As ecommerce grows to dominate an ever larger segment of the global economy, it’s inevitable that criminals will follow the money.
Payments providers, merchants, and ecommerce platforms are locked in a perpetual arms race with fraudsters, who are constantly developing ever more sophisticated ways to swindle and deceive.
For example, bot attacks, which deploy automated agents to mimic malicious human behaviors, and click farms, which exploit large numbers of low-paid workers to similar effect, both allow criminals to massively ramp up their efforts, leaving merchants akin to participants in an eternal game of whac-a-mole.
Nevertheless, merchants must use every method at their disposal to fight payment fraud. Failure to do so will not only cost you financially, but expose you to reputational damage.
Now you've learned how to accept payments online, you need to know the common types of payment fraud and how to prevent them.
Online payment fraud is a significant problem for everyone who buys and sells over the internet. According to Statista, online fraud grew by a dizzying 285% in 2021 alone. And in a recent report, Juniper Research estimated that online payment fraud could exceed $48bn in 2023.
There are two main types of card transactions. In a card-present transaction, both the cardholder and their card are physically present at a payment terminal (such as in a retailer or restaurant). A card-not-present (CNP) transaction is a remote transaction, conducted online, over the phone or by mail, where neither the customer nor their card is physically present.
Card-present fraud (fraud on in-store payments) is predicted to decline over the next decade. However, card-not-present transactions - such as payments conducted online or over the phone - are continuing to grow as a percentage of total spend, and these are far more at risk from fraudulent activity.
Fraudulent activities such as identity theft, phishing, and account takeovers are becoming more complex and increasingly hard to detect. This is especially true when fraudsters gain access to genuine shopper accounts, which makes it difficult for fraud tools to identify the fraudulent purchase as suspicious. That’s why it’s more important than ever for businesses to implement robust security measures, such as fraud detection software, to protect themselves and their customers.
As mentioned above, fraud involving CNP transactions is far easier to commit than fraud involving card-present transactions. Why is that? The main reason is simply that the cardholder isn’t physically present to verify their identity.
Fraudsters just need to steal their card details, which can be willingly given away in a scam, in order to commit the crime. On top of this, the Internet provides a vast amount of personal information - including social media profiles, and information stolen in data breaches - that can be used to impersonate someone.
Stealing someone’s card online is essentially identity theft. Identity theft involves a fraudster stealing someone’s personal details, such as their name, social security number, credit card number, or any other sensitive info, and using it to make purchases in their name.
There are a number of ways that identity thieves can obtain this personal information:
The loss to the customer is clear - but what about for merchants? Firstly, you’re likely to have to refund the purchase and incur any chargeback costs as a result. In addition to these refund and chargeback costs, you could also incur severe financial penalties if your chargeback ratio exceeds the card scheme limits for consecutive months.
You may also suffer reputational damage if the customer holds you responsible for not protecting their personal information. As well as putting off new or returning customers, at worst, this could lead to lawsuits and fines for falling foul of compliance regulations.
Chargeback fraud, also known as ‘friendly fraud’, is when a consumer disputes a charge on their credit card, which means you have to reverse the charge and refund the customer.
Because chargebacks are often initiated by a customer making a legitimate claim, chargeback fraud can be difficult to detect and prevent, and it can also be hard to prove they had dishonest intentions.
If fraudulent, a customer could falsely claim that:
These chargebacks can be costly for merchants, as they can result in lost revenue, chargeback fees, and increased processing costs - as card schemes penalize merchants with high levels of fraud through increased fees and lower authorisation rates.
The best way to prevent chargeback fraud is to have clear policies and procedures in place for handling customer complaints and disputes, and to document all transactions and customer interactions so that you can use them as evidence in the event of a claim.
You should also require signatures upon receipt of goods, provide tracking information for deliveries, and clearly communicate your return and refund policies to customers.
You can add known customers who have committed friendly fraud to the decline lists in your risk engine, so that they are automatically blocked should they try to transact with you again.
Card testing fraud is a type of credit card fraud where fraudsters use automated software to test the validity of stolen credit card numbers. They do this by generating a large number of transactions, each for a small amount, to establish which credit card numbers are valid and which aren’t. For every successful transaction, the thief knows they have valid credit card details, and can then use the card to make larger purchases or even resell the information on the black market.
These small transactions aren’t often flagged as fraudulent, meaning card testing fraud can go unnoticed for long periods of time. This is particularly harmful to merchants, because, if you don’t have procedures in place to prevent the fraud, you could incur chargebacks and penalties.
You can help prevent card testing fraud by implementing security measures such as Address Verification System (AVS) checks and Card Verification Value (CVV) checks.
Many card testers do not have valid CVV data, so requiring validation will block these attempts. Stolen credit card numbers are also often missing complete address and ZIP code information. The fraudsters will try to transact with random or partial address data, resulting in an AVS mismatch.
It’s also a good idea to check for suspicious patterns of small transactions. You could use fraud detection software with in-built machine learning that can detect and automatically flag potentially fraudulent transactions. Alternatively, you can use rules, in particular velocity-based rules. Velocity rules check for unusually high instances of an action within a certain timeframe - e.g. a large number of attempted transactions for a particular Bank Identification Number (BIN) or card in one hour - or for a high number of cards used per device; both are typical signs of bot activity. These customers can then be flagged as risky or blocked from making a transaction.
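The velocity rules described above can be sketched as sliding-window counters. This is an added example, not code from the article or from any fraud product; the thresholds, the card tokens, the field names and the sample attempts are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 3600             # seconds: the "one hour" timeframe from the text
MAX_PER_BIN = 5           # assumed threshold: attempts per BIN per window
MAX_PER_CARD = 3          # assumed threshold: attempts per card per window
MAX_CARDS_PER_DEVICE = 3  # assumed threshold: distinct cards per device


class VelocityRules:
    """Sliding-window velocity counters; events must arrive in time order."""

    def __init__(self):
        self.events = defaultdict(deque)  # (dimension, key) -> deque of (ts, card)

    def _window(self, dimension, key, ts, card):
        q = self.events[(dimension, key)]
        q.append((ts, card))
        while q[0][0] <= ts - WINDOW:     # expire attempts older than the window
            q.popleft()
        return q

    def check(self, ts, card_token, bin_prefix, device_id):
        """Record one payment attempt and return the names of the rules it trips."""
        hits = []
        if len(self._window("bin", bin_prefix, ts, card_token)) > MAX_PER_BIN:
            hits.append("bin_velocity")
        if len(self._window("card", card_token, ts, card_token)) > MAX_PER_CARD:
            hits.append("card_velocity")
        device_q = self._window("device", device_id, ts, card_token)
        if len({card for _, card in device_q}) > MAX_CARDS_PER_DEVICE:
            hits.append("cards_per_device")
        return hits


def run_sample():
    """Constructed attempts: one device cycling six cards, then a normal shopper."""
    rules = VelocityRules()
    attempts = [(i * 60, f"tok-{i}", "411111", "dev-bot") for i in range(6)]
    attempts += [(400, "tok-a", "555555", "dev-1"), (7600, "tok-a", "555555", "dev-1")]
    attempts.sort()                       # feed in timestamp order
    return [(a[3], a[1], rules.check(*a)) for a in attempts]


if __name__ == "__main__":
    for device, card, hits in run_sample():
        print(device, card, "FLAG " + ",".join(hits) if hits else "ok")
```

The counters key on a card token rather than the card number, so the rule state never holds cardholder data. A tripped rule would feed a flag or block decision in the risk engine.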
Marketplace fraud is a wide-ranging term for any fraud committed on an online marketplace, such as Amazon, eBay, or Facebook. It can take many forms, including:
These scams can cause big problems for marketplace platforms as, if a customer complains but the seller has disappeared and the funds can’t be recovered, the marketplace is usually held responsible for refunding the amount.
With the sheer number of transactions taking place on marketplaces every day, this type of fraud can be difficult to fight. The best first line of defense is to implement strict onboarding criteria for new sellers, including comprehensive identification checks, a review of their track record, an assessment of their financial and credit history, as well as their compliance with any relevant regulations and governance.
You should also monitor fraud rates on a per seller basis. That way you can assign more fraud rules and stricter thresholds to your highest risk sellers to make it harder for them to engage in fraudulent activity. Fraud detection software can help you do this.
Alternative refunds involve a fraudster deliberately paying more than they should for a product or service. They then contact you claiming to have accidentally entered the wrong amount, and request a partial refund by an alternative method such as a wire transfer, check, or gift card. Once the refund has been issued, the thief will disappear, leaving you to absorb the loss of both the disputed amount and the amount sent via the alternative method.
Fraudsters have a variety of tactics in their arsenal to convince you to issue the refund in their preferred form. For example, they might claim that the original payment method is no longer valid or that they are unable to receive a refund to the same card or account. They could also impersonate a customer service agent or someone in a position of authority in a particular company in order to gain your trust.
There’s one simple way to protect against alternative refund fraud: never refund payments via an alternative method. If a customer’s card has been legitimately closed, just issue a normal refund and it’s then the customer’s responsibility to contact their card provider and retrieve the funds.
Need help fighting fraud? We’ve launched Fraud Detection Pro, an enterprise-grade solution that’s been designed to help merchants tackle online payment fraud while balancing risk and maximizing revenue.
Fraud Detection Pro offers a hybrid of machine learning and rules. Machine learning acts as your first line of defence, identifying patterns of legitimate and fraudulent behaviour from vast swaths of data. In fact, Checkout processes billions of transactions globally and we incorporate multiple signals on each transaction, such as email, device and IP data, so when a genuine shopper or fraudster tries to buy from you, there’s a strong chance our machine learning has already seen this person before.
As valuable as machine learning is for pattern recognition, it isn’t a silver bullet. It has blind spots, such as identifying edge cases and responding to types of fraud it has not encountered before. This is where rules come in. There are scenarios where you want to block, accept, or send a transaction for further verification, and rules give you the granular control to do this.
Secondly, during a live fraud attack, you must act fast to minimize the impact on your business, and rules are the ideal instrument for such use cases.
Fraud Detection Pro has a robust rules engine where you can build rules from an infinite range of rule types and combinations, including your own data. You can also assign weighted scores to rules for a more nuanced assessment.
You can also get super granular in how you treat different groups of customers by building custom segments. For example: new versus repeat customers and high-risk versus low-risk products. Then you can apply unique risk strategies to each segment based on the individual risk profile.
Fraud Detection Pro also empowers you with powerful fraud analytics, reporting, and testing, so you can maximize performance and continually evolve your strategy.