According to Juniper Research data, global e-commerce turnover surpassed $7 trillion in 2024, and is projected to grow by 1.5 times over the next five years. But cybercriminal interest in this field is growing even faster. Last year, losses from fraud exceeded $44 billion — and they’re expected to reach US$107 billion within five years.
Any online platform — regardless of size or industry — can become a target, whether it’s a content marketplace, a hardware store, a travel agency, or a water park website. If you accept payments, run a loyalty program, and allow creation of customer accounts, fraudsters will definitely come knocking. So which attack schemes are most common, what kind of damage can they cause, and how can you stop them?
Account theft
Thanks to infostealers and various database leaks, attackers have access to billions of email-password combinations used on various sites. They can try these combinations on any other site with user accounts, on the assumption that humans often use the same password for different services. This attack method is known as “credential stuffing”, and if successful, attackers can place orders using the victim’s linked bank card or spend loyalty points. Criminals can also use compromised accounts to make fraudulent payments with other credit cards.
Testing stolen cards
Just as with login credentials, attackers may have a database of credit-card data stolen using malware. They need to test which cards are still valid and can process online payments — and for this, any e-commerce site will do. These “test” purchases are usually small. Working cards are then resold to other criminals, who go on to drain the funds in various ways.
From the store’s side, this looks like a customer adding a bunch of random inexpensive items to their cart and repeatedly trying to check out, each time with a different card. Even small stores can end up with hundreds of abandoned carts. Eventually, the payment gateway may block the store for exceeding the allowed number of failed payment attempts.
Buyer fraud
Sometimes real customers may complete an order, only to later tell their bank they never made the purchase — and demand a refund. This could be a case of deliberate fraud, or simply one family member using another’s card without permission — for instance, a teenager using a parent’s card. Although such incidents are usually small-scale, they can still cause serious damage — especially if the store becomes known in “lifehacker” communities as a site that easily refunds money.
Fraudulent purchases
Depending on your store’s niche, location, and other factors, criminals may try to use stolen credit cards to “cash out” by purchasing goods or services. This can result in a wave of orders followed by a flood of disputes and cancellations. In some extreme cases, the volume alone becomes a threat — one store received 118 000 fraudulent orders, with criminals placing a fake order every three seconds.
Gift card attacks
If your store accepts gift cards, bots may attempt to brute-force thousands of card numbers and verification codes to find valid ones. Once found, they’re either used to make purchases or resold on the secondary market.
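The card-testing pattern described earlier under "Testing stolen cards" and the gift-card brute force in this section share one detectable signature: a single session trying many distinct cards or codes within a short window, most of them failing. The Python script below, added here as an illustration and not part of the original article, runs a per-session velocity check over a constructed sample log; the log field names, the session identifier and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented for this example, not real store data).
# Each line: timestamp, session id, credential kind (card or giftcard),
# a fingerprint/token of the credential tried, and the gateway result.
SAMPLE_LOG = """\
2025-03-01T10:00:01 sess=A kind=card token=c1 result=declined
2025-03-01T10:00:09 sess=A kind=card token=c2 result=declined
2025-03-01T10:00:17 sess=A kind=card token=c3 result=approved
2025-03-01T10:00:25 sess=A kind=card token=c4 result=declined
2025-03-01T10:00:33 sess=A kind=card token=c5 result=declined
2025-03-01T10:00:41 sess=A kind=card token=c6 result=declined
2025-03-01T10:05:00 sess=B kind=card token=c7 result=declined
2025-03-01T10:06:10 sess=B kind=card token=c7 result=approved
2025-03-01T11:00:00 sess=C kind=giftcard token=g1 result=invalid
2025-03-01T11:00:02 sess=C kind=giftcard token=g2 result=invalid
2025-03-01T11:00:04 sess=C kind=giftcard token=g3 result=invalid
2025-03-01T11:00:06 sess=C kind=giftcard token=g4 result=invalid
2025-03-01T11:00:08 sess=C kind=giftcard token=g5 result=invalid
2025-03-01T11:00:10 sess=C kind=giftcard token=g6 result=valid
"""

def parse_events(text):
    """Turn log lines into (timestamp, session, kind, token, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ok = kv["result"] in ("approved", "valid")
        events.append((datetime.fromisoformat(ts), kv["sess"], kv["kind"], kv["token"], ok))
    return events

def find_enumeration(events, window=timedelta(minutes=5), max_distinct=4, min_fail_ratio=0.5):
    """Flag sessions that try more than max_distinct cards/codes inside one
    sliding window while at least min_fail_ratio of those attempts fail.
    Returns {session: (kind, distinct_tokens, failures)} at the first trigger."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev[1]].append(ev)
    flagged = {}
    for sess, evs in by_session.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e[3] for e in span}
            fails = sum(1 for e in span if not e[4])
            if len(distinct) > max_distinct and fails / len(span) >= min_fail_ratio:
                flagged[sess] = (span[0][2], len(distinct), fails)
                break
    return flagged
```

A flagged session is a candidate for step-up verification or a temporary checkout hold, which also keeps failed-attempt counts below the payment gateway's limits.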
Loyalty points theft
If your store allows purchases using accumulated loyalty points without requiring additional verification via SMS or other methods, attackers can either immediately drain any account they manage to access, or wait for the victim to accumulate more points. The latter often happens with stores that sell high-value products and have a loyal customer base.
Scalping exclusive products
If you sell, say, tickets to popular concerts or limited-edition sneakers, be prepared for resellers. Scalper bots can snap up all exclusive stock within minutes, triggering justified outrage from loyal customers. There’s an active black market for bots designed for popular e-commerce platforms, such as Shopifybot.
Mass account registration
To successfully run the schemes described above, attackers often create hundreds or thousands of accounts in your store, increasing operational costs — for instance, by triggering welcome SMS messages and follow-up email campaigns.
Direct and indirect business losses
Even if neither you nor your customers lose money or goods, any of the above schemes can lead to a wide range of problems and expenses:
- Costs from fraudulent transactions and repeated failed payments. Depending on the situation and the terms of your agreement with the payment gateway, you might have to cover transaction and chargeback fees, fines, and other costs. You might also exceed your transaction limits and temporarily lose access to the payment gateway — effectively paralyzing normal operations.
- Advertising costs and distorted analytics. Bots often arrive via referral links, paid search ads, and other forms of online advertising. This means your real advertising budget may be wasted attracting fake users. Even if the bots don’t consume your budget directly, their activity can mess up ad platform algorithms, resulting in lower-quality traffic to your site.
- Costs of marketing campaigns and promotions abused through newly created accounts. Existing users register additional accounts to claim welcome bonuses meant for a first purchase, and fraudsters look for weaknesses that let them collect such bonuses en masse. As a result, the marketing budget set aside for attracting customers and building loyalty is wasted.
- Poor planning. Numerous fake orders can be hard to filter out of your analytics — especially if you rely on the default analytics tools built into your e-commerce platform. As a result, planning for demand and stock becomes much more difficult.
- Wasted time. Dealing with hundreds of abandoned carts, thousands of bogus accounts, and countless failed payment attempts consumes your employees’ time and energy, leading to operational delays and losses.
- Customer dissatisfaction. Depending on the attack type, customers may suffer direct losses (money stolen, loyalty points drained, fraudulent activity on their account) or indirect inconveniences (product shortages, failed transactions). Whatever the issue, your support and marketing teams will have to handle it — offering discounts, compensation and so on. But many customers will simply walk away and never come back.
It’s no surprise that, according to some estimates, for every hundred dollars in fraudulent orders, businesses lose over double that in total costs.
How to protect your online business
The days of blocking bots by filtering IP addresses or adding a CAPTCHA at checkout are over. The AI boom has empowered not only automation in marketing and customer support — but also a new generation of dangerous fraud bots that easily bypass traditional protection.
That’s why businesses of all sizes need next-generation security technologies that monitor every user session from the moment they land on the site until checkout. This kind of continuous protection helps detect any anomalies — whether it’s a compromised legitimate account, abuse of the payment gateway API, mass fake account creation, or attempts to circumvent security measures.
A leading solution in this space is Kaspersky Fraud Prevention. By continuously analyzing the user’s device, behavior, environment, and metadata in real time, it builds a profile of a legitimate user, detects anomalies early on, and protects against account compromise and fraud. Kaspersky Fraud Prevention can be tailored to the specific needs of your store using flexible rules that leverage both your own data and global analytics. The solution does not require installation on the user’s device and is integrated into an existing website and mobile application with minimal effort.
Many site owners report that advanced anti-fraud analytics actually improve the customer experience — since legitimate users encounter fewer CAPTCHAs, SMS verifications, and other friction points. And ultimately, your business faces fewer losses — and can focus more on developing your product range and service.