WooCommerce Fraud – How to Prevent It?
Every now and then we hear of an eCommerce giant falling victim to some form of fraud. Most commonly, it’s payment fraud, which means someone making an unauthorized transaction or a purchase.
While today we have many tools and mechanisms that protect online shops from fraud, no one should think they’re immune to this sort of trouble. Fraudsters keep coming up with new methods, and the only way to prevent them from stealing what isn’t theirs is to keep your shop well protected, secure and updated.
In this article, we’re going to look into different types of fraud, specifically WooCommerce payment fraud, and go through some tips that will help you make your shop safer and more secure for you and your customers.
Classic Credit Card Fraud
The oldest trick in the book is not even a trick – it’s simply that someone somehow gained access to a credit card number and the credentials. These may have been purchased through the dark web or the card may be stolen. Either way, the fraudster completes unauthorized purchases until the fraud is discovered and the card is blocked.
The tricky part for the fraudster can be the delivery, but these obstacles are usually solved by directing the goods to a reshipper or using residential proxies.
These days, many banks and credit card providers use two-factor authentication to prevent classic fraud. With this sort of mechanism, the payment needs to be confirmed, for instance via a token or a PIN code that is sent via sms.
Credit Card Testing
Card testing or card cracking is when a fraudster completes a few smaller purchases to make sure the card is valid and to learn what the limit is. For this, they often use websites with donation forms or websites where you can set the payable amount yourself. Oftentimes, however, they make purchases via eCommerce websites that sell cheap products. After these transactions are completed successfully, the fraudster can move on to making more considerable purchases or withdrawals.
Despite its name, there’s nothing friendly about the friendly fraud. It’s not having your card abused by a friend, either. Also known as chargeback fraud, friendly fraud is a situation in which a fraudster makes a seemingly legitimate (but essentially false) claim in order to receive a chargeback or a refund. He may say, for instance, that the goods never arrived (although they did) or that he sent the goods back (which he didn’t). This constitutes a basis for a chargeback, in which case the bank or the credit card network refund the sum to the fraudster, and the eCommerce business through which the purchase was completed still has to pay the same amount to the bank.
Note that with this method the fraudster uses his or her own credit card – there’s no need to use stolen card details to complete the fraud.
These sorts of fraud can be particularly harmful to your WooCommerce shop as the customers may lose trust in your ability to protect their sensitive information.
This is a more complex method of fraud that involves three parties – a fraudster, an actual shopper and a legitimate eCommerce shop.
The basis for this fraud is a fake storefront on an eCommerce platform or a marketplace like Amazon. The fraudster sets the fake shop up and offers high-demand products usually at prices lower than normal. A customer purchases a product and the fraudster intercepts their credit card details which he can then use to make unauthorized purchases.
But that’s not all. The fraudster uses the stolen card to buy the same product with another merchant (a real one) and sends it to the customer who originally bought it. At first, the customer doesn’t suspect anything since they got the product they purchased. But the stolen card is charged twice, and for a higher price too, so the customer reports the issue and raises a dispute against the legitimate merchant. The merchant then has to issue a chargeback, plus the penalty fee. If this fraud isn’t discovered soon, it can lead to significant losses for the merchant.
There are other types of fraud as well, for instance the fake refund, goods interception, and so on, but they are all based around the same or similar principles.
Let’s now check out some things you can put in place in order to prevent WooCommerce fraud in your own store.
When it comes to eCommerce fraud, prevention is worth a thousand times more than any measure you can implement to minimize the damage after the fact. Now, you can’t possibly make your shop 100% safe and secure. No one can. But there sure are some very efficient ways to make sure the risk is reduced to minimum. Let’s check them out:
Perform Regular Shop Audits
A WooCommerce audit means looking for defects and holes in your system before the fraudsters find them and use them. We’ll be covering the subject of WooCommerce audits in more detail soon, until then, here are some basics (some of which we’ve talked about in our guide to keeping your WooCommerce shop secure):
Check if everything is up to date. This means your version of WooCommerce and any plugins you might be using.
Make sure all WooCommerce data is backed up.
Check your SSL certificates.
Make sure all transactions and communications have an end-to-end encryption.
Scan your site for malware on a regular basis.
Require CVV/CVC Number for All Payments
CVV/CVC stands for Card Verification Value/Code (depending on the card issuer) and it’s the three- or four-digit number you’ll find on the back of any credit card. It serves as part of the two-factor authentication. These days, it’s common practice to make this piece of data a requirement for all online transactions, since only the person holding the actual card can know the CVV/CVC number.
Implement a Strong Login Process
A weak password is also the weakest link in the eCommerce security chain. It may be tricky to get the password requirements right, since a weak password will be easy to break and a too complex one may cause the users to forget it and to have it written down somewhere where it’s not safe.
Instead of requiring a password with nine characters minimum, special characters and a combination of upper and lowercase (which, don’t get us wrong, is an excellent and important practice), you can make your login stronger and more resilient by adding a second factor. Two-factor authentication for WordPress can be introduced in several ways and it’s a great way to add an extra layer of security to your site.
