{"id":34680,"date":"2025-07-07T16:28:34","date_gmt":"2025-07-07T14:28:34","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/top-ecommerce-fraud-2025-and-protection\/34680\/"},"modified":"2025-07-07T16:28:34","modified_gmt":"2025-07-07T14:28:34","slug":"top-ecommerce-fraud-2025-and-protection","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/top-ecommerce-fraud-2025-and-protection\/34680\/","title":{"rendered":"Top fraud schemes threatening e-commerce"},"content":{"rendered":"

According to Juniper Research data, global e-commerce turnover surpassed $7 trillion<\/a> in 2024, and is projected to grow by 1.5 times over the next five years. But cybercriminal interest in this field is growing even faster. Last year, losses from fraud exceeded $44 billion\u00a0\u2014 and they\u2019re expected to reach US$107 billion within five years.<\/p>\n

Any online platform\u00a0\u2014 regardless of size or industry\u00a0\u2014 can become a target, whether it\u2019s a content marketplace, a hardware store, a travel agency, or a water park website. If you accept payments, run a loyalty program, and allow creation of customer accounts, fraudsters will definitely come knocking. So which attack schemes are most common, what kind of damage can they cause, and how can you stop them?<\/p>\n

Account theft<\/h2>\n

Thanks to infostealers<\/a> and various database leaks, attackers have access to billions of email-password combinations used on various sites. They can try these combinations on any other site with user accounts, on the assumption that humans often use the same password for different services. This attack method is known as \u201ccredential stuffing\u201d, and if successful, attackers can place orders using the victim\u2019s linked bank card or spend loyalty points. Criminals can also use compromised accounts to make fraudulent payments with other credit cards.<\/p>\n

Testing stolen cards<\/h2>\n

Just as with login credentials, attackers may have a database of credit-card data stolen using malware. They need to test which cards are still valid and can process online payments\u00a0\u2014 and for this, any e-commerce site will do. These \u201ctest\u201d purchases are usually small. Working cards are then resold to other criminals, who go on to drain the funds in various ways.<\/p>\n

From the store\u2019s side, this looks like a customer adding a bunch of random inexpensive items to their cart and repeatedly trying to check out, each time with a different card. Even small stores can end up with hundreds of abandoned carts<\/a>. Eventually, the payment gateway may block the store for exceeding the allowed number of failed payment attempts.<\/p>\n

Buyer fraud<\/h2>\n

Sometimes real customers may complete an order, only to later tell their bank they never made the purchase\u00a0\u2014 and demand a refund. This could be a case of deliberate fraud, or simply one family member using another\u2019s card without permission\u00a0\u2014 for instance, a teenager using a parent\u2019s card. Although such incidents are usually small-scale, they can still cause serious damage\u00a0\u2014 especially if the store becomes known in \u201clifehacker\u201d communities as a site that easily refunds money.<\/p>\n

Fraudulent purchases<\/h2>\n

Depending on your store\u2019s niche, location, and other factors, criminals may try to use stolen credit cards to \u201ccash out\u201d by purchasing goods or services. This can result in a wave of orders followed by a flood of disputes and cancellations. In some extreme cases, the volume alone becomes a threat\u00a0\u2014 one store received 118\u00a0000 fraudulent orders<\/a>, with criminals placing a fake order every three seconds.<\/p>\n

Gift card attacks<\/h2>\n

If your store accepts gift cards, bots may attempt to brute-force thousands of card numbers and verification codes to find valid ones. Once found, they\u2019re either used to make purchases or resold on the secondary market.<\/p>\n

Loyalty points theft<\/h2>\n

If your store allows purchases using accumulated loyalty points without requiring additional verification via SMS or other methods, attackers can either immediately drain any account they manage to access, or wait for the victim to accumulate more points. The latter often happens with stores that sell high-value products and have a loyal customer base.<\/p>\n

Scalping exclusive products<\/h2>\n

If you sell, say, tickets to popular concerts or limited-edition sneakers, be prepared for resellers. Scalper bots can snap up all exclusive stock within minutes, triggering justified outrage from loyal customers. There\u2019s an active black market for bots designed for popular e-commerce platforms, such as Shopifybot.<\/p>\n

Mass account registration<\/h2>\n

To successfully run the schemes described above, attackers often create hundreds or thousands of accounts in your store, increasing operational costs\u00a0\u2014 for instance, by triggering welcome SMS messages and follow-up email campaigns.<\/p>\n

Direct and indirect business losses<\/h2>\n

Even if neither you nor your customers lose money or goods, any of the above schemes can lead to a wide range of problems and expenses:<\/p>\n