By Rafael Lourenco, EVP and Partner, ClearSale
If you run an ecommerce store, there is a good chance that you’re using Shopify. With a 29% market share as of September 2021, Shopify is one of the most popular online storefront platforms, and with good reason.
The platform is flexible and has multiple features baked in that merchants – from new shop owners to experienced retailers – want and need. What isn’t available directly in the platform itself can be easily obtained through third-party developers, who are required by Shopify to code to specific standards.
Beyond the features, however, Shopify works hard to help merchants have a secure online storefront. The platform takes care of regular security updates and monitoring, as well as the aforementioned coding guidelines for developers. Shopify also maintains PCI Level 1 compliance for payment processing, meaning that they are validated as adhering to the highest level of standards for payment security.
Security features are part of the reason some Magento 1 shop owners migrated to Shopify when Adobe ceased support of their platform. The ecommerce platform simplifies as much security for store owners as it can.
However, many of the risks that online merchants face can’t be eliminated with security updates and industry standards. Payment fraud can be challenging to detect, even for Shopify’s built-in fraud detection service. The volume of payment fraud has increased over the last two years as more shoppers switched to making online purchases, and the increase in digital payments has shifted the odds in favor of the fraudsters.
Worse, fraud is only one of the concerns that online merchants need to be aware of. Sometimes, in trying to protect their businesses and customers, retailers make the problem worse for themselves. The number of customers they lose because of misaligned fraud protection measures is costing merchants more than fraud.
The good news is that protecting your Shopify store from these risks is possible. It’s important first to understand what the risks you face are, and then what you can do to mitigate those risks.
What is eCommerce Fraud – and Why is it Important?
So, what exactly is ecommerce fraud? It’s the execution of or attempts to execute a criminal activity in a digital commerce environment with the goal of financial or personal gain that results in losses for the merchant and potentially damage to unwitting consumers. Or, to put it more succinctly, it’s when someone (a fraudster) deceives an online merchant to steal goods or money.
In 2019, it was estimated that for every $1 a U.S. ecommerce retailer loses directly, it actually costs the merchant $3.60 in lost merchandise, time, and fees. In other words, if you were defrauded out of a $100 item, the actual cost of the fraudulent transaction would be closer to $360 when all is said and done.
eCommerce Fraud Shopify Merchants Must be Aware of
Clearly, fraud is something that Shopify merchants need to be vigilant about. It’s crucial that these merchants do everything they can to protect their bottom line from fraudulent strategies.
Prevention starts with understanding those strategies, however. Below you’ll find some if the most common fraud tactics used on ecommerce stores.
Card Not Present (CNP)
Card Not Present, or CNP, fraud is just as it sounds – it’s fraud that is accomplished on transactions where the physical card isn’t used. That means that, while ecommerce is the most prevalent use case, CNP fraud can occur in any transaction where the credit card isn’t used, including phone orders and mail orders.
Because modern cards have incorporated chip technology for verification, merchants generally aren’t liable. However, in the case of CNP fraud, the merchant may be forced to return the funds if the cardholder has a successful claim with their card company. This results in a chargeback.
Chargebacks are a catchall that is associated with several types of fraud, from CNP to friendly fraud, which we discuss below. Chargebacks can be incredibly expensive for merchants, who must prove that the charge was handled correctly as part of the dispute process. It can be costly and time-consuming to fight these chargebacks, but necessary. It’s predicted that CNP fraud and the associated chargebacks will cost businesses $34.66 billion in 2022.
Account Takeover (ATO)
Account takeover (ATO) fraud occurs when a bad actor takes over a legitimate customer account. Once compromised, a customer account can be used to make purchases with saved credit cards or use loyalty points or account credits to make purchases. Fraudsters can also access account holder information and sell that data on the dark web for use by other criminals.
During an ATO attack, criminals can change the password, phone number, or email address associated with the account to cover their tracks. This will be a growing problem, too. Digital native Gen Zers are both overconfident in their ability to protect their information and underprepared to do so. In a survey conducted by F5, 60% of Gen Z respondents indicated that they had not received any education about online safety.
Interception Fraud
Interception fraud is a type of CNP fraud. In this case, fraudsters use a compromised credit card to make a purchase, but they leave the personal information associated with the card the same as what is on record. This prevents the transaction from being flagged in some fraud prevention software.
