Protect Margins With Security Tools in Ecommerce

Security apps to prevent fraud

Update: Starting now, all eligible US merchants can receive free fraud protection on Shop Pay with Shopify Protect.

Fraudsters are a challenge in commerce, and brands must continually adapt to defend against malicious and fraudulent activity. A recent report highlighted that fraudulent attempts are up 55% since the COVID-19 pandemic began, with retailers spending as much as 10% of their annual budget on fraud prevention. Stopping bots and fraudsters is important, but it carries a risk of upsetting legitimate shoppers.

33% of U.S. consumers say they would never shop again with online stores that reject their legitimate purchase attempt. - Sapio Research

As stores grow, additional team members and external partners are added to help manage increasingly complex operations. But this can introduce the risk of overwriting work, making accidental changes, or keeping access open after a team member has left.

By implementing tools and processes to reduce fraudulent orders, cancellations, and rework, brands can improve the buying experience for their most loyal fans. This post explores how brands can protect margins with trust and security apps.

  1. Protect store access with SAML, SCIM, and two-factor authentication
  2. Bot mitigation
  3. Free up support and finance teams from investigations
  4. Reduce false positives in risk management
  5. Turn back time with complete store backups
  6. Ecommerce security apps

Protect store access with SAML, SCIM, and two-factor authentication

Typically, the larger the ecommerce company, the more people have access to the site. A Verizon Data Breach Investigations Report (DBIR) reported that 69% of security breaches were caused by outsiders and 86% of those breaches were financially motivated, leading to stolen credit card information.

The “Least Privilege” principle works by providing store access only to those who need it to perform their job. Conducting audits on who has access, including unused third-party apps, may increase the security and stability of the store.

The Verizon report confirms that password reuse is a widespread problem as stolen and reused credentials are implicated in 80% of hacking-related breaches.

“You wouldn’t leave the door of your home unlocked overnight,” says Colin Bodell, VP of Engineering at Shopify Plus. And as a business scales with more stores and staff over time, forgoing these security measures is equivalent to leaving multiple brick-and-mortar stores around the world unlocked at once.

To protect store access on Shopify Plus, the most secure action a brand can take is to turn on SAML and SCIM to authenticate users and to manage them, adding and removing accounts as needed.

If there isn’t an existing integration with a third-party identity provider, the next best thing is to enable organization-level two-factor authentication (TFA) to ensure that only authorized staff can log in to the backend.

Shopify also supports direct integrations with industry-leading identity providers such as Okta, Azure, and OneLogin, allowing organizations to securely manage the authentication, creation, and removal of users through platforms they already use.

Bot mitigation

Product drops build significant anticipation among the brand’s fan community, and it’s a critical event that brings in surges in traffic and sales. During popular product releases, such as Jeffree Star’s Cremated Collection, or exclusive product releases, like with Union x Jordan, bad actors may be creating and deploying bots to purchase items, only to resell them for many times the original value.

Not only can this mean that items aren’t available for the brand’s legitimate fans, but it also clogs up the website and can lead to problems in resolving fraudulent or broken orders. When fans can’t purchase, they can air frustrations on social media, or put strains on customer support teams.

Shopify’s bot protection is an out-of-the-box solution for Shopify Plus brands that protects stores from bad actors. It levels the playing field to make sure that all customers have the same opportunity to purchase.

It combines industry-standard protection—e.g., blocking known bots from completing a checkout—with Shopify’s exclusive Checkpoint solution. With Checkpoint enabled, all buyers must complete a unique challenge and qualify as a human before they can enter the checkout.

Security tools: bot mitigation

Protection can be turned on for 60 minutes at the store level with the flip of a switch, or can be scheduled in advance for peak periods, such as new product drops or BFCM and holiday sales. Once the time period is over, the coverage is turned off.

Security tools: Shopify Bot protection

In late August, Union Los Angeles released a new collaboration with Jordan Brand online. The unique product generated a lot of buzz, and the team worked with Shopify Plus to ensure the shopping experience would be as fair as possible. They added a simple but fun question (in this case: What color is an orange?) that shoppers had to answer to get to the product. This, combined with other protections running in the background, helped keep the store operating smoothly as it successfully coped with massive volumes—over 800,000 visitors were on the store during this peak period.

"Our launch went off without a hitch and the Shopify team was instrumental in making sure that real live people were able to purchase manually," says Chris Gibbs of Union Los Angeles.

Free up support and finance teams from investigations

Brands experiencing rapid growth no doubt enjoy seeing increased order volumes; however, this often brings with it the need to review orders for fraud. Even a very small percentage of risky orders can add up to a large number, and brands often assign customer support or finance teams the task of manually reviewing orders. This is time-consuming and tedious work, and it distracts teams from tasks that can add more value for customers.

While the amount of time manual order review requires varies widely by brand and depends on the fraud system a brand has in place, retailers have reported spending as much as 120 hours a week reviewing orders.

CurrentBody is spearheading one of the fastest growing trends in the world of beauty: electrical beauty devices for at-home use. Its impressive growth over the past few years accelerated dramatically in 2020, particularly in international markets. The brand added more regional online stores as it expanded globally, finding new customers but also facing challenges. The nuances of each market made identifying fraud more difficult. Furthermore, the brand wanted to fight back against unauthorized resellers, who would attempt to make bulk purchases to sell at a profit.

“International orders often look suspicious when really they are legitimate orders. Shoppers may use WeChat IDs and often don’t have email addresses. They buy multiple electronic beauty devices at the same time,” says Lyn Carbine, Head of Trading at CurrentBody. “We knew that typically more than 70% of declined orders were actually legitimate and we couldn’t let those slip through the cracks. That burden was taxing.”

With a decline rate of 7%, and the customer support team spending 10–20 hours per week manually reviewing declined orders, CurrentBody implemented Signifyd to automate and improve the accuracy of the review process. Signifyd’s Commerce Protection Platform uses machine learning and big data to sift fraudulent orders from legitimate ones. It also provides the tools to identify unauthorized resellers and abusive behavior, including promotion abuse and false claims that an ordered package never arrived. Signifyd backs its decisions with a financial guarantee.

Signifyd Commerce Protection Platform

Signifyd’s Agent Console module allows users to review cases with machine learning, and Signifyd’s Decision Center module allows users to configure business policies to complement machine learning and simulate outcomes.

While sophisticated machine learning and automation can go a long way toward managing risk, there is always a role for human expertise. Illegitimate chargebacks, based on claims that a package never arrived or that a product was not as promised, often result from a poor customer experience. Brands can minimize those claims by designing beautiful and informative websites.

Clear product descriptions, detailed product photos, sizing guides, explainer videos, and customer reviews reduce the likelihood that a consumer will be disappointed with the product they receive. A clear and prominently displayed return policy will make it less likely that a customer will find it so difficult to return a product that they’ll file a chargeback to get a refund instead. According to Signifyd’s January Consumer Sentiment Survey:

28.9% of consumers said they filed a false chargeback either because they couldn’t figure out how to return a product or because returning it would be too much trouble.

The same survey underscored the importance of clear communication in avoiding illegitimate chargebacks. Of the respondents who had filed a false claim, 29.4% said they filed the claim because the product they ordered arrived, but later than promised. Retailers would be wise to immediately contact a customer at the first sign an order might be delayed. Frequent updates are reassuring. And brands might consider offering a gift card or making some other thoughtful gesture if fulfillment promises are broken.

After implementation, CurrentBody’s order approval rate surged to over 98% and their chargeback rate fell from 0.5% to just 0.04%. Signifyd’s solution also significantly cut the time the customer support team spent reviewing orders.

“After establishing clear policies within Signifyd, our unauthorized reseller rate effectively dropped to zero,” says Carbine.

“The impact of this on our brand and partnerships can’t be overstated. We’ve regained control of millions of dollars worth of product that would have flowed through the wrong channels.”

Reduce false positives in risk management

It’s often challenging to find the right balance between convenience and security, and in some instances, legitimate shoppers may be flagged at a risk level that impacts their purchase. Certain industries are more susceptible to being flagged for higher risk, with footwear, apparel, sporting goods, smoke and vape, and nutritional supplements likely to experience an incorrect decision over 20% of the time.

A false positive that leads to a legitimate transaction being declined affects more than just that one order. It can be disappointing for the customer and may lead to increased volume to the merchant’s customer support team. A survey of 3,200 U.S. consumers revealed that 33% of respondents would not shop with a merchant again if their purchase was declined.

Established in 2002, Urban Industry is a British streetwear retailer that sells high-quality footwear, clothing, and accessories from more than 90 brands. As a brand working in an industry that sees higher than average fraud, the company was relying on internal teams to screen for fraud, using a combination of clunky payment gateway filters and lots of online research (e.g. social media profiles and public housing records), coupled with intuition (i.e. feeling out the fraudsters). Facing increasing volumes, the brand implemented an automated fraud solution that reduced fraudulent orders; however, they began to experience an increase in customer complaints about cancelled orders. This led the team to begin double-checking transactions that the automated solution had flagged, ironically doing as much, if not more, work than before.

Urban Industry turned to NoFraud, hoping for a better experience, specifically around order approval rates. They decided to run both solutions in tandem so they would have a real apples-to-apples comparison. Using AI-powered fraud analysis, NoFraud’s proactive review process helped increase the order acceptance rate and virtually eliminated the customer service inquiries related to false declines.

NoFraud dashboard screenshot showing their approval process

After implementation, the impact was significant. During the testing period, NoFraud was able to increase the order approval rate a whopping 6.9%, from 84.3% to 91.2%. On orders with an incorrect billing address, the approval rate jumped from 46% to 95%.

Preventing fraud should not prevent brands from realizing revenue.

iDrinkCoffee was founded to bring fresh high-quality coffee to everyone. Over ten years, the company has curated a collection of the finest coffee equipment, espresso machines and accessories, as well as roasting its own coffee. By selling premium-priced products, the brand has experienced sophisticated fraud attempts.

“In one case, I was away, and we had an attempt valued at over $65,000. And the card network cleared it. But my staff got nervous and decided to call me. I did some investigating and realized it was fraudulent. I spoke to the card network, and they had flagged it, but would have only started investigating several days later—long after the merchandise would have been in the fraudster’s hands and gone forever,” says Slawek Janicki, Chief Caffeine Director.

iDrinkCoffee turned to Clearsale, implementing the app on their store for its worldwide sales. This introduced new automated procedures for all website orders. Clearsale immediately reviews the information in the order and validates it against device information, external data sources, and behavioural and historical data to score the order. Where the score falls beneath a predetermined threshold, the order is approved.

If the order falls outside the threshold, it is sent to a Clearsale fraud analyst, who conducts an initial review to determine if the order is fraudulent. The team is motivated to approve orders, not decline them, and if a first analyst determines fraud, the order is passed to a second analyst to confirm. This happens in as little as a few minutes, with the team operating 24/7/365. This human-in-the-loop process reduces false positives, but also helps to prevent highly sophisticated attacks.
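The scoring-plus-escalation workflow described above, modelled as a small triage routine. This is an added example and not Clearsale’s code: the threshold value, the risk scores, the analyst rules, and the tie-break (an order is declined only when two analysts concur on fraud; otherwise it is approved) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List


class Decision(Enum):
    APPROVED = "approved"
    DECLINED = "declined"
    PENDING = "pending"


# Assumed threshold; the post only says the threshold is "predetermined".
AUTO_APPROVE_THRESHOLD = 0.30


@dataclass
class Order:
    order_id: str
    amount: float
    risk_score: float          # 0.0 (clean) .. 1.0 (risky), output of the scoring stage
    decision: Decision = Decision.PENDING
    analyst_reviews: int = 0   # how many humans looked at the order


# An analyst is modelled as a callable that returns True when it judges the order fraudulent.
Analyst = Callable[[Order], bool]


def triage(order: Order, first: Analyst, second: Analyst) -> Order:
    """Auto-approve under the threshold, otherwise escalate to human review.
    A single analyst can approve; declining needs two concurring fraud verdicts
    (assumption: if the two analysts disagree, the order is approved)."""
    if order.risk_score < AUTO_APPROVE_THRESHOLD:
        order.decision = Decision.APPROVED
        return order
    order.analyst_reviews = 1
    if not first(order):                      # first analyst clears it
        order.decision = Decision.APPROVED
        return order
    order.analyst_reviews = 2                 # first analyst flagged fraud: confirm
    order.decision = Decision.DECLINED if second(order) else Decision.APPROVED
    return order


def approval_rate(orders: Iterable[Order]) -> float:
    """Percentage of orders approved, the metric the case studies report."""
    orders = list(orders)
    approved = sum(1 for o in orders if o.decision is Decision.APPROVED)
    return round(100.0 * approved / len(orders), 1) if orders else 0.0


# Constructed sample batch with made-up scores; the analyst rules are also made up.
def make_sample_orders() -> List[Order]:
    return [Order("A1", 120.00, 0.05), Order("A2", 450.00, 0.55),
            Order("A3", 65000.00, 0.92), Order("A4", 980.00, 0.70)]


def strict_analyst(order: Order) -> bool:
    return order.risk_score >= 0.60


def lenient_analyst(order: Order) -> bool:
    return order.risk_score >= 0.90


def run_sample() -> List[Order]:
    return [triage(o, strict_analyst, lenient_analyst) for o in make_sample_orders()]
```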

iDrinkCoffee saw a rapid improvement, with an 8.6% increase in approval rates and a 75% reduction in fraud attempts. This provided legitimate shoppers with a better experience, but also lowered the impact from fraudsters, leading to a 27% increase in month-over-month sales within one quarter.

Clearsale also helps brands prepare better to reduce the likelihood of false positives, by sharing information between teams and explaining how changes in the language used on the store and in checkout can help shoppers reduce their risk of being flagged. By giving teams more confidence, brands are better equipped to market to new audiences and secure orders that might be perceived as risky but, with the right tools, can be a new revenue stream.

Turn back time with complete store backups

Brands are having to adapt and move faster than ever. It’s especially true during peak periods such as BFCM and holiday sales. Multiple team members are working at breakneck speed to meet challenging deadlines. This pace is critical to successfully fulfill orders, but the risk of innocent mistakes rises.

So many different people touch a store; it’s very easy to unintentionally delete a product collection or remove a block of code that breaks a store theme or causes further damage. During BFCM and peak period preparations, making updates via CSV uploads is very common; however, this method can cause issues with pages, posts, menus, and other aspects of the store.

A recent survey indicated that 1 in 4 stores have lost vital data from images, product descriptions, themes, customers orders, and more. Disruptions like these can cost thousands of dollars in missed sales opportunities and hours of manual labor to recover from.

Crossrope re-invented the jump rope workout to give everyday heroes the freedom to pursue their fitness goals on their own terms. With weighted ropes, interchangeable handles, and the highest quality materials, the brand has built an avid community. Crossrope’s digital marketing team learned the value of having a backup strategy the hard way after some routine changes rendered their store inaccessible.

Wanting to give their store a quick makeover, the Crossrope team added a snippet of code to their theme. After running some tests to ensure everything worked, the changes were shipped, and the team went home for the day. The next morning, they quickly realized something was wrong.

Throughout the night, customers were unable to add products to their carts. This halted all sales and led to a mad rush trying to fix the issues. To make matters worse, the Crossrope team realized their most recent theme hadn’t been saved. Their only option was to revert to an earlier theme that was over a month old. While that backup got the store back to working order after nearly 24 hours of downtime, it undid over a month’s worth of successful work.

Crossrope turned to Shopify Plus Certified App Partner Rewind to automatically back up their data and swiftly recover from mistakes caused by human error, third-party app integrations, bad CSV files, malicious attacks, and disgruntled employees. Rewind offers automatic, continuous backups, nightly backups, and on-demand backups as needed. If there’s ever an instance where Crossrope needs to correct a mistake their team can easily rewind individual items (e.g. a product), multiple items (e.g. collections), or the entire store.

Security apps: Rewind crossrope

Beyond having a backup strategy, one best practice is to limit store access (as stated above).

Ecommerce security apps

Brands are using innovative techniques to reduce the impact of fraudsters, while ensuring shoppers have a seamless and hassle-free buying experience. Thousands of Shopify Plus brands use our bot protection features as well as Trust and Security Apps to protect margins and secure customer experience.

About the author

Paul Gray

Paul is a Partner Marketing Lead at Shopify Plus, where he works with an ecosystem of 200+ agency and technology partners, that help high-volume and Fortune 500 merchants launch, grow, and scale their businesses. He's also published several Speculative Fiction stories in Nature Magazine, Andromeda Spaceways, PodCastle, and others. He published the interactive fiction story 'Shadowcast', played by over 300,000 people. He's also working on his first novel.
