While the internet is an amazing resource for humanity that gives us all the ability to watch hundreds of cat GIFs at any time of day, scams and ne’er-do-wells abound within its borders.
Every WooCommerce shop owner knows the risks associated with fraud, from being slapped with refund fees for a product that isn’t actually returned to logistical hassles, a damaged reputation, and more.
What’s worse is the fact that many fraudsters simply get away with the cash and you’re left footing the tab. Credit card companies almost always refund the buyer when they identify a fraudulent purchase, but there’s very little compensation to be found for shop owners in similar situations.
That leaves you down one sale and one product for every successfully executed instance of a scam.
On top of that, constantly having to deal with legal and chargeback disputes over fraudulent activity on your site can give your business a bad reputation and affect your sales on a larger scale.
Fortunately, there are a lot of ways that you can harden your WooCommerce shop against bad actors, and as always, we’ll walk you through each method one at a time.
An Introduction To eCommerce Fraud
eCommerce fraud extends far beyond the scope of a website security breach, and can include anything from fake WooCommerce orders to identity theft. With so many attack avenues through which malicious parties can harm your business, online store owners have to stay one step ahead of the game at all times.
Since the first step to protecting yourself is knowing thy enemy, let’s walk through some of the creative strategies scammers often employ:
Credit Card Fraud
Credit card fraud is much more common than you’d think. According to Security.org’s 2021 study, nearly half of all American adults have reported a fraudulent charge on their credit or debit cards.
This type of fraud occurs when a customer’s credit card (or its data) is stolen or cloned in order to illegally purchase items online. In many of these cases, financial information is obtained through phishing, an attack method through which an individual is tricked into providing sensitive personal financial data via email, SMS, or over the phone.
Chargeback fraud, also known as friendly fraud, takes place when a customer makes a purchase only to request a chargeback after receiving the item or service. Doesn’t sound all that friendly, right?
Chargeback fraud is no fun for anyone and its negative effects extend well beyond the financial losses associated with a fraudulent purchase.
According to Quicksprout, 80% of merchants file disputes for illegitimate chargebacks but less than 20% of store owners manage to win these disputes. If your chargebacks and disputes continue to pile up, your business’s trustworthiness and overall reputation will plummet.
There’s no shortage of pranksters on the world wide web, so you shouldn’t be surprised if one finds their way to your online store. One of the easiest ways these people target business owners is by placing fake orders on your site, or orders made to invalid addresses or fake identities (which makes the shipped product impossible to deliver).
Fake orders can abound when customers have the ability to choose “cash on delivery” as a payment method.
“Why go through all that trouble?!” you might ask. The cold, hard truth is that scammers place fake orders for the sole purpose of causing heaps of trouble for you, the business owner.
The best thing you can do is be aware that fake orders exist and reduce your attack surface by following the steps discussed in this article.
How To Prevent WooCommerce Fraud
Here are some strategies you can consider:
Perform Vulnerability Scanning
The first step to protecting your WooCommerce business is to make sure your website itself is safe. Regularly testing your site to identify potential vulnerabilities that hackers can take advantage of is essential.
There are a variety of WordPress plugins you can use to automatically scan your website for weaknesses, with some of the top contenders being Sucuri and WordFence. Security scanners keep an eye out for malicious data and website errors and monitor the integrity of your site’s core files.
Check out three common security flaws of WooCommerce.
Another way to ensure that accounts created on your WooCommerce site belong to real customers, not bots or hackers, is to set up Two-Factor Authentication. This login process requires customers to enter a correct username and password as well as a second factor: a verification code, the answer to a security question, or another form of additional authentication.
Implement Anti-Spam Measures
Spam can go far beyond trolls in your blog’s comments. For WooCommerce store owners, spam can also mean spam orders, bot accounts, and fake reviews on your products and services. Thankfully, some simple anti-spam measures can help you keep these problems at bay.
You can start by simply changing some of your WordPress configurations. For example, you can configure the general settings so that the “Anyone can register” option is off to keep bots from creating accounts. Likewise, disabling the option to “Allow customers to place orders without an account” on WooCommerce and requiring email verification for customer registration is a simple but effective way to reduce the risk of fake orders.
As far as keeping your product reviews spam-free goes, we also recommend enabling the “Reviews can only be left by verified owners” option in the Products tab of your WooCommerce settings.
Given that online stores are a very attractive target for scammers, changing the registration page URL is also recommended.
Finally, you can also install anti-spam plugins to help you increase your site’s security and trustworthiness. For example, Akismet is a WordPress plugin that will help you ward off comment spam and help you maintain your credibility. If you are using forms to collect customer data, another option is Honeypot Contact Form 7, which identifies bots by tricking them into entering information on fields that human respondents are instructed to leave empty. The plugin also keeps track of form submission time to identify bots and rejects submissions that fall under a user-defined threshold.
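The honeypot and submission-timing checks described above for contact forms can be applied to the WooCommerce checkout itself. The following must-use plugin is an added example written for this article; it is not code from the article, from Honeypot Contact Form 7, or from WooCommerce. The field name `hp_company_url`, the `hp_ts` timestamp field, the `hp_checkout_min_seconds` filter and the five-second threshold are all assumptions made here. It targets the classic (shortcode) checkout, whose hooks are used below.

```php
<?php
/**
 * Plugin Name: Checkout Honeypot And Timing Check
 * Added example for this article; not code from the article or from any plugin it names.
 * Copy into wp-content/mu-plugins/ to activate (classic shortcode checkout only).
 */

// Sign a timestamp so a bot cannot simply replay an old value to defeat the timing check.
function example_hp_sign( $timestamp ) {
    return $timestamp . '|' . hash_hmac( 'sha256', (string) $timestamp, wp_salt( 'nonce' ) );
}

// Render a field real customers never see (moved off-screen and hidden from assistive
// technology) plus the signed timestamp of when the checkout page was rendered.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    echo '<div style="position:absolute;left:-9999px;" aria-hidden="true">';
    echo '<label for="hp_company_url">Leave this field empty</label>';
    echo '<input type="text" id="hp_company_url" name="hp_company_url" tabindex="-1" autocomplete="off" value="">';
    echo '</div>';
    echo '<input type="hidden" name="hp_ts" value="' . esc_attr( example_hp_sign( time() ) ) . '">';
} );

// Reject the submission if the honeypot was filled, the timestamp is missing or forged,
// or the form came back faster than a human could plausibly fill it in.
add_action( 'woocommerce_checkout_process', function () {
    $min_seconds = (int) apply_filters( 'hp_checkout_min_seconds', 5 ); // assumed filter and default
    $message     = 'Your order could not be validated. Please reload the page and try again.';

    if ( ! empty( $_POST['hp_company_url'] ) ) {
        wc_add_notice( $message, 'error' );
        return;
    }

    $raw   = isset( $_POST['hp_ts'] ) ? (string) wp_unslash( $_POST['hp_ts'] ) : '';
    $parts = explode( '|', $raw );
    if ( 2 !== count( $parts ) || ! hash_equals( example_hp_sign( $parts[0] ), $raw ) ) {
        wc_add_notice( $message, 'error' );
        return;
    }
    if ( time() - (int) $parts[0] < $min_seconds ) {
        wc_add_notice( $message, 'error' );
    }
} );
```

The error message is deliberately generic so a script gets no hint about which check it failed. Keep the minimum-seconds threshold low: the goal is to catch instant, scripted submissions, not to penalize a returning customer with a saved address who checks out quickly.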
Blacklist Users By Location
It’s not uncommon for hackers to use proxies to access a website from a different IP address. Receiving orders from locations where you don’t offer shipping to or don’t do business in is also a red flag for suspicious activity. For these reasons, blacklisting users from certain countries and locations can be an effective way to prevent WooCommerce fraud.
You can blacklist certain countries directly in your WooCommerce settings by selecting the “Sell to all countries, except…” option.
Optionally, you can use the IP2Location Country Blocker, which lets you block visitors from specific IP ranges or countries, as well as anyone using an anonymous proxy, from accessing your site.
As an added bonus, the plugin doesn’t restrict access to search engine crawlers, allowing you to block spam traffic without hurting your SEO.
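Country settings and IP blocking stop the obvious cases before checkout; a complementary, quieter control is to compare the three locations an order carries (billing country, shipping country, and the country the customer’s IP geolocates to) and hold inconsistent orders for a human to look at rather than rejecting them outright. The plugin below is an added example written for this article, not code from the article, from IP2Location, or from WooCommerce. The `example_denylisted_countries` filter and the `_example_hold_for_review` meta key are assumptions; `WC_Geolocation::geolocate_ip()` is WooCommerce’s own helper and returns an empty country unless a geolocation source (for example the MaxMind integration) is configured in the store.

```php
<?php
/**
 * Plugin Name: Country Mismatch Screen
 * Added example for this article; not code from the article or from any plugin it names.
 * Copy into wp-content/mu-plugins/ to activate (classic shortcode checkout only).
 */

// ISO 3166-1 alpha-2 codes of countries you neither ship to nor do business in.
// Assumed filter name; with the empty default only the consistency checks below run.
function example_denylisted_countries() {
    return (array) apply_filters( 'example_denylisted_countries', array() );
}

// Build a list of human-readable reasons an order looks geographically inconsistent.
// An empty list means the order passed the screen.
function example_country_mismatch_reasons( $billing, $shipping, $ip_country, array $denylist ) {
    $reasons = array();
    if ( in_array( $billing, $denylist, true ) ) {
        $reasons[] = "billing country {$billing} is on the deny list";
    }
    if ( $shipping && $shipping !== $billing ) {
        $reasons[] = "shipping country {$shipping} differs from billing country {$billing}";
    }
    if ( $ip_country && $ip_country !== $billing ) {
        $reasons[] = "IP address geolocates to {$ip_country}, not {$billing}";
    }
    return $reasons;
}

// Runs once the order exists but before the gateway takes payment.
add_action( 'woocommerce_checkout_order_processed', function ( $order_id, $posted_data, $order ) {
    $ip  = $order->get_customer_ip_address();
    $geo = WC_Geolocation::geolocate_ip( $ip ); // array with 'country' (may be empty) and 'state'

    $reasons = example_country_mismatch_reasons(
        $order->get_billing_country(),
        $order->get_shipping_country(),
        isset( $geo['country'] ) ? $geo['country'] : '',
        example_denylisted_countries()
    );
    if ( ! $reasons ) {
        return;
    }

    // Record why, and flag the order so it lands in "on hold" instead of "processing".
    $order->add_order_note( 'Country screen (IP ' . $ip . '): ' . implode( '; ', $reasons ) . '.' );
    $order->update_meta_data( '_example_hold_for_review', 'yes' );
    $order->save();
}, 10, 3 );

// Gateways normally move a paid order to processing/completed; keep flagged orders on hold.
add_filter( 'woocommerce_payment_complete_order_status', function ( $status, $order_id, $order ) {
    return 'yes' === $order->get_meta( '_example_hold_for_review' ) ? 'on-hold' : $status;
}, 10, 3 );
```

The IP-versus-billing comparison is a signal, not proof: travellers, corporate VPNs and mobile carriers routinely geolocate to the wrong country, which is why this example holds the order for review instead of refusing the sale.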
Configure Your Payment Gateway For Fraud Prevention
A lot of the points we’re about to walk through may not be settings that you can adjust on your own, so we recommend reaching out to your payment gateway in order to explore/tweak the following:
This is a no-brainer. Requiring users to enter the three-digit security code (CVV) on the back of each card is one of the easiest ways to prevent fraud on your WooCommerce store before it ever has a chance to occur.
Address Verification Service filters, or AVS filters, are the means by which your payment gateway checks the ZIP code and billing address of the order against the information on file with the card’s bank.
There are different degrees of possible matches ranging from “No Match” to “Full Match”, and you have the ability to do any of the following with each type of match: Accept, Reject, Accept & Report, or Hold for Review.
This is the same logic behind your bank asking you to let it know when you’ll be making purchases with your cards abroad. It’s a simple security measure, but even the simplest filters can be highly effective.
The purpose of a velocity filter is to measure how many transactions your store is processing at any given time and to start shutting off the valve if it detects something fishy.
Let’s say your store usually does anywhere from 40-50 sales per day and you set a velocity filter for twice that amount, 100 sales. A sudden influx of orders can sometimes indicate that someone is throwing tons of fraudulent junk at your store, so as soon as your daily order threshold is reached, your filter would spring into action for each subsequent purchase.
When activated, a velocity filter can do anything from reporting a transaction to you (while otherwise processing it normally) to holding it for review or blocking it altogether.
If you have a seasonal product or experience occasional “surges”, this is also something to bear in mind when configuring your velocity filter. The last thing you want to do is frustrate shoppers during peak sales time!
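Velocity filtering is normally done at the gateway, but the same idea can be reproduced on the store side for gateways that don’t offer it, using the article’s numbers: a 40-50 orders/day shop with a threshold of 100. The plugin below is an added example written for this article, not code from the article or from any gateway. The `example_velocity_threshold` and `example_velocity_action` filters and the `_example_hold_for_review` meta key are assumptions; `wc_get_orders()` and the hooks are WooCommerce’s own. It counts orders over a rolling 24 hours rather than a calendar day, and the threshold is exposed through a filter precisely so you can raise it during an expected seasonal surge.

```php
<?php
/**
 * Plugin Name: Daily Order Velocity Filter
 * Added example for this article; not code from the article or from any payment gateway.
 * Copy into wp-content/mu-plugins/ to activate (classic shortcode checkout only).
 */

// Orders allowed per rolling 24 hours before the filter engages. Return a larger value
// from this (assumed) filter during peak season so real shoppers are not held up.
function example_velocity_threshold() {
    return (int) apply_filters( 'example_velocity_threshold', 100 );
}

// What happens to each order past the threshold: 'report', 'hold' or 'block' (assumed filter).
function example_velocity_action() {
    return apply_filters( 'example_velocity_action', 'hold' );
}

// Orders created in the last 24 hours, ignoring carts that never became orders.
function example_orders_last_24h() {
    $ids = wc_get_orders( array(
        'limit'        => -1,
        'return'       => 'ids',
        'status'       => array( 'pending', 'on-hold', 'processing', 'completed' ),
        'date_created' => '>' . ( time() - DAY_IN_SECONDS ),
    ) );
    return count( $ids );
}

// 'block': refuse the checkout before any order object is created.
add_action( 'woocommerce_checkout_process', function () {
    if ( 'block' === example_velocity_action() && example_orders_last_24h() >= example_velocity_threshold() ) {
        wc_add_notice( 'We cannot accept new orders at the moment. Please try again later.', 'error' );
    }
} );

// 'report' and 'hold': the order now exists (status pending, so it is in the count);
// note it, e-mail the shop admin, and for 'hold' flag it so payment leaves it on hold.
add_action( 'woocommerce_checkout_order_processed', function ( $order_id, $posted_data, $order ) {
    $count  = example_orders_last_24h() - 1; // exclude the order just created
    $limit  = example_velocity_threshold();
    $action = example_velocity_action();
    if ( 'block' === $action || $count < $limit ) {
        return;
    }
    $order->add_order_note( sprintf( 'Velocity filter: %d prior orders in the last 24 hours (limit %d); action: %s.', $count, $limit, $action ) );
    if ( 'hold' === $action ) {
        $order->update_meta_data( '_example_hold_for_review', 'yes' );
        $order->save();
    }
    wp_mail( get_option( 'admin_email' ), 'Velocity filter triggered', sprintf( 'Order #%d arrived after %d orders in 24h (action: %s).', $order_id, $limit, $action ) );
}, 10, 3 );

// Keep flagged orders on hold even after the gateway reports the payment as complete.
add_filter( 'woocommerce_payment_complete_order_status', function ( $status, $order_id, $order ) {
    return 'yes' === $order->get_meta( '_example_hold_for_review' ) ? 'on-hold' : $status;
}, 10, 3 );
```

Start in `report` mode for a week or two to see how often the threshold actually trips on legitimate traffic before switching to `hold`; `block` is the bluntest option and is the one most likely to frustrate real shoppers during a surge.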
Use An Anti Fraud Plugin
There’s really no such thing as a one-stop-shop solution when it comes to security because the best-protected sites have many diverse layers of prevention, detection, and mitigation measures.
If you’re looking for a good place to start, we recommend taking a look at plugins such as YITH WooCommerce Anti-Fraud, a powerhouse solution for site owners looking to take matters into their own hands and spend time on proper configuration.
This plugin really does more things than we can fit into a single segment, but here’s an overview of what you can do with it:
- Restrict or block orders based on your average expected number of monthly purchases
- Detect, restrict, and block orders made behind a proxy
- Request email verification for orders via PayPal
- Restrict orders by country
- Restrict orders by email domain
- Restrict orders by a customizable risk threshold
…and much more!
Like any plugin, anti-fraud plugins have to be configured properly to be effective, so this one’s more for the DIYers as opposed to a “fire and forget” solution.
Most of the user-side grievances that come from anti-fraud plugins (e.g. lots of false positives, constant checking/tweaking, customers being blocked when they shouldn’t be blocked, etc.) can be mitigated or eliminated altogether by properly setting up and maintaining your anti-fraud solution.
Use A ReCaptcha Plugin
WooTales published an article comparing the efficacy of various reCaptcha plugins for WooCommerce stores, and the aptly (if not underwhelmingly) named “reCaptcha for WooCommerce” came out on top.
What’s the difference between a run-of-the-mill anti-fraud plugin and a reCaptcha plugin, you ask?
A good reCaptcha plugin allows you to put Captcha messages on various pages of your site (checkout page, registration page, “add payment method” page, etc.), customize error messages (for a better UX), and set reCaptcha score thresholds to avoid false positives.
On top of that, this type of plugin protects your site against a more sinister enemy known as carding: the use of malicious scripts to test hundreds or thousands of fraudulent card numbers on your site in rapid succession.
Since carding is a form of brute force attack on your payment gateway, it can slow your site down to a crawl if left unaddressed. Worse still, your payment gateway may block your account if they determine that your response to continued threats is lacking.
The folks at WooTales recommend installing reCaptcha for WooCommerce on your Checkout and Add Payment Method pages, as well as setting a threshold between 0.3 and 0.5.
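To make the 0.3-0.5 threshold concrete: reCAPTCHA v3 returns a score between 0.0 (very likely a bot) and 1.0 (very likely a human), so a higher threshold is stricter and a lower one produces fewer false positives. The plugin below is an added example of the server-side half of that check, written for this article; it is not code from the article, from the reCaptcha for WooCommerce plugin, or from Google. It assumes the client-side v3 script already submits its token in a checkout field named `g-recaptcha-response` with the action name `checkout`, and that the secret key is stored in an option named `example_recaptcha_secret`; the `example_recaptcha_threshold` filter is also an assumption. The `siteverify` endpoint, its `secret`/`response`/`remoteip` parameters and its `success`/`score`/`action` response fields are Google’s documented API.

```php
<?php
/**
 * Plugin Name: reCAPTCHA v3 Checkout Score Gate
 * Added example for this article; not code from the article or from any plugin it names.
 * Copy into wp-content/mu-plugins/ to activate (classic shortcode checkout only).
 */

// Verify one token with Google's siteverify endpoint.
// Returns the score as a float, or null when verification could not be completed or
// the token was issued for a different action (v3 tokens are bound to an action name).
function example_recaptcha_score( $token, $expected_action = 'checkout' ) {
    $secret = get_option( 'example_recaptcha_secret' ); // assumed option holding the v3 secret key
    if ( ! $secret || ! $token ) {
        return null;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => WC_Geolocation::get_ip_address(),
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['success'] ) || ! isset( $data['score'] ) ) {
        return null;
    }
    if ( isset( $data['action'] ) && $data['action'] !== $expected_action ) {
        return null;
    }
    return (float) $data['score'];
}

// Minimum acceptable score; 0.5 is the upper end of the range the article cites (assumed filter).
function example_recaptcha_threshold() {
    return (float) apply_filters( 'example_recaptcha_threshold', 0.5 );
}

// Gate the checkout: no token, a failed verification, or a low score all stop the order.
add_action( 'woocommerce_checkout_process', function () {
    $token = isset( $_POST['g-recaptcha-response'] ) ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
    $score = example_recaptcha_score( $token, 'checkout' );
    if ( null === $score || $score < example_recaptcha_threshold() ) {
        wc_add_notice( 'We could not verify that you are human. Please reload the page and try again.', 'error' );
    }
} );
```

Treating a verification failure (network error, expired token) the same as a low score is the safe default for a checkout, but it does mean an outage at the verification endpoint stops sales; if that trade-off is unacceptable for your store, log the failure and let the order through to manual review instead.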
Consumer Behavior Analysis
As an extra layer of security, we recommend constantly monitoring your customers’ behavior. Keeping an eye on who your customers are, how they interact with your site and what their purchasing habits are will help you easily identify abnormal or suspicious activity on your site. Some of the data you should keep tabs on includes your customers’ preferred payment methods, average number of login attempts, and typical order size.
Using fraud prevention tools that implement behavioral analysis allows you to simplify this task, as they automatically identify relationships between user behavior and fraud risk. One anti-fraud tool that is both worth your consideration and integrates with WooCommerce is No Fraud Protection, which uses artificial intelligence to analyze hundreds of data points for your online store transactions. Their software also has a system in place to avoid rejecting legitimate orders, ensuring you don’t lose any revenue as a result of protecting your online business.
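A minimal version of the “typical order size” signal mentioned above can be built from the store’s own order history: compare a new order’s total with the customer’s average over their previous completed orders and flag a large jump for review. The plugin below is an added example written for this article, not code from the article, from NoFraud, or from WooCommerce. The `example_order_size_factor` filter, the factor of 3 and the `_example_hold_for_review` meta key are assumptions; `wc_get_orders()` and the hooks are WooCommerce’s own. Guest orders have no history and are left to the other screens.

```php
<?php
/**
 * Plugin Name: Order Size Anomaly Screen
 * Added example for this article; not code from the article or from any product it names.
 * Copy into wp-content/mu-plugins/ to activate (classic shortcode checkout only).
 */

// Mean total of a customer's most recent completed orders, or null if they have none.
function example_customer_average_total( $customer_id, $max_orders = 50 ) {
    if ( ! $customer_id ) {
        return null; // guest checkout: no baseline to compare against
    }
    $orders = wc_get_orders( array(
        'customer_id' => $customer_id,
        'status'      => array( 'completed' ),
        'limit'       => $max_orders,
        'orderby'     => 'date',
        'order'       => 'DESC',
    ) );
    if ( ! $orders ) {
        return null;
    }
    $sum = 0.0;
    foreach ( $orders as $previous ) {
        $sum += (float) $previous->get_total();
    }
    return $sum / count( $orders );
}

// True when the new total is more than $factor times the customer's average.
function example_order_size_is_anomalous( $total, $average, $factor ) {
    return null !== $average && $average > 0 && $total > $average * $factor;
}

add_action( 'woocommerce_checkout_order_processed', function ( $order_id, $posted_data, $order ) {
    $factor  = (float) apply_filters( 'example_order_size_factor', 3.0 ); // assumed filter and default
    $average = example_customer_average_total( $order->get_customer_id() );
    $total   = (float) $order->get_total();
    if ( ! example_order_size_is_anomalous( $total, $average, $factor ) ) {
        return;
    }
    $order->add_order_note( sprintf( 'Behavior screen: total %.2f exceeds %.1fx this customer\'s average of %.2f.', $total, $factor, $average ) );
    $order->update_meta_data( '_example_hold_for_review', 'yes' );
    $order->save();
}, 10, 3 );

// Leave flagged orders on hold after payment so someone looks at them before fulfilment.
add_filter( 'woocommerce_payment_complete_order_status', function ( $status, $order_id, $order ) {
    return 'yes' === $order->get_meta( '_example_hold_for_review' ) ? 'on-hold' : $status;
}, 10, 3 );
```

A per-customer average is deliberately simple; the same hook is the place to add the other signals the article lists, such as a payment method the customer has never used before, and a real behavioral tool combines many such features rather than acting on any single one.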
A Final Word On WooCommerce Fraud Prevention
Just like you wouldn’t forgo installing an alarm and security cameras for your brick-and-mortar business, WooCommerce users shouldn’t neglect fraud prevention on their online stores. Implementing the solutions listed above can save you a lot of dollars, headaches, and time.
No matter what anti-fraud solutions you ultimately decide to employ, don’t forget to consider your real customers’ needs and user experience. If you are looking for a WooCommerce expert to help you with implementing security on your website, you may get in touch with the WooNinjas.