Curious to see how much extra profit Tontine can add to your bottom line? Try the new ROI Calculator >
Curious to see how much extra profit Tontine can add to your bottom line? Try the new ROI Calculator >


The ultimate playbook on how to combat fraud on Shopify: how to identify and realistically protect yourself against these 5 types of fraudulent activity

The key to protecting your online store from fraudulent credit card transactions, affiliate fraud and other types of e-commerce fraud isn’t just recognizing these activities when you see them—it’s taking preventative measures that will reduce your fraud risk in the first place.


The news for online merchants is good and bad.

The good news is that e-commerce sales are expected to grow to more than $6.5 trillion.

Ecommerce sales
This is the expected growth prior to the pandemic; now just imagine how many people aren't going back to malls even after the pandemic is over

The bad news? This growth in online sales will be matched by a growth in e-commerce fraud.

Online retailers currently deal with around 206,000 attacks on their stores each month. As the popularity of online shopping grows, so does the opportunity for cybercriminals and unscrupulous consumers to scam online businesses.

If you own or operate an online store, you must protect yourself against fraudsters who steal from you, wreck your online reputation, alienate your customers, damage your brand, and hurt your profits.

This comprehensive guide tells you everything you need to know about e-commerce fraud protection—what it is, how it works, and what you must do today to protect your online store from the growing threat of online fraud.

Let’s get started.

What is E-Commerce Fraud?

Before you can protect yourself against e-commerce fraud, you need to understand what it is.

So, let’s define our terms.

When we talk about e-commerce, of course, we’re talking about commercial transactions conducted electronically over the Internet, typically through an online store. These transactions are usually made from desktop computers, laptops, tablets, and phones. When we talk about fraud, we’re talking about criminal deception intended to result in financial or personal gain.

E-commerce fraud, then, is criminal deception conducted during a commercial transaction over the Internet with the goal of financial or personal gain of the fraudster while negatively affecting the bottom line of the merchant. E-commerce fraud is also called payment fraud.

Two things to remember about e-commerce fraud are that the target is an online merchant and the deception is intended to remain undiscovered.

Why Does E-Commerce Fraud Take Place?

Online payment fraud takes place for several reasons, some of them historical, some of them geographical and some of them legal.

1. Ease.

Before the Internet, fraudsters generally had to steal physical credit cards and make purchases with them. Breaking into homes and cars and robbing people on the street with the aim of obtaining credit cards was a risky business in itself. Occasionally, fraudsters were lucky enough to obtain credit card slips that a store had carelessly discarded and would use those card numbers to fraudulently order merchandise over the phone.

Today, fraudsters have it much easier. They simply visit a website on the dark web and buy as many stolen credit cards as they need. During the first half of 2019, there were at least 23 million stolen credit cards for sale on the dark web.

2. Anonymity.

Payment fraud is also popular because it is conducted unseen. The fraudsters don’t have to walk into a store, say a word to anyone, or risk getting captured on store cameras. All they need is a computer and an Internet connection. They can operate from any location, at any time of day, unseen.

Online fraudsters typically create fake email accounts and rent post office boxes using aliases that reveal no personally identifiable information about themselves.

3. Evasion.

E-commerce fraudsters know that police departments do not make e-commerce fraud a priority. For one thing, the amounts of money involved in each fraudulent transaction are typically small relative to other types of crimes. Plus, online fraud is increasingly conducted across international borders, making it hard for the police to locate and prosecute online criminals in other countries.

All 5 types of fraud, ranked

When you hear the term “e-commerce fraud,” you likely think of stolen credit cards being used by criminals to buy products from online stores. But credit card fraud is just one of the most common types of fraud. Here are the top five... including one particularly insidious one.

1. Credit card fraud.

Credit card fraud is the umbrella term for fraud that is committed using a credit card or debit card. In the context of e-commerce fraud, credit card fraud is also known as card-not-present fraud and payment fraud. In credit card fraud conducted online, the fraudster uses stolen credit card information to purchase products or services from a web merchant.

In a typical scenario, a criminal visits a site on the dark web that sells stolen credit cards. The criminal buys the card data and visits an online store, using that stolen card number to buy a product or service. This initial transaction defrauds the cardholder whose card was stolen. But eventually it defrauds the store owner, who must refund the purchase (and sometimes pay a chargeback fee to the bank that issued the card). Merchants can also become victims to card testing scams, where multiple credit cards are attempted to test which are still active and will allow for purchases. These types of purchases are usually small, low-risk orders, but can add up to a big hit on a merchant’s bottom line.

2. Affiliate fraud.

Affiliate fraud is illegal activity intended to generate affiliate commissions. In affiliate marketing, online merchants pay affiliates a commission for sales that affiliates refer. The merchants give affiliates a unique, trackable web link that points shoppers to the merchant’s store pages. When a shopper clicks on one of these links and makes a purchase, the merchant rewards the affiliate for the referral by giving the affiliate a commission (typically a percentage of the sale price).

