Russian Hackers Aren’t the Only Ones to Worry About: Online Shopping Fraud Report


Russian hackers and trolls received all the media attention, but China and Venezuela were the sources of the most overseas e-commerce fraud attacks in 2017, according to new Experian data. For the 2017 E-commerce Fraud report, millions of online transactions were analyzed to identify fraud attacks across the U.S.

Online shopping fraud attacks rose 30% in 2017 vs. 2016, and transactions originating from a foreign Internet Protocol (IP) address were about 7 times riskier than average. An IP address is a unique set of numbers used to identify individual digital devices, allowing them to communicate with other devices on a network.

The growth of e-commerce fraud can be viewed as the last stop on the larger fraud timeline, which often starts with a data breach. The uptick in data breaches, already 278 incidents in 2018, and the increased presence of the dark web marketplace have made personal information more accessible to criminals; that, in turn, makes it easier for fraudsters to access legitimate online accounts.

Identity theft fraud affected a record 16.7 million U.S. consumers in 2017, according to Javelin Research. Online shopping fraud is one of the many unfortunate outcomes that can result from becoming a victim of identity theft.


E-commerce Fraud Increased 30% in 2017

Drilling down further, online shopping fraud rose dramatically last year in these two categories:

  • Shipping fraud occurs when a criminal uses their address for the delivery of stolen goods purchased online. Rates of shipping fraud increased 37% in 2017 vs. 2016. From a regional perspective, the Western U.S. saw a nearly 60% increase in attack rates for shipping fraud.
  • Billing fraud occurs when the victim's address is tied to the payment account used to purchase the stolen goods; those rates increased 34%. The North Central region saw a 50% increase in attack rates for billing fraud.

What's a Fraud Attack Rate?

To better understand how shipping and billing fraud take place, Experian analyzed several data points, including geography, IP address, device type, and payment method. A fraud attack rate is the number of attempted fraudulent e-commerce transactions measured against the overall population of e-commerce orders. The figures associated with the rates are basis points; 1 basis point equals an attack rate of 0.01%.
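The attack-rate definition above, worked through as an added example (not Experian's code or data): it computes the rate in basis points per group and each group's multiple of the overall rate. The field names, the `min_orders` eligibility threshold, and the sample orders are assumptions constructed for illustration.

```python
from collections import Counter

BPS = 10_000  # 1 basis point = 0.01%, so a rate of 100% is 10,000 bps

def attack_rate_bps(fraud_attempts, total_orders):
    """Attempted fraudulent orders per 10,000 orders; None if there are no orders."""
    return fraud_attempts * BPS / total_orders if total_orders else None

def rates_by(orders, key, min_orders=100):
    """Attack rate per group plus its multiple of the overall rate.

    min_orders is an assumption of this example: groups with too few orders
    are reported as ineligible instead of producing a noisy rate.
    """
    totals, frauds = Counter(), Counter()
    for order in orders:
        totals[order[key]] += 1
        frauds[order[key]] += order["fraud_attempt"]
    overall = attack_rate_bps(sum(frauds.values()), sum(totals.values()))
    report = {}
    for group, n in totals.items():
        if n < min_orders:
            report[group] = {"orders": n, "bps": None, "x_overall": None}
            continue
        bps = attack_rate_bps(frauds[group], n)
        report[group] = {"orders": n, "bps": bps,
                         "x_overall": bps / overall if overall else None}
    return overall, report

def sample_orders():
    """Constructed data, chosen only to make the arithmetic easy to follow."""
    spec = [  # (ip_origin, ship_state, orders, fraud attempts)
        ("domestic", "NE", 4000, 4),
        ("domestic", "OR", 5000, 20),
        ("foreign", "OR", 595, 41),
        ("foreign", "DE", 400, 14),
        ("foreign", "WY", 5, 1),  # tiny group: 2,000 bps on paper, but ineligible
    ]
    return [{"ip_origin": ip, "ship_state": st, "fraud_attempt": i < bad}
            for ip, st, n, bad in spec for i in range(n)]

if __name__ == "__main__":
    overall, by_ip = rates_by(sample_orders(), "ip_origin")
    print(f"overall: {overall:.1f} bps")
    for group, row in sorted(by_ip.items()):
        print(group, row)
```

Grouping the same orders by `ship_state` instead of `ip_origin` gives the shipping-side view; the tiny group is withheld rather than ranked.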

Here is a breakdown of the different hot spots around the country—and around the world—for online shopping fraud.

Beware Chinese and Venezuelan IP Addresses Bearing Gifts

China was the riskiest country based on IP address in 2017. The majority of bad traffic originating out of China hit Oregon and Delaware, followed by California. Beaverton, Oregon's 97079 ZIP code had the highest shipping attack rates in the U.S. last year, and its shipping and billing attack rates were the highest from an IP address in China.

Venezuela would have been the riskiest IP country if it weren't for the fact that it has a 60% lower volume of online transactions compared to China. Venezuela is nearly 30 times riskier than the population average would otherwise suggest. The 33198 Miami ZIP code, which was in the top 10 for both billing and shipping fraud in 2017, suffered its highest shipping attack rates (46.2%) from a Venezuelan IP address.


The 10 riskiest U.S. ZIP codes encountered fraudulent activity from many other countries; the attack rates in 2017 from Iran, Syria, and Sudan, for example, far exceeded the average for other countries with similar populations and volume of transactions.

How Can I Spot a Fake Website?

Trying to determine whether a site is fake or not can be tricky these days as scammers have become really good at creating branded websites and URLs that look nearly identical to the real thing.

Finding the location of an IP address can be even trickier for most. If your gut feeling is making you unsure whether a site is legitimate or not, here are a few tips to keep in mind to spot a fake website:

  • Look at the domain name to see if it is the site that you wanted to go to or a different domain name.
  • Check the contact page to find the name of the owner and use a lookup service on the URL to find additional information about the site.
  • Google the site and owner to check what the search results say. You can also visit Google's Transparency Report to find out the safety rating.
  • Find reviews of the site or owner of the business from other users to read what they said.
  • Is HTTPS supported? Make sure the website is HTTPS supported and secure if you decide to make a purchase.
  • Are there typos and grammar mistakes on the site? If so, that could be a sign that the site is not on the up and up.
  • Are the prices really low? If so, compare those prices to other sites. If they are still much lower, that could be a sign that it is a scam.
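The domain-name and HTTPS tips above can be automated. The following is an added example, not from the original article: it compares a link's host with the domain the shopper meant to visit and flags common deceptions. The flag names, the two-character lookalike threshold, and the sample domains (`shop.example` and the reserved `.test` names) are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, expected):
    """Return warning flags for url, given the domain the shopper expected."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected.lower()
    flags = []
    if parts.scheme != "https":
        flags.append("no-https")
    if parts.username is not None:      # https://real-name@other-host/...
        flags.append("userinfo-before-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")  # may render as lookalike characters
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        pass
    # HTTPS alone is not proof: a lookalike site can have a certificate too,
    # so the domain comparison always runs.
    if host == expected or host.endswith("." + expected):
        return flags
    flags.append("different-domain")
    tail = ".".join(host.split(".")[-len(expected.split(".")):])
    if expected in host:                # expected name used as a subdomain
        flags.append("expected-name-embedded")
    elif edit_distance(tail, expected) <= 2:
        flags.append("lookalike-domain")
    return flags

if __name__ == "__main__":
    for u in ("https://www.shop.example/cart", "https://www.sh0p.example/login",
              "https://shop.example.login-check.test/", "http://203.0.113.7/pay"):
        print(u, check_url(u, "shop.example"))
```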

Wasn't My Chip Card Supposed to Prevent Fraud?

Credit card technology is constantly changing to address consumer needs and combat fraud. In the fall of 2015, people across the U.S. began switching to new credit cards with computer chips embedded to help prevent point-of-sale (POS) fraud. The U.S. rolled out the new EMV (Europay, MasterCard, and Visa) cards to help counter the increasingly large in-store data breaches and rising counterfeit credit card fraud.

While advances in EMV card technology have made life easier for consumers and card issuers, fraudsters are following the path of least resistance by shifting their attention from POS transactions to online shopping.

While POS or in-store fraud is down, card-not-present (CNP) fraud is on the rise. In 2017, nearly twice as many consumers had their cards misused in a CNP transaction as they did at a store, according to Javelin Research. CNP fraud or online shopping fraud is when a criminal leverages stolen payment information or fraudulently acquired card accounts to attempt online retail transactions without the account owner's knowledge.

Credit card fraud was the most common form of identity theft (133,015 reports) in 2017, according to the FTC. According to Experian, credit cards were used in 92% of fraudulent transactions last year, while 7% happened through direct billing, third-party transfers, or prepaid gift cards.


Riskiest States and Cities for E-commerce Fraud

Riskiest States for E-commerce Fraud are Delaware and Oregon

Delaware and Oregon were the riskiest states for both billing and shipping fraud for the second year in a row. Both states saw a significant increase in shipping attack rates in 2017, with Delaware increasing over 300% and Oregon just under 300%.

Delaware and Oregon are both natural high-risk areas for fraud because they have cities near large ports and international airports. This combination makes an ideal location for the reshipping of fraudulent merchandise, enabling criminals to move stolen goods more effectively.


That said, e-commerce fraud is not confined to large, coastal cities since fraudsters can ship items anywhere: Montana, South Dakota, Colorado, and Utah each saw their attack rates double from 2016.

Riskiest States: Billing Fraud

The five riskiest states for e-commerce billing fraud were Delaware, Oregon, Washington D.C., Florida and Georgia. The top five states for billing fraud made up about 18% of overall fraud attacks.

  • Delaware and Oregon ranked as the riskiest states for billing fraud for the second year in a row.
  • Vermont, Washington D.C., Montana, South Dakota, Colorado, and Utah all saw their billing fraud attack rates double from 2016.
  • Only one state, Florida, saw a decrease in billing fraud attack rates.

Riskiest States: Shipping Fraud

The five riskiest states for e-commerce shipping fraud were Delaware, Oregon, Florida, New York, and California. Nearly half of all shipping fraud attacks happened in these states.

  • Delaware and Oregon were the riskiest states for shipping fraud for the second consecutive year.
  • Vermont, Washington D.C., Montana, South Dakota, Colorado, and Utah saw their shipping fraud attack rates double from 2016.
  • 19 states had a decrease in shipping fraud attack rates; however, most of the states already were below the average attack rate.
  • New York and California represented 25% of all shipping fraud attacks. The two states also accounted for 19.6% of overall e-commerce transactions.

Riskiest Cities: Billing and Shipping Fraud

South El Monte, CA continues to be the riskiest city in America for shipping and billing fraud, as there was a 230% increase in attack rates for shipping fraud in 2017 vs. 2016. The attack rate for billing fraud did drop 50%.

There were five other cities (New Philadelphia, PA; Minden, NV; East Walpole, MA; New Castle, DE; and Portland, OR) that ranked among the top 10 for both billing and shipping fraud. Four of those cities have relatively easy access to major transportation hubs via air or sea.

  • The five riskiest cities for billing fraud were South El Monte, CA, New Philadelphia, PA, East Walpole, MA, Carnegie, OK and Fort Benning, GA.
  • The five riskiest cities for shipping fraud were South El Monte, CA, Minden, NV, Hillsboro, OR, Westminster, CA, and Port Reading, NJ.
  • Washington D.C. fraud attack rates doubled year-over-year in 2017.

Riskiest ZIP Codes: Billing and Shipping Fraud

The top riskiest ZIP codes in America for online shopping fraud were all near international airports and seaports because these are ideal locations for reshipping stolen merchandise before victims or card issuers can take action. Oregon and Florida combined for 18 of the top 20 riskiest ZIP codes in the U.S. for 2017.

  • Beaverton, OR is home to the 97079 ZIP code that has the highest shipping attack rates among all eligible ZIP codes in the U.S. with billing fraud rates at 21.8% and shipping fraud rates at 27.4%.
  • 11 of the top 100 riskiest ZIP codes in the U.S. are in Miami.
  • Oregon and Florida have a combined seven ZIP codes that ranked in the top 10 for both billing and shipping fraud: 97252, 33198, 33166, 33122, 33195, 97250, and 97251.

Safest States for Online Shopping Fraud

Safest States: Billing and Shipping Fraud

Nebraska ranked as the safest state for both billing and shipping fraud in 2017. South Dakota, Rhode Island, Connecticut, and Kansas all ranked among the safest states for both billing and shipping fraud. The five safest states for billing fraud were Delaware, Oregon, Washington D.C., Florida, and Georgia. The five safest states for billing fraud were Nebraska, Wyoming, South Dakota, Connecticut, and Wisconsin.


Safest Cities: Billing and Shipping Fraud

The five safest cities for billing fraud were Eastaboga, AL, Apo, AE (Army Post Office for Armed Forces in Europe), Arverne, NY, Hyde Park, MA and Brookneal, VA.

The five safest cities for billing fraud were Washington, IN, Remington, VA, Ripley, OH, Point Roberts, WA, and Elmont, NY.


Safest ZIP codes: Billing and Shipping Fraud

The five safest ZIP codes for billing fraud were in Hebbronville, TX, Chicago, IL, Springfield Gardens, NY, Vernon, FL, and Nashville, TN.

The five safest cities for shipping fraud were in Hartwell, GA, Los Angeles, CA, Lockbourne, OH, Miami, FL and Oregon City, OR.


Automation Drives Growth of Synthetic ID Theft

"The volume of data breaches each year combined with the easier access to the dark web has made stolen personal information residing in those marketplaces more accessible for criminals," said Mike Gross, Experian director of fraud product strategy. "The availability of compromised data—both payment and identity—allows fraudsters to gain access to legitimate online accounts and create synthetic identities."

Synthetic ID theft occurs when a fake identity is created using a Social Security number, name, address, and date of birth, then merged with real and fake consumer data to create a fresh identity to open a new credit card account in someone's name.

Much of this personal data is captured by fraudsters via data breaches, then bought and sold on dark web marketplaces. The automation of that process is driving the growth of e-commerce attacks, resulting in the increased use of synthetic identities, Gross says.

"The dark web used to take a strong understanding of technology, now it simply takes downloading a file and automating the submission of thousands of applications or transactions simultaneously spread across multiple websites," he says. "Criminals use both real and fake identity information to open up fake credit card accounts in people's names to automate online."

Gross says synthetic ID fraud is "very hard to uncover because no one is calling to report unusual account activity because they are unaware of the new account and card issuers see these transactions as being legitimate. On the surface, it appears as a victimless crime despite there being very real consequences for both the victim and the business."

How Can You Prevent Online Fraud?

You can help to prevent online fraud by not using the same username/password combinations across sites, monitoring your financial statements monthly for irregular activity, and regularly checking your credit report.

Additional steps you may want to consider to help prevent online fraud include:

1. Limit Your Data Exposure

Various sites may ask you for personal information that isn't actually necessary for you to share. You should behave with the mindset that your personal data has already been compromised and limit the amount of exposure your data receives so it doesn't fall into the wrong hands.

2. Don't Overshare

Audit your social media accounts to make sure you haven't overshared any information on social media sites where people can collect your data. A fraudster can find information to answer 'challenge' questions on your accounts and use it to gain access to your financial accounts or other sites with your personal information.

3. Only Use Trusted Sites

When shopping online, make sure you see the 'lock' icon, which indicates a secure site, before purchasing items. There should be authentication steps as well to protect your information. Look for 'HTTPS' (Hyper Text Transfer Protocol Secure) in the web address of sites you visit.

HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. The 'S' stands for 'Secure' and means all communications between your browser and the website are encrypted.

4. Check Your Login Credentials

If you suspect your login credentials were stolen, you can change your password for that site or other sites where that same password is used. You should also consider changing your security questions as needed; it may seem useless, but those answers have value to thieves trying to take over an existing account of yours.

How Can I Protect Myself From Online Fraud?

Criminals are becoming incredibly sophisticated in their methods of fraud attack, which can make us all feel helpless. Here are a few suggestions to keep in mind when making decisions about protecting yourself from online fraud:

  • Call Your Bank Immediately: If any of your financial information may have been breached, call immediately so you can cancel a credit card or change your password. If your bank account numbers were caught up in a breach, close that account and open a new one.
  • Use Multi-Factor Authentication: Adjust your account settings so that a one-time passcode is sent via SMS to your mobile device. While the additional login step takes a few extra seconds, it can help to protect your personal information and money.
  • Perform a Dark Web Scan: See if your name or information is for sale on dark web marketplaces.

E-commerce fraud is a clue that other types of fraud have already taken place. Usually, it is a result of a larger data breach that creates a trickle down of criminal activity. Whether a credit card has been stolen or personal credentials have been compromised, fraudsters will go to great lengths to implement complex fraud schemes that can cost people and companies millions of dollars in fraud losses.