Ecommerce is booming, with global online retail sales reaching $6 trillion last year.
But one major issue continues to impact company revenue.
In the US alone, ecommerce businesses lost about $103 billion to fraudulent returns and claims in 2024. Namely, fraudsters made up 15% of all returns, meaning that for every $100 returned, $15 was linked to dishonest practices.
Online sellers can’t afford to ignore this risk, especially given the lack of specific Know Your Customer (KYC) regulations guiding identity management in retail.
In this article, we’ll look at the most common fraudulent tactics and how digital identity verification in ecommerce helps prevent them.
Identity verification for ecommerce: Its role in today’s landscape
Unlike brick-and-mortar stores, ecommerce businesses must handle what's known as a remote identity. Traditionally, this concept feels out of place in retail. After all, no one needs to register to buy groceries at a corner store.
This is what sets ecommerce apart from other digital sectors like banks, iGaming platforms, and insurers, where serving clients remotely is standardized, secure, and regulated by detailed legal frameworks. These rules cover everything from data privacy and customer due diligence to penalties for non-compliance. Strict regulation does add friction, but it also encourages better security, bringing structure and order to these industries.
Ecommerce, on the other hand, lacks a unified KYC framework grounded in best practices. Moreover, most online shops and marketplaces aim to minimize the personal data they collect, store, or process.
For example, retailers selling age-restricted items like alcohol, tobacco, pharmaceuticals, or fireworks are required to verify age. Yet many still rely on basic age gates, which ask users to confirm they’re over 18 or 21 without any real verification.
However, the less data a digital shop has about its customers, the higher the chance this will be exploited by bad actors.
Subscribe to receive a bi-weekly blog digest from Regula
Common types of ecommerce fraud
Fraudsters use various tactics to target online marketplaces and digital shops. From the identity verification (IDV) perspective, these tactics generally fall into two categories:
Compromising legitimate user accounts
Creating and using fake identities from scratch
As a result, each stage of the customer journey becomes a potential weak point:
Let’s take a closer look at each type of ecommerce fraud:
Synthetic identity fraud
Most ecommerce sites only require a login, password, phone number, and address—no formal ID checks. This lack of strict KYC procedures allows fraudsters to create synthetic identities by mixing real and fake information. These identities can't be traced or held accountable, making them ideal for illegal activities.
Account takeover
Account takeover is a versatile technique that threatens many digital companies. In ecommerce, fraudsters can hijack legitimate user accounts through phishing or by buying leaked credentials on the dark web.
Many users still rely on weak passwords like "123456" or reuse the same login across multiple sites, making these attacks easier. In retail, takeovers often spike during holidays or major sales. Once inside, attackers place fake orders, redeem loyalty points, or resell stolen gift cards.
Credit card fraud
During checkout, fraudsters use stolen credit card details—often tied to synthetic or hijacked accounts—to make unauthorized purchases. This results in lost revenue and potential chargebacks, which can also increase processing fees and damage merchant reputations.
Return fraud
Returns are a normal part of ecommerce. Knowing this fact, fraudsters place high-value orders using fake identities, then file chargebacks or exploit return policies, leaving merchants with both the product loss and financial liability.
This tactic is often exploited for first-time purchases after account creation, since many digital shops often put lower checks in place to earn new customer loyalty.
The result?
E-commerce fraud causes heavy financial losses for merchants, while the fraud cycle is hard to break. Scammers use different techniques to bypass current defenses at their weakest points. Since it has never been easier to generate an identity using advanced technologies like deepfakes, the problem will only get worse in the future.
Ecommerce identity verification: Application scenarios
Modern identity verification typically includes two core components: identifying who the user is through ID document checks, and confirming they’re real using biometric verification, such as selfie verification. IDV can also handle specific tasks like age verification, data entry automation, and biometric authentication.
Some ecommerce-specific IDV scenarios include:
Securing age-restricted purchases (alcohol, tobacco, pharmaceuticals, paints, solvents, pocket knives, fireworks).
Onboarding new users for subscription-based ecommerce platforms.
Let’s look at how online retailers can apply IDV tools throughout the customer journey to protect both their systems and legitimate customers. Each tool can be tailored to specific business needs, but here we’ll examine their core functions.
Complete IDV
The typical IDV procedure involves presenting a government-issued identity document and a selfie. The system checks document authenticity by reading data from the visual inspection zone, machine-readable zone, barcodes, and electronic chip (for biometric documents), and by cross-matching the data.
Advanced digital verification setups also include ID liveness detection, where dynamic security features like holograms are checked to confirm the document is real, not a screenshot, printout, or deepfake.
Next, the system analyzes the user’s selfie. Besides matching it to the ID photo or chip, the key test is liveness detection, which spots presentation attacks like mask use or screen replays.
For age verification, both checks apply: the date of birth is taken from the ID, and the user’s estimated age can be validated during the selfie scan.
Once both checks are passed, the user is successfully onboarded or verified.
How to use it in ecommerce: While full IDV might not suit every online store—such as those selling cosmetics or clothing—it can be valuable for high-value transactions, account upgrades, or access to exclusive deals and services. In these cases, IDV acts as a value-add, not a barrier. It also helps weed out synthetic identities that can’t pass robust checks.
Biometric authentication
Most e-commerce platforms still rely on passwords and SMS-based one-time passwords. But biometric authentication—based on “what the user is”—offers a more secure and frictionless experience.
Using face recognition, the system scans a user’s face via a mobile phone and performs a one-to-many (1:N) match against a biometric database. Importantly, it creates and compares biometric templates based on facial features—not actual images—boosting speed and protecting user privacy.
How to use it in ecommerce: Biometric authentication is a strong defense against payment fraud. It can be used during checkout to confirm that the actual account holder is making the purchase. It also helps secure compromised accounts and enables recovery. As a regular step, it’s ideal for approving changes to sensitive data, such as payment details, particularly in card-not-present transactions.
Turn IDV into your advantage with Regula
Strong IDV may not be mandatory in ecommerce, but it can become a powerful competitive edge.
Regula offers fully customizable solutions to meet the specific IDV needs of ecommerce businesses:
Regula Document Reader SDK verifies documents with liveness detection and supports all types of IDs from 252 countries and territories.
Regula Face SDK performs biometric checks with advanced liveness detection.
Both solutions are cross-platform and can be deployed on-premises, which is crucial for meeting data protection requirements in ecommerce.
Book a call with a Regula representative to learn more about the products and explore successful use cases in the ecommerce space.