In affiliate fraud, criminals game the system and defraud the online merchant using fake activity to either generate commissions or to increase the amount of the commissions.

A common form of affiliate fraud is “typosquatting,”in which a criminal registers domain names that match commonly mistyped versions of an online store’s legitimate URL. The fraudster then redirects that domain name to the merchant’s website—but with an affiliate link.

3. Chargeback fraud.

In the world of credit card transactions, a chargeback is a demand that a credit card provider makes to a retailer to refund a fraudulent or disputed transaction.

In the online commerce world, chargeback fraud occurs when an online shopper makes a purchase with their credit card, receives the purchased goods or services, but then requests a refund from the credit card company, who pushes that through the issuing bank (the bank that issued their credit card, also known as the card issuer). Commonly referred to as “friendly fraud,” this type of fraud results in the payment processor demanding that the retailer refund the purchase amount to the issuing bank. When a bank demands a chargeback, the online merchant is responsible for refunding the purchase.

In a typical scenario of chargeback fraud, a shopper makes a purchase from an online store. After receiving delivery of the goods or services, the criminal waits weeks or months, then contacts their bank and disputes the transaction, claiming it to be unauthorized or fraudulent. The fraudster hopes that the merchant lacks the time and resources to dispute the claim, or simply gives them the benefit of the doubt.

4. Interception fraud.

In interception fraud, fraudsters use stolen credit cards to make online purchases, ship the goods to the address that’s on file for the credit card at checkout, but then intercept the package before it is delivered. For example, a criminal will visit an online merchant such as Amazon and use a stolen name, address, and credit card to purchase an item. After the transaction is completed, the criminal calls customer service before the item has shipped and changes the delivery address to the criminal’s desired pickup location.

5. Lastly, the most insidious of it all... Triangulation fraud. Here's why.

Triangulation fraud uses three steps to defraud online merchants. In the first step, criminals create a fake online storefront, typically one that offers popular brand-name goods at bargain-basement prices. The only goal of the site is to steal names, addresses and credit card numbers from unsuspecting shoppers.

In the second step, the fraudsters use the stolen customer credentials and credit card numbers to visit a legitimate online store, buy exactly what the victim purchased from the fake store, and ship it to the customer.

The third step is the payoff for the fraudsters. They use the stolen customer data to make additional online purchases that they ship to themselves. This type of fraud typically remains undiscovered for a longer time than other types of online fraud because the original purchase (from the fake site) raises no suspicions on the part of the victim.

Using Common Sense to Identify Fraud

As an online merchant, you can spot e-commerce fraud in a number of ways. Just remember that the success of e-commerce fraud depends on the skill and ingenuity of the fraudsters. As merchants increase their defenses against online criminal activity, online crooks also up their game and devise cunning ways to defraud their targets. Here are the most common red flags to look for:

  • Inconsistent order data: The zip code and city entered don’t match. Or the IP address of the shopper and their email address don’t match.
  • Larger than average order: The order is far larger than your customer typically spends. Other red flags include multiple units of the same SKU in one order, and expedited shipping (the crook wants to receive the order before getting caught).
  • Unusual location: Your customer always purchases from an IP address in North America but suddenly makes a purchase from an IP address in an unusual location (Nigeria, for example).
  • Multiple shipping addresses: The buyer makes multiple purchases under one billing address but ships the products to multiple addresses.
  • Many transactions in a short timeframe: The fraudster makes multiple purchases back to back—and it’s not the holiday season.
  • Multiple orders from many credit cards: Someone makes multiple purchases using multiple credit cards (either in one day or over a longer period.
  • Multiple declined transactions in a row: The purchaser makes not just one or two attempts (honest shoppers make mistakes, after all), but four, five, six, seven, eight or more attempts without getting the card number, expiry date, and card security code correct.
  • Strings of orders from a new country: You’ve never received a single order from the Kingdom of Bhutan, and then you suddenly receive 11 orders from that country in the space of a week.

11 Realistic Steps You Can Take

The key to protecting your Shopify store from fraudulent credit card transactions, affiliate fraud and other types of e-commerce fraud isn’t just recognizing these activities when you see them—it’s taking preventative measures that will reduce your fraud risk in the first place.

You have several tools at your disposal for fraud detection and prevention: some technical, some non-technical, some based on software and some based on good-old-fashioned know-how. Here are the steps you can take today to implement e-commerce fraud prevention strategies for your online store.

1. Conduct regular site security audits.

Want to discover flaws in your security before criminals and fraudsters do? Conduct security audits—often. Ask yourself these questions:

  • Are our shopping-cart software and plugins up-to-date?
  • Is our SSL certificate current and working?
  • Is our store PCI-DSS compliant (Payment Card Industry Data Security Standard)?
  • Are we backing up our online store often enough?
  • Are we using strong passwords for admin accounts, hosting dashboards, CMS, database, and FTP access?
  • Are we scanning our website regularly for malware?
  • Are we encrypting communication between our store and our customers and suppliers?
  • Have we removed inactive plugins?

