How To Detect (And Prevent) Online Credit Card Fraud — And Why You Need A Solid Strategy To Manage Fraud For Your eCommerce Business To Succeed
It’s hard to overstate the significance of the impact that eCommerce has had on the quality of our lives here in the early 21st Century. While in the past, consumers were limited to the choices provided by their local retailers and the closest big-box store, today anyone with a computer, an internet connection, and a credit card can obtain nearly any product or service they want from just about anywhere in the world. Unfortunately, it also makes it much easier for criminals to steal goods and services if they have access to these same tools.
Online payment fraud is simply any false or illegal transaction committed via the internet. It deprives the victim of goods, services, funds, or sensitive information – often without them being aware that this has happened to them until much later. In many cases, there will actually be two victims: the consumer whose information was stolen, and you, the merchant. Online fraud can involve not only fraudulent transactions, but also lost or stolen merchandise, or falsified requests for a refund. Fraud can be committed through email, instant messaging, or online auction sites. It can also occur through text messaging or even phone calls.
One common misconception among small business owners that we’d like to clear up right now is that they aren’t as lucrative a target for cybercriminals as the larger retailers, and therefore don’t need to be as thorough in protecting themselves from fraudulent activity. Unfortunately, this “it will never happen to me” attitude can make it far more likely that it will happen to you sooner or later.
The truth is that large businesses are a “hard target,” because they have the resources to fully defend themselves against fraud. Smaller companies lack these resources, and thus often present a much easier target to cyberthieves. A cybercriminal knows that he or she can make more money by exploiting several inadequately protected smaller businesses than by wasting time trying to break into a fully-defended larger business. Fortunately, there are many tools available to even the smallest companies that can dramatically lessen the likelihood that you’ll become a victim of online fraud.
In this article, we’ll discuss the various types of online payment fraud, whether it’s committed via credit card, debit card, eCheck/ACH, or any other payment method. We’ll also present some sobering statistics about the growth of online fraud in recent years. We’ll discuss the importance of having a strategy to deal with fraud, and describe the many “red flags” that can indicate a fraudulent payment. Finally, we’ll explain the numerous tools available to you that will help to protect your business from fraud. While the risk of becoming a cybercrime victim can never be completely eliminated, the use of all of these tools can protect your business and dramatically reduce the chance that you’ll experience a loss due to online payment fraud.
Table of Contents
- What Is Credit Card Fraud? Eight Types You Need To Beware Of
- The State Of eCommerce Fraud
- Why Not Having A Strategy To Deal With Credit Card Fraud Could Put You Out Of Business
- Six Red Flags That Can Signal Online Credit Card Fraud
- How To Prevent Credit Card Fraud: 19 Tools For Detecting & Preventing Fraudulent Transactions
- The Final Word On Credit Card Fraud Detection
What Is Credit Card Fraud? Eight Types You Need To Beware Of
Credit cards are usually the easiest and most convenient way for consumers to pay for their online purchases, so it’s no surprise that the majority of incidents of online fraud involve credit cards. However, other payment methods (including debit cards, eCheck/ACH payments, etc.) are just as susceptible to being used fraudulently if the consumer’s account information is compromised. Here’s a brief rundown of the eight most commonly recognized types of online payment fraud:
Account Takeover Fraud (Phishing)
You’ve probably already heard of phishing (more formally known as account takeover fraud). This is when a hacker obtains a victim’s online account information and uses it to make a fraudulent purchase. Unfortunately, phishing attacks often work by convincing the victim to voluntarily disclose this information. While a hacker might not break into your credit card account directly, they can sometimes get into other accounts for major online shopping sites and gain access to your stored payment method information.
Card Testing Fraud
Sometimes thieves will “test” stolen credit card information by attempting to make a small, insignificant purchase. If the transaction is approved, they go on to make larger, more lucrative purchases with the valid card information. Sometimes thieves will file chargebacks on each of these purchases. At around $15-25 per chargeback investigation, this can quickly get very expensive for merchants, with the cost in chargeback fees vastly exceeding the value of the stolen merchandise.
“Friendly” Fraud
Sometimes, a cybercriminal doesn’t have to steal someone else’s credit card information to commit fraud. With “friendly” fraud, a thief will use their personal credit card to make a purchase, then file a chargeback, claiming that the goods were never delivered. They get the goods for free after the issuing bank refunds their money, and you’re out the cost of the products and a chargeback fee.
A common scheme is for a thief to order a pizza, then file a chargeback after it’s been delivered. In this case, the thief has literally eaten the evidence! Unfortunately, “friendly” fraud is becoming more common as thieves have learned to take advantage of consumer-friendly policies in the processing industry. (And it’s not just thieves who commit friendly fraud — unhappy customers do too!)
Merchant Identity Fraud
Sometimes, the merchant is the criminal. Merchant identity fraud occurs when hackers present themselves as a legitimate business. They then solicit funds from unknowing victims or offer goods or services that are never delivered. While merchant services providers have gotten better at sniffing out this sort of activity, it’s still possible for a cybercriminal to sign up with a legitimate payment processing service and collect money from unknowing victims. If the hackers cannot be identified and held responsible, the merchant services provider will end up being held liable for the losses. This is one reason why a prospective merchant services provider will go to great lengths to investigate the nature of your business before approving you for an account.
Refund Fraud
Sometimes cyber thieves don’t want a particular product – they just want cash. Buying something online with stolen credit card information and then returning it for a refund that’s issued to the thief is an easy and increasingly popular way to score some quick cash at someone else’s expense.
True Fraud
True fraud is more commonly known as identity theft, and it’s probably the form of online fraud that you’re most familiar with. This type of fraud involves the classic scenario where a hacker illegally obtains a victim’s online account information (i.e., username and password) or their credit card information, and then uses that information to make purchases. They get the goods, and the victim gets the bill. Because issuing banks have made it relatively easy for victims of this type of fraud to dispute transactions they didn’t make, liability for the illicit purchase usually falls on you, the merchant.
Website Redirection
This form of fraud is also known as “pagejacking.” Sophisticated hackers are able to redirect traffic from your website onto a similar site that they’ve set up, where they’re able to obtain personal information or credit card data from unsuspecting customers.
Wire Transfer Fraud
This form of fraud involves the use of the banks’ wire transfer services for fraudulent purposes. A cybercriminal will pose as a legitimate business or government agency, then contact a victim and attempt to induce them to send money to a fraudulent address. These types of solicitations usually occur over the telephone, but can also occur online through email. Common scams of this nature typically involve telling the victim that they have won a large sum of money, but need to pay a “fee” to have it released.
The State Of eCommerce Fraud
Ever since eCommerce began in the 1990s, online fraud has been a problem. Online merchants can never have access to a customer’s physical credit or debit card, relying instead on account information such as card numbers, expiration dates, and CVV codes to authenticate transactions. While this information is sufficient to confirm the authenticity of an account, it’s never enough to firmly identify that the customer making the purchase is indeed the true owner of that account. Although many steps have been taken over the years to improve the security of online transactions, a 100% foolproof solution has yet to emerge.
In 2015, credit and debit cards with EMV (Europay, Mastercard, and Visa) or “chip” technology were introduced in the United States. Although the transition from the older magstripe technology to EMV hasn’t been very smooth, it has resulted in a dramatic decrease in card-present fraud due to the cryptographic features available with EMV chips. Retail credit card fraud rates dropped a whopping 82% between 2015 and 2018, and continue to be very low.
Unfortunately, the drop-off in card-present fraud has resulted in a dramatic increase in card-not-present fraud since EMV cards were introduced. Put simply, criminals who’ve been shut out of opportunities to commit retail fraud are now setting their sights on the lucrative (and still relatively vulnerable) eCommerce market instead. In 2016 alone, online fraud rates rose 33%. In 2017 and 2018, they rose an additional 30% per year.
According to LexisNexis, online fraud cost the eCommerce community 2.38% of total revenue in 2018 alone, and this rate continues to rise. Online fraud is expensive on both a per-transaction basis and as a percentage of total revenue. As of this year, the average online fraud incident costs a merchant $408 in lost goods or services. In comparison, the average legitimate online transaction is only $213. However, the cost of fraud far exceeds just the value of the stolen merchandise or services. On average, a merchant will suffer a loss of over $1100 per incident of fraud due to chargeback fees and other expenses incurred in fighting the chargeback.
Why Not Having A Strategy To Deal With Credit Card Fraud Could Put You Out Of Business
It’s far too easy for merchants to stoically accept that an occasional fraudulent transaction is just part of the “cost of doing business.” However, the statistics above show that total losses due to fraud can far exceed the cost of the fraudulent transaction itself. Chargeback fees, expenses incurred in investigating and fighting the chargeback, lost shipping costs, and other expenses can add up to far more than just the amount of a fraudulent order.
As a merchant, you should also consider that a single incident of fraud can lead to further fraudulent transactions. Once a cybercriminal does a “test run” and determines that you’re relatively unprotected, you can and should anticipate that you’ll be subject to many follow-on attempts to defraud your business. If you suffer a fraudulent transaction – even a very small one – it’s imperative that you identify the shortcoming in your security procedures that led to the incident and immediately take steps to strengthen your defenses before the cybercriminals try again.
Suffering from fraud can also lead to the loss of your merchant account, and with it the ability to accept credit and debit cards. Fraudulent transactions inevitably lead to chargebacks, and too many chargebacks over time may cause your provider to close your merchant account – often without prior warning. If this happens, you might be able to get a high-risk merchant account from a different provider, but these accounts are much more expensive than traditional low-risk accounts. If all of your sales are online, however, being without the capability to accept credit or debit cards for a significant length of time can quickly put you out of business altogether.
Six Red Flags That Can Signal Online Credit Card Fraud
Any online transaction can potentially be fraudulent, but some transactions should raise your suspicions more than others. Unusual transactions should be scrutinized more carefully than others before being approved and processed. While not constituting conclusive proof of fraud, the following “red flags” indicate a higher probability of fraud and should merit further investigation:
- Different shipping and billing addresses. Obviously, there are any number of legitimate reasons why a customer would want to ship an order to a different address. However, fraudsters almost always ship orders to somewhere other than their victim’s billing address. It’s in your best interest to verify the shipping address – just in case.
- Multiple orders of the same item. It’s not out of the ordinary for a customer to order multiple quantities of an item. However, if you see an order for an unusually large number of the same item from an individual customer (not a B2B order), you might want to check it out before you ship anything.
- Abnormally large orders. If an order represents a much larger ticket size than what your business normally averages, you should probably confirm that it’s legitimate before processing the transaction and shipping the goods. This not only protects you from fraud, but might also save you from having your merchant account shut down or the transaction held by your processor due to the unusually large ticket size.
- Multiple orders to the same shipping address with different payment cards. Again, we have to emphasize that there are plenty of legitimate reasons why a customer might want to do this instead of just putting all orders on the same card. However, it’s a hallmark of fraudulent activity and you should definitely make an inquiry with the customer before processing the orders.
- Unexpected international orders. If your business normally only processes orders in your home country, a sudden order that needs to be shipped to a foreign country should get your attention and warrant further inquiry before approval. As we’ll see below, some countries have significantly higher rates of online fraud than others.
- Velocity attacks. A velocity attack occurs when a hacker makes multiple attempts to run different credit card numbers in rapid succession. Often using bots, the idea is to keep trying until a number is found that works. While this is obviously fraudulent, a customer who’s having a hard time typing in their credit card number correctly can resemble a velocity attack.
How To Prevent Credit Card Fraud: 19 Tools For Detecting & Preventing Fraudulent Transactions
If the above information has you convinced that there’s nothing you can do to prevent online fraud from impacting your business, don’t worry. There are plenty of tools – both manual and automatic – that can flag suspicious transactions for you and lower the risk of a fraudulent transaction slipping through. While it’s not possible to ensure 100% total protection, using all of the tools described below will give you the best level of protection available today. Be aware, however, that this list is not inclusive. Processors are continually working to develop new anti-fraud tools, and your provider might have other services available to help secure your account than just the ones listed below.
- Use a verified merchant services provider. Although all providers claim to offer a complete suite of automated tools and features to protect against fraud, some are more effective than others. Look for good reviews (like ours!) and watch out for complaints from other merchants regarding poor account security. You’ll also want to determine whether a prospective provider offers anti-fraud tools as a standard account feature, or if they’re only available as an optional add-on. While it’s definitely worth paying a little extra for additional security, we generally prefer to see providers offer fraud protection without charging extra for it.
- Use manual (human) screening. Both you and your employees should understand how to spot suspicious buying activity that raises one of the “red flags” we’ve discussed above. In most cases, it’s a better idea to contact the customer directly to verify the order, rather than blocking it automatically and potentially alienating a legitimate shopper.
- Use the Address Verification Service (AVS). An AVS mismatch is a strong indicator that the order is fraudulent, as a hacker using stolen payment information is unlikely to know the actual card owner’s physical address. Most merchant services providers mandate the use of AVS for all eCommerce transactions, so this tool is already part of your merchant account.
- Confirm the buyer’s location. Geolocation and IP address verification tools can confirm with reasonable certainty that the customer’s IP address matches the billing and shipping addresses provided. This method of detecting fraud will not be 100% effective if a legitimate customer is placing an order while traveling, but can often catch suspicious transactions in most other circumstances. Unfortunately, some countries have significantly higher rates of online fraud than others. The “usual suspects” include countries such as Russia, Nigeria, Pakistan, and Indonesia. However, other countries such as Romania, Bulgaria, and even Israel also have high rates of online fraud. Note that “proxy piercing” technology provides some defense against hackers who intentionally mask their IP address using tools available on the Dark Web.
- Use CVV (and CVC) checks. Card Verification Values (CVV) and Card Verification Codes (CVC) are three- or four-digit codes that are printed on the back of all credit and debit cards. Whenever possible, you’ll want to obtain and match the cardholder’s code against the value submitted with an order. Unless the card in question has been physically stolen, it’s unlikely that a hacker will have access to this information. As with AVS, many merchant services providers will require the use of CVV/CVC checks before accepting any online transaction.
- Use Verified by Visa and 3D Secure. These anti-fraud tools allow customers to create a unique Personal Identification Number (PIN) to authenticate their identity when placing an online order. For more information on these two programs, see our article, What Are Verified By Visa And 3D Secure?.
- Use device fingerprinting. Device fingerprinting looks at a computer device’s operating system, unique device identification number, and other available information to see if that device has been used to make fraudulent transactions in the past. Device fingerprinting tools are usually available via third-party providers, such as ThreatMetrix.
- Use tokenization and encryption. These security measures are now standard features of most modern payment gateways. Encryption protects your customers’ card data while it is in transit during a legitimate online transaction, and tokenization replaces the stored card number with a substitute token so that the real number never has to sit on your own systems. Using both is an essential step in keeping your merchant account PCI compliant.
- Use velocity attack protection tools. As we’ve noted above, velocity attacks involve repeated attempts to place an order with different credit card numbers, often with the use of a bot. These types of attacks can be detected and blocked by IP address using payment gateway security tools.
- Use biometric identity verification tools. As you might imagine, biometric tools, such as fingerprint readers, are not ordinarily available to eCommerce merchants. However, they can be set up if you allow users to pay on your site using digital wallets, such as Apple Pay on the Web or Google Pay. In this case, the user’s device becomes the biometric tool, using a built-in fingerprint reader or Face ID technology to authenticate the consumer’s identity.
- Set flexible refund policies. Buyers are more likely to file a chargeback if they can’t return an item due to an overly strict refund policy (i.e., the allowed refund window is too short). You can cut down on “friendly” fraud by giving your legitimate customers a reasonable amount of time to complete a return.
- Emphasize order fulfillment. Ensure that all orders ship promptly and verify that they’ve been delivered. Delivery tracking can provide proof that the goods were delivered and received, helping to protect against “friendly” fraud.
- Ensure high-quality customer service. Quite frankly, offering poor customer service will increase your risk of fraud as customers become frustrated with doing business with you. Strive to provide the best possible customer service during business hours, and, if you have the resources, offer 24/7 customer service via both telephone and email. After-hours customer service can be outsourced (just in case you like to be able to sleep at night).
- Provide high-quality employee training. Employee training goes hand-in-hand with manually screening all orders (see above). You must ensure that all employees who handle orders are adequately trained to spot signs of fraud and know what to do if they see something suspicious. This training needs to be an ongoing process, with frequent refreshers to remind employees of what to look for and to update them on the latest developments in anti-fraud procedures.
- Ensure that your merchant account is PCI-compliant. This one is not optional. You must maintain PCI compliance standards to safeguard your customers’ credit card data. Being out of compliance will increase the risk of a data breach, which in turn will result in more incidents of fraud as hackers exploit the data they’ve stolen. Even if you don’t suffer a data breach, your merchant account provider will penalize you with a PCI non-compliance fee (on top of whatever they’re charging you for PCI compliance) for every month that your account is out of compliance. Note that following the proper PCI compliance steps will not completely eliminate the chance of a fraudulent transaction. However, it serves as a strong defense when an incident occurs. The most critical steps in PCI compliance include configuring and using a firewall to secure your website, performing frequent antivirus scans, following good password security measures, and using SSL certificates (i.e., “https:”) for your site.
- Analyze actual incidents of fraud. If you experience an actual fraudulent transaction, you’ll want to go back and determine how it happened and what you can do to make it less likely that it will happen again in the future. If you uncover any weaknesses in your defenses, you’ll obviously want to make some changes.
- Practice good chargeback mitigation strategies. Chargebacks and fraud are two separate subjects, but they tend to go hand-in-hand in many cases. You’ll want to implement the commonly recognized best practices to prevent chargebacks and successfully defend against them. See our article, The Complete Guide To Preventing And Winning Chargebacks, for more information.
- Upgrade to the latest in payment technology. If your business also makes retail sales, you’ll want to use EMV-compliant equipment exclusively for accepting credit and debit cards. EMV has been the default standard in the United States for card-present transactions, although there are still many businesses that haven’t adopted it and are putting themselves at risk for fraud. NFC payment methods (such as Apple Pay and Google Pay) should also be added, if you haven’t done so already. NFC is more convenient for consumers and even more secure than either magstripe or EMV payment methods.
- Use multiple fraud detection tools. It’s essential that you don’t rely exclusively on any one tool we’ve discussed above. Instead, use a layered approach that incorporates firewalls, good password security measures, use of AVS, and CVV/CVC checks to protect your business. Automated fraud scoring tools, such as IP geolocation, AVS, CVV, and device fingerprinting tools, can be used together to determine a fraud probability score. You can then set your payment gateway to automatically flag or decline transactions that score high enough to raise a reasonable suspicion of being fraudulent. Also, be sure to re-screen orders that are modified by the customer after being placed, but before the goods have been shipped. At the same time, don’t be too trigger-happy when it comes to blocking transactions. Frequently screening out legitimate transactions will frustrate your customers and cost you their business. In an era where anyone can post their opinion of a business online, this could really hurt you in the long run.
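As an added example (not code from this article or from any provider it mentions), here is a small Python model of the layered scoring approach just described: it turns the red flags from the earlier list (shipping/billing mismatch, large ticket, international order, velocity) and the AVS, CVV, geolocation and device-fingerprint signals into one score, and routes each order to approve, review or decline. The weights, thresholds, IP addresses and orders are constructed assumptions; the "review" tier exists so borderline orders get a phone call rather than an automatic block.

```python
"""Layered fraud scoring over a constructed order log (illustration only).
Weights, thresholds, IP addresses and orders are assumptions, not real data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: int                 # seconds since epoch (constructed)
    ip: str
    ip_country: str         # result of a geolocation lookup
    billing_country: str
    ship_same_as_bill: bool
    avs: str                # "Y" match, "N" mismatch, "U" unavailable
    cvv: str                # "M" match, "N" no match
    amount: float
    card_last4: str         # stands in for card identity; never log full PANs
    device_id: str          # device fingerprint

# Assumed weights; a gateway would tune these from its own chargeback history.
WEIGHTS = {
    "avs_mismatch": 35, "cvv_mismatch": 35, "geo_mismatch": 20,
    "ship_differs": 10, "large_ticket": 15, "velocity": 70,
    "known_bad_device": 50,
}
REVIEW_AT, DECLINE_AT = 40, 70   # review = contact the customer, not auto-block


def velocity_ips(orders, window=300, max_cards=3):
    """IPs that tried more than max_cards distinct cards within window seconds."""
    by_ip = defaultdict(list)
    for o in sorted(orders, key=lambda o: o.ts):
        by_ip[o.ip].append(o)
    flagged = set()
    for ip, hist in by_ip.items():
        start = 0
        for end in range(len(hist)):          # sliding time window over one IP
            while hist[end].ts - hist[start].ts > window:
                start += 1
            if len({o.card_last4 for o in hist[start:end + 1]}) > max_cards:
                flagged.add(ip)
                break
    return flagged


def score_order(o, typical_ticket, flagged_ips, bad_devices):
    """Return (score, reasons); each reason is one red flag that fired."""
    checks = [
        ("avs_mismatch", o.avs == "N"),
        ("cvv_mismatch", o.cvv == "N"),
        ("geo_mismatch", o.ip_country != o.billing_country),
        ("ship_differs", not o.ship_same_as_bill),
        ("large_ticket", o.amount > 3 * typical_ticket),
        ("velocity", o.ip in flagged_ips),
        ("known_bad_device", o.device_id in bad_devices),
    ]
    reasons = [flag for flag, hit in checks if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    if score >= DECLINE_AT:
        return "decline"
    return "review" if score >= REVIEW_AT else "approve"


def screen(orders, typical_ticket=60.0, bad_devices=frozenset()):
    """Map order_id -> (decision, score, reasons) for a batch of orders."""
    flagged = velocity_ips(orders)
    result = {}
    for o in orders:
        score, reasons = score_order(o, typical_ticket, flagged, bad_devices)
        result[o.order_id] = (decide(score), score, reasons)
    return result


# Constructed sample: A1 is clean; B1-B4 are a card-testing burst ($1 charges,
# four different cards from one IP within 30 s); C1 is a traveller shipping
# to a hotel, which should land in review rather than be declined outright.
SAMPLE = [
    Order("A1", 1000, "203.0.113.5", "US", "US", True, "Y", "M", 54.0, "1111", "dev-a"),
    Order("B1", 2000, "198.51.100.7", "RO", "US", True, "N", "M", 1.0, "2222", "dev-b"),
    Order("B2", 2010, "198.51.100.7", "RO", "US", True, "N", "N", 1.0, "3333", "dev-b"),
    Order("B3", 2020, "198.51.100.7", "RO", "US", True, "U", "M", 1.0, "4444", "dev-b"),
    Order("B4", 2030, "198.51.100.7", "RO", "US", True, "N", "N", 1.0, "5555", "dev-b"),
    Order("C1", 3000, "192.0.2.9", "CA", "US", False, "Y", "M", 250.0, "6666", "dev-c"),
]

if __name__ == "__main__":
    for oid, (decision, score, reasons) in screen(SAMPLE).items():
        print(f"{oid}: {decision:7} score={score:3} {reasons}")
```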
The Final Word On Credit Card Fraud Detection
As you’ve probably gathered from all the information we’ve presented so far, payment fraud is a real and growing threat to your online business. While it’s not possible at this time to build a completely foolproof defense against it, you can minimize your chances of letting a fraudulent transaction slip through by following common-sense practices and implementing the anti-fraud tools we’ve discussed above.
Protecting your business from fraud is an ongoing process, as fraudsters are constantly finding new ways to get around the latest anti-fraud measures. They aren’t going to give up just because one particular avenue of attack has closed on them, and neither should you. Securing your account is a never-ending effort that will require coordination between you, your employees, and your merchant account provider.
Many of the tools we’ve discussed above can be implemented by you as the business owner without the help of other parties. At the same time, a lot of the newer anti-fraud measures available today will require installation and configuration by your merchant services provider or gateway provider.
One thing we’ve noted over the course of reviewing dozens of merchant services providers is that they all take payment security and anti-fraud measures very seriously. This includes even the worst providers on the market (of which there are quite a few). The difference is that a low-quality provider will often offer you only the most basic anti-fraud tools, and they’ll usually charge you extra for them. Protecting your account from fraud is extremely important, but you shouldn’t have to pay an unreasonable amount of money for anti-fraud tools – especially when other providers include the same tools as a standard feature with your account.
In evaluating a potential merchant services provider, look carefully at what types of anti-fraud tools they offer, and whether these come with your account. The best providers will include a full range of essential anti-fraud tools with your account, although more specialized services might be offered as an optional add-on for a reasonable fee. Paying a little extra to secure your account against payment fraud is a worthwhile investment, especially considering the potential costs of suffering a data breach or a fraudulent transaction that slips through your defenses. For some recommendations of great merchant services providers that specialize in serving the eCommerce community, check out our article, The Best Online Credit Card Payment Processing Companies.
My ecommerce site was hacked and used for card testing; 40k transactions were processed in a 2.5 hour period. My card processor EVO charged me $10,084 for processing fees and will not return it. Is this fair... legal? I am looking for solid advice to help me, David, to understand if there is legal recourse dealing with this Goliath. Thanks
Hi Dan,
That’s terrible! Unfortunately, we don’t offer legal advice; you’d be much better served by reaching out to an attorney in your area that specializes in this area of practice. We are so sorry this happened to you and hope you can get it resolved! Best of luck to you.