Addressing E-Commerce and Website Fraud for the Massage Therapy and Spa Industries

Addressing E-Commerce and Website Fraud for the Massage Therapy and Spa Industries

by Selena Belisle, Founder/Instructor, CE Institute LLC

Massage therapy and spa business primarily operates with in-person transactions, where you are face to face with the customer who pays you.  But, sometimes an individual or "representative" pays for a service prior to the appointment with a card in-hand. Unfortunately, in an extremely small majority of times, these massage therapy payments may be illegitimate.  The person has paid with a credit card number that is not there own, and will eventually be challenged and lost when its determined that someone's credit card was illegally used.

The largest scam massage therapists usually face is when someone contacts you stating they want to send a large group of people, or clients for regular appointments for large sums of income. The discussion will then turn to the person requesting your bank information, or asking you to make a payment to a driver or another individual to secure the work.  These are the types of financial scams that massage therapists and spa practitioners primarily face within our industry.  In our experience, we have never seen this type of "opportunity" turn into a legitimate massage therapy work experince.

The e-commerce website company Shopify, has provided new and up-to-date information about e-commerce fraud, including statistics, types of fraud and some identifying factors. While much of what Shopify has written and distributed (below) mostly relates to products and not services, it is great information that may help you avoid some of the the fraudulent trillion dollar business tactics. The following information is direct from Shopify, and edited in some places to show massage and spa industry issues:

In 2021 alone, approximately $20 billion in ecommerce losses were reported in the US due to online payment fraud. North American merchants have seen a 68% increase in fraud attempts throughout the COVID-19 pandemic. 

What is e-commerce fraud?

Ecommerce fraud happens when scammers intercept transactions happening on your online store. Also known as payment fraud, it’s a criminal act in which scammers hijack transactions and steal money from either the customer, the merchant, or both. 

With global ecommerce sales tipped to reach $5.55 trillion in 2022, there’s plenty of opportunity for scammers to hijack customer data and commit fraud. Let’s take a look at the seven types of ecommerce fraud you’re likely contending with an online store: 

Friendly fraud (does happen in the massage industry)

Friendly fraud happens when a customer pays for your massage service, and later files a chargeback with their bank. Shoppers illegitimately claim their they didn't receive the service or some other illegitimate execuse such as they canceled the appointment shortly after placing it. A complaint to their bank prompts an investigation, causing 2.9% of enterprise brands’ ecommerce orders to result in a chargeback.

Card testing fraud (also happens in the massage industry)

Card testing is a tactic fraudsters use to determine whether a stolen credit card works. Scammers often make a small, low-value purchase so the fraudulent transaction goes under the radar of the card holder. Once the card is verified to still work, they go on to make more expensive purchases using the stolen card. 

Card testing is the second most popular type of ecommerce fraud for all merchants. Not only is it frustrating for customers, but should most of your online payments be blocked due to card testing fraud, your business will be subject to extra fees and disputes. 

Refund abuse (not typical in the massage industry)

Refund abuse is a type of ecommerce fraud where customers return broken, damaged, or stolen items to a retailer in exchange for a refund. 

While many merchants have strict return policies that determine what qualifies for a refund, it’s still a costly problem. The National Retail Federation found that retailers lose $5.90 for every $100 in returned merchandise due to this type of fraud. It’s the type of online fraud that saw the biggest increase, with merchants reporting a 60% uplift in refund abuse last year. 

Online payment fraud (does happen in the massage industry)

Online payment fraud happens when scammers steal another person’s payment details and use them to make purchases. I was working in a spa where some young customers walked-in for several hundred dollars of massage and spa services, and then used a credit card that did not belong to them to pay for the services. We received a charge-back.  

Because the customers' spa services exceed $500, we asked for identification with the credit card and the person holding the card stated he did not have his license on him.  His friend who also received a massage appointment offered his identification so we accepted that, and provided this with the chargeback to the police. The police did nothing about it other than take a report and tell us other merchants in the area were subjected to the same fraud with the same group of customers. We were never paid.

Credit card fraud can also result when scammers create duplicate versions of your website and encourage customers to unknowingly purchase items through a fake website. Hijackers recoup their cash and store their credit card number for future scams. 

Retailers worldwide suffer from online payment fraud, though it’s most prevalent in Mexico, where merchants saw a 77% increase in online payment fraud last year. 

Account takeover fraud

Account takeover is a type of fraud that happens when scammers break into a your online account or website to use stored credit card numbers to make fraudulent purchases else where. 

