A new approach to checkout fraud prevention

The trust issue: why merchants need to rethink fraud protection

As fraud gets more sophisticated, businesses get more defensive – often at the cost of legitimate customers

Criminals are always discovering new ways to target ecommerce firms. Fraudulent exploitation of promotional incentives has increased massively over the past few years, for example. Attackers are also using AI tools to carry out sophisticated social engineering attacks at scale, generate deepfakes that can get around verification systems and automate credential-stuffing attacks.

Chargebacks and refund abuse are an ever-present threat too. There are also recent examples of device takeover (DTO) attacks, primarily using Linux, that target high-value ticketed events. Meanwhile, other fraudsters rotate proxy IP addresses and card BINs (bank identification numbers) to scam retailers into sending items to reshipper addresses.

All of this fraud comes at great cost. Indeed, a recent Juniper Research study forecasts that the value of ecommerce fraud will rise from $44.3bn in 2024 to $107bn in 2029 – an increase of 141%.

“Retailers are facing a barrage of fraud attempts on multiple fronts – from returns fraud and promo abuse through to chargeback fraud and account takeover,” says Philip Plambeck, managing director at Computop UK, an international payment service provider. “It’s a huge challenge, as they often lack the resources to log and report every fraudulent transaction.” 

The sheer persistence of modern fraudsters only compounds the problem. “Criminals know that if they get away with it once, they will get away with it again,” says Plambeck.

Many ecommerce merchants have deployed stringent security systems to try to block fraudulent orders. But without an intelligent approach, there’s a risk that legitimate customers will also be turned away.

“As fraud tactics become more complex, we're seeing a real tension emerge between risk management and customer experience," says David Capezza, interim chief risk officer at Visa Europe. "Merchants, understandably, want to protect themselves – but if that results in good customers being wrongly declined, it's counterproductive.”

Like an over-zealous bouncer, traditional rule-based systems turn these good customers away at the door. “Due to the lack of nuance, a lot of false positives will be generated along with genuine fraud being prevented,” says Nick Maynard, vice-president of fintech market research at Juniper Research.

Someone shopping on holiday, using a different device or buying a high-value item for the first time might trigger red flags that have nothing to do with fraudulent intent, for example.

In other words, a blunt ‘yes/no’ approach to fraud prevention doesn't reflect the reality of modern, global ecommerce. “If a decision engine can't distinguish between risky and unfamiliar, it puts the business in a lose-lose situation,” says Siobhan Blagbrough, financial crime manager at Ocean Finance. “Either you block genuine sales, or you let fraud slip through the cracks.”

Avoiding personal rejections

Increasing competition in the ecommerce space means that few merchants can afford to be complacent about the way they handle potential fraud. A legitimate customer who is rejected for reasons they cannot comprehend may see it as the end of any future relationship with the merchant, for instance. “Even if the transaction eventually goes through, the damage is done,” says Blagbrough.

Capezza also notes that: “Customers don't see the fraud filter behind the scenes; they just see a brand that didn't let them pay. That moment of friction can undo a lot of hard-earned trust, and many customers won't return after a declined transaction.”

The psychological impact of payment rejection runs deeper than mere inconvenience. Matt Johnson, professor of neuroscience and consumer psychology at Hult International Business School, says that consumers may interpret a declined transaction as a personal rejection, “especially when they know their payment method is valid.”

Excessive checkout friction or a wrongly declined payment also creates what consumer psychologists call ‘cognitive load’: the mental effort required to complete a task. “When that effort is onerous or feels unnecessary, consumers experience frustration, which triggers negative emotions and reduces their overall trust in the brand,” says Johnson.

Amazon's dominance has reshaped consumer expectations by minimising this mental effort. “Features like one-click purchasing, auto-filled payment details and even voice-activated orders via Alexa have created a standard of seamless, almost invisible transactions,” says Johnson. “As a result, customers now expect fast, intuitive and error-free checkout experiences everywhere.”

In this landscape, checkout friction or a failed payment doesn't just cause momentary annoyance – it can feel like a broken promise. "It disrupts the consumer's momentum and undermines their sense of control, both of which are crucial for creating positive brand associations," Johnson explains. 

"Worse, it often happens at the moment of peak purchase intent, making the damage even more acute. Over time, repeated failures or frustrations at this stage can erode loyalty, drive customers to competitors and do lasting harm to the brand’s reputation.”

Securing customer loyalty

With customer loyalty in the ecommerce era more fragile than ever, few merchants can afford to take these kinds of risks. Even when a failed payment or friction-heavy checkout experience doesn’t outright end a customer relationship, it can harm the brand in other ways. 

For example, a rejected customer may feel compelled to share their dissatisfaction on social media channels, which seem almost precision-engineered to amplify these negative experiences. Old-fashioned word of mouth can also undermine a retailer’s efforts to win new customers.

“Ensuring that processes work the first time is essential to avoiding long-term brand damage,” says Maynard. “This is particularly important in an era where social media can spread stories of failures faster than ever before, potentially creating long-term damage to brands that is difficult to fix.”

At the same time, merchants cannot afford to open the door to increasingly serious fraud threats. The challenge is therefore to achieve the right balance between security and seamless checkout experiences: a more intelligent defensive stance that speeds legitimate customers through the checkout process.

By evolving beyond rigid, rule-based fraud detection systems toward more sophisticated, context-aware ones, retailers can meet this challenge and ensure good customers aren’t turned away at the door. “The key is using layered fraud detection that adapts to the situation, rather than blocking based on fixed rules,” says Blagbrough.

When an order is flagged as suspicious, merchants should also endeavour to use transparent and helpful customer messaging. “Transparency can make a big difference: clear, respectful messaging when something goes wrong helps reduce uncertainty and preserves customer trust,” says Johnson.

At the end of the day, the choice is clear: evolve your fraud protection strategy to match the sophistication of both modern criminals and the needs of modern customers, or risk losing both the battle against fraud and long-term customer loyalty. While criminals will never cease in their attacks, customers whose trust is broken by a declined payment will likely never return either.

The online payment fraud landscape

A closer look at the evolving threats, financial costs, operational challenges and strategic responses shaping online payment fraud

How did checkout fraud get so good?

The rapid growth of ecommerce, coupled with growing consumer demand for convenience, has created the perfect opportunity for fraudsters, leading to a surge in checkout fraud

Long gone are the days when retail fraud relied on criminals queuing up in stores with a forged cheque or stolen credit card. A potent combination of automation, data leaks and the black market has enabled today’s fraudsters to launch high-speed, coordinated and increasingly sophisticated attacks at scale, all from the anonymity of a computer screen. 

Such is the pervasiveness of online fraud that retailers worldwide face well over 200,000 cyber attacks on their stores each month.

Why online shopping appeals to fraudsters

Matze Engelen, associate director of cybersecurity at S-RM, says: “The number of ecommerce sites and online transactions is ever increasing, presenting more and more opportunities. And unlike physical stores, online shops are reachable from everywhere in the world. Anonymity is also much easier to maintain.”

In short, the very aspects of online shopping that have made it so appealing to consumers, including ease and convenience, have made it equally attractive for nefarious activities. 

The vast amounts of customer data processed online mean that, once breached, collections of login credentials and card data end up for sale on the dark web, while consumers’ lax security habits, such as weak passwords and reusing the same password across sites, make them easy targets.

Checkout fraud is low risk and high reward for criminals

For organised criminal gangs, checkout fraud is highly scalable, explains chartered security professional James Bore, with criminals able to automate it across dozens of sites with consistent attempts. The complexity behind global transactions also presents opportunities for criminals to exploit weaknesses in interfaces between systems.

“Checkout fraud is low risk and high reward for criminals. Retailers tend to prioritise convenience at the point of sale, opening options for abuse. There are automated tools, freely available, which can find and exploit weak points in checkout flows,” says Bore. 

And while technology and the defences deployed by retailers have advanced and evolved in recent years, so too have the methods used by fraudsters, creating a game of whack-a-mole. 

Some of the more popular tactics used by fraudsters include account takeover and synthetic identity fraud, both of which are relatively easy to perpetrate and highly effective. 

Account takeover occurs when a fraudster gains access to an existing account, often by stealing login credentials. 

“There are tools and login credentials available on the dark web that enable even non-technical fraudsters to gain access to details that can then be exploited,” says Engelen. “Account takeover attacks are largely only possible due to customers using the same passwords across multiple systems and not having multi-factor authentication enabled for their logins.”

Equally insidious is synthetic identity fraud, where a fraudster creates new accounts using a combination of fake and stolen identity information. 

As Bore points out, with no central identity register to check against, this is easy pickings for anyone who knows the right information to re-use from genuine sources and the fake information that can be mixed in to create new personas.

Fraud defences falling short

With fraudsters finding a myriad of ways to commit checkout fraud, traditional defences are struggling to keep pace. 

“Most traditional tools rely on known technical information, such as re-used credit cards, known IP addresses and blacklisted accounts,” says Bore. “Attackers are able to use ghost addresses, such as residential proxies, virtual mailboxes and virtual cards with no fraudulent history, as well as fresh email addresses each time.”

Kristina Holt, managing associate on the commercial, tech and data team at Foot Anstey, points out that traditionally, fraud defences have focused on solutions such as multi-factor authentication and in some cases, this has been to the detriment of defence in depth. 

“Multi-factor authentication is important but can be gamed by criminals, especially as factors used for authentication are often readily available in databases of breached personal data,” she explains. 

In their fight against fraud, retailers also face a delicate, often precarious, balancing act between enhanced security and customer experience. It’s no great secret that consumers have increasingly little patience with anything that slows down their shopping experience, with cart abandonment rates notoriously high. 

Bore says: “The Net Promoter Score rules supreme, which means limited time to detect fraud. Ultimately, attackers have improved their methods while large retailers have been voluntarily lowering their guard in pursuit of ‘good customer experience’.”

Merchants need to be careful that the fraud solutions they use can accurately catch fraudulent transactions without impacting the customer experience. However, the two are not mutually exclusive. Retailers who face fraudulent attacks not only have their profit margins to worry about; they also need to consider the wider reputational risks.

As well as staying abreast of the ever-changing threat landscape, carrying out regular code reviews and checking for vulnerabilities, merchants will need to adopt adaptable end-to-end solutions if they are to strike the right balance.  

“Businesses should be mindful of the end-to-end transaction process and implement security measures that do not rely solely on authentication at entry,” says Holt. 

Legacy solutions are often based on binary approve/decline decisions, leaving retailers dangerously exposed in the face of growing threats. Solutions that can instead intelligently adapt the checkout process to the risk level of each transaction will form the bedrock of robust security going forward. 

Additionally, by adopting solutions that are able to leverage hundreds of millions of data touchpoints through a global network, retailers will be better able to balance fraud prevention with the need to approve as many legitimate transactions as possible. 

As fraudsters use ever-more innovative tactics, retailers need to ensure that their defences are adaptable, robust and can respond with the same level of sophistication as the threats they face. As the saying goes, those who fail to plan, plan to fail.

Commercial Feature

From binary to bespoke: customising checkout fraud prevention

Simple yes/no approaches to fraud decisions can result in costly false declines. Instead, merchants need intelligent, adaptive solutions that can identify more good orders

Sometimes the simplest solution isn’t the best. Take traditional yes/no fraud protection systems, which follow a rigid set of rules to approve or decline orders. On paper they sound fit for purpose: stop the fraudulent orders, let the good ones through. But this binary model often fails to correctly identify those that fall into the grey area between “obvious fraud” and “legitimate customer”.

“Some transactions are not statistically safe enough to just approve and send through to authorisation,” says Zahava Dalin Kaptzan, product marketing manager at Riskified, an AI-powered fraud and risk intelligence platform. “But they don't meet recognised patterns of fraud either.”

Some of them will be fraudulent, and some of them will be fine. “But when you're limited to two actions to take – approve or decline – you don't have the sophistication that you need to cherrypick the good orders from a statistically risky order segment,” Kaptzan explains.

This leads to false declines: perfectly safe orders wrongly flagged as fraudulent, which are estimated to cost merchants billions each year. In the US alone, $157bn in ecommerce sales were at risk due to false declines in 2023, according to one report. Of this, $81bn was projected to be permanently lost despite attempts to recover the payments.

In addition, 47% of retailers cited false declines as having a severely negative impact on customer satisfaction. “If you experience a false decline, you might not go back to that merchant because it was such a bad experience,” Kaptzan explains. “So you're losing the entire customer lifetime value, and you’re also losing the acquisition cost.”

These individuals may discuss an unfair decline with friends, family or colleagues, or share the experience on social platforms, causing further damage to the brand. But with fraudsters deploying increasingly sophisticated tactics, merchants can’t afford to take a more relaxed approach to potential red flags.

Instead, they need more nuanced ways to sift risky but legitimate orders from the bad, while also ensuring a seamless checkout experience for valued customers. And that requires a smarter form of fraud protection.

Smarter analysis at speed

Intelligent checkout solutions like Riskified’s Adaptive Checkout use AI and machine learning to gauge which checkout pathway is right for each order’s risk level, either directing them straight to authorisation, declining them as fraudulent or requesting additional verification. 

It scores every transaction using the order’s own attributes, the identity’s shopping history and millions of touchpoints across Riskified’s merchant network. This allows it to identify subtle patterns invisible to traditional rule-based approaches and route the order accordingly.

“We all have different things that make us recognisable at checkout – whether it's our credit card, our phone, our IP location,” says Kaptzan. “There are dozens of such data points, and then you have the different connections between the data points. Multiply this by all the different sites where you make an online purchase, and that translates into an insurmountable number of clues, pointing to whether we are who we say we are – but only if we can find the patterns within the data.” 

In fact, there are simply too many for a human to keep up with. “But AI and machine learning can spot these patterns and immediately implement them into its decision-making.”

Because Adaptive Checkout identifies and declines obvious fraud before the order is sent to the issuer, the merchant avoids paying authorisation fees on fraudulent orders. Sending enriched order data to issuing banks also means they can place more trust in the merchant’s customers.

Good customers enjoy slick, seamless checkout experiences too. Under binary approaches to fraud prevention, many merchants always request additional information in an effort to protect themselves – for example, asking for CVV every time a shopper checks out. But Riskified’s solution enables a more intelligent approach. 

“We have the ability to selectively request CVV in cases of potential fraud, meaning we only request it where we see it’s necessary,” says Kaptzan. “For everyone else, we don't. So that removes a little bit of friction.”

In cases of possible account takeover, for example, the suspected fraudster won't have the card's CVV: merchants are not permitted to store it after authorisation, so it cannot be lifted from a hijacked account, which makes it worth asking for. When the risk is a stolen card, however, the criminal will probably have the CVV data too, so a different check is needed.

“Then we can check if the phone number is trustworthy, based on our merchant network data and additional information from multiple sources. If so, we send a one-time password via SMS to the shopper saying: 'Almost there! Before you check out, just verify that it’s you.’

“If the shopper confirms, it's a safe order. If they don't answer, the order is declined. If they say no, it wasn’t me checking out, then it's an immediate sign of fraud.” If the phone number can’t be trusted, then 3D Secure authentication can be requested instead.
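To make the routing logic described in this section and under “Smarter analysis at speed” concrete, here is an added example written for this article; it is not Riskified’s code and does not reflect how Adaptive Checkout is built. It contrasts a binary approve/decline rule with an adaptive policy that sends grey-area orders to the least intrusive step-up that fits the suspected fraud pattern (CVV for a likely account takeover, SMS OTP when the phone is trustworthy, 3D Secure otherwise). The risk signals, weights, thresholds, the sample orders and the assumption that genuine shoppers pass a step-up while fraudsters fail it are all illustrative assumptions.

```python
# Added example for this article: a toy risk-tiered checkout router. Not
# Riskified's product code; signals, weights, thresholds and orders are assumed.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    APPROVE = "approve"          # send straight to authorisation
    DECLINE = "decline"          # reject before it reaches the issuer
    REQUEST_CVV = "request_cvv"  # step-up: ask for the card's CVV
    SMS_OTP = "sms_otp"          # step-up: one-time code to a trusted phone
    THREE_DS = "3ds"             # step-up: issuer-side 3D Secure challenge


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: float
    new_device: bool                   # device never seen for this identity
    geo_mismatch: bool                 # IP country differs from billing country
    first_purchase: bool
    card_seen_on_other_accounts: bool  # same card across many identities (theft signal)
    account_age_days: int
    recent_login_failures: int         # burst of failed logins before checkout (ATO signal)
    phone_trusted: bool                # phone number has a good cross-merchant history
    is_fraud: bool                     # ground-truth label, constructed for this example


LOW, HIGH = 0.30, 0.75  # below LOW: approve; at/above HIGH: decline; between: grey area


def risk_score(o: Order) -> float:
    """Additive, weighted signals; the weights are illustrative, not tuned."""
    score = 0.0
    score += 0.25 if o.new_device else 0.0
    score += 0.25 if o.geo_mismatch else 0.0
    score += 0.15 if o.first_purchase else 0.0
    score += 0.15 if o.amount > 500 else 0.0
    score += 0.35 if o.card_seen_on_other_accounts else 0.0
    score += 0.35 if o.recent_login_failures >= 5 else 0.0
    score += 0.20 if o.account_age_days < 1 else 0.0
    return min(score, 1.0)


def suspected_pattern(o: Order) -> str:
    """Which kind of fraud a grey-area order most resembles."""
    if o.recent_login_failures >= 5 and o.account_age_days > 30:
        return "account_takeover"  # established account, attacker holds the session
    if o.card_seen_on_other_accounts or o.account_age_days < 1:
        return "card_theft"        # fresh identity, stolen card details
    return "unfamiliar"            # risky-looking but no recognised fraud pattern


def binary_policy(o: Order) -> Action:
    """Rule-based yes/no: a single threshold and no middle ground."""
    return Action.APPROVE if risk_score(o) < 0.5 else Action.DECLINE


def adaptive_policy(o: Order) -> Action:
    """Approve the clearly good, decline the clearly bad, step up the rest."""
    s = risk_score(o)
    if s < LOW:
        return Action.APPROVE
    if s >= HIGH:
        return Action.DECLINE
    if suspected_pattern(o) == "account_takeover":
        # Merchants may not store CVV after authorisation, so a hijacked
        # account does not hand it to the attacker: asking for it is cheap and effective.
        return Action.REQUEST_CVV
    # Card theft or merely unfamiliar: the criminal probably has the CVV, so
    # verify the person instead, by SMS OTP if the phone is trustworthy.
    return Action.SMS_OTP if o.phone_trusted else Action.THREE_DS


def resolve(o: Order, action: Action) -> Action:
    """Simulated step-up outcome. Assumption: genuine shoppers pass, fraudsters fail."""
    if action in (Action.APPROVE, Action.DECLINE):
        return action
    return Action.DECLINE if o.is_fraud else Action.APPROVE


def evaluate(orders, policy) -> dict:
    """Count false declines, missed fraud and step-ups produced by a policy."""
    stats = {"false_declines": 0, "missed_fraud": 0, "step_ups": 0}
    for o in orders:
        action = policy(o)
        if action not in (Action.APPROVE, Action.DECLINE):
            stats["step_ups"] += 1
        final = resolve(o, action)
        if final is Action.DECLINE and not o.is_fraud:
            stats["false_declines"] += 1
        if final is Action.APPROVE and o.is_fraud:
            stats["missed_fraud"] += 1
    return stats


# Constructed sample orders (not real data): two legitimate-but-unfamiliar
# shoppers, one ATO attempt, one fresh-account card theft, one quiet card theft.
SAMPLE_ORDERS = [
    Order("repeat-customer", 40, False, False, False, False, 400, 0, True, False),
    Order("on-holiday", 120, True, True, False, False, 700, 0, True, False),
    Order("first-big-buy", 900, True, False, True, False, 3, 0, False, False),
    Order("ato-attempt", 300, True, False, False, False, 800, 7, True, True),
    Order("fresh-account-stolen-card", 650, True, False, True, True, 0, 0, False, True),
    Order("stolen-card-quiet", 200, False, False, False, True, 10, 0, False, True),
]

if __name__ == "__main__":
    for name, policy in (("binary", binary_policy), ("adaptive", adaptive_policy)):
        print(name, evaluate(SAMPLE_ORDERS, policy))
```

On this constructed set the binary rule falsely declines the holiday shopper and the first-time big spender while letting the quiet stolen-card order through, whereas the adaptive policy clears both good customers after a single step-up and stops all three fraudulent orders, at the cost of four verification prompts. The simplification to watch is in `resolve`: a real deployment has to budget for fraudsters who do pass a step-up (an ATO attacker who also bought the CVV, a SIM-swapped phone), which is why the text treats phone trust and 3D Secure as fallbacks rather than guarantees.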

Verification flows for every market

These tiered verification flows can greatly reduce the number of false declines that fashion retailers experience, for example. Many of them sell expensive products that have a high resale value on the black market. This often encourages them to adopt the kind of conservative fraud strategy that can generate excessive false declines.

A solution that can understand the patterns that characterise legitimate ecommerce purchases – and if more authentication is needed, request an appropriate level of verification – is therefore a game-changer.

For example, “In luxury fashion, you often have client advisors (like a personal assistant) making an order on behalf of the customer,” says Kaptzan. This might be flagged as fraudulent by a binary system. But with Adaptive Checkout, such a buyer might simply be asked to provide additional verification prior to authorisation.

Ticketing also has lots of first-time customers making high-value purchases. Major events can trigger a flood of orders in a short timeframe, making it difficult to distinguish between enthusiastic fans and organised fraud rings. 

Traditional systems tend to either block too many good customers or let too much fraud through. Routing risky orders to one-time password (OTP) verification can help to solve the problem, however, leading to higher approval rates and more revenue for the merchant.

In fact, after implementing strategic analytical touchpoints in their checkout flow, one of Riskified’s ticketing merchants was able to approve as much as $3m in incremental revenue that would otherwise have been declined due to fraud risk.

Retailers also face some unique challenges when it comes to fraud. Seasonal sales periods create spikes in both legitimate and fraudulent orders, for instance, while expanding into new markets can introduce unfamiliar risk patterns. 

Adaptive approaches can help retailers navigate these complexities without ramping up false declines. With Riskified’s SMS Recover, for example, one retailer moved from reclaiming around 20-30% of declined transactions through the customer calling the contact centre to recovering these sales in real-time, reducing operational costs while also keeping customers engaged.

Riskified also enabled a major digital trading platform to maximise acceptance rates and eliminate the need for 3DS in the US, where customers are less friction-tolerant. “US customers are very averse to friction, so we help merchants be very selective about when they're having to ask for verification,” says Kaptzan. 

Ultimately, "There's no one-size-fits-all solution – it's about finding what's going to work best for each merchant, for each order segment and for each region, in order to maximise conversion.” In other words, they need a tailored – not simple – solution to a complex problem: one that speeds good customers through the checkout process while protecting their bottom line from fraud.

Duncan Jefferies is a freelance journalist and copywriter specialising in digital culture, technology and innovation. His work has been published by The Guardian, Independent Voices and How We Get To Next.

Fiona Bond is a freelance journalist writing across business, finance and personal finance. She is the former commodities editor at Interactive Investor.