E-commerce fraud is a big problem. It’s estimated that it costs businesses billions of dollars every year and can take months to recover from. For this reason, understanding how e-commerce fraud works is essential if you want your business to survive in the online world. Fortunately, it isn’t all bad news – there are plenty of ways you can protect your business and make sure that the money coming in exceeds the money going out.
What is E-commerce fraud?
E-commerce fraud is when criminals try to steal a business’s money for themselves. It usually comes in three different forms: phishing, identity theft, and credit card theft.
E-commerce fraud can have a massive impact on a business. Not only can it put a business out of business, but it could also leave you with substantial financial penalties from the banks and credit card companies and open to legal action from customers. In some cases, fraudulent orders can cause a business site to be blocklisted by the search engines, meaning that all the hard work done in building up traffic will disappear overnight.
Let’s go through each type of e-commerce fraud in turn.
Phishing
This is when a customer gets an e-mail or text message that looks like it’s from their bank, credit card provider, PayPal, Amazon – in fact, anywhere they might have stored their payment details. The criminal will include a link to the login page of the site where the customer has their account. The customer is encouraged to log in so that their account details can be verified. Unknowingly, the customer logs in and gives away all their personal information – including credit card number, expiry date, name on the card, etc. At this point, your business’s money is gone.
Identity theft
Although it might not seem like it at first, this type of fraud is just a variation on phishing. In this case, the criminal will send out an email pretending to be from your business telling the customer that there has been a problem with their order and asking them to click on a link that takes them to a site where the customer’s personal information can be filled in – giving the criminal access to all of the customer’s details.
Credit card theft
Credit card theft takes advantage of a security loophole in online businesses rather than tricking the customer into giving out their credit card information. Because we don’t see your credit card as you type it in to pay for an order, we usually use SSL (Secure Sockets Layer) to encrypt the information so that it is sent securely – we only decrypt it when we receive it on our server. The encryption is done using a security certificate that comes from a trusted authority. Unfortunately, there are still some certificates out there that aren’t as secure as they should be, and these can be bought by criminals who then use them to decrypt the information they intercept – giving them all the credit card details they need.
This type of fraud is so common because the criminals know that most businesses don’t understand how it works and will do nothing to protect against it. Because of this, they will be able to carry on stealing money from businesses for months before anyone catches them – if at all.
Prevention and Detection Techniques
The first step to preventing this type of fraud is to try and stop it from happening. For example, if a customer comes to your website, you should change the URL so that the customer’s browser knows they have reached their intended destination – instead of going to a blank page or site with just a few words in the status bar as many phishing sites do. You can do this by making sure that your server sends a “301 Moved Permanently” response as soon as someone requests the root directory of your website.
Another way to prevent stolen customer information is to disable SSL because it’s less secure – at least you know the customer data isn’t going anywhere! Of course, you can certainly see why this isn’t an option for most websites, so the only thing you can do is make sure that your security certificates are up to date. Remember, it’s your responsibility to ensure that SSL encryption is enabled on all of your pages and that a secure server hosts them.
Now that you have done everything possible to prevent e-commerce fraud, all you need to do is make sure that it doesn’t go undetected. The best way of doing this is by regularly scanning your website for files that are out of date or invalid – if something has changed on your server, the hackers will know about it and act accordingly.
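One way to run the regular scan described above is to compare a hash of every file in the web root against a known-good baseline. This is an added example, not code from the original article; the function names, the JSON baseline format and the paths in the usage comment are assumptions.

```python
import hashlib
import json
from pathlib import Path


def snapshot(web_root):
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def compare(baseline, current):
    """Return files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in set(baseline) & set(current)
            if baseline[name] != current[name]
        ),
    }


def scan(web_root, baseline_file):
    """Compare web_root with the stored baseline; create it on first run."""
    baseline_path = Path(baseline_file)
    current = snapshot(web_root)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        return {"added": [], "removed": [], "modified": []}
    return compare(json.loads(baseline_path.read_text()), current)


if __name__ == "__main__":
    import sys
    # Assumed usage: python integrity_scan.py /var/www/shop /var/lib/shop-baseline.json
    # Keep the baseline outside the web root so that anyone able to write
    # to the site cannot also rewrite the baseline.
    report = scan(sys.argv[1], sys.argv[2])
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)
```

Run it from a scheduled job and alert on a non-zero exit code; after a legitimate deployment, delete the baseline file so the next run records the new known-good state.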
You could always follow the mantra of “security through obscurity” because it’s one way of ensuring that your website is as secure as possible. Although you can never be 100% sure that what you are hiding isn’t publicly available information, you will undoubtedly make life much harder for hackers who don’t have the time or resources to look for it.
If you want, you could even treat your website as a honeypot because hackers are always looking for ways to break into websites – if they find yours, you can use this against them. For example, if someone were to hack your website, you could collect all of their data before handing it to the relevant authorities or simply deleting it – you would certainly be doing them a favour because most hackers don’t want their details to be publicly available.
The first thing you should do is make sure that your customers are aware of the situation and that you will offer them free credit monitoring services (or at least recommend that they go and check their current ones!). These days, most major businesses accept this as standard practice and will do everything they can to ensure their customers are protected – even if it is a bank.
You should also report the crime as soon as possible because this means that you won’t have to pay your credit card provider back for the fraudulent transactions. In some countries, you may be legally obliged to inform them of what has happened – it’s worth checking what your country’s laws are to prevent any nasty surprises. Once you have reported the crime, they should cancel all of the cards and issue you with new ones – along with many new numbers and security features (which you will probably need) to make sure it doesn’t happen again.
As you can tell, preventing this type of fraud is not always possible, but you must do everything within your power to protect your customers. The most effective way of doing this is by keeping up to date with the latest security standards and practices – make sure you are never caught out!
Besides doing your duty to protect your website and its customers, the best thing you can do is educate people about phishing so that they can recognize it when they see it. With this in mind, I hope that you found this article helpful and that it will be of some assistance – good luck!