Many merchants assume their small, new, or family-run business won’t be targeted by fraudsters in the same way major retailers are. That view is based on the idea that eCommerce fraudsters are individuals who steal a few goods here and there from stores they’ve heard of. While anecdotal reports indicate that individual fraud increased in 2020 as financial pressures hit many households, organized fraud is the real threat to the well-being of merchants of all sizes.
Payment card fraud cost merchants worldwide more than $27.85 billion in 2018, even before the 2020 shift to eCommerce created new opportunities for fraudsters to exploit changes in consumer behavior. The figure is so high because eCommerce fraud groups operate like big businesses. Their toolkit includes bots to automate and scale attacks on stores of all sizes, so even small stores can get swept up in big fraud waves.
As a Magento merchant, it’s important to understand the fraud landscape, the impact of fraud on your customers’ experience, and how you can fight fraud and grow your business.
What are the key areas merchants need to watch?
It’s tempting to think of eCommerce fraud as simply something to address during checkout, but issues that contribute to fraud exist outside the checkout process, too.
Your eCommerce platform
The most pressing fraud-related concern for merchants is using the correct Magento version. Magento 1 was deprecated by Adobe in mid-2020, after many months of urging customers to switch to Magento 2 for better performance and security. However, according to Bank Info Security, an estimated 95,000 stores were still running on Magento 1 in September 2020, even though there’s no longer support, updates, or patches for that version.
Fraudsters have exploited that vulnerability. In May 2020, the FBI issued an alert about a Magento 1 plugin vulnerability that put stores at risk of card-skimming. Card skimming, also called formjacking, occurs when fraudsters insert code into web forms to silently steal customers’ payment data as they enter it. Then they can launch large-scale fraud attacks using the stolen card information, sell the data to other criminals, or both.
Despite the alert, about 2,000 eCommerce sites running Magento 1 were hit by an automated card skimming attack in mid-September. Researchers said “tens of thousands” of customers’ card data could have been exposed. For merchants still using Magento 1, the most urgent fraud prevention step to take now is replatforming your store on Magento 2. For everyone else, it’s critical to keep your platform up to date.
Your checkout process
Every merchant, regardless of platform, needs to screen orders for stolen card data and for indicators of account takeover (ATO) fraud. ATO can be hard to detect because fraudsters abuse a trusted customer’s identity and payment data to make purchases. Prevention requires machine-learning tools to compare current customer behavior to past behavior and purchasing patterns on your site.
For example, if a customer who typically visits one Sunday a month to buy about $100 worth of midrange housewares with free shipping suddenly drops in on a Friday night to buy $2,000 worth of high-end items with express shipping to a new address, you could be looking at an account takeover. Such orders should be flagged for manual review.
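The comparison described above, written out as an added example (not code from the original article or from Magento): a rule-based triage routine that scores an incoming order against the account's past orders and routes anomalies to manual review rather than auto-declining them. The `Order` fields, the thresholds, and the sample order history are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Order:
    total: float          # order value in dollars
    weekday: int          # 0 = Monday ... 6 = Sunday
    hour: int             # 0-23, local time of the order
    ship_to_known: bool   # ships to an address previously used by this account
    express: bool         # express shipping selected

def ato_signals(history, order):
    """Return the list of ways this order deviates from the account's history.
    Thresholds below are illustrative assumptions, not tuned values."""
    signals = []
    totals = [o.total for o in history]
    avg = mean(totals)
    spread = pstdev(totals) or avg * 0.25  # very regular buyers would otherwise have spread 0
    if order.total > avg + 3 * spread:
        signals.append("order value far above account norm")
    if order.weekday not in {o.weekday for o in history}:
        signals.append("unusual day of week")
    if not any(abs(order.hour - o.hour) <= 3 for o in history):
        signals.append("unusual time of day")
    if not order.ship_to_known:
        signals.append("new shipping address")
    if order.express and not any(o.express for o in history):
        signals.append("express shipping never used before")
    return signals

def triage(history, order, review_at=2):
    """Route the order as 'approve' or 'review'. The routine never auto-declines:
    a single oddity (e.g. a gift to a new address) is not enough to flag a good
    customer, and flagged orders still go to a human reviewer."""
    signals = ato_signals(history, order)
    decision = "review" if len(signals) >= review_at else "approve"
    return decision, signals

# Constructed history: one Sunday-afternoon order a month, about $100, known address.
HISTORY = [
    Order(95.0, 6, 14, True, False),
    Order(105.0, 6, 15, True, False),
    Order(110.0, 6, 13, True, False),
    Order(90.0, 6, 14, True, False),
]
# Constructed suspect order: Friday night, $2,000, express, new address.
SUSPECT = Order(2000.0, 4, 22, False, True)

if __name__ == "__main__":
    print(triage(HISTORY, SUSPECT))  # ('review', [five signals])
```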
Post-purchase fraud risks
Most merchants are already familiar with the main post-purchase indicator of fraud: chargebacks. These can be caused by ATO fraud and credit-card theft as well as by individual customers who claim their order never arrived. Screening at the order stage is the key to preventing the first two types of chargebacks. Shipment tracking and delivery confirmation can help fight so-called friendly fraud.
Preventing fraud is a key to merchant survival. So is making sure that your fraud prevention practices don’t make the process frustrating or insulting to good customers.
How does fraud affect the customer experience?
Despite the stress and hassle that fraud creates for customers, they’re more forgiving of fraud than they are of being mistaken for a fraudster. That was one of the main findings of a March 2020 survey of 5,000 online shoppers conducted by Sapio Research for ClearSale.
eCommerce shoppers in five countries — the U.S., U.K., Canada, Mexico, and Australia — all expressed concerns about fraud and identity protection while they shop. On average across all five countries, 13.6% said they’d never shop with a merchant again after a fraud experience with them. That’s another compelling reason, in addition to chargeback costs, to fight fraud. However, 39% of those same shoppers said they’d never buy again from a merchant who rejected their order.
These numbers show that your fraud prevention process must avoid generating false positives. For example, automatically rejecting every flagged order can prevent fraud, but it will also create an ever-larger group of people who won’t ever shop with you again because you declined their orders by mistake. The solution is to manually review flagged orders, in-house or through a third-party service, to separate the good orders with anomalies from the fraud attempts.
Follow these best practices to protect your Magento store from eCommerce fraud
Fraudsters frequently change tactics to avoid detection, but a few best practices can help you screen them out.
- Keep your Magento platform, extensions, and hosting up to date. This can help prevent card skimming attacks like the ones suffered by Magento 1 stores in late 2020.
- Ensure that your store meets PCI requirements for card transaction and data security. If you sell into the UK and EU, make sure your store complies with the Payment Services Directive’s Strong Customer Authentication (SCA) requirements. Compliance can reduce your liability for card fraud.
- Require strong passwords for customer accounts. This can reduce the risk of account takeover fraud caused by easily cracked passwords.
- If you use the standard fraud prevention tools that Magento provides, set them to allow review of flagged orders so you don’t create false positives.
- Use an additional fraud prevention service that’s approved for Magento. Look for a service that evaluates a range of real-time and historical information for each order, from basics like address matching to purchase history, location, behavioral biometrics, device identity, and other markers. Whichever solution you choose, make sure it’s built to work with the most current version of Magento.
- Manually review flagged orders, in-house or through a solution provider, to reduce false declines while preventing fraud. Use the results of your manual reviews to train your AI fraud prevention solution to get better at distinguishing fraud from good orders.
- Include package tracking and delivery verification on all orders to reduce the risk of friendly fraud caused by false claims that your shipments never arrived.
- Add continuous malware scanning and a managed firewall service to your website to keep would-be card-data thieves out.
- Disable site extensions and functions that you no longer use, to prevent them from being exploited by card skimming fraudsters.
- Keep an eye on your chargeback ratio to spot rising fraud trends, adjust your prevention parameters if needed, and avoid increases in payment processing costs.
- Seek out a chargeback guarantee or chargeback insurance through your fraud prevention provider or through a chargeback mitigation service, to reduce the financial impact of chargebacks on your business.
Fraud is a costly, persistent challenge for merchants of all sizes. So are false declines that drive away good customers. If you keep your software up to date and use tools that stop fraud and prevent false declines, you can navigate between these two risks successfully, keep more revenue and retain more good customers.