Managing fraud can cost a merchant millions, and online retailers are too reliant on verifying purchases with a username and password, according to a new study.

E-retailers spend more than 7% of their total annual revenue combatting fraud, according to a new study from research consulting firm Javelin Strategy and Research LLC.

Between fraud management costs, false positives and chargeback losses, e-retailers are losing a significant portion of their revenue to fraud, finds the October 2016 report “The Financial Impact of Fraud: Merchants Challenged As E-Commerce Fraud Rises Post-EMV.” Javelin Strategy’s findings are based on an online study it conducted in June of 500 e-commerce merchants generating $1 million or more in annual sales.

Of the merchants surveyed, the average yearly financial expense due to fraud and fraud prevention was $14.6 million and that represents 7.6% of annual revenue across all channels, including online and offline sales. Of that $14.6 million, 7% is attributable to chargebacks; 74% is for fraud management software, hardware and employees; and 19% comes from false positives.

“We consider this to be a very high percentage of revenue to lose to fraud and fraud mitigation expenditures, especially considering the lost opportunity for investing that money in revenue-generating activities,” says Al Pascual, research director head of fraud and security at Javelin. “It signals a very aggressive fraud environment, especially in the digital space.”

False positives are legitimate transactions that are declined because rules—often overly rigid ones—flag them as fraudulent. For example, a transaction may be declined if the shipping and billing addresses don’t match. False positives affect retailers because they not only prevent sales, they also give consumers a negative view of the brand, Javelin says. Of a retailer’s transactions that are declined because of suspected fraud, 30% are actually legitimate, according to the report. Plus, that 30% is likely understated, as a consumer may give up without making a purchase and it is difficult for a retailer to determine the actual fraud on all transactions, according to the study.


49% of chargeback losses originate from online sales and an additional 16% are from transactions made on mobile devices. Only 17% of chargeback losses stem from in-person or physical store transactions. The remaining chargeback losses are by telephone, mail or self-service kiosk.

38% of merchants said fraud losses increased in the past 12 months, 22% said it was lower and 40% said it stayed the same. Consequently 35% of retailers say they plan to increase spending on fraud prevention next year, 49% will spend the same and 16% will decrease spending.

Javelin recommends retailers use fraud-fighting tools that inspect a consumer’s device, behavior and purchase activity, such as fingerprinting that uses data to identify individual PCs, phones or tablets to verify a shopper’s identity, because these elements are harder for a criminal to overcome. Retailers should rely less on such static data elements as the security code on the back of a credit card and physical address verification. Plus, using geolocation and device fingerprinting requires minimal to no effort from shoppers, Javelin says.

The survey finds that retailers are overly reliant on usernames and passwords to secure customer accounts, Javelin says. Here are the ways respondents say they authenticate purchases (they could choose more than one response):

  • 65% username and password
  • 41% dynamic security question, such as a questions from the customer’s shopping history.
  • 40% two-factor authentication, such as one-time passwords
  • 34% static knowledge-based authentication, such as preselected security questions
  • 30% geolocation
  • 22% device fingerprinting

A retailer’s fraud management staff also should be routinely trained so they are up-to-date on current fraud threats, tactics and solutions, according to the report, which was commissioned by payments processor Vesta Corp.