Much like the year that preceded it, 2021’s holiday season looks to be unprecedented for online shopping. Unemployment is low and government economic stimulus checks are helping to give consumers the confidence needed to do a little extra spending on their friends and families this year. At the same time, supply chain issues are real and concerns about inflation loom, driving many buyers to get their shopping in as early as possible.
Overall, this spells a strong holiday season for both in-person and online shopping. While eMarketer predicts that brick-and-mortar sales will increase 7.9% over 2020’s numbers, eCommerce sales will see nearly double that, increasing to 14.4% or $935.79 billion in holiday sales in the U.S. alone.
That will spell an increase in the percentage of sales done online as a whole. Holiday eCommerce sales in 2019 were only 14% of the total. With the pandemic, that number rose to 17.5%. And in 2021? The number is expected to increase again, with eCommerce holiday sales approaching between 18.4 and 19% in North America.
As an online retailer, it can be easy to get caught up in the prospect of increased sales and kept busy with the day-to-day operations of maintaining your eCommerce storefront, inventory, shipping, etc. However, it’s important to acknowledge you aren’t the only one paying attention to the opportunities that this year’s holiday season presents.
Another group paying close attention to this? Fraudsters. Online shopping already creates opportunities for fraud. At the same time, new shopping modalities, like Buy Online Pickup In-Store (BOPIS), social media shopping, and Buy Now Pay Later — the very strategies that spell more sales for eCommerce — are making it easier for thieves to steal cards, cash, and merchandise.
To make matters worse, in trying to fix the problem, merchants can cause bigger issues by adding friction to the process and providing poor customer experiences. In an attempt to protect customers and revenue, online merchants stand the chance of alienating legitimate customers if they don’t approach fraud intelligently.
Doing so requires that eCommerce merchants understand the threats that exist to their stores as we head into the holidays. A clear picture of the biggest holiday shopping fraud schemes — from new methods to tried and true tactics — will make it easier for merchants to choose how to address fraud while still keeping customers delighted with their experience.
7 Holiday eCommerce Fraud Schemes
1. Gift Card Fraud
Gift cards are an incredibly popular and common gift during the holidays. It’s easy to grab a gift card for your co-workers, friends, even family members who are hard to shop for or who you think would rather choose their own gift.
Like many forms of fraud, the strength of gift cards is also the gateway to fraud. Gift cards are convenient and accessible for both the gift-giver and recipient — just run to the store or grab a few while buying your morning coffee. They are easy to use, and they act just like cash.
In fact, in the eyes of a merchant, they are, for all intents and purposes, cash. There is no name associated with these cards, and little in the way of tracking. Fraudsters use that to take advantage of these easy-to-share gifts.
It’s simple for fraudsters to steal the code and PIN off of a card in a store and then monitor it for activation online. Once activated, thieves can quickly drain the funds on the card, purchasing merchandise or trading it for cash. This can happen within minutes of the card becoming active.
The same can be said for digital gift cards. Using security holes in your eCommerce solution or in poorly coded forms, fraudsters can use tactics like SQL injection and email monitoring to snatch gift card numbers before they ever reach their recipients.
In addition to using fraud solutions to monitor for suspicious activity, eCommerce retailers should track gift card data from purchase to redemption, and ensure that data protocols on their sites are current and that all software is fully patched and secured. Additionally, don’t be afraid to look inward. Gift card fraud can be perpetrated by employees even more easily than it can be by thieves.
2. Buy Online Pickup In-Store (BOPIS) Fraud
Between March and June of 2020, Buy Online Pickup In-Store (BOPIS) and curbside pickup order volume increased more than 500%. The reason for this is simple — it was a safe and easy way to shop without waiting for items to ship to your location. Just order online and within minutes or hours pick the items up at the store.
That trend is unlikely to decrease during the holiday season. BOPIS is a holiday shopper’s dream come true. They can order exactly what they need and have it almost immediately, without waiting in long lines or being concerned with health and safety protocols.
Because this is a fairly new shopping strategy, BOPIS is an easy one for fraudsters to take advantage of. In addition to being able to combine other schemes, like Card Not Present fraud, thieves can get access to items quickly and have returned the items or sold them before the cardholder even knows there has been a fraudulent charge made to their card.
Integrating your systems across brick-and-mortar and online is one layer of protection for BOPIS fraud. Another is using a fraud detection solution that can flag suspicious purchase activity. A low-tech means of prevention, and one that can be implemented immediately, is validating customer identity at pickup. While this is only one layer of protection, it is one that can be added to your BOPIS process quickly and will prevent some, but not all, BOPIS theft.
3. Buy Now Pay Later (BNPL) Fraud
The rise in Buy Now Pay Later (BNPL) availability coincides with the continued increase in Millennial and Gen Z buyers. When shoppers from these generations are making a purchase, it’s a good bet that they are doing so on their phones. There’s also a decent chance that they don’t have their wallet — or their credit card — close by. According to a ClearSale survey, respondents only had their credit card within easy reach while shopping online 32% of the time.
BNPL allows buyers to rapidly apply for credit terms with your third-party service, which manages paying the business and later collecting from the shopper. While youth research firm YPulse found that 17% of 18 to 24-year-olds have used BNPL, 10% of Gen X have used these services as well. They help buyers manage purchases outside of their budgets, avoid credit card interest, or make a purchase even when their credit cards are maxed out.
BNPL is more or less a low-lift loan with a limited credit check and the simplicity of connecting your bank account to the BNPL service for easy repayment. That makes this a fertile field for fraudsters to insert themselves using account takeover as their scheme of choice.
Merchants need to be wary of transactions that show classic signs of fraudulent activity, such as logins from new devices, multiple transactions in a short period of time, and changes to shipping addresses.
A fraud protection solution integrated with your eCommerce platform can help, but you’ll need to be careful in choosing one. Many eCommerce solutions and some fraud detection applications rely heavily on blacklists and filters, but these can lead to false declines.
You may think that declining a purchase in the name of protecting your business seems like a good trade-off — in reality, it’s a dangerous and costly one. False declines can be devastating to your business, with shoppers opting to abandon a purchase and leave negative feedback for a retailer who declines their transaction. The ClearSale survey found that 19% of respondents said they would never place an order with a merchant that declined their credit card ever again.
4. Account Takeover (ATO) Fraud
Setting up accounts with a merchant opens a world of possibilities for consumers, including easy checkout and loyalty perks. For the retailer, it offers the chance for deeper customer understanding and more opportunities for marketing and promotion and to earn a repeat customer.
For thieves, it’s another means of potentially committing fraud against an online merchant. Hackers can use a variety of techniques, including lists of leaked usernames and passwords, brute force attacks, phishing attacks, and even weak passwords, to access a customer’s account.
From there, they can convert loyalty points into purchases, access a customer’s credit card and personal information, and even change the password to lock the original owner out of the account completely.
Online retailers can take a few steps to reduce their exposure to ATO attacks:
- Limit the number of login attempts and lock accounts that exceed it
- Flag those accounts that log in from new devices or from new locations
- Block requests from IP addresses known to support automated hacking bots
- Train employees on phishing techniques fraudsters use and how to recognize compromised accounts
- Encourage customers to change their passwords regularly
- Use fraud protection software to help review and approve only legitimate transactions
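The first two steps in the list above, together with the warning signs named in the BNPL section (logins from new devices, multiple transactions in a short period, changes to shipping addresses), can be expressed as a small rule pass over account events. This is an added example, not code from the article or from any fraud product; the event fields, thresholds, and function name are assumptions. It returns flags for review rather than declining orders outright.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own traffic.
MAX_FAILED_LOGINS = 3                     # lock once an account exceeds this
VELOCITY_WINDOW = timedelta(minutes=10)   # what counts as "a short period"
VELOCITY_LIMIT = 2                        # orders allowed inside that window

def review_events(events, known_devices, known_addresses):
    """Return (flags, locked): signals for manual review and locked accounts."""
    failed = defaultdict(int)      # consecutive failed logins per account
    orders = defaultdict(deque)    # recent order timestamps per account
    flags, locked = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind = ev["account"], ev["type"]
        if kind == "login_failed":
            failed[acct] += 1
            if failed[acct] > MAX_FAILED_LOGINS and acct not in locked:
                locked.add(acct)
                flags.append((acct, "locked_after_failed_logins"))
        elif kind == "login_ok":
            if acct in locked:     # a locked account stays locked until reset
                flags.append((acct, "login_on_locked_account"))
                continue
            failed[acct] = 0
            if ev["device"] not in known_devices.get(acct, set()):
                flags.append((acct, "new_device"))
        elif kind == "order":
            window = orders[acct]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > VELOCITY_WINDOW:
                window.popleft()
            if len(window) > VELOCITY_LIMIT:
                flags.append((acct, "order_velocity"))
            if ev["ship_to"] not in known_addresses.get(acct, set()):
                flags.append((acct, "shipping_address_changed"))
    return flags, locked

# Constructed sample data: not taken from any real store.
T0 = datetime(2021, 11, 26, 9, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)
SAMPLE_EVENTS = (
    [{"ts": at(i), "account": "alice", "type": "login_failed"} for i in range(4)]
    + [{"ts": at(5), "account": "alice", "type": "login_ok", "device": "d-9"},
       {"ts": at(20), "account": "bob", "type": "login_ok", "device": "d-7"}]
    + [{"ts": at(21 + i), "account": "bob", "type": "order",
        "ship_to": "addr-2" if i == 2 else "addr-1"} for i in range(3)]
)
KNOWN_DEVICES = {"alice": {"d-1"}, "bob": {"d-2"}}
KNOWN_ADDRESSES = {"alice": {"addr-0"}, "bob": {"addr-1"}}
```

Calling `review_events(SAMPLE_EVENTS, KNOWN_DEVICES, KNOWN_ADDRESSES)` on the constructed data locks one account and raises three flags on the other, none of which cancels an order by itself.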
5. “Friendly” Fraud
During the hustle and the bustle of the holidays, it’s easy to lose track of what was bought and what wasn’t. Couples who share a credit card may not recognize purchases that the other has made. These, and similar situations, can lead to what is commonly known as friendly fraud.
Friendly fraud is when a consumer disputes a valid transaction with their credit card company. According to Mastercard, 75% of credit card users will research a purchase that they don’t recognize before disputing it. Even after researching it though, 27% of those that dispute a charge later realize that they actually did make the purchase.
While the purchaser doesn’t intend to defraud the retailer, the result is the same — the merchant is out the products or services, as well as shipping costs and the fees associated with chargebacks from the credit card companies.
Preventing friendly fraud is largely about clear communication. Be sure that your store name is recognizable on customers’ card statements. Clearly state all refund policies and make them easily available on your website. Provide great customer service that is responsive.
Not all chargebacks are suspicious, but they can be harmful to your business. Consider also a fraud solution that offers a chargeback guarantee so that you aren’t on the hook for purchases that become chargebacks.
6. Chargeback Fraud
Friendly fraud is when a consumer accidentally disputes a charge. Chargeback fraud, on the other hand, is intentional and malicious. The purchaser disputes the transaction, knowing full well that they made it and with every intent to keep the items purchased without paying for them.
Certainly, the cost of losing goods is detrimental to online merchants, especially for small and medium-sized businesses. In addition to the merchandise, retailers must deal with the fees associated with chargebacks, of which there are many. In 2018, every dollar of fraud cost the merchant $2.94 in fees and loss. For online retailers selling digital goods, that number is closer to $3.29. Worse, chargebacks can hurt your standing with credit card processors — too many and you can be rated as a high-risk merchant, raising your transaction fees and eating into your profits.
Because of this, it’s crucial that you take chargeback fraud seriously. Integrating a fraud solution as part of your eCommerce platform can help, but many err on the side of declining a suspicious purchase, causing the same issues with false declines noted above. False declines cost merchants $13 for every $1 in credit card fraud. Ensure that your fraud protection doesn’t do blanket declines based on filters and blacklists alone, but instead reviews transactions for legitimacy and stands behind its decisions with a guarantee.
7. Card Not Present (CNP) Fraud
Card Not Present (CNP) fraud is, of course, a significant problem for online retailers. Every transaction is a CNP one, increasing the chance that these payments could be fraudulent.
Unsecured mobile devices, weak passwords, phishing schemes, and hacked servers have all given bad actors access to millions of credit card numbers that can be used for fraudulent purchases. In 2020 alone, the Federal Trade Commission tagged 393,207 identity theft reports via credit card fraud.
Balancing a good user experience with protection from fraud can be tough. The more information you require from a customer, the lower the chance of CNP fraud, but the higher the chance that the additional friction in the process will result in an abandoned cart. Automated fraud protection and account creation can help, as does validation of card owner information and shipping data.
Protect Your Business This Holiday
Spurred by the events of the last 18 months and the shopping preferences of Millennials and Gen Z, consumers’ appetite for holiday shopping online is growing by leaps and bounds. Meeting these needs often means offering new ways to shop, but also creates opportunities for eCommerce fraud.
Without proper attention to fraud tactics, and without putting the right procedures and solutions in place, fraudsters can wreak havoc on a business’s bottom line. More importantly, addressing fraud schemes with an iron fist or the wrong solution can do irreparable harm to a merchant's reputation and cost far more than a few bad sales ever could.
When designing your fraud prevention processes and choosing deterrent solutions, do so carefully. Balance customer experience with protecting your business. Fraud prevention starts with business processes and your employees, but it shouldn’t end there.
Ensure that fraud detection and protection solutions are easy to implement or integrate with your eCommerce platform and that they aren’t one-dimensional in how the solution approaches both identifying fraudulent purchases and protecting your business after the fact. Ideally, choose a solution that uses advanced technology solutions to identify fraud patterns and human intelligence to assess real risk, while offering chargeback protection and minimizing friction in the purchase process. Combined, these elements will help you protect your revenue and your reputation as you make your way through the holiday season.