Less than 30 years ago nobody even knew what Google was. Nowadays people not only fearlessly spend billions of dollars there but also use it as a handy tool to find the best place to land on Mars. According to a Javelin Strategy & Research study, by 2020 online payment volume is going to reach as much as $646 billion in total. Fertile ground for fraudsters, isn’t it?
Yes. That’s why eCommerce fraud is growing fast, too, especially among those selling digital goods. And despite the efforts of the industry and the increased number of fraud prevention tools, fraudsters have successfully adapted to net two million more victims this year and stole $16 billion, one billion more than the previous year. $16 BILLION! Just imagine.
Is part of that money yours? How much are you losing every year? Get your calculators out and let’s count. Online fraud costs merchants more than 7.5% of their annual revenue. If you have a growing business and your online annual revenue is around $700K, you might be losing $52.5K. Who can afford such expenses on a regular basis? Can you? If not, you should start hardening your eCommerce security right now (and keep working on it daily!). Don’t be afraid, you do have something up your sleeve.
Types of eCommerce Fraud
Black baggy hoodie, sagging pants, aggressive behavior and a huge gun tucked into the belt. Is that what a typical criminal should look like? Not necessarily, if we talk about cyber criminals. It can be just a sharp-witted guy sitting on the other side of your laptop screen and making up tricky schemes to steal your credit card data.
According to the study, the most common types of online fraud causing so much fuss among online retailers are identity theft (71%), phishing (66%) and account theft (63%).
There are 9 types of fraud eCommerce retailers should look out for:
- Credit card fraud — the easiest way to fool merchants. Scammers use stolen credit card details for shopping online. Later on, the original card owner may seek reimbursement of the expenses.
- Friendly fraud has nothing to do with your friends, unfortunately. It happens when a customer orders goods or services, pays for them and then, all of a sudden or most likely not, changes his mind. He claims that his credit card has been stolen and deliberately initiates a chargeback after receiving purchased goods.
- In order to commit identity theft, one of the most common types of eCommerce fraud, a user carries out an online purchase using a false name and a stolen credit card.
- Clean fraud sounds to me like dirty soap, as there’s nothing clean about it. This type of fraud usually involves a thorough analysis of the fraud detection systems, card testing before stealing big, and a great deal of knowledge about the rightful owner. And clean fraud is not the easiest to detect.
- Another widely distributed type of eCommerce fraud is affiliate fraud, designed to glean more money from an affiliate program. It’s often connected with manipulating traffic or signup statistics.
- Triangulation fraud is carried out, as the name suggests, in three steps. First, criminals create a fake storefront to collect credit card data and personal info. Second, this data is used for ordering real products and shipping them to the original card owners. Finally, the same info is used for additional purchases.
- Card not present (CNP) fraud covers all fraudulent transactions carried out online or over the phone, when a merchant cannot personally examine the stolen credit card for signs of possible fraud (e.g. a missing hologram).
- Refund fraud is connected with an overpayment, which is usually made on purpose. Claiming that the credit card used for the overpayment has been closed, the customer asks for the excess to be refunded via an alternative payment method.
- Phishing. Scammers are becoming more and more resourceful in finding ways to cheat a wider range of people. They send a bunch of emails or texts to get you to share your sensitive information. And a single data breach can lead to millions of dollars in consumer fraud costs.
Solution: Does It Exist?
In many cases, external fraud management systems can be a perfect solution. But when the fraudsters are especially smart and inventive, it’s only another human being who can single out a cyber criminal. That’s why every merchant should know at least the very basics of eCommerce fraud to be ahead of the game.
Here is the complete list of website fraud protection tips and recommendations that should save your eCommerce website from malicious activity and nip ubiquitous hackers’ attempts in the bud. As you all know, prevention is always better than cure.
Ways to Fight Against eCommerce Fraud
1. Monitor Your Online Transactions for Unusual Activity
Let’s put it straight. Nobody knows your customers as well as you do, and nobody has invested as much time and money (as well as blood, sweat, and tears) in your business, so you are absolutely the best person to tell fraudulent transactions from legitimate ones. Most likely you know your big spenders and their shopping habits.
For example, if one of your customers has changed his shipping address and is suddenly ready to pay extra to ship your products quicker than before, it probably means that someone has taken over his account and is trying to cheat you.
That’s why it’s important to monitor your transactions for red flags. If the same person places multiple orders using different credit cards, that’s also quite suspicious. Or if the phone number he specified doesn’t match the area code of his billing or shipping address, that’s no good either. If possible, configure system alerts for when suspicious activity occurs.
2. Make PCI Compliance a Priority
PCI DSS. This jaw-breaking abbreviation is unlikely to be new to you, even if you have no idea what it really means. But whether you know it or not, the Payment Card Industry Data Security Standard is not optional at all, especially for online retailers who handle card data. What is more, a lack of PCI compliance may result in a fine of $5,000 to $100,000.
What’s that all about? Launched back in 2006, this standard was designed to help eCommerce businesses protect themselves and their customers from fraudulent transactions.
The good news is that you do not always have to take care of it all yourself — eCommerce platforms, such as X-Cart, or payment gateway providers often guarantee compliance with PCI security mandates, significantly lowering the chances of a data breach and ensuring you won’t be hit with a fine for non-compliance.
3. Countercheck Your Site Security
Now that the most sensitive spot of your eCommerce website — the checkout — is fully secured from online fraud with PCI DSS, it’s high time to make sure that the level of your website fraud protection is also high.
There’s no use locking down your checkout without building a huge metal hedge around your whole website. It’s like building a house and leaving a back door open hoping that housebreakers will never enter it in the middle of the night. They will anyway if you don’t take your eCommerce security seriously. Thankfully, you’ve got a couple of effective methods to lock down your site:
- Install an SSL certificate to encrypt the data (e.g. passwords) passed from your customers’ browsers to your store and protect your store from “man in the middle” attacks. Google loves HTTPS sites, so sooner or later you’ll want to install this certificate anyway.
- Consider updating your passwords regularly.
- Think of hiring a security auditor who will check if there are any vulnerabilities in your eCommerce website.
- Try using monitoring software, such as OSSEC, a host-based intrusion detection system that alerts you to suspicious activity on your server in real time.
4. Use Tracking Numbers and Require a Signature Upon Delivery
Negotiators know never to take things at face value. And they are right. No matter how good a person appears to be, he can always cheat you. The same perfectly applies to your eCommerce site. Claiming that you never received a package and then asking for a refund is a no-brainer… but only if your eCommerce platform does not require tracking numbers. Ironically, this type of fraud is called “friendly” — without being friendly to you, your purse or your business at all. Tracking numbers and a signature upon delivery will save you from chargebacks.
5. Stay Away from Sensitive Customer Data
If you have no data to steal, then scammers have no reason to rob you. Does it make sense? It does, especially when the question is the safety of your customers’ credit card data and personal information. The best fraud prevention tool here is just getting rid of all that sensitive data.
But what about recurring payments? In this case, there’s no alternative but to deal with PCI compliance requirements and storage guidelines. Luckily, you can use X-Payments to safely and conveniently store your customers’ credit card information. This add-on, which works with X-Cart, Magento, ZenCart and other eCommerce shopping carts, can be a handy tool for processing new orders, reorders and recurring payments. It’s like your shark-proof cage in the deep ocean of eCommerce fraud — sharks are rushing around it, feasting their eyes on you but unable to catch their trophy.
6. Educate your Staff on eCommerce Security
Using automated fraud prevention tools is a good practice, but it’s not safe to rely on them fully. Your employees should also be aware of fraud risks and regularly receive anti-fraud training. Pay attention to the passwords they use daily and whether they’re falling into the “0987654321” or “QWERTY” traps. Teach them to uncover potential red flags and implement the right fraud detection techniques. One soldier doesn’t win the battle against fraud. Consider educating those you work with.
7. Learn from Experience
Experience is the biggest golden brick in the world, that’s true. When you have fallen into a ditch hundreds of times and are bruised all over, you’ll build a bridge or a safety net so you don’t get hurt again next time.
What I mean here is that creating and maintaining a file of past fraudulent transactions and attempts is always a good idea. Fraud protection is possible when you take necessary precautions and keep a record of what’s going on in your business.
Should your system ever be hacked or compromised, record the unfortunate event in your black anti-hacker notebook. You’ll be able to compare that file with future transactions and thus improve your website security. You may notice that fraudulent transactions come from certain countries, involve unusually large orders, or ship to addresses that don’t match the billing address.
Having a grudge-holding personality is not that bad, is it?
8. Create Super-Strong Passwords and Force Your Customers to Do the Same
“12.03.1985”, “password”, “nickiloveyou”… people are lazy password-creators and hackers know that. And despite several large-scale data breaches, not much has changed in 2017. It looks like people just can’t learn the lesson and still take website fraud protection for granted. If your password is that easy to guess, why not make it just “HackMe”?
The following steps may be the best strategy to reduce online fraud risk and save your online shops from almost all types of fraud:
- Create passwords that are at least 10 characters long;
- Use combinations of different characters, numbers, and letters (for example, “F1gur471v3ly 5p34k1ng” — did you guess what is written here?);
- Do not share your passwords among employees.
You don’t have to write all your passwords down or keep changing them once a month — password managers such as Dashlane, KeePassX or RoboForm will save all the time you spend filling out forms and logging into websites.
9. Set Limits on Purchases
Just imagine. A Jon Johnson, who has never ever bought anything in your online shop, has just placed a humongous order. Doesn’t it look suspicious? It does, as this formidable purchase can be nothing more than fraud that eventually leads to massive chargebacks.
Setting limits on the number of purchases or the total sum you accept from one person in a single day can be a good solution. If some evil-minded person comes to your eCommerce site and tries to buy 365,200 socks for his little child, you’ll be notified immediately. This way, you’ll get a chance to look at the transaction, and the criminal might even be scared away.
10. Use AVS to Check Billing Addresses of Your Customers
Address Verification System (AVS) is another proven tool that helps prevent fraudulent credit card purchases. It verifies whether the billing address a person enters matches the address on file for the credit card. For example, if an Indonesian cyber gangster tries to use the credit card of a guy living in Canada, the system will immediately trigger a warning for you.
The AVS option is usually included in most payment processing solutions, like PayPal, Skrill, or Stripe (all of them are available in the X-Cart Marketplace). Ask yours whether it supports this feature, and enable it if it does. Even if it costs extra, don’t be penny-wise and pound-foolish.
11. Use Credit Card Security Codes
Have a look at the back of your credit card. There you will find a three (in some cases, four) digit code that gives you an extra level of security. Mastercard calls this code CVC2, Visa — CVV2, American Express refers to it as CID and Discover calls its code CID2. But despite the different names, all these codes serve the same function — preventing online fraud and identity theft.
PCI rules prevent online retailers from storing these CVV/CVC/CID codes. That’s probably why it’s extremely hard to steal them without stealing the physical credit card. And that’s why they are so effective in preventing eCommerce fraud.
12. Always Have a Back-Up Plan
Though payment fraud and phishing usually cause no problems with your website itself, only with your money and personal information, you should be prepared for a disaster. And even if you think your eCommerce site is bulletproof, chances are it can be hacked.
In this case, you may need to restore your eCommerce site to working condition from backup files. X-Cart 5 has a useful tool for that — Backup Master — which creates a copy of your MySQL database and website files and compresses them into a single ZIP file. So if anything terrible happens, you can be sure this add-on will back you up.
Also, talk to your hosting provider — all the good guys do regular backups of their clients’ stores. By the way, X-Cart hosting is one of the good guys ;)
13. Try an Automated Anti-fraud Solution
Your eCommerce platform and hosting provider may also have some fraud detection techniques in store for you.
In addition to 100% PCI-DSS compliance, X-Cart offers a pack of other useful security features for your store such as:
- HTTPS/SSL support for secured connections and safe checkout, and cryptographically strong SHA-2 hashing for sensitive data;
- XSS and CSRF attack protection, and protection against SQL injection, meaning that every database query is checked and all variables are validated;
- Failed login attempts notifications;
- Database backup and restore feature;
- Two-factor authentication that adds an extra layer of security to your store.
14. Keep Platforms and Software Up to Date
There’s nothing that cannot be improved, and that’s especially true for software and applications. As time passes, we implement new features, reveal and patch vulnerabilities, and make the interface more friendly for users. Thus, bit by bit, our software is getting closer to perfection.
Say, X-Cart 5 is famous for its easy upgrades. That’s why 62% of our users keep their software fresh and regularly install major updates between branches. Minor ones, within the branch, with bug fixes and the latest security patches, are installed by 80% of users. What is more, if you host your eCommerce site on secure VPS hosting from X-Cart, you are as safe as the Bank of England, as you enjoy automatic security patches and effortlessly weed out viruses.
Think about it and make sure you are running the latest version of your eCommerce platform, fresh and shining, immune to hacking attacks and other types of internet nasties. And we will help you if needed.
15. When in Doubt, Eighty-six It
When a red flag goes up, it’s always worth giving an order a closer look. But think twice before blocking a suspicious user. It can be your future heavy buyer, or a friend of your friend, who looks just a little bit shady.
For example, eBay has rather strict fraud management rules. So strict that they regularly brush away even legitimate transactions and get negative feedback from innocent customers. That’s good for combating eCommerce fraud, but can be disastrous for customer relations.
Try to find an excuse to speak with the cardholder — you can request the details of the order or ask him a couple of questions. Shoppers using stolen credit cards rarely provide a real phone number, so you will hardly get through to them.
16. Double Check if IP Address and Credit Card Address Match
Yes, sometimes shoppers make purchases while traveling. But usually, these are small items. No right-minded person travels miles away from his country to order a new refrigerator for his family. So double-check the IP address, shipping and billing addresses. Ideally, they should all belong to the same location.
Let’s see. You’ve got an order from Canada. The billing city is Toronto and the shipping city is New York. Someone living in Canada is going to send a gift to his friend in New York. Everything looks fine except the IP address — 126.96.36.199. Let’s google it. The IP address belongs to Jupiter Telecommunications Co., Ltd. (Tokyo, Japan). Doesn’t that seem strange to you?
An IP address from an anonymous web proxy service is yet another reason to worry. Keep a close eye on things like that.
17. Brush Away Non-Physical Shipping Addresses
Though wearing a mask and a black hood won’t save cyber criminals from being noticed, these guys do their best to remain invisible online and offline. Some of them use PO boxes and drop shipping locations so that the package arrives anywhere but a real physical address. That’s a well-thought-out plan for a scammer. And that’s a sure-fire sign of online fraud for a merchant. You might just save yourself a lot of headache if you deliver your products only to physical addresses. If you combine this delivery with a required signature, that would be way safer. No friendly fraud. No fraud risks.
18. Take Another Look at Quickly Shipped Items
“I want it all, and I want it now” — that’s what the guys from the famous British rock band Queen broadcast to the world back in 1989. You won’t believe it but the same thoughts pop into fraudsters’ heads as well. They do not shy away from the opportunity to overpay for expedited shipping — the sooner they get your products, the faster they will let you know that the item they ordered was “lost in transit”.
Keep in mind that orders with expedited shipping (especially if the shipping and billing addresses do not match!) are red flags of eCommerce fraud. A simple check could be all you need to protect your eCommerce store from another fraudulent transaction.
19. Handle Orders from Suspicious Email Addresses
Do you think it’s OK to accept an order from firstname.lastname@example.org kind of email? Not for me. The guy hiding behind this mailbox must have a very fertile mind to make up such a sophisticated name for his mailbox. Or it may be just a random sequence of letters, which is more probable.
Anyway, this order should strike you as suspicious. The email looks like a temporary one, so if you come across things like that, double-check the shopper’s identity, or block him right away, as he is 99.99% a thief, ready to fool you.
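The red flags from tips 1, 9, 16, 17, 18 and 19 can be turned into a simple rule-based order screen that holds a risky order for a human look instead of silently blocking the buyer. This is an added example, not X-Cart code; the order fields, point weights, daily limit, area-code table and the random-email heuristic are all assumptions to be tuned to your own store.

```python
import re
from dataclasses import dataclass

DAILY_LIMIT = 2000.0      # assumed per-customer daily cap (tip 9)
REVIEW_THRESHOLD = 5      # assumed score at which an order is held for a human look
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s*office\s*box)\b", re.I)   # tip 17
# assumed lookup of the telephone area codes that belong to each billing city (tip 1)
AREA_CODES = {"Toronto": {"416", "647", "437"}, "New York": {"212", "718", "917"}}


@dataclass
class Order:
    customer_id: str
    email: str
    card_last4: str
    phone: str            # e.g. "416-555-0100"
    billing_address: str
    billing_city: str
    billing_country: str
    shipping_address: str
    shipping_country: str
    ip_country: str       # from IP geolocation, as in the post's Tokyo example
    expedited: bool
    total: float


def looks_random(email: str) -> bool:
    """Tip 19 heuristic (assumed): a local part of 8+ characters with no vowels."""
    local = email.split("@", 1)[0]
    return len(local) >= 8 and not re.search(r"[aeiou]", local, re.I)


def score_order(order: Order, same_day: list) -> tuple:
    """Return (score, reasons); same_day holds this customer's earlier orders today."""
    cards = {o.card_last4 for o in same_day} | {order.card_last4}
    area = order.phone.split("-")[0]
    spent = sum(o.total for o in same_day) + order.total
    rules = [  # (hit, points, reason); the weights are assumptions, tune them to your store
        (len(cards) >= 3, 3, f"{len(cards)} different cards in one day"),               # tip 1
        (area not in AREA_CODES.get(order.billing_city, {area}), 2,
         "phone area code does not match billing city"),                                 # tip 1
        (spent > DAILY_LIMIT, 3, f"daily total {spent:.2f} exceeds {DAILY_LIMIT:.2f}"),  # tip 9
        (order.ip_country not in (order.billing_country, order.shipping_country), 3,
         f"IP geolocates to {order.ip_country}, not to billing or shipping country"),    # tip 16
        (bool(PO_BOX.search(order.shipping_address)), 2, "non-physical shipping address"),  # tip 17
        (order.expedited and order.billing_address != order.shipping_address, 2,
         "expedited shipping to an address other than billing"),                         # tip 18
        (looks_random(order.email), 2, "random-looking email address"),                 # tip 19
    ]
    score = sum(points for hit, points, _ in rules if hit)
    reasons = [reason for hit, _, reason in rules if hit]
    return score, reasons


def decision(order: Order, same_day=()) -> tuple:
    """'review' holds the order for a human look, 'accept' lets it through."""
    score, reasons = score_order(order, list(same_day))
    return ("review" if score >= REVIEW_THRESHOLD else "accept"), score, reasons


# Constructed sample: the post's Toronto-billing, New York-shipping, Tokyo-IP order.
SUSPECT_ORDER = Order("c-1001", "jon.johnson@example.com", "4242", "416-555-0100",
                      "1 Front St W", "Toronto", "CA", "350 5th Ave", "US", "JP",
                      True, 1500.0)
```

`decision(SUSPECT_ORDER)` returns `('review', 5, [...])` with the IP and expedited-shipping reasons; pass the customer's earlier orders of the day as `same_day` to exercise the card-count and daily-limit rules.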
Don’t let hackers steal your holy eCommerce grail. If their attempt succeeds, along with losing the money you will also say goodbye to your perfect reputation, lose loyal customers and thus sales. And to finish you off, Visa may pay a visit, after which you pay penalties. And it’s not fun at all, at least for a merchant, who feels furious, or upset, or both.
I hope these tips will help you fight these bad guys and take your website fraud protection to the next level.
Hold the fort!
P.S. (some funny stuff)
Can anyone tell the difference between ‘Completed’ and ‘Finished’? No dictionary has ever been able to define the difference between ‘Complete’ and ‘Finished.’ However, at a linguistics conference held in London, England, Thulaseedharan B, an Indian Briton, was the clever winner.
His response was: When you marry the right woman, you are ‘Complete.’ If you marry the wrong woman, you are ‘Finished.’ And, when the right woman catches you with the wrong woman, you are ‘Completely Finished.’
The same applies to fraud prevention. Make sure you’re complete before you discover you’re finished!