Payment fraud affects any business that transacts online and is therefore exposed to chargebacks, friendly fraud, abusive users, and stolen payment data easily purchased on the dark web.
Have you recently received an SMS detailing how you’ve miraculously won thousands of dollars? Or maybe you’ve received an email asking for personal information to allow you to collect a million dollar inheritance? These are different types of payment fraud in our country. What are they and how do they work? Let’s learn.
What is payment fraud? To answer simply, payment fraud is the act of completing a transaction with a stolen credit card or unauthorized payment information that deprives a victim of payable funds or property. Payment fraud can also occur when a user knowingly files a chargeback on a legitimate purchase, known as "friendly fraud".
How Many Types of Payment Fraud Are There?
But payment fraud is not limited to the archaic email fraud that we’re so used to now. In fact, with the high rate of internet adoption, the tactics and technologies used have also evolved.
According to a study conducted in 2016 by ACI Worldwide, the United States is placed third in the list of total card fraud rates, just behind Mexico and Brazil.
As long as there are loopholes in any system, there will also be criminals there waiting to exploit them. Then, is there no way to protect customers and businesses? There is. But first, let’s understand some of the most common instances of payment fraud.
Online phishing, also known as spoofing, generally refers to a process in which a person’s personal information is obtained through emails or websites that pose as legitimate sources. This information includes names, addresses, email addresses, bank account numbers, credit card numbers, etc.
The friendly email from an African country offering you millions in inheritance is generally an example of online phishing. The same can also be done using SMS and WhatsApp. The user is offered some bait of monetary benefit or freebies like smartphone giveaways and tricked into revealing personal information.
The user is then directed to a site for payment which looks legitimate but is created so that your debit card or credit card details can be captured.
Data theft mostly happens as an inside job. In these cases, an insider working with an online business siphons off customer information. This information consists mostly of personal details such as name, address, and payment information.
However, of late, these have become somewhat rare since most e-commerce companies use technologies like tokenization and data encryption to ensure that the data cannot be read or siphoned off.
Encryption technologies encode the data so that it cannot be read or edited directly from the database. In a way, they use complex algorithms to protect the data in the same way as military messages were protected during the Second World War. Most reputable payment processing companies take data encryption very seriously to ensure data theft does not occur and that personal information is not stored.
Chargebacks are among the simplest frauds and yet among the most difficult to stop. A chargeback can be literally explained as an order from the bank to the business to refund the amount paid by the customer.
How does a chargeback fraud take place? Well, the customer places an order for an item and pays for it (legitimately). Now, once the product arrives, the customer will report the transaction to the e-commerce company and the bank saying that the transaction was made fraudulently and that he/she has received no product.
The bank will order a chargeback to the business and the business will be forced to refund the amount. However, the product will still be with the customer and the e-commerce company will be forced to conduct an investigation to identify who took the product and where the lapse happened.
Since it is not completely possible to prove that the customer did not receive the product, it often leads to a huge GMV (gross merchandise value) loss for the company. Real-time chargeback prevention is the best way to manage this type of abuse.
It's also important to note that chargebacks are often due to stolen credit cards and hacked payment information, for sale on the dark web. Cybercriminals can purchase this data to make fraudulent purchases and ship the products to a mail forwarding address or even their own address.
Friendly Fraud occurs when a user knowingly makes a credit card chargeback for a legitimate transaction in order to deceive the bank into refunding the purchase. Typically, this is performed for a product or service that was successfully delivered by the merchant, yet the customer chooses to not pay for the item.
Surprisingly, friendly fraud is even more costly than stolen credit card data for merchants on an annual basis.
Did you know that false positives cost over 100 billion per year in lost sales? According to the 2018 AFP Fraud Survey, over 78% of institutions that process transactions were victims of payment fraud.
Product Replacement Fraud
Another kind of fraud that is found on e-commerce sites is product replacement fraud. You’ll like a new smartphone model and order it online. You have paid for the product and await the delivery.
The e-commerce site ships the product and it reaches you in due course. But when you unbox it, you find that instead of your new smartphone, there’s a brick or a low-cost digital phone inside it.
These frauds usually take place due to inside men. There’s somebody working inside the company who replaces the real product with a fake counterpart or a bogus product. In most of these cases, the packaging is just like a new product.
As a result, it’s hard for someone from the delivery services to replace the product and re-package. Though not entirely impossible, it is improbable.
These cases are extremely hard to identify since the company has to go through all the steps that the product undergoes in a delivery lifecycle.
Fraudulent Credit Card Payments
This is an off-shoot of the data theft cases. The personal information stolen from data theft is then used to make transactions which make it seem that the process is legitimate, even though it’s stolen.
However, online credit card transactions have become increasingly secure with the use of OTP (one-time passwords) which are used to verify if the credit card owner did, in fact, initiate the transaction.
Access to stolen credit card data continues to grow year over year, as it becomes easier for cybercriminals to purchase this data on the dark web, oftentimes in bulk. The worst part about this type of fraud is that it often goes unnoticed for months before the legitimate cardholder files a chargeback with their bank. In that time period, a fraudster could have been receiving months of free products or services.
How Does Payment Fraud Affect Businesses?
In order to understand how payment frauds affect businesses, first, we need to know how banks look at payment fraud. Why do we need to start with banks? Because they’re the ones who issue the card, dictate the flow of money and the refund procedure.
Currently, banking policy does not hold cardholders responsible in case of card-present and card-not-present frauds. This practice ensures that cardholders are not victimized and are safeguarded in case of fraudulent activity.
As a result, whenever there’s a card fraud activity, the investigation always turns towards the other concerned parties, which in case of e-commerce are online sites.
The sites are forced to refund the money and then start an investigation to identify the culprit. However, the mounting chargebacks take a serious toll on the financial health of the company. As a result, it cripples the ecosystem and the experience offered to the customer. It’s even more alarming for product lines which have lower profit margins.
A recent release by Razorpay shows that subscription-based sites or online businesses face the highest rates of fraud. They have to encounter 1.4 fraud transactions for every 100 subscriptions. This is mainly because subscription businesses are majorly card-based.
Unlike e-commerce sites, which offer pay-on-delivery options, subscription businesses cannot. As a result, the customer can later claim that the card was stolen and the site will be stuck with chargebacks.
Culprits use subscription services to test cards. Since subscription services generally offer trial subscriptions at low cost, the charge is small enough to go unnoticed by the card owner while still allowing the hackers to ‘test’ the card.
How To Protect Against Payment Fraud
In order to prevent payment fraud, there are a few steps which can help you. While all of them are fairly easy to understand conceptually, it takes extensive development and security testing experience to implement them.
Eliminating Risky Task Combos
It’s very important to be a multi-tasker these days. You need to be able to juggle different balls at the same time if you want to be a success.
But, it can also be a risk. Back-end POS systems work by assigning roles to users to ensure that each and every step of the customer lifecycle is properly monitored. However, overtasking resources can sometimes lead to burdening them with conflicting roles.
For example, the person creating a new payment in the system also has the right to approve it. These mistakes can take a toll on the credibility and financial health of the business. It’s always best to ensure a double approval process, where another set of eyes can verify the process. For example, changes in vendor data, payment approval, etc. should all require double approval.
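The check described above, written as an audit over role assignments and a payment log. This is an added example, not code from the original article; the role names, user names, payment IDs and record layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: pairs of duties that one person must not hold together.
CONFLICTING_ROLES = [
    ("payment_creator", "payment_approver"),
    ("vendor_editor", "payment_approver"),
]

# Constructed sample data standing in for a back-office export.
ROLE_ASSIGNMENTS = [
    ("alice", "payment_creator"),
    ("alice", "payment_approver"),   # risky combination
    ("bob", "payment_approver"),
    ("carol", "vendor_editor"),
    ("dave", "payment_creator"),
]
PAYMENTS = [
    {"id": "P-1001", "created_by": "dave", "approved_by": ["bob"]},
    {"id": "P-1002", "created_by": "alice", "approved_by": ["alice"]},
    {"id": "P-1003", "created_by": "dave", "approved_by": []},
    {"id": "P-1004", "created_by": "alice", "approved_by": ["alice", "bob"]},
]


def conflicting_users(assignments, conflicts=CONFLICTING_ROLES):
    """Return {user: [(role_a, role_b), ...]} for users holding a conflicting pair."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    findings = {}
    for user, held in roles.items():
        hits = [pair for pair in conflicts if set(pair) <= held]
        if hits:
            findings[user] = hits
    return findings


def independent_approvers(payment):
    """Approvers other than the creator; a repeated approver counts once."""
    return set(payment["approved_by"]) - {payment["created_by"]}


def release_blocked(payments, required=1):
    """IDs of payments lacking `required` approvals from someone other than the creator."""
    return [p["id"] for p in payments if len(independent_approvers(p)) < required]
```

Run against real exports, the first function reviews who could self-approve and the second finds payments that actually were self-approved or never approved.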
Inculcating Payment Best Practices
A payment gateway should inculcate the industry best practices to ensure it’s intuitive, easy-to-use and at the same time secure. No one likes to use a gateway that has frequent page timeouts or an OTP validity of only 30 seconds. These tend to create more problems than they solve.
Similarly, people don’t feel safe when they’re asked to transact on a platform without SSL encryption or double-step verification. As a result, the best payment gateway is one which meets all the factors. In a drive toward safer transacting in this way, search engine platforms like Google are now moving toward providing more authority to those websites that enable an SSL certificate on their site. There are a couple of levels to SSL security, but the base method does allow for a safer transacting platform.
Eliminate Payment Process Loopholes
You’ll be surprised to know how many companies leave loopholes in their systems. For example, a company’s vendor payment file needs to be uploaded to the bank’s server. In order to do so, they upload the file using a shared drive. However, this allows access to the file to any person with access to the drive.
As a result, anyone with access to the drive can make changes to the file. One of the ways to address these issues is by removing manual interventions and implementing automated processes. Automated processes reduce human errors, negate the need for human handling of files and the contents of those files, as well as save time and money for the company.
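One way an automated pipeline can detect edits made to the payment file while it sits on the shared drive. This is an added example, not code from the original article; the key, batch IDs and file contents are constructed, and it assumes the key is held by the payment system and the uploader only, never stored on the drive.

```python
import hashlib
import hmac

# Assumption: in practice this key comes from a secret store, not from source code.
SIGNING_KEY = b"constructed-demo-key"

# Constructed sample of a vendor payment file.
PAYMENT_FILE = (
    b"vendor_id,account_number,amount\n"
    b"V-100,DE00-CONSTRUCTED-0001,1250.00\n"
    b"V-200,DE00-CONSTRUCTED-0002,980.50\n"
)


def message_to_sign(batch_id, file_bytes):
    """Length-prefix the batch ID so ID and file content cannot be confused."""
    bid = batch_id.encode()
    return len(bid).to_bytes(2, "big") + bid + file_bytes


def seal(batch_id, file_bytes, key=SIGNING_KEY):
    """Run by the system that generates the file: HMAC-SHA256 over batch ID + exact bytes."""
    return hmac.new(key, message_to_sign(batch_id, file_bytes), hashlib.sha256).hexdigest()


def verify_before_upload(expected_batch_id, file_bytes, tag, key=SIGNING_KEY):
    """Run by the uploader: reject edited files and files sealed for another batch."""
    expected = seal(expected_batch_id, file_bytes, key)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    tag = seal("BATCH-2024-06-01", PAYMENT_FILE)
    edited = PAYMENT_FILE.replace(b"980.50", b"9980.50")  # constructed change on the drive
    print(verify_before_upload("BATCH-2024-06-01", PAYMENT_FILE, tag))  # untouched file
    print(verify_before_upload("BATCH-2024-06-01", edited, tag))        # edited file
```

Binding the batch ID into the tag also stops an older, validly sealed file from being swapped in for today's batch.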
Introducing best practices and standard operating procedures (SOPs) removes inconsistencies in dealing with vital processes. As a result, it reduces error and allows the company to plug operational loopholes and recognize inconsistencies in the system. One of the key facets of identifying fraud is being able to distinguish it from real transactions.
As a result, creating a company-wide standard operating procedure will allow you to find the most efficient and disciplined route for your business. These aspects are key to good data protection, data transfer, and system management methodologies.
Keep an Eye on Transaction Deviations
Extending from the previous point, while creating a disciplined operating procedure allows you to plug holes and create an efficient methodology, it also allows you to create a baseline.
This baseline will allow you to read activity and understand the markers of what constitutes a genuine transaction. The markers will also allow you to distinguish between those transactions which are genuine and those which are fraudulent in nature.
A versatile risk management policy helps, in this case, to sort and filter the noise from the real deal. Using machine learning and artificial intelligence can be the next big step to allow applications to identify fraudulent transactions in real-time.
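A small illustration of scoring a transaction against a baseline, using the order amount as the only marker. This is an added example, not code from the original article; the customer IDs, amounts, minimum-history rule and the choice of a median/MAD score with a 3.5 cut-off are assumptions made for the illustration.

```python
from statistics import median

# Constructed history: past order amounts per customer.
HISTORY = {
    "cust-1": [42.0, 38.5, 45.0, 40.0, 39.0, 44.0, 41.5],
    "cust-2": [12.0, 15.0, 11.0],   # too little history for a baseline
}

MIN_HISTORY = 5    # assumption: fewer past orders than this means no baseline
THRESHOLD = 3.5    # commonly used cut-off for the modified z-score


def baseline(amounts):
    """Median and median absolute deviation (MAD): robust to a few past outliers."""
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts])
    return med, mad


def deviation_score(customer, amount, history=HISTORY):
    """Modified z-score of `amount` against the customer's own baseline, or None."""
    past = history.get(customer, [])
    if len(past) < MIN_HISTORY:
        return None
    med, mad = baseline(past)
    if mad == 0:
        # Every past amount was identical: any different amount is a deviation.
        return 0.0 if amount == med else float("inf")
    return 0.6745 * abs(amount - med) / mad


def triage(customer, amount, history=HISTORY):
    """Return 'allow', 'flag', or 'review' when there is no baseline to compare with."""
    score = deviation_score(customer, amount, history)
    if score is None:
        return "review"
    return "flag" if score > THRESHOLD else "allow"
```

A production baseline would combine several markers, but the structure stays the same: learn what is normal per customer, score each new transaction against it, and route the outliers for a closer look.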
Online fraud will remain a contentious issue even in the days to come. The more we connect and transact online, the bigger the threat. Moreover, since we cannot eliminate it, the solution must be to remain on constant guard every single second. The only way to prevent online fraud is through vigilance, regulation, the use of robust systems, third-party checking organizations such as ours, and little human interaction with the systems.
A good example here is the 3D Secure (3DS) protocol that VISA had developed to keep its customers safe, and which has since been adopted by other card companies like American Express, MasterCard, and JCB International.
A similar process is the 2FA used in India, which is mandatory for all cardholders and card-issuing banks. The RBI has also mandated online alerts for all card transactions – even those where the cardholder physically swipes their card at a PoS system.
For all transactions considered suspicious, cardholders have the option to issue a ‘de-activation request’ immediately and hotlist their cards.
While a zero-fraud system will take some days to achieve, we are constantly building new processes to minimize fraud risk for all consumers. It’s a constant fight to understand the new ways fraudsters are finding to commit fraudulent transactions, and it’s our job to introduce you to the systems that combat them.
The very best prevention ultimately requires expertise in the whole subject. This is where IPQS can help save your organization from online threats. If you would like to know more or have a need for tighter controls and prevention of online fraud activities, then contact us today and one of our advisors will be happy to assist, providing the best course of action for your organization.