Instances of payment fraud are on the rise. Ask most merchants, and they'll tell you they've seen an uptick in attempted online payment fraud against their business and customers.
Several factors are driving this trend. First, there has been an overall increase in online transaction volumes in the last few years. This increase has created more opportunities for bad actors to launch fraudulent attacks against businesses, especially those who've yet to invest in adequate fraud prevention solutions.
Then there is the current economic environment. Challenging economic conditions usually embolden fraudsters to pursue higher-value, higher-risk opportunities. They also encourage others to chance their luck using chargebacks to commit friendly fraud.
The most significant trend, however, is recent technological developments, not least the sudden availability of advanced AI tools. In the hands of fraudsters, these tools can wreak havoc, increasing the scale and sophistication of fraudulent attacks.
This blog will explore the various methods fraudsters use to target businesses and execute payment fraud, and the payment fraud prevention tools merchants have available.
Payment fraud is a catch-all term for any fraudulent activity conducted by an individual or organization to make unauthorized transactions or to illegitimately obtain money, goods, or services by other means.
Payment fraud can happen in the physical world by using a stolen card to make purchases. Or it can occur in the digital world through various means, which we'll explore in this blog.
Merchants will lose an expected $48 billion globally to payment fraud in 2023.
65% of organizations were victims of payment fraud attacks/attempts in 2022.
22% of adults in the US were a victim of an account takeover in 2022.
60% of merchants have reported increased first-party misuse disputes since 2021.
Here are some of the most common forms of payment fraud that merchants experience today. But payment fraud is anything but static. Fraudsters constantly devise new and innovative ways to commit online payment fraud.
Account Takeover fraud is one of the most common forms of fraud. About 22% of adults in the United States have experienced an ATO, resulting in an average loss of $12,000 per incident.
This approach involves fraudsters gaining unauthorized access to someone's account through phishing, credential stuffing, or brute force attacks. Once inside, they change login details and engage in nefarious activity, causing financial loss, data theft, and other unfavorable outcomes.
This fraud doesn't only affect individuals; merchants also bear the brunt. If the fraudster uses saved card details to make purchases, merchants might need to contend with costly chargebacks. There's also a risk to the merchant's reputation. Studies reveal that individuals usually blame the merchant for the breach, regardless of fault.
Bank Identification Number (BIN) Fraud poses a significant risk. This strategy involves cybercriminals employing brute-force methods to deduce valid credit card details, including the card number, expiration date, and card verification value (CVV). Once they crack the code, they initiate card testing – executing small transactions to confirm the card's viability for illicit purposes.
One way perpetrators execute these attacks is by gaining control over computers through malware, forming a network of compromised devices called a botnet. They then utilize the collective processing power to test numerous combinations within minutes.
As with the ATO fraud we discussed earlier, individual consumers are the victims. However, there are implications for merchants who fail to detect the signs of a fraudster executing a BIN attack. Banks might view such merchants as susceptible to testing fraudulent cards, straining the bank-merchant relationship. Moreover, individuals who spot the charges on their bank statements might associate the merchant's name with fraudulent activity. And then there is the cost of dealing with chargebacks raised due to the attack.
Chargeback fraud occurs when an individual completes a purchase, receives the corresponding goods or services, and subsequently raises a dispute, falsely claiming non-receipt or unauthorized activity to reverse the transaction. This technique is often termed 'friendly fraud,' a name that stems from the misunderstandings that lead genuine customers to take this route.
Here's a typical example. A teenager, Sarah, borrows her mom's credit card to purchase a new video game online. Sarah's mom is initially unaware of this. A few days later, Sarah's mom receives her credit card statement and notices the charge for the video game. Not recognizing the charge or the name of the game company, she decides to initiate a chargeback with her bank, believing it might be a fraudulent transaction. In this case, Sarah's mom is committing friendly fraud unintentionally.
Friendly fraud, however, is becoming less friendly. Recent research shows that more customers are deliberately gaming the chargeback mechanism to combat the cost of living crisis. Data from Sift found one in four consumers admitted to committing friendly fraud. And overall, merchants noted they've experienced a 35% rise in chargebacks between Q1 and Q4 2022.
And it comes with a considerable cost, with merchants estimating they have to spend $35 (USD) to manage friendly fraud for every $100 they face in disputes, according to the MRC’s latest report.
Coupon Abuse: Coupon abuse involves using coupons in ways the issuer does not intend. This can include applying multiple coupons to a single purchase when only one is allowed, altering or forging coupons, sharing unique coupons for individual use, or using expired coupons. Such actions can result in unintended financial losses for businesses and disrupt their marketing strategies.
Discount Abuse: Discount abuse involves exploiting discounts, deals, or promotional offers in unethical or unintended ways. For instance, individuals might manipulate online shopping carts to get more significant discounts than intended, use discounts on items they are not eligible for, or combine discounts inappropriately to obtain products or services at significantly reduced prices.
Refund Abuse: Refund abuse involves exploiting a business's return or refund policy. This can include returning items that have been used, damaged intentionally, or without a valid reason for the sole purpose of getting a refund. Some people might repeatedly buy products, use them briefly, and then return them to take advantage of a lenient return policy.
In the long run, such abuses can lead to financial losses for businesses, which might result in stricter policies or higher prices for all customers to compensate for the losses.
This is very much what it says on the tin. Fraudsters gain access to an individual's card, either digitally by purchasing their credentials on the dark web or by stealing a physical card.
The fraudster will then make purchases using the card, which the merchant will accept and ship unknowingly. Once the legitimate cardholder becomes aware, they will raise a dispute, seeing the business lose the payment amount and the cost of any goods or services already provided.
Synthetic Identity fraud is a newer, advanced, and fast-growing form of fraud. In short, it sees fraudsters combine a mixture of genuine personal information—usually stolen or purchased on the dark web—with fake details to create an entirely new, fictitious identity.
Once the identity is established, the fraudster usually bides their time, acting like any other individual, opening accounts, taking out credit cards and loans. Then, they will strike, maxing out all their accounts and riding off into the sunset.
Not only is this form of fraud incredibly destructive, it's also tough to detect: it involves a combination of real and fake information, making it difficult for traditional verification processes to identify these cases. Additionally, the fraudulent activity might only be discovered once significant damage has been done.
Triangulation fraud is an incredibly complex form of online fraud. It sees fraudsters wedge themselves between a merchant and a legitimate customer. They pose as merchants, taking in orders. However, instead of managing their inventory, they exploit stolen cardholder information to buy products from a third party and send them to the buyer. When the cardholder eventually recognizes the fraudulent activity, they initiate a chargeback to reclaim their funds.
Defining an effective strategy to fight fraud goes beyond the simple goal of preventing fraudulent activities. It's a delicate balancing act. While stringent measures might deter a vast majority of fraud attempts, they could unintentionally discourage legitimate customers, leading to costs potentially higher than the fraud losses themselves.
On the other hand, adopting a lenient approach brings its own set of problems. This can result in penalties, increased processing costs, damage to reputation, and, in extreme cases, the suspension of card payment acceptance by payment schemes.
The key lies in assembling a cross-functional team encompassing fraud, payments, go-to-market, risk, finance, and leadership experts. Collaboratively, this group must determine where the business sits on this spectrum and define its risk tolerance. It should reconvene a few times yearly to ensure that stance still aligns with the overall business goals.
The next step involves ensuring the company has the appropriate tools to carry out fraud monitoring and implement its strategy to prevent payment fraud. There are plenty of options to choose from.
One approach is to build an in-house customized fraud prevention system. While this could yield a tailored set of tools aligned with the specific business requirements, the development and maintenance costs can be substantial. Alternatively, businesses can leverage the expertise of specialized fraud prevention tools available in the market. These tools generally come in two main categories:
Fraud prevention tools from Payment Service Providers (PSPs):
Many comprehensive PSPs offer advanced fraud prevention solutions. Notable examples include Checkout.com's Fraud Detection Pro, Adyen's RevenueProtect, and Stripe's Radar. These tools typically provide robust functionalities, utilizing the PSP's network data to identify and prevent fraud within the merchant's defined risk threshold. However, these are often considered "value-added services" and come with associated costs. Additionally, they are limited to preventing fraud only on transactions processed through that specific PSP.
Fraud prevention tools from Specialized Third-Party Providers:
Companies like Forter, Riskified, Sift, and Signifyd also provide fraud prevention solutions. These providers offer a range of tools to combat payment fraud, incorporating AI and traditional rules-based fraud detection methods. The advantage here is that these solutions are vendor-agnostic, allowing merchants to channel their entire transaction volume through the system, providing a more comprehensive level of protection. Moreover, these tools have expanded their offerings beyond payment-related fraud to encompass broader risk management solutions.
Merchants should forge alliances with law enforcement, vendors, and industry bodies to exchange insights and promote cooperation. This joint endeavor is pivotal in building a secure digital economy that benefits all its participants.
There is no one-size-fits-all approach to prevent payment fraud. There are, however, a number of tools at a merchant's disposal. These include:
3D Secure (3DS): Using 3D Secure adds an extra layer of protection to online credit and debit card transactions, requiring the cardholder to provide an additional authentication step, usually a password or code, to verify their identity.
Address Verification System (AVS) checks: AVS checks compare the billing address provided during a card transaction with the address on file with the card issuer to help verify the transaction's authenticity.
Card Verification Value (CVV) checks: CVV checks involve entering the three-digit code on the back of a credit or debit card during a transaction, adding an extra layer of security by confirming the cardholder's physical possession of the card.
Blacklisting & Whitelisting: Blacklisting involves identifying and blocking known fraudulent entities or activities from accessing a system or making transactions, while whitelisting permits only approved entities or actions, enhancing security and reducing risks.
ID Verification: ID verification is a process where a person's identity is confirmed by presenting official identification documents, such as a driver's licence or passport, to prevent unauthorized access or fraudulent activity. Tools to effectively identify customers are offered by providers such as Onfido.
Network Tokens: A network token is a substitute value used in place of sensitive card information during transactions, enhancing security by reducing the exposure of actual card data.
Robust policies and procedures: In the context of chargebacks, robust policies and procedures refer to well-established and thorough guidelines that organizations have in place to manage and address instances where customers dispute or reverse credit card transactions, ensuring a consistent and effective approach to handling such situations and minimizing financial losses.
Specialist fraud prevention providers: Companies such as Riskified, Forter, Sift, and Signifyd specialize in offering advanced tools, technologies, and expertise to help businesses detect and prevent fraudulent activities in their operations.
Transaction monitoring: This involves continuously observing and analyzing transaction data in real time to identify unusual patterns, behaviors, or inconsistencies that could indicate fraud or other illicit activities.
Two-factor authentication: Two-factor authentication (2FA) requires users to provide two different authentication factors, usually something they know (like a password) and something they possess (like a smartphone-generated code), increasing the security of online accounts.
Velocity Checks: Velocity checks monitor the frequency and volume of transactions originating from a specific source, helping to identify and prevent unusual spikes in activity that might indicate fraudulent behavior.
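The velocity check described above, applied to the card-testing pattern from the BIN fraud section, as an added example that is not from the original post or from any provider it names. The thresholds, field names, and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds are assumed values for illustration; tune to your risk tolerance.
WINDOW_SECONDS = 60      # sliding-window length
MAX_ATTEMPTS = 5         # attempts allowed per source inside the window
MAX_CARDS_PER_BIN = 3    # distinct cards sharing one BIN allowed per source
MAX_DECLINE_RATIO = 0.6  # tolerated share of declined attempts

def velocity_alerts(attempts):
    """Return {source: reason} for the first rule each source trips.

    attempts: (timestamp_s, source, card_token, bin6, approved) tuples sorted
    by timestamp. card_token is a token or hash, never a raw card number.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, source, card, bin6, approved in attempts:
        win = windows[source]
        win.append((ts, card, bin6, approved))
        while ts - win[0][0] > WINDOW_SECONDS:  # drop attempts outside the window
            win.popleft()
        if source in alerts:
            continue
        cards_per_bin = defaultdict(set)
        for _, c, b, _ok in win:
            cards_per_bin[b].add(c)
        declined = sum(1 for *_, ok in win if not ok)
        if max(len(cards) for cards in cards_per_bin.values()) > MAX_CARDS_PER_BIN:
            alerts[source] = "many distinct cards under one BIN"  # enumeration
        elif len(win) > MAX_ATTEMPTS and declined / len(win) > MAX_DECLINE_RATIO:
            alerts[source] = "high volume, mostly declined"       # repeated guessing
        elif len(win) > MAX_ATTEMPTS:
            alerts[source] = "attempt volume above limit"
    return alerts

# Constructed sample: one ordinary shopper and one source cycling through cards
# under a single BIN with small, mostly declined attempts (card testing).
SAMPLE = sorted(
    [(0, "203.0.113.7", "tok-A", "411111", True),
     (400, "203.0.113.7", "tok-A", "411111", True)]
    + [(10 + 2 * i, "198.51.100.9", f"tok-T{i}", "545454", i == 5) for i in range(6)]
)

if __name__ == "__main__":
    print(velocity_alerts(SAMPLE))
```

Keying the window on a single source such as an IP address misses attempts spread across a botnet, so the same function can be run with the BIN or a device fingerprint as the source key.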
As a unified payments infrastructure, Primer provides merchants with various tools to combat fraud. These include allowing merchants to seamlessly integrate with specialist third-party fraud prevention providers and availing their services across all their payment flows without making multiple integrations.
Primer also offers features such as Adaptive 3DS, Network Tokenization, Observability Monitors and Alerts, as well as customizable workflows that enable merchants to set a rule to automatically decline payments that stem from a particular market, issuer, or individual cardholder.