If you’re only just starting your WooCommerce business, this abbreviation may not mean much to you. But it stands for a very important element of website security and you should make sure to have it in your shop instead of just HTTP.
HTTPS is a combination of Hypertext Transfer Protocol and SSL/TLS (Secure Socket Layer/Transport Layer Security). It’s a way for you to make sure all sensitive info, like passwords, credit card details and account details) that are transferred through your website are encrypted and therefore secured. As such, HTTPS is essential for any eCommerce website.
To learn how to add HTTPS to your shop, check out our detailed guide.
Make Sure Shipping Addresses Are Valid
Since a lot of eCommerce frauds are committed using invalid or non-existent shipping addresses, one of the ways to keep your shop secure is to always check the addresses to make sure they’re legitimate.
In addition, you may want to disable shipping to anonymous locations, virtual addresses and PO boxes, as these are commonly used by fraudsters looking to remain anonymous in their nefarious work.
Set Purchase Limits
A skilled fraudster will always avoid drawing attention to himself by making too many purchases. However, not all fraudsters are very good at what they do, and many of them will make an unreasonable or suspicious number of purchases through a single site once they get their hands on a stolen credit card.
Therefore, it may be a good idea to set a limit on the number of purchases (or the dollar value of purchases) that an account can make over a single day. This will make your shop less attractive to fraudsters and also, if you don’t succeed in keeping them out, you will at least limit the material damage they can make.
Only Collect Essential Customer Data
When you collect customer data, it’s your responsibility to protect it. If something happens, for instance if an account gets hacked or credit card info gets stolen, you may be considered accountable, and even sued. This causes both material damage and harms your reputation, so it’s best to minimize exposure by collecting only the data that is absolutely essential and necessary for completing a transaction.
Limit Login Attempts and Install CAPTCHA
Too many unsuccessful login attempts may be a sign that someone is trying to break into an account with an especially designed script, and make an unauthorized purchase. If they have an unlimited number of attempts at cracking a username and password combination, they obviously won’t stop until they succeed. If, however, you put a limit on the number of those attempts, they will be forced to take breaks, which is impractical and possibly costly, so they’ll most likely move on. Follow the link in the previous sentence to find out how to set it up.
And while we’re on the subject of malicious scripts and bots trying to break into your website, you should also consider adding CAPTCHA, a simple tool that weeds out bots from humans. CAPTCHA adds an extra layer of security to your website and it’s quite easy to set up.
But this is not all you can do to protect yourself from fraudsters. As it’s always the case with WordPress, there are plenty of plugins and tools you can use to make your shop more resistant to fraud.
While there are plugins, addons and tools designed specifically for WooCommerce, you should also check out a selection of the best identity theft protection tools which are not limited to eCommerce uses and can help you achieve a better overall security and reliability of your WordPress website. Also, check out our guide on the best WordPress security plugins and learn what to do in case your website gets hacked.
Synctrack – Auto Add PayPal Tracking Info
Synctrack is a free and incredibly useful addon for WooCommerce. The concept is simple yet genial: the addon integrates with PayPal and Stripe and then passes the tracking info, so that the merchant can’t be subject to disputes and chargebacks in case there’s fraud. The tracking information is passed from your carrier to PayPal or Stripe regardless of the volume and frequency. In case someone makes a false claim, you will have easy access to the data to support your side.
YITH WooCommerce Anti-Fraud
YITH WooCommerce Anti-Fraud is a YITH extension that allows you to create safety rules and minimize exposure to fraud. It is based on variables such as geolocation, IP address, email address and more, and creates cross-checks that prevent unauthorized transactions. The extension, which costs around $87, promises to block any orders placed by potential scammers and thus protect your shop’s reputation. Users get to set their own risk values and rule importance, check for excessive order amounts and be notified of orders made by a proxy.
Eye4Fraud Online Fraud Protection Software
Eye4Fraud is a customizable fraud protection software that promises to protect merchants from deceitful transactions and chargebacks at just $2.42 per month. The merchant creates an Eye4Fraud account and downloads the app. If a chargeback claim is made on a registered account, the company reimburses the total amount within 24h.
The WooCommerce Anti-Fraud extension scans all transactions in your shop and provides a score based on a set of rules. It automatically blocks or pauses the fraudulent transactions until review, allowing you to authorize those you deem legitimate. It checks customers behind VPN or proxy, applies reCAPTCHA to protect from velocity attacks, makes pre-purchase assessments, checks emails from risky domains, sets limits on the number of orders within an hour range or within a day, and much more. This popular extension costs $8.25 per month.
Wrapping It Up
There’s no universal, fail-safe way to keep your WooCommerce shop 100% safe against fraud. Fraudsters are cunning and persistent and they keep coming up with new ways to make illegal profit. But if you keep informed on new methods of fraud and keep your shop updated, backed up and equipped with all the available security tools, you will at least minimize your chances of falling victim. It will protect your earnings, your business and, ultimately, your reputation as an online merchant.