The 10 Worst Fraud Scenarios in E-commerce Apps

The success of an e-commerce mobile app or website does not hinge on good marketing and product quality alone. Warding off threats is also essential, as failure to do so can lead to you falling victim to fraud and suffering significant reputational and financial losses. If not prevented, fraud can ruin even the most promising app.

What is Fraud?

Only 60% of internet traffic is human, with the remainder generated by various bots, software designed to automate certain tasks.

There are the so-called good bots that perform useful online tasks (for example, Google's web crawler), but most bots are used in fraudulent activities such as stealing traffic, imitating user activity, carding, DDoS attacks, and password cracking, often causing loss of revenue for app developers one way or another.

It is important to know about different types of internet fraud to take adequate measures to improve your earnings and boost your app’s efficiency.

Ad Fraud

There are two main types of fraud – ad (before and during an install) and in-app fraud.

Ad fraud means tampering with ads to make a profit. As a result, app developers suffer from less effective campaigns, messed-up targeting, and a needless cost increase. Bot creators usually have nothing against any specific products and simply see ad fraud as easy money. That said, some market players use click fraud against their competitors, sending bots to click the ad so that fewer real users can see it and thus damaging the marketing effort.

If not detected by ad networks or app owners, bot-generated fraud can eat away up to 21% of the dedicated budget. The ad fraud rate is as high as 28% in Australia and 36% in India, and the figure is climbing. By 2025, ad fraud is expected to double and become the biggest market for organized crime worldwide.

With earnings from fake clicks estimated at some USD 50 bn annually, it is highly unlikely that this type of fraud would dissipate on its own.

The key threats are the following:

  1. Device farms (25% of ad fraud). Low-paid workers or automated systems simulate real users, which may lead to high install rates and even in-app activity, causing developers to invest more in such ads while generating no actual profit.
  2. Bots/emulators (18%). The app is installed by programs emulating your audience rather than real users.
  3. Click spamming and click injection (9% and 8%). Fraudulent networks send large numbers of click reports in the hope of delivering the last click prior to an install. This leads to inaccurate attribution rates and overestimation of installs unless the developer uses fraud monitoring tools.
  4. SDK spoofing (13%). Using security weaknesses, fraudsters get access to data exchange channels between the server and app SDK, which enables them to intercept ad clicks from the mobile device and create fake installs.
  5. Unwanted traffic (27%). Your ads get published in unwanted sources without your knowledge or promoted using misleading content, generating random clicks, or bringing in an unwanted audience (for example, from countries you don’t target).

In-app Fraud in E-commerce

Bots that operate inside apps are designed to imitate human activity. They click, sign up, interact with content, create accounts and go to the cart while performing certain tasks to benefit the fraudster. Acting at high speed and in large numbers, they make a very efficient tool, especially if the app has no fraud protection. They are often used by market players who want to gain an unfair competitive advantage.

Malicious bots may cause harm to your app in the following ways:

  • Reduce the user retention rate as real users will not be able to beat the bots
  • Create never-used spam accounts
  • Hack user accounts or use the app’s payment system for carding.

In most cases, e-commerce app fraud has a significant negative impact on user experience. Failure to quickly detect bot activity using the relevant metrics may lead to more serious damage to your business than the partial loss of revenue. Bots increase order processing time and slow down your app, and it can take a lot of effort to restore your reputation and user trust after an overlooked fraud attack.

Here are the types of malicious bot activity in e-commerce apps:

1. Collecting product and pricing information

Competitors may use bots to monitor your prices and product range to make better offers and poach your customers. Another problem is scraping of proprietary content – in other words, the unique app content that you paid to have developed gets copied by bots.

To counter scraping bots, some brands feed them fake prices and product information.

2. Cart manipulations and inventory depletion

Bots can add hundreds of items to the cart without ever completing the purchase, in the hope that the app will automatically reserve these items and remove them from the available inventory. This creates a fake depletion of inventory, preventing real users from buying the items. Your actual sales drop, while the conversion rate and other indicators get skewed, weakening the brand reputation.

3. Product and promo scalping

Malicious bot activity rises during sales and seasonal discounts. Bots get there first and buy up in-demand items (fashion sneakers, designer clothes, new video cards, game consoles, and consumer electronics) to re-sell them at a higher price.

This practice is very widespread. To illustrate this, for several days in March 2019 the No. 1 paid app in the App Store was Supbot, which helped users buy Supreme products ahead of others.

Bots are often employed to buy tickets to popular events the moment they are released for sale. If you do not take measures to detect these bots and improve fraud monitoring, there will be no room in your app for regular users who are likely to return and become your loyal customers.

4. Attacks at the login stage

Bots may try to steal data when users log in to your app to access their accounts, with a view to collecting and selling personal information, including the purchase history.

5. Delivery interception

Even if payment details are well protected on the server, fraudsters can still profit from accessing user accounts. Malicious software can create orders with the delivery address matching the one linked to the user’s bank card, and this fraud is quite hard to detect. The criminals use the following tricks to intercept the package:

  • Asking customer service to change the delivery address before shipment
  • Requesting the shipper to change the delivery destination to a place where they can safely pick up the stolen goods
  • Waiting for the package at the door in cases where they live close to the payment address.

6. Carding

Fraudsters employ bots to test tens of thousands of stolen credit card numbers against your payment flow. The owners of the stolen cards may then dispute the fraudulent transactions, leaving you to deal with refunds, chargeback fines and, as a result, a bad history with card issuers.

A large volume of fraudulent transactions can also degrade the performance of your own anti-fraud system, and focusing on payments alone, as the critical element of your app, will not catch all the bots.

7. Fake accounts

Attackers often use bots to create fake accounts to commit various types of cybercrime, such as spamming, money laundering, and spreading malware.

8. DDoS attacks on websites and apps

Bots can also target you directly. A sharp increase in traffic can overwhelm product databases and disrupt payment processing, which degrades customer experience and drives up your costs. To make DDoS attacks hard to detect by conventional security systems, botnets have learned to mask them.

9. Distorting analytics

As bot requests can account for up to 50% of traffic to an e-commerce website or app, it is crucial to be able to differentiate between fake and real users to obtain data on the actual state of your business. With accurate analytics, marketing teams can make better decisions and get better results from ad campaigns.

10. Fake reviews

Bots can flood e-commerce apps with fake products and bogus product reviews. According to estimates from the UK's Competition and Markets Authority, online reviews potentially influence GBP 23 bn of British consumer spending every year. Fake and misleading reviews harm app users, encourage them to buy low-quality goods, and cause reputational damage to businesses.

Amazon, eBay, Newegg, and other major e-commerce app owners invest hundreds of millions of dollars in preventing counterfeiting and fake reviews on their platforms by verifying users and purchases and analyzing in-app activity. Yet even Amazon occasionally faces high-profile scandals due to fake reviews. Fraud control and analytics are essential if you incorporate reviews into your platform; otherwise, you will have more fake reviews than real ones.

Preventing Fraud in E-commerce Apps

Step 1. Detecting fraud

You will have to find ways to distinguish fraud from real users’ activity, both when purchasing ads and within the app.

A lot depends on the accuracy and efficiency of bot detection. You would not want to accidentally ban real customers, but giving bots six months to profit from your app and scare away all the customers is also a no-go. There are various metrics to promptly detect fraud in apps and on websites, such as:

  • An abnormally low CCR (click conversion rate). Be on your guard if your ad partner is delivering too many clicks on your ad compared to total app installs
  • Extremely high traffic quality indicators from one or several partners
  • Very short sessions
  • Installations without running
  • Low CVR (conversion rate)
  • Short or constant CTIT (click-to-install time). This metric indicates the time between the click on your ad and the first launch of your app on the user’s device and is useful for detecting click injection and click spamming
  • A high proportion of overlapping clicks, which indicates ad redirects or ad stacking
  • Country and region. Always check where your users come from. This is the easiest way to spot farms and “quiet” DDoS attacks
  • Custom events, i.e. tracking users’ in-app actions against the flows you expect. Are they deviating from standard scenarios?

To monitor these and other metrics, you will need a mobile tracker, preferably one that can automatically detect anomalies.
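As an added illustration (not code from the article or from myTracker), the check below scores each ad partner on three of the indicators listed above: an abnormally low CCR (click spamming), a very short median CTIT (click injection) and a suspiciously constant CTIT (scripted installs). The partner names, click counts, CTIT values and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import median, pstdev

# Constructed sample data: clicks each partner reported, and the CTIT
# (click-to-install time, seconds) of every install attributed to it.
CLICKS_REPORTED = {"partner_a": 2_000, "partner_b": 400_000, "partner_c": 1_500}
INSTALLS = [
    # partner_a: a human-looking spread of click-to-install times
    ("partner_a", 95), ("partner_a", 410), ("partner_a", 1_900),
    ("partner_a", 7_200), ("partner_a", 260),
    # partner_b: click spamming - huge click volume, few installs
    ("partner_b", 50_000), ("partner_b", 86_000), ("partner_b", 120_000),
    ("partner_b", 3_600),
    # partner_c: click injection - click reported seconds before the install
    ("partner_c", 4), ("partner_c", 5), ("partner_c", 4),
    ("partner_c", 6), ("partner_c", 5),
]


def ctit_by_partner(installs):
    """Group the CTIT values of attributed installs by partner."""
    groups = defaultdict(list)
    for partner, ctit in installs:
        groups[partner].append(ctit)
    return groups


def assess_partners(clicks, installs, min_ccr=0.002, short_ctit_s=10, flat_ctit_s=2.0):
    """Return {partner: [flags]}; thresholds are illustrative assumptions."""
    groups = ctit_by_partner(installs)
    flags = {}
    for partner, reported in clicks.items():
        ctits = groups.get(partner, [])
        partner_flags = []
        ccr = len(ctits) / reported if reported else 0.0
        if ccr < min_ccr:
            partner_flags.append("low_ccr")  # far more clicks than installs
        if ctits and median(ctits) < short_ctit_s:
            partner_flags.append("short_ctit")  # click injected just before install
        if len(ctits) >= 3 and pstdev(ctits) < flat_ctit_s:
            partner_flags.append("constant_ctit")  # machine-regular timing
        flags[partner] = partner_flags
    return flags


if __name__ == "__main__":
    for partner, partner_flags in assess_partners(CLICKS_REPORTED, INSTALLS).items():
        print(partner, partner_flags or "ok")
```

A real tracker would apply the same checks per campaign and per day, since a partner that mixes clean and fraudulent sub-sources averages out at the account level.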

The all-in-one (yet free) solution is Fraud Scanner by myTracker.

This is a comprehensive tool that monitors fraud using dozens of metrics divided into three groups – click, hardware, and in-app. The traffic is checked against more than 16 indicators. The collected data can be uploaded to your own system for further analysis.

Figure: fraud monitoring with Fraud Scanner in myTracker

To properly assess the threat of fraud, you can use special indicators called benchmarks. These are reference values calculated for each fraud metric based on machine learning and a large amount of accumulated data. When these values are exceeded, the system signals a fraud threat.

A case of fraud detection in a gaming app.

Step 2. Eliminating Bots and Keeping Them Out of Your App

An identified vulnerability needs to be fixed, and the method depends on its type. With ad fraud, it is easy. When you identify a fraudulent platform, just stop working with it and focus on the sources bringing you revenue-generating customers.

How to fight in-app bot fraud?

You should start by monitoring key events with a mobile tracker. You can track:

  • Purchases
  • Time for switching between screens
  • Time for entering personal data.

Then you can delete or block the accounts/IPs of users showing suspicious behavior.

To learn more about combating fraud, look out for our next article.

Want help detecting mobile fraud? Create a free account with myTracker or request a personal demo of Fraud Scanner here.