Online shopping has become part of our daily lives. Adding products to the cart from our sofa and receiving them at our doorstep in a few days is something common for many people who opt for the convenience of the digital store over the traditional one.
The benefits are more than obvious: availability 24 hours a day, seven days a week, and anywhere in the world. This represents a great advantage, not only for consumers, but also for entrepreneurs and self-employed individuals who have been able to expand their business from a local to a global level, thus growing their customer base more quickly.
But, in this context, opportunities have also arisen for those willing to jeopardize the security of companies: cybercriminals.
Just as a malicious person could enter our physical store to take something without paying, cybercriminals use our online business, slipping in among our legitimate customers, to attack us.
We cannot prevent these malicious users from trying to use our online business as a means to commit fraud, but we can learn to detect the signals or clues that should make us suspicious when facing a fraudulent purchase.
How can we detect fraudulent purchases in our online business?
Learning to detect fraudulent purchases is essential for the security of any online business and for the data of its legitimate customers. No security system is 100% foolproof, but a combination of preventive and reactive measures greatly reduces the number of suspicious transactions that get through.
The first step is, of course, to detect them. That requires keeping a record of, and control over, the purchases made in our online business, and analysing in detail those that look suspicious to decide whether a purchase is legitimate or not. None of the indicators below is proof on its own; what matters is how many of them coincide in a single order.
- Behavior patterns: Analysing purchase patterns (quantity, frequency, location) reveals unusual behaviour that should raise suspicion. For example, a customer who makes several purchase attempts in a short time with different cards is often testing stolen card numbers ("card testing"), and the attempts that fail are as telling as the one that succeeds.
- Credit card information: When making an online purchase it is normal to be asked for the billing address in addition to the shipping address. The country of the billing address can then be compared with the country the buyer's IP address geolocates to. Treat a mismatch as a signal rather than proof: IP geolocation is approximate, and VPNs, corporate proxies and mobile carriers routinely place legitimate buyers in another region.
- Large orders or urgent shipping: Large purchases are more prone to fraud. If an order far exceeds the average value of regular purchases, we should perform additional verification. The same applies to orders with urgent shipping: if that option noticeably increases the order cost, we should check that the buyer is not paying extra to receive the goods before the card is reported stolen and the transaction is reversed.
- Suspicious locations: If our business does not sell in certain countries, receiving a purchase from one of them could be a sign of fraud. We may also find different customers or cards using the same delivery address, the recipient acting as a "mule" so that the fraudster leaves no trace.
- Delivery information: Besides the location, other data on the delivery form tells us about the veracity of the purchase, for example whether the phone number has a valid format and whether the e-mail address is real (a confirmation e-mail that bounces is a warning sign). Although it could be a customer typo, inconsistencies in this data are also grounds for suspicion.
Once we know these indicators, it becomes easier to tell legitimate purchases from fraudulent ones. A good practice for managing purchases in our online store is to keep customer lists: customers who have never caused a problem go on a whitelist and those identified as fake or fraudulent go on a blacklist, so that the former enjoy a smoother shopping experience and the latter are stopped. A whitelisted account can still be taken over, so the whitelist should lower scrutiny rather than remove it.
What measures to implement to protect my company from fraudulent purchases?
- Use secure payment gateways: When choosing a payment gateway for an online business, it is very important that it offers high security standards. Reliable payment gateways are certified and comply with industry standards such as PCI DSS (Payment Card Industry Data Security Standard), so card data is protected in transit and at rest and is much harder for cybercriminals to intercept. Preferably use the gateway's hosted payment page or tokenisation, so card numbers never reach our own servers: that both reduces our PCI DSS scope and removes the most valuable target from our infrastructure.
- Enhance security with the CVV code: The CVV is the three-digit code printed on the back of the card (four digits on the front for American Express). Requesting it adds a layer of security, since it is not supposed to appear on receipts and is harder to obtain than the card number alone. It is not proof of physical possession, because phishing pages and compromised checkout forms capture it along with the card number, and PCI DSS forbids storing it after authorisation: it must be passed to the gateway and discarded.
- Establish strong passwords for customers: If our online business lets customers create an account with a username and password, requiring robust passwords at registration is crucial to protect those accounts. Current guidance (NIST SP 800-63B) favours length over complexity rules: set a generous minimum length (12 characters is a reasonable floor), accept any character including spaces, and reject passwords that appear in known breach lists, since attackers try those first in credential-stuffing and dictionary attacks. Forced periodic changes are no longer recommended; instead, ask for a change only when there is evidence of compromise, limit login attempts to slow down brute force, and, whenever possible, offer two-factor authentication.
- Prevent chargeback fraud: This fraud, also called friendly fraud, occurs when a customer who received the goods disputes the charge with their card issuer instead of requesting a refund from the online business. To contest it we need evidence: keep records of every transaction and of the customer's authentication, plus proof of delivery (tracking numbers, signatures on receipt), since the issuer will side with the cardholder if we cannot show the order was delivered. It is also advisable to set clear return and refund policies, to require proof of purchase for returns, and to set time limits for claims.
- Continuous monitoring: Set up continuous monitoring of transactions so that suspicious activity is detected and acted on quickly, for example multiple purchase attempts with different cards from the same IP address, or unusually large orders of high-priced products. It is also advisable to check whether the billing address matches the shipping address; a discrepancy is a weak signal on its own (gifts and office deliveries cause it too) but, combined with other indicators, it points to fraud.
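One way to implement such a password policy at sign-up, as an added example written for this page (it is not code from the article or from INCIBE): it enforces a minimum length, rejects passwords containing the account's e-mail name, and rejects passwords found in a breach corpus, looked up the way the Pwned Passwords range API works (only the first five hex characters of SHA-1(password) are sent; the service answers with every hash suffix in that range and its breach count, so the full hash never leaves our server). The breach corpus below is a small constructed list embedded so the example runs offline; the length limits, the messages and the sample passwords are assumptions.

```python
"""Password-policy check for customer sign-up (added example, not the article's code)."""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12     # assumption: NIST SP 800-63B requires at least 8 and recommends longer
MAX_LENGTH = 128    # keep a ceiling so hashing cost stays bounded

# Constructed breach corpus standing in for the real service's data: password -> times seen.
_CONSTRUCTED_BREACHES = {"password123": 125000, "qwertyuiop12": 900, "Summer2023!!": 42}


def sha1_upper(password):
    """Upper-case hex SHA-1, the form the range API uses for its suffixes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges(corpus):
    """Index the corpus the way the range API serves it: prefix -> ['SUFFIX:count', ...]."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return ranges


_RANGES = _build_ranges(_CONSTRUCTED_BREACHES)


def fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the response lines for that 5-character prefix ('SUFFIX:count').
    """
    return _RANGES.get(prefix, [])


def breach_count(password):
    """How many times the password appears in the corpus (0 if never).

    Only the 5-character prefix is sent; the comparison on the 35-character
    suffix happens locally (k-anonymity).
    """
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_password(password, email):
    """Return the list of policy violations; an empty list means the password is acceptable.

    Deliberately no composition rules (upper/lower/digit/symbol): length and a
    breach check do more against credential stuffing than forced character classes.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    local_part = email.split("@")[0].lower()
    if len(local_part) >= 4 and local_part in password.lower():
        problems.append("contains the account's e-mail name")
    n = breach_count(password)
    if n:
        problems.append(f"appears in known breaches ({n} times)")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "Summer2023!!", "alice-is-the-best-2024", "correct horse battery staple"):
        print(repr(pw), "->", validate_password(pw, "alice@example.com") or "OK")
```

In production, fetch_range would make the HTTPS request with a short timeout and the policy would decide explicitly what to do when the service is unreachable (accept and log, or ask the user to retry); the hashing and comparison stay exactly as above.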
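The indicators described under "How can we detect fraudulent purchases?" and the monitoring signals in the item above, turned into a rule-based scorer that runs over a batch of orders. This is an added example written for this page, not code from the article or from INCIBE. Every threshold, point value, country list, field name and sample order is an assumption chosen for illustration; in a real shop the weights would be tuned against the store's own history, and the velocity and shared-address rules would query the order store rather than the batch in hand.

```python
"""Rule-based order risk scoring (added example, not the article's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str
    card_token: str        # gateway token, never the card number itself
    ip: str
    ip_country: str        # from IP geolocation: approximate, VPNs and carrier NAT skew it
    billing_country: str
    billing_address: str
    shipping_address: str
    amount: float
    express_shipping: bool
    placed_at: datetime


SUPPORTED_COUNTRIES = {"ES", "PT", "FR"}        # markets the shop ships to (assumption)
ALLOWLIST = {"regular@example.com"}             # customers with a clean history
BLOCKLIST = {"known.fraud@example.com"}         # previously confirmed fraud
VELOCITY_WINDOW = timedelta(hours=1)
REVIEW_THRESHOLD = 50                           # at or above this, hold for manual review


def score_orders(orders, avg_basket):
    """Return {order_id: (score, reasons)} for a batch of orders.

    avg_basket is the average value of legitimate past orders. Points add up
    so that one weak signal stays below the threshold but several coinciding do not.
    """
    by_time = sorted(orders, key=lambda o: o.placed_at)
    cards_per_ship_addr = defaultdict(set)      # "mule" detection: cards converging on one address
    for o in by_time:
        cards_per_ship_addr[o.shipping_address].add(o.card_token)

    results = {}
    for o in by_time:
        if o.email in BLOCKLIST:
            results[o.order_id] = (100, ["email on blocklist"])
            continue
        score, reasons = 0, []

        def hit(points, why):
            nonlocal score
            score += points
            reasons.append(why)

        if o.ip_country not in SUPPORTED_COUNTRIES:
            hit(30, f"order from unsupported country {o.ip_country}")
        if o.ip_country != o.billing_country:
            hit(20, "IP geolocation does not match billing country")
        if o.billing_address != o.shipping_address:
            hit(10, "billing and shipping addresses differ")   # weak on its own: gifts do this too
        if o.amount > 3 * avg_basket:
            hit(25, f"amount {o.amount:.2f} far above average basket {avg_basket:.2f}")
        if o.express_shipping and o.amount > avg_basket:
            hit(15, "express shipping on an above-average order")

        # Velocity: distinct cards used from this IP in the preceding window (card testing).
        cards_from_ip = {
            p.card_token for p in by_time
            if p.ip == o.ip and timedelta(0) <= o.placed_at - p.placed_at <= VELOCITY_WINDOW
        }
        if len(cards_from_ip) >= 3:
            hit(40, f"{len(cards_from_ip)} distinct cards from IP {o.ip} within the window")
        if len(cards_per_ship_addr[o.shipping_address]) >= 3:
            hit(30, "shipping address shared by several different cards")

        if o.email in ALLOWLIST:
            # Trusted customers get less scrutiny, not none: their accounts can be taken over.
            score //= 2
            reasons.append("trusted customer, score halved")
        results[o.order_id] = (score, reasons)
    return results


def held_for_review(results):
    """Order ids whose score reached the manual-review threshold."""
    return sorted(oid for oid, (score, _) in results.items() if score >= REVIEW_THRESHOLD)


def sample_orders():
    """Constructed batch: a regular customer, a gift order, a blocklisted buyer and a
    card-testing run from abroad shipped to one drop point with three different cards."""
    t0 = datetime(2024, 5, 6, 10, 0)
    home = "Calle Mayor 1, Madrid"
    drop = "Punto de recogida, Calle Sol 9, Madrid"
    orders = [
        Order("A1", "regular@example.com", "tok_c1", "192.0.2.10", "ES", "ES", home, home, 60.0, False, t0),
        Order("C1", "gift@example.com", "tok_c5", "198.51.100.7", "PT", "PT", "Rua Augusta 20, Lisboa",
              "Rua Nova 3, Porto", 50.0, False, t0 + timedelta(minutes=2)),
        Order("D1", "known.fraud@example.com", "tok_c6", "198.51.100.9", "ES", "ES", home, home, 40.0, False,
              t0 + timedelta(minutes=3)),
    ]
    for i, card in enumerate(("tok_c2", "tok_c3", "tok_c4"), start=1):
        orders.append(Order(f"B{i}", "buyer77@example.net", card, "203.0.113.5", "US", "ES",
                            "Calle Luna 4, Madrid", drop, 900.0, True, t0 + timedelta(minutes=5 * i)))
    return orders


def demo():
    return score_orders(sample_orders(), avg_basket=80.0)


if __name__ == "__main__":
    for oid, (score, reasons) in sorted(demo().items()):
        print(oid, score, "; ".join(reasons))
    print("hold for review:", held_for_review(demo()))
```

The gift order (C1) collects only the address-mismatch points and is never held, while the third card from the foreign IP (B3) trips the velocity rule on top of the amount, express-shipping, country and shared-address rules; the earlier two orders from that IP are already above the threshold from the other signals, which is why monitoring must look at the whole batch and not at each order in isolation.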
If you believe you are facing a fraud attempt, remember that you can contact INCIBE at any time and report it to the State Security Forces and Corps.
Remember that you can contact us through INCIBE’s Cybersecurity Help Line (017), the instant messaging channels of WhatsApp (900 116 117) and Telegram (@INCIBE017), or the contact form (selecting the option of business or professional user) that you will find on our website. Experts in the field will resolve any online conflict related to the use of technology and connected devices.
Source: MiMub in Spanish