eCommerce Fraud PreventionA Comprehensive Checklist of Tips & Best Practices to Stop Fraud Attacks

You don’t want to make it overly difficult for customers to sign up…but you also don’t want to let bots in. At the account creation stage, it’s best practice to require both an email address and a phone number, which you can verify by sending an email and a text message, respectively, with a one-time code.

It’s hard to verify whether your buyers are authorized to use the payment method they’re transacting with.

There’s no surefire way to guarantee the person you’re dealing with is who they claim to be. But, using an AVS — which checks to see whether the user-provided address at checkout matches the one on file with the cardholder’s issuing bank — can increase the chances that a customer is a legitimate cardholder.

You should always ask for card verification values (CVVs) or card verification codes (CVCs) prior to checkout. These three- or four-digit codes printed on the front or back of a payment card function a bit like a PIN. A correct entry means that the buyer is likely in physical possession (and thus likely an authorized user) of the payment method used at checkout.

Multi-factor authentication makes user accounts less susceptible to account takeover and adds an extra layer of security to the checkout process. After providing a username and password, buyers will have to enter a one-time code, which can be delivered via SMS or an authenticator app.

Repeat orders submitted in rapid succession should set off alarms. It could be a scammer trying to purchase as many things as possible using a stolen payment method before they’re locked out of the account for good. Velocity checks are tools that can either automatically block back-to-back transactions, or flag them for manual review.

Fraud scoring can be paired with other transaction monitoring tools to help your fraud analysts quantify risk and make better decisions.

Every time a fraud detection tool screens a purchase, the system assigns a risk score to the order. These scores, which account for multiple risk factors and can be manually calibrated to meet the needs of your business, let you conduct more systematic and data-informed risk assessments.

If you receive thousands of orders per month, you shouldn’t try to manually review all of them. But, you can examine a subset of high-risk purchases; for example, orders that contain certain restricted or dangerous products, transactions above a certain dollar amount, or those flagged by fraud scoring should be manually reviewed for signs of fraud.

If you’re unsure whether an order is suspicious or not, reach out to the buyer for clarification, or err on the side of caution and decline the order.

Device fingerprinting technologies can help you identify users — and their devices — by collecting a variety of hardware, software, and behavioral data about each device that interacts with your business.

If a device is involved in fraudulent activity, you can isolate and blacklist it, so that the user behind it can no longer buy from you. Device fingerprinting is considered superior to browser- and cookie-based tracking techniques, as it’s harder for scammers to circumvent via VPNs or spoofing.

Legitimate buyers typically place orders while located close to their billing and shipping address. Geolocation tools that track a device’s GPS or IP address data can help you pinpoint a buyer’s location, identify an IP address’ reputation, and highlight checkout discrepancies.

There are exceptions, of course; customers can place orders while traveling abroad, or ship a product to friends or family members living in a different state. Still, a mismatch between a buyer’s billing address and their location during checkout can be a sign of fraud.

CAPTCHAs are text-, audio-, or image-based challenges that can help you distinguish humans from bot users. By blocking orders that fail CAPTCHA tests, you can protect your business from scripted, bot-enabled scams like Distributed Denial-of-Service (DDoS) attacks and card testing fraud.

3-D Secure 2.0 is a protocol that adds an additional authentication layer to the checkout process by collecting a variety of transaction and biometric data points. This information is then shared with your payment gateway and the cardholder’s issuer, allowing both parties to make better-informed authorization and authentication decisions.

The result is a more secure and less frictionless checkout process for genuine buyers.

Sensitive information, like buyer details and credit card numbers, are most likely to be compromised when they are in transit.

Tokenization protects cardholder data by replacing it with an unique identifier called a token. This method can prevent personally identifying information (PII) from being compromised in data breaches when it is transferred between acquirers and issuers.

Staying in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) isn’t optional; it’s mandatory. These cybersecurity best practices help safeguard cardholder information from checkout through the end of the payment lifecycle.

