Ecommerce Fraud Types You Should Be Aware Of

Ecommerce Fraud Types You Should Be Aware Of

Ecommerce is currently experiencing major growth. Global ecommerce sales are estimated to have surpassed $6.1 trillion in 2021, Statista reports.

This progress means more opportunities for merchants and customers, but they are not the only two interested parties. Ecommerce fraudsters are lurking in the dark, eager to exploit every chance to obtain assets, goods, and payment data.

LThis article defines ecommerce fraud and explains critical ecommerce fraud types that merchants should be aware of, including some practical prevention practices.

Ecommerce fraud is the criminal act of illegally obtaining financial or personal gain from online transactions while negatively affecting the merchant’s ecommerce business. The fraudster’s goal is to break into other people’s online accounts and/or use someone else’s payment or personal information to make illegal purchases without the account owner’s knowledge.

Ecommerce fraud affects a merchant’s revenue and reputation, so every business needs to take all necessary precautions to protect customer information.

Ecommerce Fraud Types

12 ecommerce fraud types

To fight ecommerce fraud, merchants first need to get familiar with the most common ecommerce fraud types.

1. Chargeback Fraud (Friendly Fraud)

Chargeback fraud, also known as friendly fraud, happens when legitimate shoppers buy a product with their credit and debit cards, only to dispute the transaction and request a chargeback from their card issuer.

It is called friendly fraud because the cardholder intentionally uses their verified credit card data to trick the merchant. Friendly fraud and true fraud differ in that with the former, the cardholder’s identity is legitimate, while with the latter, the cardholder’s identity is stolen.

2. Refund Fraud

Refund fraud happens when the fraudster uses a stolen credit card to buy something on an ecommerce website but then asks for a refund, claiming accidental overpayment. They request that the excess amount be refunded, but with a little twist: the fraudster claims that the credit card has been blocked and the money should be returned via an alternative payment method.

In this case, the fraudster seems to be making a legitimate purchase and refund request, but in reality, they are trying to trick the merchant.

Learn more about chargebacks and refunds from our article Chargeback vs. Refund: Differences and How to Handle Them.

3. Account Takeover

Account takeover fraud

Account takeover fraud (ATO) happens when a fraudster gains access to a legitimate user’s account, using it to gather personal and payment data, alter account information, or make non-authorized payments.

An account takeover is considered identity theft if the fraudster opens new accounts, get bank loans, or request credit cards.

It is difficult to detect ATO because fraudsters do not perform any out of the ordinary activities that alert the victims. Customers typically notice their account has been taken over once they can’t access it anymore or they spot suspicious charges on their merchant statements.

4. Identity Theft

Ecommerce identity theft is when fraudsters steal customers’ personal information and use it to conduct unauthorized payments online. For instance, the fraudster may take another person’s identity, request payment cards on the victim’s behalf, and start shopping.

Identity theft does not refer only to payment data but can also include stealing email addresses and accounts, IP addresses, and users’ personal devices. More and more people use mobile payment and shopping apps with stored credit card and identity data. When an ecommerce fraudster gains access to such a personal device, they make purchases pretending to be the owner in question.

5. Synthetic Identity Fraud

Cybercriminals commit synthetic identity fraud by combining real and fake information to generate new virtual identities. This fraud type utilizes AI tools to make new personas from several people’s facial elements.

For instance, merchants relying on facial recognition for identity verification can expect substantial damage if they become victims of such fraud. The good news is, there is cutting-edge identification software that recognizes synthetic identities.

6. Voice Deepfakes

Voice deepfakes

As voice commerce will surpass $80 billion in 2023, digital criminals embrace deepfake audio fraud to imitate buyers’ voices. Hackers can avoid identity verification procedures and tools to buy goods online by acting as someone else.

Merchants need to keep adding voice shopping to the omnichannel customer experience while applying fraud prevention systems that detect voice deepfakes.

7. Card Testing Fraud

Credit card testing or card cracking happens when a fraudster steals or purchases several credit card numbers. They visit an e-store to carry out low-value test purchases, implementing bots or scripts to swiftly test several credit card numbers. At this stage, fraudsters check whether they can use any of the credit cards they have obtained.

Once (and if) they come across a credit card number that works, they start buying more expensive items or services. However, even though they know which credit card number works, they still can’t detect the limit on the credit card in question. Hence, it is a good idea to limit daily expenditure on a single credit card. This prevents substantial losses if a cardholder becomes a victim of this type of ecommerce fraud.

8. Triangulation Fraud

Triangulation fraud includes three participants: a buyer, the fraudster, and an ecommerce store. The fraudster opens a storefront on an ecommerce platform offering popular items at reduced prices.

