Holiday eCommerce Scams in 2020

Story from Kensium Solutions

The holidays are the #1 time of year for eCommerce fraud. According to Consumer Reports, the first twenty days of November 2019 resulted in over 60,000 potential scams in the U.S., targeting 26 popular brands.

There are two reasons for this. The first is that hackers aim to leverage the massive amount of holiday eCommerce transactions to their benefit. It’s difficult for many companies to detect fraud amongst the volume. The second relies on human error: customers scouring the internet for good deals (especially around Black Friday or Cyber Monday) are more likely to fall for fake sellers offering too-good-to-be-true discounts.

Signifyd Inc., a leader in eCommerce fraud protection, predicts the 2020 holiday season to be noisier than ever before. “COVID-19 will no doubt discourage shoppers from heading into brick-and-mortar stores, leading them to shop more online,” says Stefan Nandzik, Vice President of Product and Brand Marketing. “Our data shows that eCommerce spending in some categories more than doubled at times during the pandemic compared to pre-pandemic sales, and overall online spending has consistently remained 50% above spending a year ago.” When it comes to fraud, the chaos of the upcoming 2020 season provides an even broader opportunity for bad actors.


Our advice to merchants is to start preparing six months in advance. Creating and implementing a successful anti-fraud strategy proactively is a stellar way to mitigate the fraud risks and ensure a smoother holiday sales season.

The lowest hanging fruit is to perform any upgrades on your platforms (eCommerce, hosting, ERP, etc.) because these upgrades include security patches and releases. Then, take a hard look at your current fraud detection capabilities and ask yourself if it’s time for an update there as well. Start with the type of fraud that worries you the most, then research which fraud prevention software may be best suited to address that specific threat.

For example, machine learning-based fraud detection systems analyze customer data to identify unusual user behavior fitting the profile of known fraudulent activity. Alerts are shared with the merchant so they can take steps to shut it down. This type of fraud prevention is especially useful when it comes to what we call “friendly fraud.”

“A learning machine can sift legitimate from fraudulent orders instantaneously. The solution automates the order flow, so that good orders go straight to shipping. Furthermore, the guarantee fully reimburses the retailer for any approved order that later turns out to be fraudulent,” says Nandzik. “Not surprisingly, at Signifyd, we believe a machine-learning solution with a financial guarantee is the best way to tackle the holiday fraud challenge.”


Contrary to the name, friendly fraud is anything but. It is the root cause of over 70% of eCommerce fraud losses, according to It occurs when a cardholder disputes a legitimate purchase. What becomes tricky is figuring out if it’s just an innocent mistake, or a malicious attempt to steal from your company.

One of the most common scams is a buyer falsely claiming with the merchant that their “item was not received” (INR). This type of fraud involves no hacking whatsoever. After making an INR claim, bad buyers are given the benefit of the doubt and awarded a refund or a replacement. This way, they obtain two items for the price of one.

These scammers may also utilize chargeback fraud, in which they contact the credit card company and plead the same sob story of the missing package. If the bank issues the customer a chargeback, it’s up to the merchant to prove the chargeback was fraudulent if they want to recoup the loss.


Friendly fraud is one of the trickiest things to prevent because if you accuse a customer of fraud, and it’s just a “false positive” (the customer seems like they are committing fraud, but it’s a misunderstanding), you can lose that customer and, by extension, your reputation.

Here are a few best practices to follow to prevent friendly fraud:

  • Keep Detailed Transaction Records: Store purchase history information such as the details of when, where, and how a purchase was delivered or activated. Merchants can offer customers the necessary information to jog memories regarding the legitimacy of a transaction.
  • Create Household Profiles: Using historical data, merchants can create “household” profiles that include customer purchasing habits, preferred devices for shopping, and even device IP addresses. This data increases the likelihood of winning a chargeback dispute.
  • Return and Refund Policies Should Be Clear and Easy to Find: Include links to easy-to-understand return and refund policies on your website. Customers are less likely to initiate disputes when you ensure these policies get seen in prominent locations. It also protects you when you conflict with your payment processor over a chargeback.


Account takeover fraud occurs when the fraudster uses a piece of someone else’s identity, such as their Social Security number, email accounts, or credit card numbers to take over the identity of a genuine customer and gain access to their accounts. Any online login could be taken over by fraudsters, including eCommerce accounts, subscriptions, banks, credit cards, emails, and so on. Depending on the attack, they may change the account details, then use the account to order goods, or sell the account data elsewhere.


The best way to prepare is by knowing the signs an account has been taken over by a rogue actor. Look for multiple failed login attempts or multiple logins from new devices. Signifyd, an e-Commerce fraud protection firm, offers these broad recommendations for fending off bad actors:

  • Unique Transaction Signatures: Create unique transaction signatures using data such as account numbers, transaction amounts, and time stamps. These signatures are difficult to fake, and they create digital trails for fraud investigators to follow.
  • Enable Two-Factor Authentication (2FA): This increases the safety of online accounts by requiring two types of personal information from the user before they can log in. Many companies stand by 2FA as the best defense against most hackers, with good reason. According to a 2019 Google security study, 2FA prevents 100% of account takeovers by bots and is 96% effective at shutting down phishing attacks.
  • Risk Analytics: During an account takeover, risk analytics can pinpoint atypical account behavior and trigger an emergency authentication process that will immediately put a stop to flagged transactions.
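One way to build the transaction signatures from the first recommendation above, as an added example that is not Signifyd's or the article's own code. It assumes an HMAC-SHA256 over a canonical encoding of account number, amount and timestamp; the key, field names and five-minute freshness window are assumptions.

```python
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret. In production, load it from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed freshness window for accepting a signed transaction


def canonical(account_number: str, amount_cents: int, timestamp: int) -> bytes:
    """Encode the fields unambiguously, so ("12", 345) can never collide with ("123", 45)."""
    record = {"account": account_number, "amount_cents": amount_cents, "ts": timestamp}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(account_number, amount_cents, timestamp, key=SIGNING_KEY) -> str:
    """Keyed signature: without the key, nobody can produce a valid value for altered fields."""
    message = canonical(account_number, amount_cents, timestamp)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_transaction(account_number, amount_cents, timestamp, signature,
                      now=None, key=SIGNING_KEY) -> str:
    """Return "ok", "tampered" (a field or the signature changed) or "stale" (outside the window)."""
    now = int(time.time()) if now is None else now
    expected = sign_transaction(account_number, amount_cents, timestamp, key)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return "tampered"
    if not 0 <= now - timestamp <= MAX_AGE_SECONDS:
        return "stale"
    return "ok"


if __name__ == "__main__":
    ts = 1_600_000_000  # constructed timestamp
    sig = sign_transaction("ACCT-1001", 4999, ts)
    print(check_transaction("ACCT-1001", 4999, ts, sig, now=ts + 60))
    print(check_transaction("ACCT-1001", 499900, ts, sig, now=ts + 60))
```

Storing the signature alongside each order record gives investigators the trail the recommendation mentions: any later edit to the amount or account shows up as "tampered" when the record is re-checked.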
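The takeover signs named above (multiple failed login attempts, multiple logins from new devices) and the risk-analytics trigger can be checked over login events, as in this added example, which is not from the original article. The event tuples, thresholds and signal names are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune them against your own login telemetry.
FAIL_THRESHOLD = 5
NEW_DEVICE_THRESHOLD = 2
WINDOW_SECONDS = 600

# Constructed sample events: (epoch_seconds, account, device_id, login_succeeded)
EVENTS = [
    (1000, "alice", "dev-a1", True),
    *[(t, "bob", "dev-x9", False) for t in range(2000, 2121, 30)],  # five failures
    (2150, "bob", "dev-x9", True),
    (2300, "bob", "dev-y7", True),
    (3000, "carol", "dev-c1", False),  # a single typo, then a normal login
    (3020, "carol", "dev-c1", True),
]
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}


def _prune(window, now):
    """Drop timestamps that have fallen out of the sliding window."""
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()


def find_takeover_signals(events, known_devices):
    """Return (account, timestamp, signal) tuples that should trigger step-up authentication."""
    failures, new_device_logins = defaultdict(deque), defaultdict(deque)
    seen = {acct: set(devs) for acct, devs in known_devices.items()}
    alerts = []
    for ts, account, device, succeeded in sorted(events):
        fails = failures[account]
        _prune(fails, ts)
        if not succeeded:
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append((account, ts, "failed_login_burst"))
            continue
        if len(fails) >= FAIL_THRESHOLD:  # the guessing finally worked
            alerts.append((account, ts, "success_after_failed_burst"))
        fails.clear()
        if device not in seen.setdefault(account, set()):
            seen[account].add(device)
            recent = new_device_logins[account]
            recent.append(ts)
            _prune(recent, ts)
            if len(recent) >= NEW_DEVICE_THRESHOLD:
                alerts.append((account, ts, "multiple_new_devices"))
    return alerts
```

On the sample data only "bob" is flagged; "carol" mistyping a password once on her usual device produces no alert, which keeps the false positives the article warns about out of the queue.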



Determined thieves can steal shipping account numbers to divert large shipments from merchants to wherever they want. Once these account numbers can be accessed, they are often used in the same manner as stolen credit cards and resold on the dark web. Hackers target all sizes of businesses. They’re looking for vulnerabilities and seeing how diligently the shipping accounts are monitored. Hackers also use fake shipping invoices to trick recipients into wiring money to the fraudster.


A dependable way to prevent hijacked shipping account numbers is to implement a central shipping management system that includes these features:

  • The ability to make account numbers accessible only to specific and trustworthy employees.
  • A reporting system that allows these users to schedule pickups and track packages regularly.
  • A tracking system that cross-references user activity with shipping order activity to determine any suspicious behavior.


If you are a merchant on Magento 1 (M1) and you haven’t already begun planning for the platform’s end-of-life (EOL) in June 2020, you need to start now. EOL means all online stores deployed on Magento 1 will no longer have access to new features, new security patches, functionality updates, and support from Magento. Your online store will remain functional but become more vulnerable to bugs and security breaches.

General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This increases the possibility of exposing personally identifiable customer data, which in turn can destroy an eCommerce company’s reputation.

This is not the time to be taking any chances on cybersecurity. Hackers around the country take advantage of the holidays to increase phishing and cyberattacks. These attacks are likely to increase, given the fact that the M1 EOL timeline is well-known and widely publicized. We recommend migrating to a new platform after June 2020 and receiving regular support and security updates from the software provider.


Tracking down evidence of fraud (whether it’s wire-fraud or shipping) takes time and effort. However, shipping scams can be a legitimate threat to merchants, their customers, reputation, and profits. That’s why it’s of dire importance to begin preparing as soon as possible.

Fraud protection companies like Signifyd dedicate themselves to creating software that identifies and alerts users to fraudulent activity and providing chargeback-management solutions.

Their flagship product, the Commerce Protection Platform, harnesses machine learning and artificial intelligence to protect merchants. The platform automates online order flows, instantaneously sorts fraudulent orders from legitimate ones, triages abuse chargebacks stemming from customer disputes, and future-proofs the enterprise against rapidly evolving payments compliance issues. It also includes a financial guarantee backing the platform’s decisions.

Signifyd’s Commerce Protection Platform now protects the largest network of merchants globally, so contact them if you’re serious about protecting your company from holiday scams.