Some 23% of brands experienced account takeover fraud last year, with scammers accessing customer accounts that use weak passwords, phishing emails, or malicious software on the device used to purchase. 

Promo, affiliate, or loyalty abuse

Ecommerce brands use promotion, affiliate, and loyalty programs to attract new customers and engage existing ones. But their popularity means promotions attract scammers who rinse your business of cash through fraud using tactics like:

  • Affiliate fraud. Affiliate marketing gives customers who refer friends a percentage commission on their order. However, some affiliates bend the rules. They send spam traffic to the website or use stolen credit cards to get paid out—even though the customers they’ve referred aren't legitimate. 
  • Loyalty fraud. Research suggests that $1 billion in rewards value is lost every year to fraud. It happens when customers join your loyalty program, earn points through stolen credit cards, and resell them for a percentage of their value on the dark web.
  • Promotion fraud.Almost half of ecommerce businesses have experienced a rise in promo abuse since the start of the COVID-19 pandemic. It happens when scammers find loopholes in a retailer’s promotions to claim products for free. 

Triangulation fraud

Ecommerce businesses that sell through various sales channels often fall victim to triangulation fraud. It happens when:

Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price. 

  • Fraudsters list your products for sale on marketplace such as eBay or Amazon
  • Customers purchase the lower-than-RRP item from the scammer using their legitimate credit card
  • The scammer uses a separate fraudulent credit card to buy the real product from your store using the customers’ shipping address
  • The customer receives their order but their credit card information is compromised

Triangulation fraud is a serious problem for both ecommerce merchants and customers. Marketplace shoppers unknowingly have their credit card details stolen. Retailers also process fraudulent orders without recognizing the invisible middleman using stolen cards and netting the difference between the marketplace price and actual product price.

How to Identify Possible Fraud on Your Website:

Ecommerce fraud is an expensive problem, both in terms of lost revenue from intercepted online orders and customer loyalty. Shoppers are unlikely to return to your website if they were a victim of fraud the last time they purchased through it. 

Here are some red flags to spot possible fraudulent activities on your own website:

  • Higher order volumes. Scammers using stolen credit cards often purchase high-ticket items since the cash they’re spending isn’t their own.
  • Low value orders. “Be on the lookout for low value transactions, especially if they’re only around $1,” says Ben Hyman, CEO and co-founder of rug brand Revival. “Fraudsters will purchase low value products to see if their stolen card works.”
  • Different credit cards. It’s a warning sign when one customer makes several purchases, each using a different credit card. Scammers often do this to test whether stolen credit card details work. 
  • Repeated declined transactions. Fraudsters might not have the information they need to make purchases from a stolen card. If a payment declines repeatedly due to security code errors, for example, it’s unlikely to be an honest mistake from a genuine customer.
  • Unusual IP locations. Look out for several orders from the same IP address, or suspicious orders from an IP address in a location that isn’t familiar. If most customers are in the US, for example, an attempted high-value order from an IP address in Indonesia is a warning sign of ecommerce fraud. 
  • Different billing and shipping addresses. This is especially common with triangulation fraud, where fraudsters use stolen card details to ship items to legitimate customers. 
  • PO box shipping addresses. While this type of shipping location is popular with businesses, PO boxes allow scammers to ship online orders to an anonymous location. Be wary of shipping too many orders to a single PO address. 

Here are some fraud prevention strategies to minimize the likelihood of fraud happening through your website. 

1. Manually Review Risky Orders

Ecommerce software exists to flag risky orders. Manually review orders that raise a red flag, reaching out to the customer for further information if you’re unsure whether it’s legitimate. 

If you’ve received a low-value order from an unusual IP location, conduct a manual review and reach out to the customer for further verification. Failing to hear back means there’s a strong chance that the order was made using a stolen credit card. 

Similarly, consult a customer’s purchase history to determine whether a risky transaction is ecommerce fraud. It’s likely not a cause for concern if a shopper who usually makes orders from the US makes one purchase from an IP address in Spain. But there’s a strong chance their account has been compromised if they’re making orders bigger than usual, using a different credit card, from a different location. 

Be vigilant when it comes to new customers. Take a closer look at orders from new customers, and be prepared to cancel or refund them if something looks suspicious.

