Personnel and technology aimed at preventing fraud account for the biggest chunk of a merchant's expenses, a new study finds.

Online retailers are spending 8.0% of their annual revenue to prevent and manage fraud, according to a new study from research consulting firm Javelin Strategy and Research LLC.

The study “2017 Financial Impact of Fraud Study,” which fraud and payment provider Vesta Corp. sponsored,  surveyed 497 e-commerce merchants that generated $1 million or more in annual sales within the past 12 months. Of these e-retailers, 155 sold only physical goods, 142 sold only digital goods or services, and 200 sold both. The average annual revenue of the retailers was $136.1 million.

Just looking at the retailers that sell physical goods, costs to manage fraud amounted to 7.7% of their annual revenue in the 12 months from June 2016-June 2017 compared with 6.0% in the comparable year period. For physical goods merchants, 21% of their operational costs in 2017 are devoted to fraud management, up from 15% in 2016.

The majority of the cost is not because of actual fraudulent purchases; most stems from the employees, software and technology the retailer invests in to manage fraud prevention. For example, to break down the 8.0% total retailers spend on average in the past year, fraud management represented 5.9% of the cost; chargeback losses, or the actual cost of the item and the transaction fee paid to credit card companies, cost 0.6%; and false positive losses, in which retailers decline to make a sale because they mistakenly flag it as fraud, cost 1.5% of the retailer’s annual revenue.

And this is an increase over last year, the report finds.


In dollars, the study finds that, on average, merchants spent $12.3 million on fraud management in the past 12 months, up from $10.5 million in the year-ago period.

In terms of actual fraud losses, merchants lost $462,355 on average to unauthorized transactions, which is a 33% year-over-year increase. The other types of fraud were roughly the same year over year with $284,797 on average lost to account takeover fraud (when a criminal uses a consumer’s credentials to pay) and $322,602 to friendly fraud, which is when criminals aren’t using stolen information but commit the fraud in another way, for example, by falsely claiming that their package was never delivered.

Fraud costs keeping rising as e-commerce sales are increasing, says Tom Byrnes, chief marketing officer of Vesta.


Other factors also contribute to the increase in fraud expenses, such as more store-based retailers adopting EMV (short for EuroPay, MasterCard, Visa) standards and driving more criminals online to commit fraud because chip-based cards make it harder to commit fraud in stores, and merchants being too reliant on username and password authentication.

75% of merchants say they require a username and a password to authenticate a customer account, up from 65% in last year year’s study. 45% of retailers say they use two-factor authentication and 40% of retailers say they use a dynamic or static security question. Retailers could pick more than one response. Two-factor authentication is when merchants use a second piece of criteria, such as device fingerprinting, customer behavior tracking or device location, to verify a purchase.

Many retailers rely too heavily on a username and password combination because it is the first method retailers use when setting up their e-commerce site, says Al Pascual, research director head of fraud and security at Javelin.

Most new merchants are focused on getting their [products to market rather than thinking about two-factor authentication and biometrics, which could involve a fingerprint on a touchscreen or facial recognition, Pascual says. Then as a site grows, fraud increases, and only then do online retailers start thinking of other security and fraud prevention measures.


Among the surveyed merchants, 46% say they manage fraud by implementing new fraud tools, and 37% say they increase their staff allotted to fraud management.

Only about 24% of merchants say they outsource some or all of their fraud protection efforts. Byrnes says outsourcing fraud prevention would likely cost a retailer less than 21% of its operational budget, which is what the report found as the average cost to mitigate fraud.