
7 Types of E-Commerce Fraud & How to Prevent Them


E-commerce fraud is an umbrella term for any type of online fraud that is attempted against an e-commerce business, store, or platform, which can come in many forms.

E-commerce and online transactions have gained popularity throughout the past two decades, with the global pandemic leading even reluctant online shoppers to finally adopt e-commerce transactions. In fact, it is projected that e-commerce sales worldwide will continue growing to reach $7.89 trillion by 2028.

Unfortunately, the rising popularity (and profitability) of e-commerce has enticed cybercriminals to take advantage of new adopters, online shoppers, and popular e-commerce platforms, leading to major increases in e-commerce fraud. 

There are many types of e-commerce fraud: account takeover (ATO), card testing, triangulation fraud, and more. Today, AI agents complicate this further by scraping prices or executing automated tasks that blur the line between helpful activity and fraud. Defending against these mixed signals is increasingly challenging for e-commerce businesses.

This guide will share all you need to know about stopping online fraud attacks, including:

Key takeaways

  • With e-commerce sales expected to make up 22.5% of total retail sales by 2028, the risk for e-commerce fraud continues to grow.
  • The 7 most common types of e-commerce fraud include: credit card fraud, card testing fraud, chargeback fraud, account takeover (ATO) fraud, refund fraud, triangulation fraud, and interception fraud.
  • Most modern fraud is driven by automation, such as bad bots that can test thousands of stolen credentials in minutes. The rise of agentic commerce further increases the risk of e-commerce fraud.
  • Effective protection requires a multi-layered approach, including HTTPS, CVV verification, and a specialized bot & agent trust management solution built to protect e-commerce sites.

 

What is e-commerce fraud?

E-commerce fraud is a subset of online fraud specifically targeting e-commerce platforms. 

For example, when a cybercriminal uses stolen credit card information (and a stolen identity) to make a purchase in your e-commerce store, it is e-commerce fraud. Unfortunately, in such cases, the e-commerce business typically ends up absorbing the cost of the fraud, which affects revenue.

A unique characteristic of online card fraud (involving stolen credit card information) is that the card does not need to be present for the transaction to go through. Instead, the fraudster will simply enter the stolen credit card information (name, billing address, card number, expiry date, and CVV number), and the e-commerce store treats it as a valid transaction. 

There are many other types of online fraud targeting e-commerce businesses. Account takeover (ATO) fraud, for example, occurs when a cybercriminal has taken hold of a legitimate customer’s login credentials on an e-commerce platform and uses the account to purchase goods. 

Online businesses must understand that e-commerce fraud is becoming even more sophisticated by the second. Cybercriminals continue getting smarter, leveraging more advanced methods over time.

Why is e-commerce fraud common?

Online fraud targeting e-commerce businesses is common for three main reasons: 

1. Cost effectiveness

E-commerce fraud is relatively cost-effective, considering the resources needed to launch an attack. 

To perform “offline” fraud, a fraudster might first need to steal someone’s wallet or break into a victim’s home to obtain their credit card physically. On the other hand, performing online fraud feels relatively easier and less risky to cybercriminals. In fact, criminals today can simply purchase stolen credit card information available on the dark web for cheap.

2. Evasion

Prosecution for e-commerce fraud is still quite rare. It can be challenging for relevant authorities to gather evidence, and cyberattacks can be launched from countries outside the victim’s jurisdiction.

Typically, the amount of money involved in online fraud attacks is relatively small compared to other types of crimes, so from the authorities’ point of view, the resources needed to pursue an online fraudster might not be justified. 

With that said, e-commerce companies can’t rely on governments and authorities to protect them from online fraud. Instead, businesses should be proactive in implementing appropriate defense mechanisms, especially fraud detection technologies.

3. Ease

Online fraud is also common because it is quite easy, compared to traditional fraud. The perpetrator doesn’t have to risk getting physically captured. Attackers can commit online fraud from home with fairly minimal resources—basically, a computer (or even a smartphone) and an internet connection. Due to the easy accessibility, many “beginner” criminals tend to attempt e-commerce fraud as their first crime. 

On the bright side, implementing an e-commerce fraud prevention solution can be just as easy as it is necessary for any e-commerce business.

7 types of e-commerce fraud

While numerous different types of online fraud can be launched against e-commerce platforms, here are the top threats:

1. Classic online credit card fraud

Online credit card fraud is the most common type of e-commerce fraud, and is typically performed by beginner fraudsters. 

In this type of attack, the fraudster obtains stolen credit card information in one way or another (e.g. purchasing stolen credit card credentials from the dark web or gaining access to someone’s credit card and noting the credentials), and then uses the acquired credit card credentials to purchase a product from an e-commerce store.

The fraudster may use various tricks to ensure they can retrieve the goods (e.g. sending the goods to reshippers), and may also use various techniques (e.g. residential proxies) to mask their identity.

2. Card testing fraud

A little bit more advanced than straightforward credit card fraud, card testing has become popular in recent years. Card testing is when a fraudster has gained access to some, but not all, stolen credit card credentials. It could be just one card, or it could be hundreds, if not thousands, of cards.

Attackers who attempt card testing fraud typically don’t know two things:

  1. Whether the card is still valid (not blocked yet) and can still be used to complete a transaction.
  2. The limit of the credit card, or the maximum amount of money they can use on the card to purchase goods.

To find out, the fraudster will then test the card by making small purchases on e-commerce sites. Once a transaction has been approved, the fraudster will then move on to making bigger purchases and will try to get as much value as possible from each card.

Scentbird, a leading perfume subscription service, was struggling to manage carding fraud before implementing DataDome:

“In e-commerce, the number of fraudulent orders and cyberattacks have gone up like crazy … The other day, I saw that there are now ‘bots as a service’ offers that allow people to rent a botnet for various kinds of attacks. With the swipe of a card, they have a pretty large botnet, and that’s scary,” said Andrei Rebrov, CTO and co-founder.

Since adding DataDome to their tech stack, Scentbird has dramatically decreased the number of scraping, fake account creation, and fraud attacks they see on a daily basis.

3. Chargeback fraud

Chargeback fraud happens when a fraudster purchases goods from an e-commerce store and then requests a chargeback after the item has been received. In such cases, the acquirer bank or credit card network will refund the transaction to the “customer” (the fraudster), but the retailer must still pay the same amount to the credit card network or bank. 

In chargeback fraud, the attacker makes disputes that appear to be honest claims. For example, they may argue that the item never arrived or tell the payment processor that they returned the item to the merchant (but never did). 

Due to the nature of the claims, chargeback fraud is also often called “friendly fraud”. Because chargeback fraud may be attempted by legitimate credit card owners, detection can be challenging.

4. Account takeover (ATO) fraud

Account takeover, or ATO fraud, occurs when a cybercriminal gains access to a legitimate user account on an e-commerce store and uses the account to make a purchase. 

Fraudsters can use various techniques to obtain accounts: 

  • Brute force attacks
  • Credential stuffing
  • Purchasing credentials on the dark web
  • Phishing schemes against legitimate customers 

ATO fraud can cause serious damage for both the e-commerce store (retailer) and the customers. For customers, ATO may result in more serious identity theft attacks, and the customer might blame the e-commerce store. Successful ATO attacks result in long-term and even permanent damage to a brand’s reputation.

For example, before using DataDome, a leading office supplies enterprise was facing account takeovers through compromised credentials, totalling over $500K in ATO fraud with an estimated $173K in lost product costs. Not only did this represent a tremendous financial loss, but it also required a large investment of the customer service team’s time.

After implementing DataDome, the retailer saw a drastic reduction in payment fraud, account takeovers, and scraping, resulting in lower costs and fewer chargebacks for the customer service team to handle.

5. Refund fraud

Refund fraud is often used when the fraudster cannot get goods delivered to their address and can’t withdraw cash from a stolen credit card. 

In refund fraud, the fraudster uses stolen credit card credentials to make an online purchase and then contacts the e-commerce store to request a reimbursement. 

A common refund fraud tactic is for the fraudster to deliberately make an excess payment, then request a refund for the excess amount while requesting that the money be sent via an alternative method (e.g. by claiming the credit card was closed). This way, the fraudster can receive the “excess” amount without having the original credit card charge refunded, which could result in a chargeback when the original owner of the credit card makes their dispute.

6. Triangulation fraud

In triangulation fraud, a fraudster will require another shopper to launch the attack. The attack involves three parties: the fraudster, a shopper, and the e-commerce store. 

To perform triangulation fraud, the fraudster first sets up an e-commerce store (e.g. via Shopify) or a storefront on an e-commerce marketplace (like Amazon or eBay). A common tactic is to sell high-demand products at a very affordable price to attract customers quickly. 

However, when a legitimate customer makes a purchase from the store and enters their credit card information, the fraudster will intercept the information and use it to purchase the requested goods from a legitimate e-commerce store.

The customers who receive the goods may think that they have gotten a bargain, but actually, they are paying the normal price, and their credit card information is now stolen.

7. Interception fraud

Interception fraud happens when fraudsters place orders from an e-commerce store using the valid billing and shipping address linked to the card, so the transaction can go through. However, the fraudster then attempts to intercept the goods for themselves. 

Attackers use various techniques for interception fraud, but here are some of the most common ones: 

  • Making seemingly legitimate claims to an e-commerce store’s customer service, so they change the address before shipment.
  • Waiting for the delivery to arrive and attempting to physically intercept the package (e.g. when the fraudster lives close enough to the real credit card owner).
  • Contacting the shipper directly to reroute the package to another address.

E-commerce fraud red flags to look for

You can’t prevent e-commerce fraud if you don’t know it’s coming. The success of e-commerce fraud depends on how well the fraudster can fool your system. 

On the other hand, how effectively you can defend against cybercriminals depends on how quickly you can identify fraud attempts. In short, you have to know the “tells”—the red flags to look for—and here are some of the most common: 

  • Multiple orders from multiple credit cards: When an account (or different accounts with similar signatures, like the same IP address) makes multiple purchases with multiple credit cards, it’s a clear red flag for fraud, especially card testing fraud.
  • Data inconsistencies: Look for any inconsistencies, however small, like when the city and the zip code entered don’t match. Another example is when a shopper with a Singaporean IP address makes a purchase with a credit card that has a US billing address.
  • Unusual purchasing behaviors: If the credit card owner isn’t a first-time shopper, then you can check their purchase history and look for suspicious activities, for example, when the account suddenly makes an order far larger than what the customer typically spends. It may also be worthwhile to invest time in gift card fraud prevention.
  • Unusual location: Again, if the customer has purchased from your business before, check for unusual activities from different locations than usual. For example, if the customer always purchases from an IP address in Japan, then a new purchase from an IP address in Angola would be unusual. The account owner may simply be on vacation, but better safe than sorry. 
  • Multiple orders from unusual locations: For example, when you’ve never received any orders from Indonesia, but suddenly you receive 10+ orders from Indonesia. 
  • Multiple shipping addresses: Another red flag is when a buyer makes multiple purchases under one credit card (one billing address), but ships the products to multiple different addresses. In general, when a shopper requests to ship the goods to an address other than the card’s billing address, you should be reasonably suspicious. 
  • Declined transactions: Yes, even legitimate shoppers may forget their PIN or use up a card’s limit without realizing it. However, if an account makes more than five attempts without getting the credit card credentials right (number, expiry date, name, CVV), then you should be suspicious.
  • Fast, back-to-back transactions: While multiple purchases back to back from a single customer may be possible, it could also be a fraudster card testing on your site.
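Several of these red flags can be checked mechanically against order history. The following is an added example, not DataDome's code: the `Order` fields, the flag names, and every threshold except the "more than five" declined attempts are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds: only MAX_DECLINES ("more than five attempts") comes from the
# article; the rest are assumed values to tune against your own traffic.
MAX_DECLINES = 5
MAX_CARDS_PER_IP = 3
MAX_SHIP_ADDRS_PER_CARD = 2
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=2)

@dataclass(frozen=True)
class Order:
    ts: datetime
    account: str
    ip: str
    ip_country: str
    card: str             # tokenised card fingerprint, never the card number
    billing_country: str
    ship_to: str
    approved: bool

def red_flags(orders):
    """Return a set of (flag, entity) pairs raised by the order history."""
    cards_by_ip, ships_by_card = defaultdict(set), defaultdict(set)
    declines, times = defaultdict(int), defaultdict(list)
    flags = set()
    for o in orders:
        cards_by_ip[o.ip].add(o.card)
        ships_by_card[o.card].add(o.ship_to)
        times[o.account].append(o.ts)
        if not o.approved:
            declines[o.account] += 1
        if o.ip_country != o.billing_country:      # data inconsistency
            flags.add(("geo_mismatch", o.account))
    flags |= {("multi_card", ip) for ip, c in cards_by_ip.items()
              if len(c) > MAX_CARDS_PER_IP}
    flags |= {("multi_ship", card) for card, s in ships_by_card.items()
              if len(s) > MAX_SHIP_ADDRS_PER_CARD}
    flags |= {("declines", a) for a, n in declines.items() if n > MAX_DECLINES}
    for account, ts in times.items():              # back-to-back transactions
        ts.sort()
        if any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
               for i in range(len(ts) - BURST_COUNT + 1)):
            flags.add(("burst", account))
    return flags

def sample_orders():
    """Constructed sample data (documentation IP ranges, made-up accounts)."""
    t0 = datetime(2025, 1, 6, 9, 0, 0)
    # Card-testing pattern: 7 cards in 60 seconds from one IP, 6 declined.
    tester = [Order(t0 + timedelta(seconds=10 * i), "acct-17", "203.0.113.7", "SG",
                    f"card-{i}", "US", "1 Main St", approved=(i == 6)) for i in range(7)]
    # Returning customer: same card, same address, a day apart.
    regular = [Order(t0 + timedelta(days=d), "acct-02", "198.51.100.4", "JP",
                     "card-100", "JP", "2 Sakura Rd", True) for d in range(2)]
    # One card shipping to three different addresses, hours apart.
    reshipper = [Order(t0 + timedelta(hours=3 * i), "acct-31", "192.0.2.9", "US",
                       "card-900", "US", f"{i} Elm St", True) for i in range(3)]
    return tester + regular + reshipper

if __name__ == "__main__":
    for flag, entity in sorted(red_flags(sample_orders())):
        print(f"{flag:12} {entity}")
```

Each flag is a reason to review or step up verification rather than proof of fraud; as the list notes, a traveller or a gift buyer can trip a single rule.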

How to protect your business from e-commerce fraud

One of the keys to protecting your e-commerce business from online fraud is to recognize the attack as soon as possible. However, there are cases where it’s already too late once you’ve identified the attack. That’s why it’s better to implement preventative measures to reduce or even eliminate any possibility of fraud. 

Here are a few actionable tips for preventing e-commerce fraud in your online store:

1. Audit your e-commerce platform’s security regularly

Online fraud technically happens when fraudsters and cybercriminals find flaws in your system that you aren’t aware of. If you identify your vulnerabilities before attackers, you are already one step ahead. 

While an e-commerce security audit can be a pretty deep subject, here are some important elements you should assess regularly:

  • Make sure everything is up to date, ideally as soon as updates are available, especially if it’s a security fix.  
  • Check your website’s SSL/TLS certificate (HTTPS). If you haven’t implemented HTTPS, you should do so right away, and regularly check that your certificate is still valid and working.
  • Check whether all data transmissions and communications between your business and your customers feature end-to-end encryption.
  • Check whether your e-commerce store stays PCI-DSS compliant.
  • Make sure your data is backed up regularly.
  • Scan your e-commerce website regularly for malware with appropriate antivirus/anti-malware solutions.
  • Monitor activities of malicious bots and block them right away to prevent account takeover attempts and other bot-related threats.

2. Implement an adequate fraud detection solution

To really protect your e-commerce platform from online fraud, you should implement a robust fraud detection solution that can automatically identify red flags and block suspicious users’ activity, effectively preventing the fraud from happening. Implementing advanced e-commerce fraud detection systems helps businesses proactively monitor transactions and detect anomalies before fraud occurs.

As a comprehensive bot & agent trust management platform, DataDome acts as a traffic control plane for your business. It rapidly analyzes intent—whether the visitor is a human, a good bot, or an AI agent—to stop fraud in under 2 milliseconds. DataDome automatically blocks malicious intent before attacks unfold, effectively preventing fraud without negatively impacting legitimate customers or helpful AI agents.

3. Require CVV numbers for all credit card transactions

It’s standard practice nowadays for online transactions to require the CVV (Card Verification Value) number. 

The CVV is the three- or four-digit security code on the back of the credit card, which acts like a second authentication factor for online purchases. By requiring online shoppers to supply the CVV number, you gain extra assurance that the shopper actually has the physical credit card in their possession, which can effectively reduce the risk of e-commerce fraud.

4. Make sure to use HTTPS

Make sure your e-commerce website uses HTTPS instead of standard HTTP. Using HTTPS means that the data transmission from an online shopper’s web browser to your website will be encrypted, so sensitive information like customer names and credit card numbers stays secure. 

Also, if you are still using HTTP, Google Chrome may mark your site as not secure for its users, which may reduce traffic to your e-commerce store.

5. Set limits on total purchases

Assess your store’s average revenue, and set a limit for the number of purchases (both in items and dollar value) an account can make in a single day. This way, should a fraudster succeed despite all your preventive measures, you can mitigate the impact and avoid significant financial damage to your business. 

6. Reject invalid shipping addresses

Online fraudsters may attempt to avoid detection by using PO boxes, virtual addresses, or other anonymous locations so their actual address isn’t recorded. It’s best to never ship any orders to virtual addresses and PO boxes. 
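Tips 5 and 6 can be enforced together at checkout, before payment is authorised. This is an added example, not DataDome's code: the `OrderGate` class, both limit values, and the PO box pattern are assumptions, and virtual or reshipping addresses need an address-verification service that a pattern match cannot replace.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Assumed limits; derive real ones from your store's average order volume.
MAX_ITEMS_PER_DAY = 10
MAX_SPEND_PER_DAY = Decimal("1500.00")

# Matches "PO Box 12", "P.O. Box 12", "P O Box 12", "Post Office Box 12".
PO_BOX = re.compile(r"\b(?:p\.?\s*o\.?|post\s+office)\s*box\b", re.IGNORECASE)

class OrderGate:
    """Tracks per-account, per-day usage in both item count and dollar value."""

    def __init__(self):
        self._usage = defaultdict(lambda: (0, Decimal("0")))

    def check(self, account, day, items, total, ship_to):
        if PO_BOX.search(ship_to):
            return "reject: PO box shipping address"
        used_items, used_spend = self._usage[(account, day)]
        if used_items + items > MAX_ITEMS_PER_DAY:
            return "reject: daily item limit"
        if used_spend + total > MAX_SPEND_PER_DAY:
            return "reject: daily spend limit"
        # Only accepted orders consume quota, so a rejected attempt cannot
        # lock a legitimate customer out for the rest of the day.
        self._usage[(account, day)] = (used_items + items, used_spend + total)
        return "accept"

def demo():
    """Constructed orders for one account on one day, plus a PO box attempt."""
    gate, day = OrderGate(), date(2025, 1, 6)
    return [
        gate.check("acct-02", day, 4, Decimal("600"), "2 Sakura Rd"),
        gate.check("acct-02", day, 4, Decimal("600"), "2 Sakura Rd"),
        gate.check("acct-02", day, 1, Decimal("400"), "2 Sakura Rd"),
        gate.check("acct-02", day, 3, Decimal("100"), "2 Sakura Rd"),
        gate.check("acct-02", day, 2, Decimal("300"), "P.O. Box 441"),
        gate.check("acct-02", day, 2, Decimal("300"), "2 Sakura Rd"),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```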

7. Only collect the necessary sensitive customer data

Any customer’s sensitive data that you’ve collected becomes your responsibility to protect. So, it’s best to avoid collecting too much sensitive data. That way, in the unfortunate event of a data breach or successful account takeover attack, you can reduce exposure to a minimum. 

As a general rule of thumb, you should only collect the data you absolutely need to ship the product and validate the transaction.

Conclusion

Protecting an e-commerce site is often a challenging task, and online fraudsters are only getting smarter as they adopt new techniques and technologies. Whether your e-commerce business is a big enterprise or a small store, it will continue to be targeted for e-commerce fraud.

Be proactive in protecting your e-commerce website, mobile app, and APIs. The tips above can definitely help you build a comprehensive e-commerce fraud prevention strategy.

Most importantly, constant monitoring of your site for potentially fraudulent activity is critical. Effective bot & agent trust management, like DataDome, proactively monitors your incoming traffic for red flags.

On autopilot, DataDome helps you distinguish between users, bots, and AI agents to prevent e-commerce fraud from happening—protecting your business and customers from potential financial, legal, and reputational damages.

Book a demo to learn more about DataDome’s e-commerce fraud solutions.

 

E-commerce fraud FAQs

What is the most common type of e-commerce fraud?

While trends shift, online credit card fraud and account takeover (ATO) fraud remain the most prevalent. Recent data shows ATO attacks surged 24% year-over-year in 2024, as attackers use AI to scale their efforts.

How do AI agents contribute to e-commerce fraud?

While some AI agents are helpful (like personal shopping assistants), others are used by fraudsters to scale attacks. Bad actors use agentic AI to autonomously scrape prices, test stolen credit cards, or bypass CAPTCHAs. In fact, AI-driven crawler traffic grew 4x in just eight months in 2025, signaling a potential big shift in how e-commerce fraud is executed.

Is price scraping considered e-commerce fraud?

Price scraping itself is a form of “business logic abuse” that often leads to fraud. Competitors or bad actors use bots to harvest your pricing data to undercut you, or to hoard inventory (denial of inventory) so legitimate customers can’t buy it. This distorts your analytics and can crash your site during peak sales events.

What is the difference between friendly fraud and chargeback fraud?

They are often the same thing. “Friendly fraud” refers to a customer making a legitimate purchase and then disputing it (often accidentally or due to confusion). “Chargeback fraud” usually implies malicious intent, where a user intentionally buys items, planning to dispute the charge later.