2. Collect Proof of Delivery

Have your massage and spa clients fill out an intake form prior to the start of service, and detail notes collected about their appointment on the form. This will help show that the service was indeed provided after the fact. While you cannot show actual medical details to others because this would violate HIPAA, having the intake form in the office will help.

You can also provide surveys for your services after the treatment, and ask clients to fill these out to not only improve your practice, but to also show additional proof of receipt of services. Ask a client to mark the form n/a with their initials if they do not want to fill out the form after the fact - it may be hard for the client to say no to such a basic request after such a personal service.

3. Be PCI Compliant

All ecommerce businesses need to meet Payment Card Industry Data Security Standards if they’re processing online payments safely. These PCI compliance standards include:

  • Changing the default password for software and systems
  • Encrypting cardholder data across open, public networks
  • Using antivirus software to prevent malware attacks
  • Restricting which employees can access cardholder data
  • Regularly testing online security systems 

“Having a firewall between your internet access and any system that stores credit card details is one way to ensure PCI compliance,” says Sina Will, co-founder of Foxbackdrop. “Therefore you must verify that you are adhering to the appropriate PCI requirements to avoid sanctions or penalties.”

4. Post Clear Policies on Your Massage or Spa Website

Post policies on your business website that explain how your business works. Aside from blanket terms and conditions, showcase clear policies on your website to crack down on ecommerce fraud. That includes: 

  • Strong password policy. It’s easier for scammers to commit account takeover fraud if a customer’s login details are easy to crack. Alongside two-factor authentication, Stephen Light of mattress brand Nolah recommends a password policy because, “While some customers find password requirements tedious, it makes it much harder for any fraudsters to hack into our customers’ accounts if their passwords are complex.”
  • Return policy. Build your case against customers requesting chargebacks or refunds with a solid return policy. Explain what qualifies for a return, the documentation needed, and how it’ll be processed (such as a cash refund, exchange, or store credit).
  • Promotions and rewards policies. From limited order quantities to prohibiting the sale of reward points, this type of policy backs up any ecommerce fraud that goes against the terms and conditions of your promotion. 

5. Make Sure You Are Collecting ALL Credit Card Details to Verify Legimate Transactions

A telltale sign of ecommerce fraud is when a customer’s billing, shipping, or card details don’t line up correctly. Automatically identify orders that raise this red flag using verification software, such as:

  • Card verification number (CVN). Scammers only need to see the front of a credit card to make fraudulent online purchases. Add the three or four digit PIN (CVN) as a required field on your ecommerce checkout as an added layer of security. It’s the most popular fraud detection feature used by more than half of merchants. 
  • Address verification system (AVS). This verifies a customer’s billing address against the card they’re using. As Stephen Light, CEO and co-owner of Nolah says, “Many fraudsters will use multiple cards to make purchases to a single address, so an ASV can catch them out.” 

 6. Use IP Fraud Scoring Tools for Greater Protection

One person can commit several types of fraud using the same computer. Detect those serial fraudsters with IP scoring tools such as SEON or Scamalytics. Each detects an IP address that’s been linked to fraud in the past, using signals like:

  • Their location (and whether it matches the country the card is registered in)
  • Whether they’re using a VPN to disguise their true location 
  • The type of internet service provider, such as a residential or public connection 

Orders placed from an IP with a high fraud score are highlighted, ready to manually review risky orders or automatically block them. 

In summary, these are only a few methods that could help avoid fraudulent transactions. Learning about them is a great start to be able to identify and address them when they happen to hopefully prevent an fraudulent incident. Unfortunately, blocking 100% of fraudulent transactions is likely not possible. And while this is not a total exhaustive list of possible fraudulent exercises, it does provide many different examples where a practitioner could fall as a victim.

Fraud exists because it can be used in new and unthinkable situations so it would be extremely difficult to protect yourself from all fraud.  However, some fraud exists because it has been successfully applied in the past, such as asking a trustring massage therapist to share their bank account information for payment, or pay a driver in advance to drop off spa customers, etc.

We hope this information helps enlighten spa and massage industry staff to help avoid fraudulent transactions. Learning more about fraud is one way to help prevent it.

#fraud #preventfraud #spa #spabusiness #massagebusiness #massagepayment #payments #website #healthcare #healthcarepractices #lmt #massage #massagetherapist #massagetherapyethics #bodywork #bodyworker #massagetherapy




Previous post Next Post


  • 스마일벳 - June 21, 2022×28×92734&url=

  • 카지노사이트 - June 18, 2022

Leave a comment