Protect your small business from e-commerce fraud

September 07, 2023

The spending habits of consumers have changed dramatically in recent years, with massive shifts to online shopping reshaping the global marketplace. In fact, U.S. e-commerce retail sales reached nearly $1.06 trillion in 2022, a 77% increase from 2019’s $597 billion in sales.[1] What’s more, the growing number of digital solutions is making way for an array of payment options. While this may sound like good news, this kind of change can attract criminals.


Today, e-commerce merchants are facing ever-increasing risk from fraudulent activity. Indeed, e-commerce losses to online payment fraud will exceed $48 billion globally in 2023, an increase of nearly 17% over 2022 losses.[2] That’s why it’s important to learn more about the types of fraud impacting small businesses, as well as how to combat them.


Why managing fraud risk is important

There was a time when large corporations were the primary victims of online fraud, which compelled many of them to make massive investments in solutions to detect and prevent fraud. In response, fraudsters have turned their attention to small and midsize businesses — particularly those that don’t have the budget or technical resources to implement full-featured anti-fraud technologies. And with the growth in payment options, there are more ways for scammers to exploit businesses that aren’t fully using fraud management capabilities.


Without strong fraud detection, a business may never know what happened until it’s too late. In some cases, it may even result in the closure of the business. “Consider a local small business that receives an unusually large order. In their excitement, they may not stop to think about the risks and rush to complete the order,” says Christina Bradshaw, vice president of fraud and identity authentication services at Bank of America. “In the unfortunate situation where that order is fraudulent, the owner receives a chargeback and is out the cost of goods sold plus fulfillment costs. They can also face some severe penalties that result in them going out of business.”


For small businesses that fall victim to fraud, the risks can include:


  • Loss of business or customer loyalty due to reputational harm
  • Time lost responding to disputes, issuing refunds or training employees
  • Financial loss due to chargebacks, cost of goods sold and shipping expenses
  • Noncompliance with payment card industry standards and card brand requirements, which may include penalties if fraud rates become excessive or customer data is compromised


Common types of online fraud

Over the years, certain types of fraud have become more prevalent among small e-commerce businesses. According to Bradshaw, popular targets often include charities, order-ahead restaurants and small retailers that sell luxury goods or popular electronics. She adds that small businesses should understand the various forms of fraud and the risks that come with each type.


The most common forms of fraud impacting small e-commerce merchants are as follows.


Auth testing

Also known as carding, card testing or card checking, auth testing is when a criminal tries to validate payment card information so that it can be resold for use in unauthorized purchases online. Often the fraudster uses long lists of compromised card numbers and enters them into websites with unsecured checkouts to test whether the cards are valid. Criminals then use this information to sell the cards at a higher profit. In more elaborate scenarios, culprits aggregate the card information with other compromised personal data found publicly or purchased on illicit markets and resell this data for even more money. Because this scheme doesn’t always end immediately in a completed sale that might look suspicious, a busy merchant is often unaware of the activity until they see a report or statement from their payments service provider with an unusually high number of authorization fees.
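A merchant does not have to wait for the fee statement to notice auth testing. The following is an added example, not code from the original article: it scans a constructed authorization log and alerts when one source tries many different cards in a short window with mostly declined results. The log layout, card tokens, addresses and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, sorted by time: timestamp, source IP, card token, result.
SAMPLE_LOG = """\
2023-09-07T10:00:01 203.0.113.7 tok_01 DECLINED
2023-09-07T10:00:04 203.0.113.7 tok_02 DECLINED
2023-09-07T10:00:09 198.51.100.20 tok_90 DECLINED
2023-09-07T10:00:11 203.0.113.7 tok_03 APPROVED
2023-09-07T10:00:15 203.0.113.7 tok_04 DECLINED
2023-09-07T10:00:40 198.51.100.20 tok_90 APPROVED
2023-09-07T10:00:52 203.0.113.7 tok_05 DECLINED
2023-09-07T10:01:03 203.0.113.7 tok_06 DECLINED
2023-09-07T10:20:00 192.0.2.44 tok_70 APPROVED
2023-09-07T10:45:00 192.0.2.44 tok_71 APPROVED
"""

# Assumed thresholds; tune them against your own normal traffic.
WINDOW = timedelta(minutes=5)
MIN_CARDS = 5              # distinct cards from one source inside the window
MIN_DECLINE_RATIO = 0.6    # share of attempts in the window that were declined

def parse(log):
    """Yield (time, source, card token, approved?) for each log line."""
    for line in log.strip().splitlines():
        ts, src, card, result = line.split()
        yield datetime.fromisoformat(ts), src, card, result == "APPROVED"

def detect_card_testing(log):
    """Return {source: time of first alert} for sources that look like auth testing."""
    recent = defaultdict(deque)   # per-source sliding window of attempts
    alerts = {}
    for ts, src, card, approved in parse(log):
        window = recent[src]
        window.append((ts, card, approved))
        while ts - window[0][0] > WINDOW:   # drop attempts older than the window
            window.popleft()
        cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, ok in window if not ok)
        if (src not in alerts and len(cards) >= MIN_CARDS
                and declines / len(window) >= MIN_DECLINE_RATIO):
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, ts in detect_card_testing(SAMPLE_LOG).items():
        print(f"possible auth testing from {src}, first alert at {ts}")
```

The customer who retries a single card and the source that uses two cards 25 minutes apart stay below the thresholds; only the burst of distinct, mostly declined cards raises an alert.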


Account takeover

Account takeover happens when criminals use stolen credentials to compromise the online e-commerce accounts of consumers. Many online merchants offer customers the opportunity to set up accounts and save credit cards for faster transactions, which may further entice fraudsters to attempt account takeovers. With unauthorized access, they hope to pose as a legitimate customer and buy goods, steal gift card balances or rewards points, or scrape additional personal information from consumers for use in other types of identity theft schemes.


Friendly fraud

Unlike “normal” fraud, friendly fraud is conducted by the actual cardholder or by someone authorized to use the card, such as a family member. One common example is refund fraud, which happens when a customer completes a legitimate transaction but then files a chargeback with the bank, claiming dissatisfaction with the seller or product. Another common scenario is a child or family member using the card to make purchases the cardholder didn’t approve. The account owner then disputes the charge, thinking their card was stolen. As a result of these scenarios, the bank often issues a credit to the cardholder, believing actual fraud has occurred.


How to protect against e-commerce fraud

The first step in protection is detection. When thinking about how to detect fraudulent activity, it’s most important to understand what is normal business activity and what isn’t. “Do you usually get small, repeat orders from locals but suddenly receive a very large order from a new customer and location where you don’t typically do business? Does the customer have an order history with you? If it’s unusual for your business, it could be an indication of fraud,” says Bradshaw, who dealt with many types of fraud firsthand as a small business owner.


6 red flags that help spot e-commerce fraud

Protecting your business from e-commerce fraud doesn’t have to be an expensive undertaking. There are many data points that merchants have at their disposal that can be used to detect fraud. Some of the more common red flags include:

  1. Unusually large orders
  2. Multiple credit cards used for a single purchase
  3. Orders for high-demand products that can be easily resold for cash
  4. Multiple separate orders in a short time frame
  5. Unnecessary requests or payments for expedited shipping
  6. Orders to locations outside your typical delivery area, especially overseas

To the extent possible, businesses should look to technical solutions that automate fraud detection and prevention. Instead of scrutinizing every purchase, small business owners can rely on software and machine learning to repel blatantly fraudulent activity and draw attention to abnormal orders. Do your research before deploying any new solution, and choose from established, reputable vendors.
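As an added illustration of the simplest kind of automation (not code from the original article or from any vendor), the six red flags can be written as rules that compare each order with the merchant's own normal activity and hold an order for review only when several flags coincide. The order fields, SKUs, profile values and thresholds are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed merchant profile; every threshold below is an assumption to tune.
PROFILE = {
    "past_totals": [42.0, 55.5, 38.0, 61.0, 47.25],   # recent legitimate order totals
    "usual_countries": {"US"},
    "resellable_skus": {"PHONE-X", "GIFT-CARD-100"},   # high-demand, easy to resell
}

def red_flags(order, recent_orders, profile=PROFILE):
    """Return which of the six red flags an order raises."""
    flags = []
    if order["total"] > 5 * median(profile["past_totals"]):
        flags.append("unusually large order")
    if len(set(order["card_tokens"])) > 1:
        flags.append("multiple cards on one purchase")
    if profile["resellable_skus"] & set(order["skus"]):
        flags.append("easily resold product")
    hour_ago = order["placed_at"] - timedelta(hours=1)
    earlier = [o for o in recent_orders if o["email"] == order["email"]
               and hour_ago <= o["placed_at"] < order["placed_at"]]
    if len(earlier) >= 2:
        flags.append("multiple orders in a short time frame")
    if order["shipping"] == "expedited":
        flags.append("expedited shipping")
    if order["ship_country"] not in profile["usual_countries"]:
        flags.append("outside typical delivery area")
    return flags

def needs_review(order, recent_orders, threshold=3):
    """Hold an order for manual review only when several flags coincide."""
    return len(red_flags(order, recent_orders)) >= threshold

# Constructed sample orders.
T = datetime(2023, 9, 7, 14, 0)
NORMAL = {"email": "a@example.com", "total": 49.0, "card_tokens": ["tok_1"],
          "skus": ["MUG-01"], "shipping": "standard", "ship_country": "US", "placed_at": T}
RECENT = [{"email": "b@example.com", "placed_at": T - timedelta(minutes=m)} for m in (40, 15)]
SUSPECT = {"email": "b@example.com", "total": 900.0, "card_tokens": ["tok_2", "tok_3"],
           "skus": ["PHONE-X"], "shipping": "expedited", "ship_country": "ZZ", "placed_at": T}

if __name__ == "__main__":
    for name, order in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, needs_review(order, RECENT), red_flags(order, RECENT))
```

Requiring several flags before holding an order keeps a legitimate customer who simply pays for fast shipping from being delayed.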


Fortunately, there are several technical mitigations that can protect against fraud. These include:


  • Credential security, such as multifactor authentication
  • Challenge-response tests on your website, such as CAPTCHAs, and other plugins
  • Payer authentication solutions
  • Device intelligence or fingerprinting
  • Rules-engine or machine learning-based fraud detection systems
  • Staying up to date with all hosting and platform software


Merchants should dedicate time and attention to developing fraud awareness, whether for themselves or to train employees. Bradshaw points out that there’s a huge need for small businesses to learn more about e-commerce fraud. “Fraud is one of those things that, until it happens to you, you don’t always understand or appreciate the risk,” she says. Small businesses must understand their strengths and weaknesses where payments security is concerned, discuss risks and trends with employees regularly and engage with their payment service provider to get insights and recommendations.

1. St. Louis Fed, U.S. E-commerce Retail Sales, updated May 19, 2023

2. Juniper Research, “Online Payment Fraud: Market Forecasts, Emerging Threats & Segment Analysis 2022-2027,” October 12, 2022
