Payments Fraud

What is Payment Fraud?

Payment fraud is the process of stealing or otherwise acquiring someone’s payment information and using it to make unauthorized purchases. It is a common occurrence on the internet but can happen in brick-and-mortar stores, as well. Payment fraud can happen with several different payment types, depending on what the cybercriminal is able to gain access to.

Types of Payments

Here is a brief overview of the types of payments that can be used for fraudulent purchases.

  • Card Payments: This includes credit and debit card payments. A criminal can steal payment details or a physical card and commit fraud through card-present or card-not-present transactions, depending on where they are making their fraudulent purchase.
  • ACH Payments: If a criminal acquires the account number and ACH routing number for a specific bank account, they can use that information to make fraudulent ACH purchases.
  • Wire Payments: These require a bank account number just like an ACH payment but must have an accompanying wire routing number that is different from the routing number used for ACH payments. If a criminal acquires these numbers, they can make wire transfers fraudulently.
  • eWallet Payments: Gaining access to PayPal, Apple Pay, or other types of eWallet can allow criminals to make purchases using these methods. It can be more difficult to gain this information, but not impossible.

This is not an exhaustive list of payment types, but they are the most common. The majority of online payment fraud is committed through fraudulent card transactions. As a result, both merchants and cardholders should be careful and protect their card data as much as possible.

Types of Payment Fraud

There are also several types of payment fraud to watch out for. Once a criminal acquires the payment information of their victim, they can make fraudulent purchases in a variety of ways.

  • Credit Card Fraud: Card fraud is the most prevalent because it is the easiest for a criminal to commit. The hardest part in this process is acquiring the card information. Once a criminal has that information, they can make purchases online with it. Once the cardholder realizes what happened, they typically file a dispute. Unfortunately for merchants, they lose the money and the products in this scenario.
  • ACH Payment Fraud: ACH fraud happens in the same way as credit card fraud, but the payment type is different. Instead of using stolen card information, the criminal uses stolen bank account information to make their fraudulent purchases.
  • Phishing: In the phishing scenario, cybercriminals use emails, text messages and other forms of communication to try to fool the cardholder. The communication will often have a link to a fake website and request sensitive information from the cardholder such as usernames, passwords, credit card numbers, etc. Once the criminal has acquired the information, they can commit payment fraud online.
  • Card Testing: Card testing happens when a criminal tests stolen card information by making a series of small purchases first. Testing the card information with a smaller transaction amount helps criminals avoid being red-flagged by fraud-prevention software. Once the small transactions go through, the criminal can progress to making larger purchases with less risk of being detected.
  • Denial of Product Receipt: Calling the merchant or the bank to say the merchandise was never delivered is another form of fraud. In this case, the criminal makes an online purchase and waits for the merchandise to be delivered. Once the criminal has the merchandise in their possession, they will file a dispute saying they never received it and request a full refund.
  • Chargeback Fraud: Also called “friendly fraud”, chargeback fraud occurs when the cardholder or cybercriminal calls the bank to request a transaction reversal or refund. This can happen for a variety of reasons, but almost always results in a loss of revenue and product for the merchant. Cardholders avoid talking to the merchant by going straight through their bank, and therefore bypass the traditional refund and return process.
  • Triangulation Fraud: Triangulation fraud is a scenario in which a criminal sets up false online stores and sells products for extremely low prices. They collect credit card numbers and email addresses during the process. They will then use the acquired information to make fraudulent purchases elsewhere.
  • Merchant ID Fraud: Criminals commit merchant identity fraud by setting up merchant accounts that are similar to legitimate ones. Then, they make purchases using stolen credit card information. They close the merchant account and disappear before being caught.
  • Pagejacking: Pagejacking is a phenomenon in which cybercriminals route traffic from a legitimate online store to a false version of the same store. The customers don’t realize they are entering their payment information into the wrong website. Criminals then steal the information and use it.
  • Interception: Some criminals purchase merchandise online with stolen payment information and then reroute the package during shipping. When placing the order, they allow it to be shipped to the cardholder’s address to avoid being flagged by anti-fraud software. Then, during the shipping process, they reach out to the shipping company and re-route the package to a different location.

Who is Affected by Payment Fraud?

Cardholders and merchants are both affected by payment fraud. It can be a frustrating experience for both parties and is sometimes hard to rectify. Here’s a look at some of the key impacts that payment fraud has on the cardholder and the merchant.

| Cardholder | Merchant |
| --- | --- |
| Loss of cash from a checking or savings account | Loss of sales revenue |
| Funds held on credit cards for long periods | Loss of merchandise |
| Inconvenience of getting new cards | Fees incurred for chargebacks and returns |
| Inconvenience of closing accounts | Damage to their reputation |
| Psychological distress | Damaged relationships with customers |

This is a small sample of the effects that fraud has on merchants and cardholders. Some cases are more severe than others and could result in greater impact. The important thing to understand is that fraud impacts everyone in a negative way and should be handled appropriately.

How to Prevent Payment Fraud

The most effective way to prevent payment fraud is to have the right systems in place. Detection and prevention of fraud starts with proper cybersecurity measures. As a merchant, having these in place can save you a ton of headaches and loss on the backend. Here are some things to consider in your business to reduce and prevent payment fraud.

  • PCI Compliance: Following all PCI-DSS standards is a non-negotiable part of being an eCommerce merchant. Implementing these protocols into your daily business practices is essential to protecting your customers and building trust. Here are some of the things that PCI compliance will require of your business.
      • Secure network: Following PCI compliance standards will help you maintain a secure network that will protect cardholder information from potential cybercriminals.
      • Anti-virus software: Installing and activating anti-virus software will help protect against potential hackers who could get into your network and steal your customers’ data.
      • Internal controls: Use some internal controls within your company to restrict access to certain information. Your entire workforce doesn’t need access to consumer data. Instead, choose a select few people who will be able to access this data and monitor the activity closely.
  • Fraud Screening: Fraud screening tools help identify patterns in the purchasing habits of your customers. They can detect when a purchase is unusual or high-risk. A good screening tool can also detect other patterns that are tell-tale signs of fraud. Here are some of the things that could be red flags for fraudulent activity:
      • Larger than usual orders: If an order is placed on your site that is larger than the average customer spends on your site, it could be fraud. Similarly, if an order has multiple units of the same SKU number, that could be a sign, as well.
      • Several orders in a short time: Another red flag for criminal activity is when multiple orders are placed in a short period of time. This is not typical behavior for online shoppers and should be investigated promptly.
      • Multiple shipping addresses: Even more obvious than multiple orders is multiple shipping addresses! If a buyer places multiple orders with the same billing address but sends them to various shipping addresses, that is a huge red flag. It is likely that the cybercriminal is dispersing their stolen goods to make them harder to recover.
      • International IP addresses: This is not always a sign of fraud but should definitely be monitored. It can be difficult for American payment processing systems to verify international transactions, so these purchases should be treated as high-risk.
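The red flags listed above can be expressed as simple screening rules. The following is an added example, not code from the original article or from any screening product: the order records are constructed, and the field names, the grouping of orders by billing address, and every threshold (typical order amount, size factor, unit count, burst size and time window) are assumptions to be tuned per merchant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def at(hour, minute):
    return datetime(2024, 1, 1, hour, minute)

# Constructed sample orders (not real data); ip_country is an assumed geolocation result.
ORDERS = [
    {"id": "A1", "billing": "12 Oak St", "shipping": "12 Oak St", "amount": 55.0,
     "items": {"SKU-1": 1}, "ip_country": "US", "time": at(10, 0)},
    {"id": "B1", "billing": "9 Elm Rd", "shipping": "4 Pine Ave", "amount": 40.0,
     "items": {"SKU-2": 1}, "ip_country": "US", "time": at(10, 1)},
    {"id": "B2", "billing": "9 Elm Rd", "shipping": "77 Lake Dr", "amount": 45.0,
     "items": {"SKU-2": 1}, "ip_country": "US", "time": at(10, 3)},
    {"id": "B3", "billing": "9 Elm Rd", "shipping": "4 Pine Ave", "amount": 900.0,
     "items": {"SKU-9": 6}, "ip_country": "US", "time": at(10, 6)},
    {"id": "C1", "billing": "3 Hill Ct", "shipping": "3 Hill Ct", "amount": 70.0,
     "items": {"SKU-3": 2}, "ip_country": "DE", "time": at(11, 0)},
]

def screen(orders, typical_amount=60.0, size_factor=3.0, bulk_units=5,
           burst=3, window=timedelta(minutes=10), home_country="US"):
    """Return {order_id: [red flags]}; every threshold is an assumed, tunable value."""
    flags = defaultdict(list)
    by_billing = defaultdict(list)
    for o in sorted(orders, key=lambda o: o["time"]):
        by_billing[o["billing"]].append(o)
        if o["amount"] > size_factor * typical_amount:
            flags[o["id"]].append("large_order")
        if max(o["items"].values()) >= bulk_units:
            flags[o["id"]].append("bulk_same_sku")
        if o["ip_country"] != home_country:
            flags[o["id"]].append("international_ip")
    for group in by_billing.values():
        # Same billing address shipping to more than one destination.
        if len({o["shipping"] for o in group}) > 1:
            for o in group:
                flags[o["id"]].append("multiple_shipping_addresses")
        # Flag the order that brings the count inside the window up to `burst`.
        for i, o in enumerate(group):
            recent = [p for p in group[: i + 1] if o["time"] - p["time"] <= window]
            if len(recent) >= burst:
                flags[o["id"]].append("order_burst")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in screen(ORDERS).items():
        print(order_id, ", ".join(reasons))
```

A flag marks an order for review, not automatic rejection; the international-IP rule in particular flags legitimate customers.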

Identity Verification

The nature of online business is anonymous, which makes it a huge target for cybercriminals. They appreciate businesses that don’t take the necessary steps to ask for additional ID. Don’t be one of those businesses! Here are some of the ID verification tools available:

  • Address Verification System (AVS): This is a tool that will ask the customer to input their billing address on the payment screen, along with the card information. During the payment processing operation, the card issuing bank will decline the transaction if the addresses don’t match.
  • Personal Identification Number (PIN): Some payment processing systems have a feature that will ask the customer for their PIN when using a debit card or certain types of purchasing cards. This is another great way to verify the identity of the person inputting the card information.
  • Card Verification Code or Value (CVC/CVV): This is the security code on the front or back of a credit card. It’s typically a 3-digit code on the back of a Visa or MasterCard or a 4-digit code on the front of an American Express card. Requiring the customer to put in this code at the time of purchase is another layer of security that helps identify the cardholder.
  • Reverse Directory Services: Another tool that can be implemented is a reverse directory service. This type of service uses a third party to verify all the information that was entered by a customer, including name, phone number, and physical address. This is an increasingly popular tool for eCommerce businesses to use.

Final Thoughts

Understanding payment fraud and how to prevent it can protect your business from major impacts. Talk to your payment processor and business advisor to find the right solutions for you. Protecting your business and your customers should be your number one priority.