CyberSource’s annual report notes an average fraud rate of .9% of online revenue.

Retailers’ revenue lost to online fraud increased over the past two years to reach an estimated $3.5 billion, up 3% from $3.4 billion in 2011 and 30% from $2.7 billion in 2010, CyberSource Corp., a provider of payment processing and risk management services, says in its 2013 Online Fraud Report.

But the news isn’t all bad. The estimated loss of $3.5 billion last year is down from the recent highs of $4.0 billion in 2008 and $3.7 billion in 2007, CyberSource, a unit of Visa Inc., says in its annual report. The report is based on a survey conducted for CyberSource by Mindwave Research of 312 online retail companies in the United States and Canada.

The average fraudulent online order ticket value dropped 20% to $200 last year from $250 in 2011. By comparison, the average valid orders ticket value dipped to $149 in 2012 from $150 in 2011.

When looking at the percentage of fraudulent orders in the context of total revenue, the average online fraud rates remain relatively low. The average percentage of online revenue lost to fraud was 0.9% last year, down from 1.0% in 2011. The 10-year high was 1.8% in 2004.

Moreover, the average percentage of online orders that proved fraudulent last year was 0.8%, up from 0.6% in 2011, but down from 0.9% in 2010 and lower than every other year since 2003. The highest rate over the past 10 years was 1.3% in 2003 and 2007.


Still, other trends are raising concerns, CyberSource says. It notes that mobile commerce showed a higher 2012 rate of revenue lost to fraud, 1.4%. Although CyberSource didn’t report a mobile order fraud rate for 2011, it notes that 28% of retailers tracked mobile commerce fraud in 2012, up from only 8% in 2011.

The report adds that mobile devices are subject to many of the same threats that hit PCs, including malicious software, or malware, that can enter a device through e-mail or other means and steal credit card account data and other confidential information.

International online orders also have a higher fraud rate, the report says. For the 54% of survey respondents who accept international online orders, the fraud rate last year for orders placed outside of North America was 1.6%, twice the overall e-commerce fraudulent rate of 0.8%.

The reports notes that respondents rejected 7.5% of international orders for suspicion of fraud in 2012, up from 7.3% in 2011, compared with domestic order rejection rates of 2.9% in 2012 and 2.8% in 2011.


Noting that e-commerce sales are projected to grow 12% this year over 2012, citing data from research firm eMarketer Inc., the report says that less than a quarter of retailers are expanding their risk management spending. 73% of respondents said that risk management budgets would remain the same this year, while 4% said they would decrease their budgets and 23% said they would increase them. For average spending allocations, the report found that companies this year will spend 52% on order review staffs, 29% on third-party risk management tools and 19% on internal tools.

The report notes that 73% of respondents conducted manual review of online orders last year, down from 75% in 2011. These merchants manually reviewed 25% of orders in 2012 and 27% in 2011. The average time to conduct a manual review in 2012 was five minutes, though small merchants, those with less than $5 million in annual sales, took an average of 15 minutes per review.

Respondents reported using an average of 4.9 fraud management tools, such as fraud-scoring calculators that rate an order’s level of risk by looking at data such as order value and past fraud associated with a card account number, and device fingerprinting that identifies computing devices associated with past fraud.

The report lists the following fraud management tools and methods cited as most effective by respondents, with the percentage of respondents citing them as most effective:


For checking customer history:

Fraud-scoring model, 54%

Customer order history, 34%

Order velocity monitoring, 28%


Negative (in-house) lists of risky accounts, 20%

Customer web site behavior, 10%

Positive lists of trusted accounts, 5%

Purchase device tracing:


Device fingerprint results, 50%

Device fingerprinting, 48%

IP geolocation, 16%

Multi-merchant data/purchase history:


Multi-merchant purchase velocity, 35%

Shared negative lists, 24%

Validation services:

Paid-for public records services, 32%


Contact customer to verify order, 31%

Card verification number, 29%

Payer authentication, 29%

Address verification services, 27%


Social networking sites, 18%

Two-factor phone authentication, 17%

Contact card issuer, 15%

Telephone number verification/reverse lookup, 9%


Postal address validation services, 9%