2. Make sure your store is PCI compliant. Shopify does this by default, but if you're not on Shopify...

If you operate an online store that accepts credit card payments, you must be PCI compliant. PCI stands for Payment Card Industry. PCI standards for compliance are developed and managed by the PCI Security Standards Council to ensure the security of credit card transactions in the payments industry. PCI compliance means your online store and your businesses processes meet these PCI standards. If you operate a SaaS-based e-commerce store, your platform will typically provide this compliance.

3. Monitor your site regularly for suspicious activity.

Bricks-and-mortar stores hire fraud prevention officers to catch shoplifters. You can protect your online store against fraudulent transactions by monitoring your store for suspicious activity. Monitor your accounts and transactions for red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers. Use tools that track customer IP addresses and alert you to any addresses from countries known as a base for fraudsters.

4. Use an Address Verification Service (AVS).

Credit card processors and issuing banks will usually offer an Address Verification Service to detect suspicious credit card transactions in real-time and prevent credit card fraud. The Address Verification Service checks the billing address submitted by the card user (the customer) with the cardholder’s billing address that’s on file with the issuing bank. This check takes place as part of the merchant’s request to the payment processor for authorization of the credit card transaction. When addresses don’t match, the system either declines the transaction or flags it for investigation.

5. Require Card Verification Value (CVV) numbers for all purchases.

The three-digit security code on the back of VISA®, MasterCard® and Discover® credit and debit cards and the four-digit security code on the back of American Express® credit and debit cards is called the Card Verification Value (CVV) or Card Security Code (CSC). By requiring all purchasers to supply this code for every transaction, you ensure that customers have the physical credit card in their possession. This helps to keep you safe and reduces fraud.

6. Use Hypertext Transfer Protocol Secure (HTTPS).

HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a customer’s web browser (like google) and your online store.  HTTPS encrypts this data to protect sensitive information, such as customer names, addresses and credit card numbers. Using HTTPS prevents your online store from having its transactions broadcast in a way that’s easily viewed by hackers, cybercriminals, and fraudsters. You use HTTPS by buying an SSL certificate.

7. Avoid collecting too much sensitive customer data.

One way to protect your store in the event of a data breach or hack is to collect and store as little customer data as possible. Hackers can’t steal what you don’t have. So only collect the data you need to complete a transaction and ship the product. Avoid collecting Social Security numbers, birth dates and other unnecessary sensitive customer data.

8. Set limits on purchases.

Based on your order and revenue trends, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. This reduces your exposure to a minimum should fraud occur.

9. Try an anti-fraud solution.

When it comes to detecting and preventing online fraud, there are a variety of software solutions to suit your needs and your budget. Additionally, the tools you select may vary widely when it comes to how much work is involved in installation and ongoing management. Some may prefer a more hands-on solution, while others would rather leave it in expert hands.

  • Rudimentary anti-fraud tools perform a specific, single function. They are typically integrated into online shopping carts and platforms like Shopify. These tools use machine learning algorithms to identify fraudulent transactions through IP geolocation, validate email addresses, conduct device fingerprinting, and verify addresses.
  • Mid-level anti-fraud tools offer a wider variety of functions, including chargeback guarantees, auto declining of high-risk orders, protections against new account fraud and account takeover protection.

10. Double check that the IP address and credit card address match.

Every order placed on your online store comes from a unique, public IP address (a string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over the Internet). From the IP address, you can generally detect the city or region of the world where the purchaser is making the purchase. If this city or region does not match the address of the credit card being used, that’s a red flag.

11. Avoid non-physical shipping addresses.  

Fraudsters commonly avoid detection by protecting their physical address, preferring to use a PO box or other anonymous location. After all, the police can’t come knocking if there’s no door to knock on.  

If you are an online merchant, and if you want to prevent this type of fraud, never ship online orders to PO boxes and other virtual addresses, such as those of freight forwarders. You can spot addresses that belong to freight forwarders because they have a container number in the address, such as 726 Dock Road Suite 300 #KXQ-582899328.

Conclusion: Knowledge is Power

Yes, fraudsters are getting more sophisticated in how they attack online merchants. And the number of attacks on web stores is increasing as e-commerce grows in popularity. But e-commerce merchants are also getting more sophisticated in how they detect and deter online crooks.

Once you understand what e-commerce fraud is and why it is so prevalent, and once you learn how to detect online fraud, you are empowered to take the necessary steps to prevent fraud on your online store.

Make informed pricing decisions, not guesses

We’ll either increase your profit margins, or give you your money back. Requesting a consultation could be the most profitable thing you do this week, and you don’t need to spend a thing!

Secure Free Consultation
100% risk-free with Recoup Guarantee™
Honest & transparent pricing
No-fuss setup: get up and running in 48 hours