Ecommerce fraud prevention

Balancing ecommerce fraud prevention and customer experience across the customer lifecycle in EMEA.



With ecommerce sales across Europe expected to surpass £885 billion come 2027, fraud teams across the continent are on high alert; with increased sales comes increased fraud. Indeed, global e-commerce fraud is growing, with two out of every three online retailers in Germany and over 85% of online merchants in Switzerland reporting a surge in attacks.

This blog post is inspired by a recent panel discussion held during Identity Connect London. Moderated by Mastercard’s Meagan Sarratt, the panel featured Martin Sweeney, CEO of Ravelin, Adam Sherlock, Fraud & Payment Manager of FitFlop and Matt Wilson, Sales Director UK&I, Identity, Mastercard.

While we recently did a deep dive into the latest fraud trends affecting the ecommerce industry worldwide, it’s worth reemphasizing just how insidious specific fraud threats are. Below are the three key trends highlighted by both Sherlock and Sweeney during the Identity Connect panel discussion.

First, there’s promo abuse, which has been on the rise, with 52% of companies reporting an increase over the past year, according to Ravelin. In fact, 44% of companies in the UK rank promo abuse as one of their top 3 fraud threats for 2023.

Next, there’s friendly fraud, also known as first-party fraud. Friendly fraud occurs when a genuine transaction is mistakenly or intentionally challenged by a cardholder.  Expert Market reports that friendly fraud is increasing every few years at a rate of approximately 41% – with 86% of chargebacks considered probable cases of friendly fraud.

Finally, account takeover fraud (ATO) occurs when a bad actor illegally accesses a user’s ecommerce account. This can be achieved in a variety of ways, including purchasing stolen passwords and personal identifying information (PII) off of the dark web, or successfully implementing a phishing scheme. Once access to an account is gained, fraudsters can make purchases, withdraw funds and even gain access to more accounts from the same user.

Europol recently reported on a successful coordinated crackdown by the European Cybercrime Centre and the Merchant Risk Council on ecommerce fraud. The action saw 59 scammers arrested, along with new investigative leads triggered across Europe. Still, criminals are constantly evolving, coming up with sophisticated new ways to target merchants and abuse the online shopping experience.

Fighting fraud with friction

As Sweeney of Ravelin states,

“It’s easy to stop fraud. We all know that. Just tighten the thumb screws and make it unpleasant for everybody… But I don’t think your business would be very happy with that.”

With 32% of consumers stating they would walk away from a brand they love after only one bad experience and 20% of customers abandoning carts if they face too much friction, the numbers speak for themselves. While every customer has unique preferences and varying levels of tolerance for friction, merchants must also strive to avoid false positives. The cost of false positive losses is so significant, that global businesses in the U.S., U.K., France and Germany missed over $50 billion in revenue in 2022 due to falsely declined payments. Meanwhile, in 2021 in Europe, CMSPI estimates false positive losses to be 11 times greater than the cost of fraud.

More than anything, this illustrates the risk of implementing a fraud-fighting strategy that doesn’t prioritise the customer journey. Indeed, in today’s ever-competitive, ever-evolving digital marketplace, merchants must provide both a great experience and a secure one.

So, how can fraud teams get this balance right?

Access all data

The key to fraud prevention that doesn’t negatively impact good customers is investing in data that enables end-to-end identity risk assessment across the customer lifecycle, from account creation through to checkout. As Sweeney states,

“Generally fraud teams stay in their lane – and focus on checkout. (Therefore) the data they have access to refers to chargebacks and payments. (However), fraud that occurs at login, within the account, via the device, or post-payment – that data is equally important.”  

In other words, to perform their job sufficiently and to truly identify legitimate customers versus bad actors, fraud managers need access to all the data. This means making a case to those stakeholders, such as product teams and engineers, for complete access.

Woman reviewing her mobile device after making purchases

Enter the Mastercard Identity Engine

 Built on a combination of dynamic data across the five core identity elements of name, email, phone, address and IP and their usage patterns, the Identity Engine relays real-time validity checks, risk scores and behavioural linkages to enable merchants and their internal fraud teams to confidently make risk decisions. In other words? The Identity Engine helps merchants understand who their customer is and how their information is being used online.

Importantly, the Identity Engine powers all our APIs and SaaS solutions, including our account opening solution and our manual review tool, Pro Insight. The former is a tool that enables merchants the ability to assess fraud risk before a customer even gets to the checkout stage. By sorting customers into low-risk and high-risk buckets at account opening, not only is the customer signup experience streamlined, but promo abuse can be mitigated.

Meanwhile, Pro Insight empowers fraud managers to quickly approve or deny transactions faster and with greater confidence. This is due to the immediate access granted to manual reviewers of identity data and critical insights to accurately determine the risk level of any transaction.

In conclusion

Fraud isn’t going anywhere. If anything, the advances in AI technology will increasingly enable unsophisticated criminals to perform highly sophisticated fraud attacks.

By fighting fraud with identity verification data and insights across the entire customer lifecycle — from account sign up to payment — businesses across industries have a much stronger chance of mitigating attacks, without putting customer experience at risk.

Related content