a massive investment in technology and personnel, their efforts will be useless.

With modern technology, AI, and human intelligence, you can develop strategies that are clear and effective.

How Sardine thinks about building a comprehensive e-commerce fraud strategy

At Sardine, we specialize in fraud prevention. We provide solutions designed by operators for operators. We understand the unique challenges and pressures that developing a comprehensive fraud strategy places on your business and your fraud team.

Here’s how we think about an e-commerce fraud strategy.

1. The entire customer journey matters

A user may look low risk at onboarding but suddenly use a VPN, proxy, or emulator at checkout and appear to be on an entirely new IP address. This could indicate an account takeover or simply a change in behavior. Running a check once isn’t enough. User risk will change over time, so your data and monitoring need to adapt to that.

2. Advanced bot detection can save you from huge downstream issues

Historically, bot detection was left to the infosec team while the fraud team looked at payments; in the middle is a chasm of opportunity for conversion optimization and fraud detection. Advanced bots can steal item descriptions and images to create counterfeit pages, which in turn spikes chargebacks. Or they might rapidly create new accounts (new account fraud, or NAF).

Read our blog on advanced bot detection.

3. Pre-auth is a key moment in time

Everything that happens before a transaction is a critical signal. If a user is copying and pasting their credentials, that could be a key sign of a credential-stuffing attack. Focussing on everything happening here (like bot detection, user device, and behavior) can deliver substantial ROI.

Read our blog on pre-auth fraud prevention.

4. Passive detection is how to balance conversion with detection

Payments leaders are often wary of adding step-up verification or any new friction at checkout because they know it harms conversion. Looking for other risk signals coming from the user, their device, their behavior, or checking email and telephone history before the transaction can give much of the benefit without the additional friction.

5. All fraud problems are data science problems

Good fraud detection requires as much high-quality data about a user and their context as possible. If you can match a user's card to the name they’ve entered, that can help screen out stolen cards quickly without additional friction. Sardine has this capability, and it’s one we’ve pushed our partners to be able to deliver because we focus on where the data science brings real value to e-commerce companies.

Read our blog about Sardine's data engineering-led risk platform.

6. Fraud rules should be easy to create, test, and change

Your fraud risk and tolerance are unique to you and your business and change over time. You need the ability to quickly create, edit, and change rules without that being a support request to your vendor or an IT project.

Read our blog about the Sardine rules engine.

7. Tools should be complete, yet adaptable

The solution to one-size-fits-nobody is to be adaptable and configurable. Sardine’s rule dashboard is designed to make it simple to bring your own machine learning model, or use the platform as a feature store for your model. As much as possible, the dashboard should be easy to use and the APIs clean, so that they are something your fraud analysts want to use.

The Sardine suite of tools, including APIs, dashboards, rules, and machine learning models, analyzes a wide range of pre-authentication signals. We process billions of data points with behavior-based ML models. This lets us accurately discern user intent and tell real users from fraudsters.

Key Takeaways

Understanding e-commerce fraud is crucial. Senior fraud professionals must use effective strategies to protect their platforms and improve their outcomes.

  1. Understand your fraud risk: Assess and understand the specific fraud risks your organization faces. Awareness of these risks is the first step in developing a comprehensive fraud strategy.
  2. Recognize unique warning signs: Become proficient in identifying the unique warning signs of different types of e-commerce fraud. This enables timely detection and effective prevention, helping to mitigate potential threats before they cause significant damage.
  3. Build a comprehensive fraud strategy: Develop and implement a thorough fraud prevention strategy that leverages modern technology, AI, and your human intelligence.

If you need help with fraud prevention and want to learn more about Sardine, schedule a session with one of our experts.

About the author
Eduardo Lopez
Head of Marketing