4 Types of eCommerce fraud that retailers should look out for

Care to share?

With the increase in the number of eCommerce stores, it’s a no-brainer to expect eCommerce transactions to increase in volume. Unfortunately, this increase in volume creates more chances for successful eCommerce fraud attempts. Statista reports eCommerce fraud resulted in losses of up to $20 billion in 2021. Meanwhile, credit card chargebacks reportedly increase every year.

The term fraud is used in the business world to refer to any act of criminal deception to achieve financial gain. eCommerce fraud occurs when an individual conducts a business transaction on an eCommerce site using fraudulent means, such as fake credit cards. This leaves the store without payment for the sales made.

There are various eCommerce frauds, but in this article, we will focus on the following four.

1. Account takeover fraud

This online fraud occurs when a hacker gains access to a legitimate online account and uses the account to carry out malicious commercial activities. Account takeover (ATO) fraud can help attackers impersonate legitimate customers by gaining access to their accounts. As a result, the hacker gains access to monitor official activities and the chance to carry out financial attacks.

The image below shows the stages of the ATO fraud attack.


The steps above show how an impersonator can attack an eCommerce site by shopping online from a hacked account. This is a form of identity theft where the hacker is shopping with the personal details of a genuine user.

Data exfiltration can also result from ATO attacks. In this case, the scammer gains access to sensitive organizational information and uses this information to direct company purchases to another billing address.

There are ways to avoid ATO fraud. First, set password requirements and apply app updates to reduce the chances of ATO attack success. Next, use two-step verifications where possible, such as confirming logins with one-time passwords (OTP). Using different passwords for different accounts and using password management tools are also highly recommended.

Finally, eCommerce brands should also ensure potential employees have a working knowledge of this fraud to easily identify and avoid it. The best way to do this is to have a strategic recruitment plan that helps hire the right talent. Couple this with continuous training to ensure your team is continually updated with the latest threats.

2. Clean fraud

Clean frauds are fraudulent transactions that appear legitimate and are very difficult to detect. It is especially challenging for retailers because it uses legitimate cardholder details. For example, imagine a regular customer makes a purchase, and you deliver the items. Weeks later, they dispute the transaction as an unauthorized charge.

These fraudsters analyze your brand's fraud detection system and find a variety of methods to navigate around them. For instance, they can upload spyware and malware that steal customers’ card security details when they’re carrying out transactions from a compromised platform. The image below shows the stages of a clean fraud.


First, these online criminals acquire cardholder information which they use to make online purchases. This results in the loss of merchandise and cash through the chargeback for the merchant.

eCommerce websites should be wary of this kind of online payment fraud, especially on special sale days, like Black Friday and Cyber Monday. There are greater chances of eCommerce fraud occurring on these occasions due to the sheer volume of transactions that make it more challenging to authenticate transactions on a one-on-one basis.

There are several strategies you can implement to prevent clean fraud or at least reduce your risk of falling victim to it. You can make use of the address verification service (AVS) offered by banks and credit card processors, for example. AVS compares the address submitted by a card user to your site for a purchase with that cardholder’s billing address registered with the bank. If the two addresses don’t match, the transaction is declined or flagged.

You can also require customers to input the card verification value (CVV) or card security code (CSC) for their purchases to be completed. The CVV or CSC refers to the three-digit security code found on the back of Visa and MasterCard debit and credit cards. Iit’s four digits for American Express cards. 

For customers to be able to supply the CVV or CSC, they’d need to have the physical card they’re about to use for the transaction with them. This means a fraudster who just managed to steal a cardholder’s personal information won’t be able to input it and buy from you unless they managed to steal the physical card, too.

3. Friendly fraud

Friendly fraud can be credit card fraud resulting from clean fraud. In other words, the cardholder doesn’t recognize the transaction made with their debit or credit card and initiates a chargeback. For example, the regular buyer in the clean fraud example above could initiate a chargeback process when they discover what they think is a fraudulent transaction. 

It can also be first-party fraud. This happens when a family or house member of the cardholder uses the physical card or the card user's login details to make purchases. The actual cardholder might then report it as billing fraud. So when the cardholder initiates a chargeback, it’ll result in friendly fraud, and the eCommerce store loses the goods.

The image below shows some chargeback claims and what businesses can do to reduce these frauds.


Friendly fraud can appear in various forms, such as when a buyer claims not to have made a purchase or never received the goods. Asking for refunds for false claims can also be an avenue to carry out friendly fraud. 

How can you protect yourself from friendly fraud in eCommerce? First, you can use a B2B or B2C marketplace with blockchain technology to fraud-proof your transactions as an online store.

Online merchants should also communicate in plain language with their customers. This is because friendly fraud can also result from cardholders initiating a chargeback simply because they failed to recognize the transactions on their statement. 

Finally, make it mandatory for users to fill in details such as email address, delivery address, and the IP address of the user's transaction where possible. Besides that, here’s a process your eCommerce company can follow to resolve friendly fraud.


You stand a better chance as an online store if you can provide compelling evidence of the transaction. So use the company's associated logos, and include all transaction details in the transaction report. You should also insist that buyers sign upon delivery to ensure concise documentation.

4. Triangulation fraud

Triangulation fraud, as the name implies, involves three parties: the fraudster, eCommerce sites, and the legitimate buyer.  The fraudster, fronting as the seller on third-party eCommerce sites, like eBay or Amazon, hijacks the buying process on an eCommerce site. So when legitimate buyers make purchases in their stores, they receive the money and then use stolen card details to purchase the product for the legitimate buyer. 

But once the original cardholder initiates a chargeback, both the online store and the cardholder lose money. However, the online store loses money twice. As you can see from the image below, the legitimate eCommerce store loses money for the goods sold and the money paid as a refund for the chargeback. 


To protect yourself from triangulation fraud, you can follow the complete guide to Shopware 6 to update your stores to the latest eCommerce ecosystem. With the latest eCommerce ecosystem, purchases go through various verified platforms such as DHL shipping, Google shopping extension, and secure payment channels. Because of this, it becomes more difficult for a fraudulent seller to breach your system.

In closing

eCommerce fraud exists in various forms. Retailers should be aware of the multiple forms in which it can occur in order to be well prepared to deal with it. Though the risks of these eCommerce frauds can’t be 100% eliminated from the ecosystem, you can reduce them with prudent security practices.

In addition, companies should verify third-party websites seeking to work with them. This is especially helpful against triangulation fraud. Finally, a clear and understandable policy will also help protect your store from clean and friendly fraud, especially when it results from a buyer's carelessness. 

Follow these security practices to keep your eCommerce business safe.


David Pagotto is the Founder and Managing Director of SIXGUN, a digital marketing agency based in Melbourne. He has been involved in digital marketing for over 10 years, helping organizations get more customers, more reach, and more impact.

Published December 5, 2022