Fraud Prevention for Ecommerce: Protect Your Store From Fraudulent Orders
Before You Start
Understand the three types of ecommerce fraud you are defending against. True fraud involves stolen credit card numbers used by someone other than the cardholder, and it accounts for approximately 60% of ecommerce fraud losses. Friendly fraud involves legitimate customers who dispute valid purchases to get refunds while keeping the product, accounting for roughly 30% of losses. Account takeover involves attackers accessing legitimate customer accounts to make purchases with saved payment methods, representing the remaining 10% but growing rapidly. Each type requires different prevention strategies, and an effective fraud program addresses all three.
You need admin access to your payment processor settings and your ecommerce platform order management. If you process fewer than 100 orders per month, basic AVS/CVV verification and manual review of flagged orders is sufficient. At 100 to 1,000 orders per month, automated fraud scoring becomes necessary because manual review of every order is no longer practical. Above 1,000 orders per month, a comprehensive fraud stack with automated decisioning, velocity checks, and chargeback alert services is essential.
Step-by-Step Fraud Prevention Setup
Address Verification Service (AVS) compares the numeric portion of the billing address entered at checkout with the address on file at the cardholder's bank. If the customer enters "123 Main Street" and the bank has "456 Oak Avenue," the AVS check fails, indicating the person placing the order may not be the cardholder. CVV verification requires the 3-digit code (4 digits for Amex) printed on the physical card, which is not stored in any database and cannot be obtained from most data breaches. Together, AVS and CVV checks block the simplest form of fraud where an attacker has a stolen card number but not the physical card or the cardholder's address. In your payment processor settings (Stripe Dashboard under Radar settings, PayPal under Payment Receiving Preferences, or your gateway's admin panel), configure the system to decline transactions where AVS returns a non-match and CVV verification fails. Most processors allow you to set these rules independently, declining on CVV failure while flagging (but not declining) AVS mismatches, which is the recommended starting configuration because AVS has a higher false-positive rate due to address formatting variations.
Fraud scoring tools analyze dozens of signals for each transaction and produce a risk score that predicts the likelihood of fraud. Stripe Radar is included with every Stripe account at no extra cost for basic rules, with Radar for Fraud Teams at $0.07 per screened transaction for advanced machine learning and custom rules. Signifyd ($1,500+/year) provides a guaranteed fraud protection model where they reimburse you for chargebacks on orders they approve. Sift ($0.01 to $0.05 per decision) offers machine learning fraud scoring with customizable thresholds. For Shopify stores, Shopify's built-in fraud analysis provides basic risk indicators, and apps like NoFraud ($0.04 per transaction) and Signifyd integrate directly. The signals these tools evaluate include: IP geolocation versus billing address distance, email address age and history, device fingerprinting, purchase velocity, proxy or VPN detection, order pattern analysis, and hundreds of additional data points. Configure your fraud scoring tool to auto-approve low-risk transactions (scores below 20 on a 100-point scale), flag medium-risk transactions for manual review (scores 20 to 60), and auto-decline high-risk transactions (scores above 60). Adjust these thresholds based on your false positive rate after the first 30 days.
Manual review catches sophisticated fraud that automated tools miss, particularly social engineering and targeted attacks. Define specific rules that hold orders for human review before fulfillment: first-time orders above three times your average order value (if your AOV is $75, flag first orders above $225), orders where the shipping address is in a different country than the billing address, orders with expedited shipping from new customers (fraudsters want products delivered quickly before the card is reported stolen), multiple orders from the same IP address within 24 hours, orders using free email addresses (gmail, yahoo, hotmail) with mismatched billing and shipping addresses, and orders shipping to freight forwarding addresses. Define the review procedure itself: call the phone number on the order and verify that the customer placed it, verify that the email address exists by checking for a social media profile or business presence, and check the IP geolocation against the billing and shipping addresses. A 2-minute phone call prevents thousands of dollars in fraud losses and chargebacks.
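The AVS/CVV policy, the score thresholds and the manual-review rules above, combined into one decision function. This is an added example, not code from the guide or from any payment processor's API; the $75 AOV, the free-email domain list, the freight-forwarder postcode list and the Order fields are assumptions, and the same-IP rule is left to a separate velocity check.

```python
from dataclasses import dataclass

# Thresholds from the guide; the AOV and forwarder list are constructed example values.
APPROVE_BELOW = 20
DECLINE_ABOVE = 60
AVERAGE_ORDER_VALUE = 75.0
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
FREIGHT_FORWARDER_ZIPS = {"33166"}  # hypothetical list of known forwarder postcodes

@dataclass
class Order:
    amount: float = 50.0
    cvv_match: bool = True
    avs_match: bool = True
    risk_score: int = 10  # 0-100 from the fraud scoring tool
    first_order: bool = False
    expedited: bool = False
    email: str = "customer@example.com"
    billing_country: str = "US"
    shipping_country: str = "US"
    billing_zip: str = "10001"
    shipping_zip: str = "10001"

def review_reasons(o: Order) -> list[str]:
    """Manual-review rules from the guide that this order trips."""
    reasons = []
    if not o.avs_match:
        reasons.append("avs_mismatch")  # flag only: address formatting varies
    if o.first_order and o.amount > 3 * AVERAGE_ORDER_VALUE:
        reasons.append("first_order_above_3x_aov")
    if o.billing_country != o.shipping_country:
        reasons.append("billing_shipping_country_mismatch")
    if o.first_order and o.expedited:
        reasons.append("expedited_shipping_new_customer")
    domain = o.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS and o.billing_zip != o.shipping_zip:
        reasons.append("free_email_with_mismatched_addresses")
    if o.shipping_zip in FREIGHT_FORWARDER_ZIPS:
        reasons.append("freight_forwarder_address")
    return reasons

def decide(o: Order) -> tuple[str, list[str]]:
    """Hard declines first (CVV failure, high score), then hold if any rule trips."""
    if not o.cvv_match:
        return "decline", ["cvv_failed"]
    if o.risk_score > DECLINE_ABOVE:
        return "decline", ["risk_score_high"]
    reasons = review_reasons(o)
    if o.risk_score >= APPROVE_BELOW:
        reasons.append("risk_score_medium")
    return ("review" if reasons else "approve"), reasons
```

Note that a first order of exactly $225 is approved: the rule fires only above three times the AOV, so check your own boundary values after the first 30 days.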
Velocity checks limit how quickly actions can be repeated, blocking automated fraud tools that test stolen cards or create fake accounts at scale. Configure limits on: maximum card authorization attempts per IP address per hour (set to 3 to 5, because legitimate customers rarely retry more than twice), maximum orders per customer account per day (set to a reasonable number for your business, typically 3 to 5), maximum new account registrations per IP per day (set to 2 to 3), and maximum failed login attempts per account per hour (set to 5, then lock the account temporarily). For card testing attacks where fraudsters use your store to verify whether stolen card numbers are valid by attempting small purchases, set a minimum order value of $1 to $5 and flag any sequence of small-value orders from the same IP or with incrementing card numbers. Stripe Radar includes built-in velocity rules, and most fraud scoring platforms support custom velocity configurations. For platforms without built-in velocity limiting, Cloudflare's rate limiting rules can restrict request frequency to your checkout and login endpoints.
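The per-IP authorization limit and the card-testing check above, as an added example that is not from the guide or from any fraud platform. The sliding one-hour window, the rule that three different cards on orders of a few dollars from one IP count as card testing, and the sample attempt stream are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limits from the guide: 3 to 5 auth attempts per IP per hour; card tests use orders of a few dollars.
MAX_AUTHS_PER_IP_PER_HOUR = 5
SMALL_ORDER_MAX = 5.00
CARD_TEST_MIN_CARDS = 3  # constructed: distinct cards on tiny orders from one IP before flagging
WINDOW = timedelta(hours=1)

class VelocityMonitor:
    """Sliding one-hour window of authorization attempts per source IP."""
    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> deque of (ts, amount, card_fingerprint)

    def record(self, ts, ip, amount, card_fp) -> list:
        """Record one attempt and return the velocity flags it raises."""
        window = self.attempts[ip]
        window.append((ts, amount, card_fp))
        while ts - window[0][0] > WINDOW:
            window.popleft()  # drop attempts older than one hour
        flags = []
        if len(window) > MAX_AUTHS_PER_IP_PER_HOUR:
            flags.append("auth_velocity_exceeded")
        small_cards = {fp for _, amt, fp in window if amt <= SMALL_ORDER_MAX}
        if len(small_cards) >= CARD_TEST_MIN_CARDS:
            flags.append("card_testing_pattern")  # many different cards, each on a tiny order
        return flags

def scan(events):
    """Run a stream of (ts, ip, amount, card_fp) attempts; return flags keyed by (ts, ip)."""
    mon, flagged = VelocityMonitor(), {}
    for ts, ip, amount, fp in events:
        flags = mon.record(ts, ip, amount, fp)
        if flags:
            flagged[(ts, ip)] = flags
    return flagged

# Constructed sample: one normal shopper who retries once, then one source testing six cards.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [(T0, "203.0.113.7", 89.00, "fp-a1"),
                 (T0 + timedelta(minutes=2), "203.0.113.7", 89.00, "fp-a1")]
SAMPLE_EVENTS += [(T0 + timedelta(minutes=10 + i), "198.51.100.9", 1.00, f"fp-b{i}") for i in range(6)]
# Constructed control: six attempts on one card spread 20 minutes apart never fill the window.
SLOW_EVENTS = [(T0 + timedelta(minutes=20 * i), "192.0.2.1", 50.00, "fp-c1") for i in range(6)]

if __name__ == "__main__":
    for key, flags in scan(SAMPLE_EVENTS).items():
        print(key, flags)
```

A legitimate customer retrying the same card on a small order is not flagged, because the card-testing rule counts distinct cards rather than raw attempts.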
Chargebacks cost you the transaction amount, the product you already shipped, and a chargeback fee of $15 to $100 per dispute. Your chargeback rate must stay below 1% of transactions or your payment processor may increase your fees, hold your funds, or terminate your account. Defense starts with evidence collection: save order confirmation emails, shipping tracking showing delivery to the correct address, delivery confirmation signatures for high-value orders, IP address and device information from the transaction, any customer communication acknowledging the order, and screenshots showing the customer's account activity. When you receive a chargeback notification, respond within the deadline (typically 7 to 30 days) with organized evidence addressing the specific dispute reason code. For friendly fraud prevention, use a clear billing descriptor that customers will recognize on their statement (your business name, not a generic payment processor name), send detailed order confirmation emails, provide easy-to-find customer service contact information so customers contact you before their bank, and consider enrolling in chargeback alert services like Ethoca or Verifi that notify you of disputes before they become formal chargebacks, giving you the option to issue a refund and avoid the chargeback fee entirely.
Fraud Prevention for Specific Product Types
Digital products and gift cards are the highest-risk product categories because they deliver instantly, cannot be recalled, and have no shipping address to verify. Fraudsters specifically target stores selling digital downloads, software licenses, gift cards, and digital currency because they can monetize the stolen goods immediately. For digital products, add delivery delays of 1 to 24 hours for first-time customers, require email verification before delivering downloads, limit gift card purchases to $100 to $200 per transaction and $500 per day per customer, and apply stricter fraud scoring thresholds than you use for physical products.
High-value physical goods like electronics, designer products, and jewelry attract fraud because of their high resale value. For orders above $500, require signature on delivery, consider address verification through a third-party service, and add a manual review step regardless of fraud score. Some merchants also require a photo of the customer's ID for very high-value orders, though this adds friction that may reduce legitimate conversions.
Subscription and recurring billing is vulnerable to trial fraud where fraudsters sign up for free trials with stolen cards, and to account takeover where an attacker changes the shipping address on an existing subscription. Use 3D Secure on the initial subscription payment to verify the cardholder, monitor for shipping address changes on subscription accounts, and flag any account that changes its shipping address immediately before a renewal charge.
Measuring Your Fraud Prevention Effectiveness
Track four metrics monthly. Fraud rate is confirmed fraudulent transactions divided by total transactions, with a healthy target below 0.5%. Chargeback rate is total chargebacks divided by total transactions, with a critical threshold of 1% (above this, your processor may take action). False decline rate is legitimate orders that were incorrectly blocked, which is harder to measure but can be estimated by reviewing declined orders and checking for subsequent successful purchases by the same customer. Manual review rate is the percentage of orders flagged for human review, which should stay below 5% to be operationally manageable.
Review your fraud rules quarterly and adjust based on the patterns you see. If a specific rule generates many false positives (blocking legitimate customers) with few true positives (catching actual fraud), loosen or remove it. If a new fraud pattern emerges that your current rules do not catch, add a rule to address it. Fraud tactics evolve constantly, and your prevention system must evolve with them.
