If it looks too good to be true...

WePay Staff

Payments Expert

The COVID-19 epidemic has created new kinds of e-commerce payment security issues for platforms and merchants. In all forms of commerce, there are always malicious third-party actors looking for new victims. Their latest approach is to take advantage of people desperately looking for PPE and other supplies or rushing to find a quick cure-all. The epidemic has also led to unpredictable supply-chain delays and unintended consequences.

E-commerce payment security: Growing risks

At WePay, we have seen a spike in support calls around issues concerning PPE and other essential items related to the crisis. We handle risk issues around payments for the platforms we support and are seeing a big rise in queries for these items. 

The FBI has twice issued warnings about potential fraud around PPE fulfillment. The FTC has done the same with a focus on consumers and fake charities.

Besides fraudulent suppliers, there are unintended delays that are leading to serious problems with fulfillment on certain merchandise. For example, merchants selling PPE, especially masks, are typically using a drop-shipment model. They get a commitment of supply and fulfillment from the manufacturer, sell the product online and then rely on the manufacturer to fulfill the order. A similar model is to collect multiple smaller orders and put them together into a bigger order to the manufacturer, then break that shipment down and pass the product along. In the current environment, there are numerous risks including fraud, delays and misunderstandings along with supply chain uncertainties. 

An evolving challenge

In addition, the issues and areas of concern are evolving rapidly as everyone adapts to changes in the crisis, potential re-opening, and an ongoing change in the way everyone does business. These changes will continue for the foreseeable future, so we all need to work together and adapt to keep consumers, businesses, platforms, and ISVs safe.

E-commerce payment security: what WePay is doing 

Because of these risks, many e-commerce sites and payment processors (including WePay) are instituting a higher level of scrutiny and checks to lower the level of risk for our customers. However, this does bring additional delays in evaluating transactions. The goal is to carefully approve all appropriate transactions as fast as possible and put a hold on those that have a higher risk of fraudulent activity.

WePay's Trust and Safety team is continuing to optimize our review processes to ensure we identify any merchants selling PPE or COVID-19 related supplies. This higher level of scrutiny may involve direct email outreach in which our team requests specific information regarding the merchant's business to ensure we can verify their legitimacy.

We recommend following the guidance of the CDC and WHO. There are no current vaccines or cures for COVID-19, and any merchants claiming to sell such items should be avoided. Increased risk of fraud will likely continue in other areas surrounding the COVID-19 crisis, as vaccines and treatments are tested and become available.

What businesses can do

As with all transactions, it is always important to research the background of business partners and suppliers thoroughly, investigate details and terms for transactions, and follow up on all potential issues to ensure that transactions are safe and secure. Some questions and best practices to be mindful of in transactions for merchants, platforms and even consumers include:

  • How long has the merchant been operating? Are they brand new, and do they appear to have set up shop just in time to take advantage of increased needs for PPE and other supplies?
  • Check the age of the website. If the business is on Facebook, pages now show the date the page was created. OpenCorporates is another free, open-source tool that anyone can use to see when a business was formed. Try searching Google for potential bad reviews or complaints against the merchant.
  • Is the business soliciting you directly? If someone is reaching out to you directly by email, phone, or another means online, be extra cautious and ask yourself why they're taking extra time for outreach to prospective buyers. This is an uncommon e-commerce approach. 
  • If a transaction seems like an unbeatable deal, it might be too good to be true; especially watch out for 419-type scams. In this scam, copies of documents that can establish identity, or a small advance fee, are requested in exchange for something else (money or material goods).
  • Be wary of unusual payment methods being requested such as bitcoin, gift cards, or wire transfers.
  • Avoid interacting with anyone claiming to be with a government agency, no matter what they ask you to provide, and reach out to the agency directly via another method.

Other general security and safety precautions to take include:

  • Maintain email safety. Make sure that you are protecting your business and employees from exposure to email attacks like phishing.
  • Revisit password and other security practices. Go over your basic security procedures and protocols to make sure you aren’t exposed and have a plan in place for a response if you discover a problem.
  • Maintain web security. Make sure your business and staff understand and follow safe web practices. Watch for fake websites. Make sure that any sites asking for credentials are using valid security certificates. Do not allow employees to use public computers or WiFi connections. Implement ad-blocking, script-blocking and other solutions to prevent malicious attacks. Make sure everyone signs out of and shuts down systems when not in use.
  • Maintain devices and make sure that anti-malware scans and checks are performed regularly.

By being extra careful we can all navigate through these issues and risks together.