The buyer looking for a bargain comes to the storefront, eager to purchase the items at a discount. When the buyer purchases on the fraudster’s website, the lawbreaker uses the credit card data to buy the same things on the merchant’s ecommerce website and ship them to the buyer.

Even though the buyer obtains real items at too-good-to-be-true prices, their credit card number has been stolen, and the ecommerce website has been scammed. Now that that perpetrator has the stolen credit card data, they can change the account information and order goods to be shipped to their address.

9. Interception Fraud

In interception fraud, the fraudster orders goods from an ecommerce website using a stolen credit card and intercepts the package along the way.

To do this, the fraudster may contact a sales representative at the merchant’s company to change the address on the package before shipping. In this case, the fraudster receives the ordered products, and the cardholder (the victim) makes the payment.

Some fraudsters may call the shipping company to deliver the package to another address, while others physically intercept it upon delivery.

10. Pharming Fraud

Fake website fraud

Pharming happens when hackers develop fake copies of ecommerce websites and redirect customers to them. Customers usually do not realize they are providing their payment information on a fake website.

Merchants need to work with website developers to improve antimalware protection on their ecommerce websites and protect their landing pages from such harmful activity.

11. Unauthorized Use of Inactive Accounts

Some merchants launch promotional campaigns and discounts for repeat customers, recurring customers, and one-time buyers. The latter groups often include shoppers with inactive accounts on ecommerce websites.

Inactive customer accounts are perfect targets for fraudsters planning to take over users’ accounts and steal personal data or assets. Merchants need to apply additional tracking of idle accounts to curb suspicious activity from otherwise passive customers. To deter potential scammers, merchants must require that returning customers update their personal data and use two-factor authentication.

12. Advanced Account Takeover

In an advanced account takeover, the fraudster does not only steal the user’s account credentials to pay for goods and services, but they also sell this account data to third parties.

What is more, Experian predicts that cybercriminals will apply stolen information from one breach to control other accounts owned by the victim (credential stuffing). They will also use fraudulent information to automatically open accounts (script creation). To stop this kind of activity, merchants need to ensure impenetrable protection for their login procedures.

New fraud types emerge all the time as fraudsters try to think of new ways to trick unsuspecting online shoppers. To be up to date, check out our article on Ecommerce Fraud Trends to Beware of in 2021

How to Prevent Ecommerce Fraud?

Merchants can prevent ecommerce fraud by applying the following practices:

  • Apply address verification service (AVS). Implement the Address Verification Service (AVS) to detect potentially risky credit card transactions and prevent fraud. The AVS system automatically compares the cardholder’s billing address provided at the issuing bank with the billing address added by the payer. When the addresses are not the same, the system either blocks the transaction or requests additional data/actions.
  • Insist on CVV. Every credit and debit card issued by Mastercard, Visa, American Express, and Discover comes with a three-digit (four-digit for AmEx cards) card verification value (CVV) on the back of the card. Require that all buyers enter this code for every card-not-present transaction. It prevents ecommerce payment fraud by ensuring that all payers physically possess the card they are paying with, which is not the case when fraudsters have only credit card data, but not the card itself.
  • Find a reliable payment processor. Working with a dedicated and experienced payment processor ensures a high level of protection against ecommerce fraud. When shopping around for the perfect processor, ask about their protection measures, such as PCI compliance and PSD2. Also, inquire about their fraud-prevention tools and fraud detection systems. Payment processors must provide top-notch tools and strictly follow current regulations to provide round the clock protection.

CCBill offers Smart Checkout, an effective anti-fraud system that thoroughly scans every transaction before the payment data is sent to credit card associations and banks. It reduces fraud risk and lowers the chargeback rate.

  • Use an SSL certificate. Hypertext Transfer Protocol Secure (HTTPS) encrypts all personal data, meaning that sensitive information, such as customer names and addresses, as well as credit card numbers, are protected during the transit. Even if hackers intercept the data protected and encrypted by HTTPS, they will not be able to decipher it.

Learn more details about HTTP and HTTPS from our article HTTP vs. HTTPS: What Are the Differences.

  • Rely on AI. Artificial intelligence will play a more prominent role in ecommerce fraud detection and prevention. AI assists in predicting and identifying fraudulent activities by collecting and interpreting data from previous cases and gathering information in real-time to immediately detect suspicious activity. These solutions are now widely used to accept and monitor orders, saving merchants’ time and improving overall business efficiency.

For more information on ecommerce fraud prevention, read our article Ecommerce Fraud Prevention: Best Practices.


As ecommerce keeps growing, fraudsters will come up with innovative methods for stealing payment information, customers’ data, and tangible goods. Therefore, merchants need to take all possible measures to protect their business assets and customer information from ecommerce fraud.

This guide will help ecommerce merchants and customers identify the biggest threats and act on time to build a secure ecommerce environment.