A Guide to Protect Your Retail Business Against CNP Fraud in eCommerce

Last Updated: December 11, 2020

Lawmakers and the retail industry together have worked hard over the past several decades to minimize credit card fraud in brick and mortar stores. New POS payment technology such as EMV chips, contactless payments, dynamic data, and thorough encryption have almost entirely eliminated card-present fraud.

But, of course, criminals aren’t stupid and they have found new ways to steal. eCommerce retail stores have opened new avenues for electronic theft. Card-not-present (CNP) theft has grown each year. Thanks to 2020’s global pandemic, there has been an incredible 250% rise in digital transactions that will in turn speed up the growth rate in CNP fraud. It is estimated that retailers will lose around $130 billion in Card-not-Present fraud between 2018 and 2023. And the impact is even more than just dollars lost.

Retailers must be vigilant, following anti-fraud best practices and adhering to all industry regulations. So let’s take a look at what CNP fraud is, its different types, how to spot it, and how to best prevent retail fraud in eCommerce.

What Is Retail Fraud in eCommerce?

CNP fraud is rather self-explanatory: a criminal conducts some sort of operation on your online store that takes either product, currency, or financial data from your business. The concept certainly isn’t new, but this channel is still in its infancy. And businesses are working hard to keep it at bay.

Unfortunately, small businesses are at particular risk for fraud. In fact, a survey from the Association of Certified Fraud Examiners (ACFE) estimates that over half of small retailers suffer from some version of online fraud. For many SMBs, it can be too expensive or time-consuming to institute the proper protection against the risk of theft. But a theft or security breach can be even more crippling. Certain types of fraud can come with fines if your business is found to be in violation of certain standards. Plus, a security breach that compromises your customers’ financial security will lead to a loss of trust, even among your most loyal shoppers. Many smaller retailers simply can’t afford to recover from these added insults to the injury.


10 Different Types of Card-Not-Present eCommerce Fraud

Online fraud can come in various forms, making it even tougher to stop. It’s a faceless crime so it’s harder to trace, and it can even come from across the world. Because it’s common and difficult to solve, authorities are less inclined to spend time trying to catch the criminal.

But as they say, knowledge is power. And it’s important to familiarize yourself with each of the types of eCommerce fraud so as to better protect yourself from it.


1. Clean Fraud

One of the most common types, clean fraud in eCommerce involves a criminal using a stolen credit card to complete a purchase. It’s more difficult for the webstore retailer to identify this as fraud since the criminal has all the bank information needed to complete a purchase without raising suspicion. Typically, the card information is stolen through online data breaches, though it can also happen with a stolen physical card that is then used online. In either event, the merchant is responsible for chargebacks and the lost merchandise.

2. Friendly Fraud

Anything but friendly, this technique only involves the criminal and retailers. A person makes a purchase and then claims that the product was never delivered, their card was stolen, or that they never actually placed an order. This is also sometimes referred to as chargeback fraud.

3. Refund Fraud

Rather than using a stolen number to order the product itself (clean fraud), the criminal in refund fraud makes an exceptionally large purchase and then asks for reimbursement. Of course, they claim the original account has been closed or compromised and request that the money be returned to a separate account.

4. Merchant Fraud

This type of card-not-present fraud is reserved for online marketplaces that are responsible for both the seller and the buyer, as well as for facilitating the transaction (like eBay). The criminal sets up a fraudulent platform in this marketplace, receiving payment for items that they will never ship. These are short-lived schemes but can rake in a lot of money. In the end, the marketplace is responsible for recompense.

5. Card Testing Fraud

A more advanced technique, card testing often uses multiple eCommerce stores and relies on bots. Many e-retailers specifically highlight the incorrect parts of the credit card information in an attempted order. For instance, a declined order might show that the thief is only missing the expiration date, narrowing the missing information down. With bots automating these attempts, the correct information can be identified surprisingly quickly. Often they will use card testing on one site before using the data to make the purchase at a separate eCommerce store.

6. Identity Fraud

Criminals can also find their way into a store’s database, allowing them to steal usernames, passwords, credit card data, and sometimes even more personal information (driver’s license, passport, and SSNs). This information can be used right away to make a fraudulent purchase, but oftentimes, this information is sold to secondary thieves who open new accounts with the victim’s identity.

7. Reshipping Fraud

Perhaps the most frustrating of the bunch because it involves two criminals, reshipping starts with a clean fraud purchase but has it shipped to an alternate address. This minimizes the initial fraudster’s risk since it’s not going directly to their address. They often pay the resident at this secondary address to ship the product to the final destination.

8. Triangulation Fraud

Triangulation is one of the more complicated forms of online fraud. The criminals set up a fake store, oftentimes selling products at an outrageously cheap price. This false storefront has the sole purpose of farming card data. Once the data is collected, the fraudster will either make purchases for themselves, or use the customer card to buy the goods from an actual merchant, charging the shopper twice, and keeping the initial discounted price.

9. Interception Fraud

This starts with creating orders that match billing and shipping addresses to the address attached to the compromised card. By doing so, they don’t raise any red flags. Following the order placement, they have several different tactics. Often they ask for an address change through either the retailer or the shipping company. In a more rudimentary tactic, they simply wait at the address for the delivery and then steal the package.

10. Account Takeover/Phishing Fraud

Many online retailers offer their shoppers the option to store their card data on the website. Benefiting both the customer and the retailers, this option adds convenience to the shopping experience and lowers the rates of abandoned carts. Fraudsters find various ways to infiltrate these accounts, usually through phishing scams. Most commonly, they send emails to past customers tricking them into revealing their passwords. Once the account is compromised the theft is remarkably easy to complete.

7 Red Flags That Can Help You Identify Digital Fraud

There are some easy ways to identify fraud on your website. It’s best to educate yourself on these to prevent them from happening, or at least to catch them as quickly as possible. The faster your response time, the better the chances are of recouping your losses and protecting your customers. Keep in mind that a transaction with one or two of these conditions is probably nothing to worry about, but if a single order contains several, it is probably worth investigating. Take any necessary precautions and integrate CNP fraud prevention into your daily business operations.

1. Big Orders

Credit card thieves don’t expect to have use of the stolen card for long. So to take advantage of it, they typically will place unusually large orders.

2. New Shoppers

Criminals are more likely to shop at unfamiliar places that they’ve never associated with before. Once they make one fraudulent purchase, they’ll likely move on to another store.

3. Strange Delivery Address

If you see an order to a region or country that you don’t typically ship to, check it out further. It might just be a sign that business is great! But it should initially raise an eyebrow.

4. Different Orders to One Address

If you receive multiple orders with different names going to the same address, this is most commonly due to a fraudster having stolen a handful of cards. They place orders using each and address them to random names, but all will be going to a single location.

5. Different Cards on One IP Address

Similar to the previous red flag, this scenario also indicates that someone has stolen several cards. Even if they are going to different addresses, various orders paid with different cards from a single IP address don’t make too much sense.

6. Back-to-Back Transactions

Repeated transactions are another thing to watch out for, especially if it’s multiple orders for the same product. This is another indication that the person is trying to purchase as much as possible before the card is shut down.

7. Overnight Shipping

Again, this alone isn’t necessarily a great indicator of CNP fraud, but, combined with one of the others on this list, could be a sign of suspicious activity.

11 of the Best Ways to Protect Your Business From Online Fraud

In many of these cases, the burden of responsibility is on the retailer, so it’s critical that you set up your web business with the right protections and safeguards. It might be impossible to stop every single instance of fraud, but minimizing the occurrences is still productive.

1. Follow PCI Compliance

We recently talked about how PCI Compliance works. For a more in-depth look, check it out here. But let’s just do a tl;dr for the sake of this blog: stay up-to-date and follow the rules. The easiest way to do this is to use an eCommerce platform and merchant service that is fully adherent to industry regulations. WooCommerce, Shopify, and Magento are all fully set up as PCI Compliant (and all three integrate with KORONA!).

2. Require Card Verification Values (CVV) with Each Purchase

These three little numbers on the back of credit cards actually prevent a fair number of fraudulent transactions (confusingly, you might also see this referred to as Credit Code Verification, or CCV). You might also use Address Verification Service (AVS) to check the billing address of the purchase against the billing address the credit card association has on file.

3. Keep Purchase Histories

Not only is this great for your marketing and loyalty programs, but tracking past purchases through user profiles can help you identify theft or fraud. A shopper who normally has orders addressed to Minneapolis but is suddenly ordering 1,800 cases of wine to Kazakhstan just might have a compromised account.

4. Require Signatures for Deliveries

It’s not a surefire defense against fraud, but a signature will deter some thieves who will just go to an eCommerce store that doesn’t require this step.

5. Encourage/Require Strong Passwords

Be smarter than some of your customers. Don’t let anyone log in with “1234” or “password.” Set up standard requirements for a minimum length, capitalization, numbers, and symbols.

6. Automate Screening Suspicious Behavior

Depending on your eCommerce platform, you can configure your system to automatically flag suspicious activity. Typically, you should be able to easily identify orders from the same account with different credit cards, back-to-back purchases, quick changes to shipping addresses, among a handful of others.
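The screening described here, applied to the seven red flags listed earlier, can be sketched as a small rule check that only escalates an order when several flags coincide. This is an added example, not code from the original article or from any eCommerce platform; the field names, thresholds, and sample orders are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

USUAL_COUNTRIES = {"US"}        # assumption: where this store normally ships
BIG_ORDER = 500.00              # assumption: "unusually large" for this store
WINDOW = timedelta(minutes=10)  # assumption: what counts as back-to-back
REVIEW_AT = 3                   # one or two flags: ignore; several: investigate

def order(oid, name, card, ip, addr, country, total, ship, ts, new):
    return dict(id=oid, name=name, card=card, ip=ip, addr=addr, country=country,
                total=total, ship=ship, ts=datetime.fromisoformat(ts), new=new)

# Constructed sample orders; "card" is a processor token, never a card number.
ORDERS = [
    order(1, "Ann Lee", "tok_a", "198.51.100.7", "12 Oak St", "US", 42.10, "ground", "2020-12-01T10:00", False),
    order(2, "Bob Ray", "tok_b", "203.0.113.9", "9 Elm Ave", "US", 910.00, "overnight", "2020-12-01T11:00", True),
    order(3, "Cy Dunn", "tok_c", "203.0.113.9", "9 Elm Ave", "US", 880.00, "overnight", "2020-12-01T11:04", True),
    order(4, "Dee Fox", "tok_d", "192.0.2.44", "3 Pine Rd", "US", 650.00, "ground", "2020-12-01T12:00", False),
    order(5, "Eve Hart", "tok_e", "192.0.2.80", "77 Bay Ct", "US", 35.00, "overnight", "2020-12-01T13:00", True),
    order(6, "Dee Fox", "tok_d", "192.0.2.44", "3 Pine Rd", "US", 650.00, "ground", "2020-12-01T12:03", False),
]

def red_flags(orders):  # -> {order id: sorted list of red-flag names}
    names_at, cards_on, by_card = defaultdict(set), defaultdict(set), defaultdict(list)
    for x in orders:  # first pass: build cross-order indexes
        names_at[x["addr"]].add(x["name"])
        cards_on[x["ip"]].add(x["card"])
        by_card[x["card"]].append((x["id"], x["ts"]))
    result = {}
    for x in orders:  # second pass: evaluate the seven red flags per order
        checks = {
            "big_order": x["total"] >= BIG_ORDER,
            "new_shopper": x["new"],
            "strange_address": x["country"] not in USUAL_COUNTRIES,
            "many_names_one_address": len(names_at[x["addr"]]) > 1,
            "many_cards_one_ip": len(cards_on[x["ip"]]) > 1,
            "back_to_back": any(i != x["id"] and abs(t - x["ts"]) <= WINDOW
                                for i, t in by_card[x["card"]]),
            "overnight_shipping": x["ship"] == "overnight",
        }
        result[x["id"]] = sorted(k for k, hit in checks.items() if hit)
    return result

def needs_review(orders):  # order ids carrying several flags at once
    flags = red_flags(orders)
    return sorted(i for i in flags if len(flags[i]) >= REVIEW_AT)

if __name__ == "__main__":
    print(needs_review(ORDERS))
```

Orders 4 to 6 each trip two flags and stay below the review threshold, while orders 2 and 3 trip five and are queued for manual review.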

7. Keep Checkout Pages in “HTTPS”

This is a simple encryption step that keeps all checkout page information in the hands of your browser and server. Just be careful not to implement this site-wide.

8. Iterate Clear Anti-Fraud Policies

At the very least, this will serve as a warning to potential thieves that you are aware of their presence. It can also protect your business from chargeback fraud. Announcing that you track numbers allows you to contact the issuing bank to validate any customer claims that might be friendly fraud.

9. Update All of Your Software

Keeping your software current will help ensure that you’re using the smartest and latest system. Credit card processors and POS systems are always updating their software to protect business owners against new threats.

10. Learn From Your Mistakes

Track all past fraudulent activity. Even if you lost product or cash through the ordeal, you can use this information to prevent a similar episode from happening again. You can also work these incidents into your training for new staff members.

11. Put Together an Online Fraud Prevention Plan

Create a unique prevention plan customized to your own online store that focuses on identifying the different types of CNP fraud that can happen to all eCommerce sites and a guide to follow for preventing them.

Here you can include examples of past fraudulent activity that your store has experienced and the ways they were handled or could have been handled. Again, you can use this for staff training and keep it on hand as a reference for best practices.


Take The Time to Protect Your Small Business

Though the digital world has made our lives easier in many ways, it’s also opened the door to new dangers. Online fraud can drive a small business to bankruptcy so it’s vital that you take the right precautions to keep your business safe. To find out more, contact us at KORONA POS. Our retail POS system integrates with the safest eCommerce platforms and we only work with merchant services that promise full PCI Compliance. Click below to start a free trial and demo!


About the Author


Michael Chalberg

Michael has long focused his writing on the world of retail and small businesses. He's been a part of the KORONA POS team since 2018 and loves helping entrepreneurs find ways to adapt and succeed. In his spare time, you'll likely find him hiking somewhere in the Southwest.
