



In the new ecommerce fraud landscape, every vertical is now at risk

Sep 07, 2018 | 5 mins
Data Breach, Fraud, Security

Fraudsters are not just targeting small merchants or inexpensive items anymore – virtually any vertical or product can be a worthwhile target for online fraud, and the losses could cause irreversible damage to a retailer’s bottom line. Every online retailer needs to know if they are at risk, what that risk means, and ways that they can minimize their vulnerability right now.


Fraudsters have known for years that small merchants can make easier targets than big-name online retailers with better security. Now they’re finding that virtually any vertical can be a worthwhile target, not just the high-profile niches like electronics and designer goods. The reason? Thanks to data breaches, there’s a glut of low-priced consumer data, including payment data and account credentials, for sale on the dark web. For example, a stolen credit card number with the CVV goes for as little as $5 now, while a card number plus bank information costs about $15. As the cost barriers to fraud fall, fraudsters are expanding into new areas—like hailing rides and ordering dinner with stolen data.

New risks for previously “safe” verticals

It’s no longer safe or wise to assume that fraudsters will pass you by if you sell inexpensive items or everyday necessities. The risks for nontraditional fraud targets, like ride share providers and food delivery services, are magnified by the fact that they typically have lower margins than, for example, luxury goods and apparel retailers. This means that even small fraud losses have a big impact, especially when chargeback fees are factored in.

Not only can transportation, food, and other “low-risk” merchants lose money to thieves using stolen card data and hijacked accounts, they can be hurt by CNP fraud in other ways. Card-testing fraud, committed by humans or botnets, can cause small losses along with costly chargebacks as thieves try to match card numbers with other data like CVV numbers and billing zip codes. Card testing increased by 200 percent in the first third of 2017 compared to the same period in 2016, and it targets verticals you might not expect.

For example, it’s hard to imagine charities as targets for CNP fraud, but thieves have learned that making online donations can be an easy way to test card data before they move on to bigger, more lucrative fraudulent purchases. Card-testing can affect charities’ cash flow, skew budget planning, and raise their expenses as chargeback fees add up. Small retailers and B2B sellers are frequent targets for card-testing, too, because they often don’t have controls to limit the number of data-entry attempts a customer can make during checkout.

The bottom line is that any merchant who takes card payments can and should expect fraud attempts. The LexisNexis 2017 True Cost of Fraud Survey found that “regardless of industry segment,” businesses that sell online face more fraud attempts, on average, than businesses that do not sell through digital channels.

Traditionally risk-prone verticals still face fraud threats

This increase in fraud in “low risk” verticals doesn’t mean that fraudsters have turned away from higher risk, higher reward targets. Travel, jewelry, luxury goods, apparel, beauty, electronics and health and wellness are still frequent fraud targets, because thieves want to avoid spending their own money on big-ticket items or because they want merchandise for black-market resale. Worldwide, ecommerce fraud losses reach as much as $40 billion each year, largely due to fraud against these higher-profile verticals.

Rather than a shift in targets, what we’re seeing now is an expansion of the fraud playing field thanks to the law of supply and demand. Stolen data and credentials are so cheap now that there’s little economic incentive to reserve them for major scams. E-commerce fraud is now, unfortunately, an affordable everyday habit for criminals.

Now’s the time to step up security

The trend toward more widespread CNP fraud is bad news for businesses of all kinds. The good news is that the best practices that protect businesses in higher risk verticals can also help businesses who find themselves newly at risk. No matter what vertical your e-commerce business occupies, your fraud prevention program should include:

  • Limits on the number of times a customer can try to enter correct data into your online checkout form.
  • Consideration of the order itself, such as the order value and shipping method requested.
  • Validation of customer data using continuously updated two-way datasets.
  • IP, geolocation, device, historical, and behavioral validation.
  • Manual screening of suspect orders to identify fraud and avoid false declines that can cause your business to lose customers.
  • Real-time scalability to reduce vulnerability during seasonal sales peaks and botnet attacks.
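
As an added illustration (not code from this article or from ClearSale), here is one way the first control, a limit on checkout data-entry attempts, can be combined with a card-testing signal that routes orders to manual screening. The thresholds, the client key, the HMAC key and the sample attempts are all assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 600       # assumed look-back window
MAX_FAILED_ATTEMPTS = 3    # assumed cap on declined attempts per client
MAX_DISTINCT_CARDS = 2     # assumed cap on different cards per client
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; load the real key from a secret store

def card_fingerprint(pan):
    # Keyed hash, so the limiter never stores raw card numbers.
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CheckoutVelocityLimiter:
    def __init__(self):
        self._events = defaultdict(deque)  # client -> (time, fingerprint, approved)

    def decide(self, client, pan, now):
        # Returns 'allow', 'review' or 'block' before the processor is called.
        events = self._events[client]
        while events and now - events[0][0] > WINDOW_SECONDS:
            events.popleft()  # forget attempts older than the window
        failed = sum(1 for _, _, approved in events if not approved)
        cards = {fp for _, fp, _ in events} | {card_fingerprint(pan)}
        if failed >= MAX_FAILED_ATTEMPTS:
            return "block"    # data-entry attempt limit reached
        if len(cards) > MAX_DISTINCT_CARDS:
            return "review"   # many cards from one client: manual screening
        return "allow"

    def record(self, client, pan, approved, now):
        self._events[client].append((now, card_fingerprint(pan), approved))

def replay(attempts):
    # Feed (client, pan, processor_approved, time) tuples through the limiter.
    limiter, decisions = CheckoutVelocityLimiter(), []
    for client, pan, approved, now in attempts:
        decision = limiter.decide(client, pan, now)
        decisions.append((client, decision))
        if decision != "block":  # blocked attempts never reach the processor
            limiter.record(client, pan, approved, now)
    return decisions

# Constructed sample: one shopper mistypes once; one client cycles card numbers.
SAMPLE = [("shopper-1", "4111111111111111", False, 0),
          ("shopper-1", "4111111111111111", True, 30)]
SAMPLE += [("client-2", f"400000000000000{i}", False, t)
           for i, t in enumerate((5, 8, 11, 14, 900), start=1)]
```

The shopper who mistypes once is never slowed down, while the client cycling card numbers is sent to review on the third card and blocked on the fourth attempt. A limit keyed on a single client identifier does not hold against a botnet on its own, which is why the list pairs it with device, geolocation and behavioral validation.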

If you’re wondering whether a low-risk business really needs to develop this sort of multi-layered approach, consider the main lesson of CNP fraud history: Fraudsters go where it’s easiest to commit fraud. In the same way that the EMV liability shift for point-of-sale transactions pushed thieves to shift their attention to CNP fraud, and in the same way that fraudsters often target smaller merchants because they know their defenses are weaker than enterprise-level retailers, criminals will continue to exploit vulnerable businesses in low-risk verticals because they can. As those businesses tighten their fraud controls, the merchants who haven’t taken protective steps could see even more fraud. The cost of committing CNP fraud is now so low that the cost of going unprotected is simply too high, in any vertical.


As ClearSale’s Executive Vice President, Rafael combines the company’s innovation-driven culture and emphasis on communication with a deep understanding of the statistical tools that underpin excellent fraud protection.

Rafael represents one of the world’s most experienced and largest firms of its kind, with more than a decade of e-commerce fraud detection and prevention services in major international markets. From his base in Miami, he oversees ClearSale’s U.S. anti-fraud operation by leading its commercial, statistical intelligence and IT teams and providing technical and executive management for all the operation’s employees, both in the U.S. and in Brazil.

Throughout his nearly decade-long tenure with the company, Rafael has also planned and executed ClearSale’s international business unit, directed ClearSale’s statistical intelligence area, and helped manage the company’s growth from 25 to more than 700 employees, including more than 500 highly trained fraud analysts.

Rafael is multilingual (Portuguese, English, and Italian) and has a distinguished academic background. He earned his master’s degree in economics and finance at FGV-SP (Fundação Getúlio Vargas-São Paulo), one of the world’s leading policy and economic think tanks. Rafael holds a bachelor’s degree with great distinction in statistics from UNICAMP (Universidade Estadual de Campinas), internationally recognized as one of the top universities in Brazil and in the world.

The opinions expressed in this blog are those of Rafael Lourenco and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.