However, once the item has been purchased, the bad actor gets to work. Some fraudsters use the card of someone local to them and simply intercept the package before or at the card holder’s front door. Others contact the shipping carrier and request that the package be re-routed. And still others contact the merchant directly to “correct” the shipping address after the purchase has gone through.
Refund Fraud
Related to interception fraud, refund fraud is when a criminal makes a purchase on a compromised credit card and then contacts the retailer and requests that a refund be applied to a different card. Frequently the merchant is informed that the previous card has been closed or lost and can’t be refunded to any longer.
Friendly Fraud
What could be friendly about fraud? Nothing, of course, but it’s the name that has been given to fraud perpetrated by actual customers, and it’s a trend that has been growing since the beginning of the pandemic.
Friendly fraud occurs when a customer orders an item and then requests a chargeback, claiming that the item never arrived, arrived damaged, or wasn’t what was described. The buyer keeps the item, and the merchant loses both the merchandise and the costly chargeback fees.
Friendly fraud can cause a sticky situation for merchants, too, who don’t want to risk offending a good customer who may then turn to social media with their complaints. However, heavy-handed tactics to deter friendly fraud can result in damaged customer loyalty.
The Other eCommerce Risk: False Declines
The solution may appear to be to amplify the fraud protection that you use, dialing in the settings until any suspicious activity is automatically declined. Dollar for dollar, however, false declines are even more detrimental to a retailer than fraud. It’s estimated that U.S. merchants lose nearly $118 billion annually to falsely declined transactions.
The news is even worse than that. As ClearSale discovered in our 2021 Global Ecommerce Consumer Behavior report, 41% of consumers reported that if their credit card was falsely declined with a merchant they would never shop at that retailer again. Equally concerning, 35% of respondents indicated that a false decline would send them to social media to express their frustration with the merchant.
How to Protect Your Shopify Store and Customers
As mentioned, Shopify handles much of your site security for you, from software patching and updates to PCI compliance. Shopify also follows fraud protection best practices by offering both an Address Verification System (AVS) and requiring the 3 or 4 digit Card Verification Value (CVV) from the card being used in Shopify Payments. But there are still a few things that you can do to add additional layers of protection to your purchases.
Minimize Personal Information Collected
Ideally, you should only be collecting as much information as is absolutely necessary to process and ship the order. Collecting additional information can make you an attractive target to hackers looking for personal information to collect and sell on the dark web. Another way to prevent customer personal informational leaks is to recommend using VPN services for additional protection. Also, limiting the amount of personal information that must be collected before a purchase can be completed improves the customer experience.
Use Tracking
Chargebacks can be disputed, especially in the case of friendly fraud, if the merchant has documentation to prove out the transaction and show that it was received. Whenever possible, you should use shipping services that allow for packages to be tracked and show when and where they were delivered.
For especially valuable merchandise, it’s important that you also require a signature for receipt of the item. This creates nearly indisputable proof that the customer has received their merchandise.
Add in a Third-Party Fraud Prevention Solution
Shopify already includes some fraud protection as part of the platform. However, your fraud protection can do much more than what the included software offers.
Fraud solutions specifically designed ecommerce are kept up to date to adapt to the newest fraud tactics, and some use advanced AI to continuously learn from both good and bad transactions made with a merchant.
That can go a long way to preventing fraud, but there will always be some transactions that land in the gray area between clearly fraudulent and clearly legitimate. In those cases, it’s advantageous for a merchant to use a fraud service that combines AI with human fraud analysts that can manually review each transaction that would otherwise be declined. Combined, a sophisticated fraud prevention platform and human expertise can all but eliminate fraud and costly false declines.
Protecting Your Store is in Your Hands
Shopify retailers have a powerful platform at their fingertips that increases their revenue potential while limiting the back office work needed to set up and manage a secure ecommerce storefront. By understanding and protecting against the various types of common online payment fraud through best practices and best in breed, integrated solutions, Shopify merchants can ensure that their bottom line is as healthy as possible.
###
Rafael Lourenco is Executive Vice President and Partner at ClearSale, a global card-not-present fraud protection operation that helps retailers increase sales and eliminate chargebacks before they happen. The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives. Follow on LinkedIn, Facebook, Instagram Twitter @ClearSaleUS, or visit https://www.clear.sale.
