2021 eCommerce Fraud Trends
2020 saw tremendous growth in the number of online stores and customers. eCommerce has been crucial in sustaining economic viability for most businesses during the Covid-19 pandemic. Merchants who were contemplating going online “eventually” and those who may not have thought of eCommerce as being part of their business plan (think grocery stores) at all accelerated into online businesses faster than ever before. Some stores closed up their brick and mortars for good and moved online. With most consumers now comfortable ordering anything from groceries to home office equipment (and even cars) from home, e-commerce merchants have to become more savvy in protecting their websites and customer information this year as well. This boom brought in a new, more sophisticated generation of fraudsters and revitalized the experienced ones who still use their old tricks… but have added new ones as well.
Fakes Hiding Among Your Real Customers (ATOs)
Not only are new customers shopping online, but those who were busy with everyday life pre-pandemic, and may not have been to an online store where they have an account in quite some time, are returning as well. Toilet paper, board games, and puzzles flew off the virtual shelves of Amazon and Walmart.com, so online customers had to go elsewhere online to get necessities and items to keep their families at home and entertained. Life slowed down and online shopping skyrocketed. However, since the last account login, some customers moved. Others may have forgotten their account email or password. Over the past year, more customer information has been coming through e-commerce websites and updating data files with new information than ever before. And fraudsters are hiding among the masses, blending in, and making a business out of stealing customer data. It is important for merchants to use reliable security software: detecting buyer behavior (tracking cursor pathways and jumping from one tab or field to another in a checkout, for example), matching credit card information (are the billing and shipping addresses the same? Are they even in the same state or country?), and two-factor authentication all help diminish successful fraud attempts with this influx of new data. However, ATOs (account takeover attacks) have become more sophisticated and easier for fraudsters to make a profit on.
In years past, once a fraudster received online goods through illegitimate means, they would simply sell them. Some would intercept the package at their credit card victim’s address; others would commit “interception fraud”. For example, the fraudster would ship the order to the credit card owner’s address and then call or email customer service to have the ship-to address changed to their desired location. Either way, the real customer reports the illegitimate charge to their bank, if they catch it on their monthly statement. As a result, the merchant ends up with a chargeback, the fees associated with the chargeback, a loss of revenue, and possibly a reserve attached to their merchant account. In today’s world, with the changes in technology and ease of transferring information online, fraudsters have updated their scheme: they breach a customer account, test the account by purchasing a popular or low-dollar item, and then cancel the order before it is fulfilled (so as to avoid raising red flags with the customer or the merchant). Then, on the dark web, they sell the customer’s account. Fraudsters no longer have to take in physical inventory of stolen goods, repackage them, and send them out. Customer accounts with a refund can be resold for up to 10 times more than a loyal customer account.
Due to the challenges and financial strain of being in a pandemic over the past year, many merchants have loosened their refund policies to gain customer loyalty and confidence in their purchase. ATOs will continue as merchants ease up on their refund policies and as sales increase again with people returning to work and/or spending their stimulus checks. This means that merchants need to continuously improve their fraud detection, or implement it immediately if they don’t have sufficient spoofing protection or fraud security software that detects bad actor behavior such as multiple failed password attempts or bad credit card expiration dates, billing address information, or CVV entries.
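The signals described in this section (a burst of failed passwords before a login, a billing/shipping mismatch, and a low-dollar order cancelled before fulfillment) can be checked against a store's event log. The following is an added example, not code from the original article or from any fraud product; the event names, field names, thresholds, and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type, details); not real data.
SAMPLE_EVENTS = [
    ("2021-03-01T02:10:00", "acct-17", "login_failed", {}),
    ("2021-03-01T02:10:05", "acct-17", "login_failed", {}),
    ("2021-03-01T02:10:09", "acct-17", "login_failed", {}),
    ("2021-03-01T02:10:14", "acct-17", "login_ok", {}),
    ("2021-03-01T02:12:00", "acct-17", "order_placed",
     {"order": "o-1", "amount": 4.99, "bill_country": "US", "ship_country": "US"}),
    ("2021-03-01T02:20:00", "acct-17", "order_cancelled", {"order": "o-1"}),
    ("2021-03-01T09:00:30", "acct-42", "login_ok", {}),
    ("2021-03-01T09:05:00", "acct-42", "order_placed",
     {"order": "o-2", "amount": 89.00, "bill_country": "US", "ship_country": "US"}),
    ("2021-03-02T15:00:00", "acct-42", "order_fulfilled", {"order": "o-2"}),
]

def flag_accounts(events, max_failed=3, low_value=15.00, cancel_window=timedelta(hours=24)):
    """Return {account: [signals]} for accounts showing the behaviours described above."""
    failed = defaultdict(int)      # failed logins since the last successful one
    orders = {}                    # order id -> placement time, amount, fulfilled flag
    signals = defaultdict(list)
    for ts, acct, kind, d in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "login_failed":
            failed[acct] += 1
        elif kind == "login_ok":
            if failed[acct] >= max_failed:
                signals[acct].append("failed-password burst before login")
            failed[acct] = 0
        elif kind == "order_placed":
            orders[d["order"]] = {"at": when, "amount": d["amount"], "fulfilled": False}
            if d["bill_country"] != d["ship_country"]:
                signals[acct].append("billing/shipping country mismatch")
        elif kind == "order_fulfilled" and d["order"] in orders:
            orders[d["order"]]["fulfilled"] = True
        elif kind == "order_cancelled" and d["order"] in orders:
            o = orders[d["order"]]
            if (not o["fulfilled"] and o["amount"] <= low_value
                    and when - o["at"] <= cancel_window):
                signals[acct].append("low-value order cancelled before fulfillment")
    return dict(signals)

def needs_review(events):
    """Accounts with two or more signals go to manual review (threshold is an assumption)."""
    return sorted(a for a, s in flag_accounts(events).items() if len(s) >= 2)
```

A single signal is common among legitimate returning customers who forgot a password, so the example only queues an account for review when signals combine.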
Real Customers Who Game The System
Jobs were lost and unemployment claims skyrocketed in 2020 due to the pandemic. People who were normally good people became desperate and abused refund and return policies. Money-back guarantees became welcome mats for consumers to use all (or almost all) of a product and claim it wasn’t satisfactory, and merchants ate the cost to keep the customer happy. Others claimed they did not receive the product even though they did (this is why Amazon takes photos of their deliveries on doorsteps) and requested a refund, and then proceeded to sell the product online or use it themselves for free (called an INR, or item not received, claim). Most of the time, it may be a one-and-done event, but there are people who will take advantage of the policies over and over again, and may need to be blocked from purchasing from the website. Although this may feel empowering to the merchant, the customer will simply use the guest checkout option instead. Cross-merchant linking, where similar companies share online criminal information, and/or putting the customer through a series of questions before honoring a refund may curb your not-so-honest customer from moving forward with their claim. If they sense they are being tracked, they may be hesitant about trying it again or at all.
For Your End User – Old School Phishing
Baby boomers are not only buying groceries online, but the first quarter of 2021 shows that those over 65 are the fastest growing segment of e-commerce shoppers. In past years, they have been the target of offshore identity and financial fraud from thieves who call them over their landline claiming to be their internet or cable provider, the IRS, or even their own grandchild asking for a loan. Now, as new e-commerce consumers, baby boomers’ lack of experience with phishing sites makes them easy targets. A phishing site is one that looks like the real site of a trusted company (such as eBay, PayPal, and other well-branded online companies) but is meant to trick you into giving up your login or credit card information. Usually links to these spoofed sites come through an email. The easiest way of preventing someone from becoming a victim of a phishing site is to manually enter the store’s legitimate website address in the browser’s address bar, and not the one provided to you via email or online ad, while using a browser with an anti-phishing detection plugin.
And Speaking of Plugins…
As an e-commerce business owner, it is important to keep your website’s platform version, theme, and plugins up to date. Hackers look for data that is an easy target. Open-source attacks are one of the easiest – open-source tools are free and are relatively easy to use for even the newest online business owner. Popular ones include WordPress, Magento, and Shopify. This is why we recommend, for example, that WordPress site owners, whether they are using WooCommerce, ECWID, BigCommerce, or any other plugin that accepts any kind of payment, update their website’s theme and platform version when available and all 3rd party integrations at least once a quarter. In September 2020, WordPress websites that were still running an older version of File Manager, a widely used plugin, allowed attackers to upload malicious files to millions of websites.
Four action items to safeguard your e-commerce business are:
- Use a reliable, secure e-commerce hosting provider. Don’t go with a new company. We also recommend they have timely and responsive 24/7 customer support.
- Use fraud prevention and security software: 2FA (two-factor authentication) at the account login, policy abuse protection, and order fraud prevention (manual review of denied orders is a plus), from a company that also has a strict in-house data security policy.
- Have an SSL certificate for your website (this is recommended for any website, not just e-commerce). SSL certificates encrypt the data in transit and assist in securing data from being hacked. SEO Fact: Websites with SSL certificates rank higher on Google’s SERP.
- Use an established payment services gateway company with security features and tokenization. A payment gateway is the “gateway” between the customer’s payment data entered into the checkout fields and the merchant account. The gateway passes the authorization request to the credit card company/merchant bank and back to the merchant for order fulfillment. High quality gateways, such as eMerchant’s, provide a layer of protection by encrypting the credit card information between the customer and the merchant. They will also assist you in making your website PCI compliant.
The growth in online sales will be matched by growth in fraud. It is the nature of the business. Whether it is through your customers’ email or their account with your online store, the e-commerce cart tools and plugins, or the loosening of the lasso around company policies to keep customers happy, fraudsters will continue their old ways and find new ways to steal from your online business. Do not underestimate these criminals – they are becoming more sophisticated and will continue to do so.
Whether you are running your e-commerce business on Shopify (Plus for Enterprise), WooCommerce, Magento, Miva, CommerceV3, MicroD, BigCommerce or other major carts, eMerchant can provide a totally safe and secure solution for your payment processing needs. Contact us today.