Case study: preventing fake orders on the e-shop

One of the risks of running an e-shop is that not every order will work out. The motivations of those who create fake orders can vary - they may be competitors trying to paralyse your e-shop, or they may be "jokers" who laugh gleefully at someone else's misfortune. In all cases, however, fake orders, which is what one of our recent cases involved, are undesirable for an e-shop.

The client's request

Our client decided to start an e-shop. This client now transacts primarily with businesses (i.e. not consumers). It also expects that businesses will also be the e-shop's main customers. However, the client was concerned that many e-shop orders would be fake. The client wanted to know whether such fake orders could be prevented and, if so, how.?

Our solution

First, we imagined all the situations that could theoretically lead to a fake order and thought about them carefully. The two main possibilities were that someone would:

1. would impersonate an entrepreneur who does not have a customer account on the e-shop yet (or would impersonate an authorized representative of such an entrepreneur, for example his employee), or?
2. misuse an existing customer account of an entrepreneur (who already had been a costumer of our client).

To avoid the case mentioned in the first place, we have proposed various solutions to verify the identity of new customers. We took inspiration from solutions used by large and established e-shops and came up with our own suggestions. We have searched for, and found, solutions that enable unambiguous and secure identification of the e-shop user and that cannot be easily misused.?

In the case referred to above in the second place, we reasoned that such an order would, in certain circumstances, bind the very entrepreneur whose account was misused. Simply put, this would be the case if the entrepreneur in question had contributed to the misuse of his account through his fault (i.e. even negligence) (in which case the conditions for the application of Section 444 of the Czech Civil Code would be fulfilled).

Thus, for example, a company would be bound by the waiter's order if a managing director of that company forgot a slip of paper with the login data for the customer account in a restaurant where he was having lunch, and a waiter from the restaurant made a fake order as a joke.

In this context, we also advised the client to emphasise in its general terms and conditions (and other customer documents) that customers should adequately secure their accounts and adequately monitor for potential misuse.?

In addressing these issues, we have also relied on knowledge from abroad, particularly Germany, where entire specialized publications deal with fake orders.(1) These, for example, describe in great detail the extent to which customers should secure their accounts so that potential misuse of their accounts is not to their detriment.

Results

We summarised all our suggestions and recommendations to our client in a well-organized memorandum. The memorandum included both a detailed description of the risks and theoretical solutions and a brief summary in which the client found all the most necessary information. For the sake of clarity, we also included in the memorandum our interpretation of who all is legally entitled to act on behalf of the entrepreneur (especially to order and take over delivery of goods).

(1) Cf. e.g. HOSSENFELDER, M. Pflichten von Internetnutzern zur Abwehr von Malware und Phishing in Sonderverbindungen. 1. Auflage. Nomos, 2013; MüLLER-BROCKHAUSEN, M. Haftung Für Den Missbrauch von Zugangsdaten Im Internet. 1. Auflage. Nomos Verlagsgesellschaft mbH, 2014, p. 345; or ST?BER, M. Die analoge Anwendung der §§ 171, 172 BGB am Beispiel der unbefugten Benutzung fremder Internet- oder Telekommunikationszug?nge. Juristische Rundschau, No. 6/2012; et al.