Staying in compliance has obvious benefits for you, too. For instance, it can help you avoid fines and penalties, and avoid getting listed on an acquirer blacklist due to noncompliance.

A plain-language return policy that helps customers understand when and how long they have to request a refund or exchange can allow you to prevent confusion and reduce ambiguity.

A flexible, customer-friendly policy that errs on the side of issuing refunds can also help you prevent friendly fraud chargebacks and refund abuse resulting from misunderstandings or buyer’s remorse.

Policies aren’t effective if they aren’t put into action. In practice, this means team members in customer service, fulfillment, and finance roles at your company should receive rigorous and regular training about your billing, return, and fraud reporting policies.

Additionally, invest in ongoing fraud awareness training for your staff, and ensure that you and your organization are kept up-to-date about the latest fraud trends and scams.

Policies aren’t one-and-done administrative endeavors. Instead, they should be living documents that respond dynamically to emerging fraud risks.

Audit your policies and fraud prevention efforts regularly (ideally on a quarterly basis). That way, you can identify and correct past deficiencies, account for current trends, and anticipate new threats.

Send an automated order confirmation email or SMS to every customer immediately after a purchase is completed. This reassures legitimate buyers that their order was received successfully and provides a clear record of the transaction details, such as the total cost, items purchased, and the recipient’s shipping address.

Order confirmations also serve another purpose: they can help cardholders remember what they purchased, reducing confusion and the risk of friendly fraud chargebacks.

Provide customers with tracking numbers and links as soon as their orders ship. This allows buyers to monitor their package's progress and gives customers confidence that their orders will arrive.

Documented proof of delivery through a carrier's order tracking system can also serve as compelling evidence against false claims of non-delivery. This can help you challenge invalid chargebacks with greater ease, and make it more likely that issuers will reverse disputes in your favor.

Establish clear channels for customer support across multiple points of contact, including email, phone, and live chat. Commit to responding to inquiries quickly and empathetically.

Addressing concerns about orders, billing, or product issues professionally, patiently, and honestly gives you a chance to de-escalate and resolve customer grievances before they flare up into full-blown chargebacks.

Chargebacks don’t happen in a vacuum, so you should develop and implement a system that meticulously tracks every chargeback you receive.

Note details like the reason code, the products or services involved, the transaction value, and the customer’s personal and geographic information. Analyze this data to identify recurring patterns or trends; for example, are certain items frequently involved in disputes? Do chargebacks spike after specific holidays or promotions?

Understanding these patterns can reveal vulnerabilities in your processes or highlight specific fraud tactics targeting your business and enable you to adjust your prevention strategies accordingly.

When a customer files a chargeback, you’re given a limited window of time to respond. You’ll typically have as little as 5 or 10 —days to submit a well-organized rebuttal package that contains compelling evidence that demonstrates a transaction's legitimacy.

To be compelling, evidence must be tailored to the chargeback reason code and address the fact pattern involved in the dispute. You can increase your chances of winning a dispute by augmenting your representment package with a chargeback rebuttal letter, which should summarize the evidence presented and explain why the customer’s claim is false.

Chargeback alert services like Verifi CDRN and Ethoca Alerts can give you a heads up when a customer disputes a transaction with their bank. Typically, you’ll have 24 to 72 hours to preemptively refund a buyer before their dispute escalates into a formal chargeback.

While losing out on a sale is unideal, doing so means avoiding even costlier chargeback fees and can help you keep your chargeback ratio in check.

Preventing and responding to chargebacks manually is a hassle. Knowing what fraud detection tools to use, how to interpret reason codes, and what sort of evidence to provide in representment is a time-consuming and resource-heavy process.

Chargeback911®’s dual-layered, end-to-end chargeback management solution handles the heavy lifting associated with eCommerce fraud prevention, allowing you to refocus on running your business and growing your top and bottom line. Curious to learn more? Reach out for a no-obligation ROI analysis today.