How to Write A Clear-cut eCommerce Fraud Prevention Policy


The aim of eCommerce fraud prevention is not to eradicate fraud entirely. Doing that is easy: switch off your website, lock your doors and go out of business, and you are guaranteed never to experience fraud again. The real goal of fraud prevention is to find the balance between maximising sales and accepting a level of fraud that your company can manage.

As a merchant you want to create the best possible customer experience without exposing yourself to too much risk. A fraud-prevention policy is the first line of defence in combating fraud and protecting profits.

You may think that writing a fraud-prevention policy is a disproportionate measure against the fraud risk your company faces. Yet it is the document that tells your teams how the company tackles eCommerce fraud. There is no one-size-fits-all policy, but answering a few key questions will help you build a comprehensive one.

What qualifies as fraud in your business?

There may not be one simple answer to this question. Fraud comes in many forms: payments fraud, account takeover fraud, returns and exchanges fraud, delivery and returns fraud, employee fraud and loyalty scheme fraud, to name a few.

Each category may in turn contain more than one type of fraud. Payments fraud may be credit card, e-wallet or direct debit fraud; delivery and returns fraud may be wardrobing, bait-and-switch, stolen merchandise or employee fraud. Your eCommerce fraud prevention policy may therefore need a specific prevention strategy for each type of fraud you are exposed to.

Who is your audience?

Different versions of an eCommerce fraud prevention policy may be necessary depending on the audience. A policy written for senior management may focus on financial loss, a strategic overview of the systems in place, or a short- to long-term plan to tackle the issues. A policy written for call centre employees will more likely focus on warning signs, areas of exposure, and processes and procedures. Remember that the level of detail needed for client-facing employees differs from that needed for senior management.

When developing a fraud prevention policy for client-facing employees, choose your vocabulary with care, both so that your audience understands you clearly and so that you raise employees' awareness of fraud without paralysing them. The reader should also keep in mind that more than 98% of customers transact and interact honestly with your company; the policy targets a very small minority and should therefore have no impact on your good customers.

What are the risks associated with your industry?

Each industry is exposed to specific fraud risks. For a travel company the risk may centre on last-minute bookings; for a retailer it may be freight forwarders or returns fraud; for a financial institution it may be money laundering. Again, the key is to strike a balance between providing enough context and not hindering employees in their day-to-day work.

Alongside the website, many companies also operate customer call centres. These are ideal targets for fraudsters, and call centres therefore potentially carry increased fraud levels. For these teams, an eCommerce fraud prevention policy can be adapted into a training manual that helps employees understand which questions to ask and which answers should alert them to a high-risk transaction.

What is your anti-fraud framework?

A comprehensive anti-fraud framework consists of fraud prevention, fraud detection and fraud response.

For fraud prevention, list the processes in place to prevent fraud. This can be a description of the rules being used, the scenarios or data elements a fraud analyst should look for, or a set of questions a call centre employee can ask to gather more information. This section should link back to what fraud looks like in your organisation.

For fraud detection, list the types of "tools" available to detect fraud within the company. Ideally a multi-layered approach is in place: a rules-based scoring system, a machine-learning statistical model, a profiling platform that recognises good customer behaviour, a manual fraud review team and a well-educated front-line call centre. Convey the message that there is no "silver bullet" for detecting fraud and that layering these defences gives the best chance of identifying it. The goal is to auto-accept as many transactions as possible while retaining the ability to intercept transactions for human review where needed.

For fraud response, tailor this section according to your audience. Make sure to give clear instructions on what an employee should do if they believe that they are witnessing an attempted fraud against your company by an external party.

Furthermore, consider the language used when suspected fraud is found. A fraud team, for instance, might link an attempt to other confirmed fraud and so prevent it. But what notes do they write in your systems about it? Has the call centre been trained not to use potentially harmful words such as "fraudster", "high-risk" or "suspicious"? Do employees know not to read out notes such as "you didn't get your parcel because you used the same email address 5 times in 24 hours"? As a general rule, it is best to use coded language in notes, so that employees responding to suspected fraud neither tip off a fraudster about which rule was triggered nor insult a genuine customer whose order happened to score as high-risk.
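The rules-based scoring tier described under fraud detection, together with the coded-notes advice above, can be illustrated in code. The following is an added example, not code from the original article: the rules, point weights, thresholds, reason codes (V01, G01, F01, M01, A01) and the sample order stream are all assumptions chosen to show the design. Each order is scored in timestamp order, a per-email velocity counter implements the "same email address 5 times in 24 hours" check, the total routes the order to auto-accept, manual review or decline, and the note written to the order system contains only reason codes, never free text such as "fraudster" or the rule that fired.

```python
"""Rules-based scoring tier for an eCommerce order stream.

Added example, not code from the original article. The rules, weights,
thresholds and reason codes below are assumptions chosen to illustrate the
design; a real deployment tunes them against its own chargeback data and
adds further layers (ML model, customer profiling, manual review).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reason code -> (internal meaning, points). Only the code is written to the
# order notes, so a note can be read back to a caller without revealing the
# rule that fired or labelling the customer as a "fraudster".
REASON_CODES = {
    "V01": ("email velocity over window", 30),
    "G01": ("billing/shipping country mismatch", 25),
    "F01": ("shipping address looks like a freight forwarder", 20),
    "M01": ("order value at or above high-value threshold", 15),
    "A01": ("account younger than minimum age", 10),
}
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3          # orders per email within the window, including this one
HIGH_VALUE = 500.0
MIN_ACCOUNT_AGE_DAYS = 7
ACCEPT_BELOW = 30           # score < 30  -> auto-accept
DECLINE_AT = 70             # score >= 70 -> decline; anything in between -> manual review


def evaluate(order, ts, history):
    """Return (score, reason_codes) for one order.

    history maps email -> timestamps of earlier orders already seen.
    """
    codes = []
    recent = [t for t in history[order["email"]] if ts - t <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_LIMIT:
        codes.append("V01")
    if order["bill_cc"] != order["ship_cc"]:
        codes.append("G01")
    if "forward" in order["ship_addr"].lower():      # crude keyword match, assumption
        codes.append("F01")
    if order["amount"] >= HIGH_VALUE:
        codes.append("M01")
    if order["account_age_days"] < MIN_ACCOUNT_AGE_DAYS:
        codes.append("A01")
    return sum(REASON_CODES[c][1] for c in codes), codes


def decide(score):
    """Route by score: auto-accept the bulk, review the middle, decline the top."""
    if score < ACCEPT_BELOW:
        return "accept"
    if score >= DECLINE_AT:
        return "decline"
    return "review"


def order_note(order_id, decision, codes):
    """Coded note for the order system; free text is deliberately absent."""
    return f"{order_id} {decision.upper()} {'/'.join(codes) if codes else '-'}"


def run(orders):
    """Score orders in timestamp order, maintaining per-email velocity state."""
    history = defaultdict(list)
    results = []
    for o in sorted(orders, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(o["ts"])
        score, codes = evaluate(o, ts, history)
        decision = decide(score)
        history[o["email"]].append(ts)   # count every attempt, accepted or not
        results.append({"id": o["id"], "score": score, "decision": decision,
                        "codes": codes, "note": order_note(o["id"], decision, codes)})
    return results


def _order(oid, ts, email, amount, bill, ship, addr, age):
    return {"id": oid, "ts": ts, "email": email, "amount": amount,
            "bill_cc": bill, "ship_cc": ship, "ship_addr": addr, "account_age_days": age}


# Constructed sample stream (not real orders).
SAMPLE_ORDERS = [
    _order("o1", "2024-03-01T09:00:00", "a@example.com", 45.0, "GB", "GB", "12 High St", 400),
    _order("o2", "2024-03-01T09:10:00", "b@example.com", 1200.0, "US", "NG",
           "Unit 4 Global Freight Forwarders", 0),
    _order("o3", "2024-03-01T09:20:00", "c@example.com", 600.0, "DE", "AT", "Hauptstr. 1", 2),
] + [
    # same email five times within 24 hours, then once more three days later
    _order(f"d{i}", f"2024-03-01T{10 + i:02d}:00:00", "d@example.com", 30.0,
           "GB", "GB", "7 Mill Lane", 90)
    for i in range(5)
] + [
    _order("d5", "2024-03-04T10:00:00", "d@example.com", 30.0, "GB", "GB", "7 Mill Lane", 93),
]

if __name__ == "__main__":
    for r in run(SAMPLE_ORDERS):
        print(r["note"], f"(score {r['score']})")
```

Running the block shows the three tiers in action: the low-risk order and the first two orders from the repeated email are auto-accepted, the third to fifth orders from that email trip V01 and go to manual review, the sixth order from the same email three days later falls outside the window and is accepted again, and the order with a country mismatch, a forwarder address, a high value and a brand-new account reaches the decline threshold. The stored note for that order reads "o2 DECLINE G01/F01/M01/A01", which a call centre agent can look up internally but cannot read back to the caller as an accusation.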

Writing a clear–cut eCommerce fraud prevention policy demands a thorough analysis of the risks faced by your business and how to best address them internally and in your relationship with clients.

Key Takeaways

  • Regularly review and amend your fraud-prevention policy.
  • Make sure your policy is read: use a clear simple style and vocabulary and include case studies and examples relevant to your business.
  • Broadcast your policy widely: make sure your policy is sent to all employees involved in the process. Target the people who are dealing with fraud daily.
  • Educate and train your employees on fraud: organise workshops with case studies and role playing to bring the fraud-prevention policy to life.