What is payment fraud, and what can business owners do about it?

It would’ve been hard for the average consumer two decades ago to imagine the ease and trust with which many of us use online payments today. In 2020, consumers spent over five trillion dollars sent over the Internet, and the contactless philosophy of pandemic life has only increased the ease of digital payment since then. 

These types of payments have made consumer lives easier, but they also open sellers and buyers up to a new avenue of risk. One of those risks is falling victim to payment fraud. 

What is payment fraud? It's an online illegal transaction committed by a cybercriminal with the goal of depriving the victim of properties, funds, or personal information. Payment fraud can take on a few different forms. 

What does payment fraud look like?

In one example, bad actors get their hands on sensitive financial information, such as a credit card number, through means such as phishing attacks, social engineering schemes, and data breaches. From there, fraudsters will then use the sensitive information to either make purchases or transfer funds. 

These attacks are bad enough for the primary victim, but if a fraudster uses stolen information to buy a good or service, then legitimate merchants might be left holding the bag. 

That’s because card or account holders who discover unauthorized transactions on their accounts have the option of opening a dispute with their financial institution. If victims successfully dispute the phony charges, they can often reclaim any stolen funds. 

The unfortunate downside is that businesses that may have thought they were doing business with a legitimate customer can be cheated out of both assets and revenue from transaction frauds.

In another type of payment fraud known as chargeback or “friendly” fraud, buyers file chargebacks on legitimate purchases in an attempt to scam merchants out of goods and services. Payment fraud can encompass different forms, but the common denominator is fraudulent payments made with the intention of depriving a victim of money or assets.

Types of Payment Fraud

Fraudsters may use any of the different types of payment fraud described below:

Identify Theft

When a criminal steals a victim’s financial or private information and uses it to make purchases as though they were the actual account holder, it’s both identity theft and payment fraud. The actual account owner might lose out on funds or, if they file a dispute with their bank, the merchant suffers the chargeback and associated fees. 

Card-Not-Present (CNP) Fraud

Identity theft can occur with a physical card or with digital banking information, but card-not-present or CNP fraud refers to fraudulent transactions made where a physical card isn’t necessary. 

In an example-based card fraud definition, a criminal will use card details to make illegitimate transfers or purchases over telephone, Internet, or mail–in other words, using any avenue where a card doesn’t have to be physically present. A criminal who uses credit card information from a data breach to make phony online purchases is one example of CNP fraud. 

“Friendly” or Chargeback Fraud

In friendly fraud, also known as chargeback fraud, a consumer places a legitimate order using their own financial information. Then, after receiving the goods or services, the consumer files a dispute with their financial institution to reclaim the money they’ve spent, even though the merchant has already held up their end of the deal. Victims of chargeback fraud lose out on products, resources, revenue, and can even face penalties from their payment processing provider. 

Authorized Push Payment Fraud

In authorized push payment fraud, a consumer is made to think they’re sending money to one place when in reality they’re sending it directly into a fraudster’s pocket. These transaction frauds take advantage of instant or real-time payment methods to literally take the money and run. 

With this type of fraud, a victim may receive an email or push notification they believe to be from a legitimate source, such as their school, a hired contractor, or a landlord. However, when the victim pays the requested amount, they soon realize that the message was fraudulent, with little recourse for reclaiming their money. Fraudsters can also intercept legitimate communications and substitute their own financial information to siphon funds from unsuspecting senders. 

These are a few common types of payment fraud, but they’re by no means the only ways that fraudsters will try to scam consumers and businesses. 

How Cyber Criminals Operate

Fraudsters are quite efficient at finding new ways to steal information online. In just one example, these criminals may attempt to spoof or mask their location to match that of an actual buyer’s and avoid detection by an IP checker. Fraudsters know that anti-fraud professionals have methods of combating them, so most of a fraudster’s toolkit will be ways to circumvent anti-fraud techniques. 

For instance, some cybercriminals will impersonate buyer behavior so that a fraud detection system doesn’t flag their purchases. They may try to replicate a typical customer journey by exploring the site, adding and deleting items from their cart, and following small purchases with larger ones. 

Don’t be fooled by their criminal career path: fraudsters can be very sophisticated in the ways they operate. Below are a few red flags business owners need to watch out for:

• The shipping address doesn't match the billing address of the customer 
• The billing address is different from the contact information on file with the card-issuing bank 
• Many small transactions use similar card numbers
• An unusually large amount of orders or bulk orders of the same item 
• Buyers may request orders to be rushed
• Buyers may attempt to send credit card information by email rather than using the website
• Large orders are placed in a small time frame 

Any small gap in a fraud detection system is a vulnerability that opportunistic fraudsters can exploit, so it’s vital that merchants stay on top of their security measures, as well as keep themselves up to date with the latest payments fraud trends. 

What to do after detecting payment fraud

When it comes to online payment fraud detection, “better safe than sorry” is a smart philosophy to hold. Merchants who suspect a transaction of being fraudulent should cancel it and potentially even bar that account from making orders in the future. In the case of chargeback fraud, merchants should be wary of large first-time orders and block buyers who file excessive chargebacks.  

How to reduce payment fraud

In the world of payments fraud prevention, most experts agree that the best offense is a good defense. Preventing fraud is all about having the proper safeguards in place to recognize and cope with suspicious or high-risk requests.

Automate where possible 

Machine learning grows by leaps and bounds every single day. Merchants can take advantage of the number-crunching capabilities of software and AI to automatically accept or reject orders using a data-based risk assessment. 

These technologies use payment fraud analytics and knowledge of payments fraud trends to learn what a fraudulent transaction may look like and respond by alerting the would-be victim. Far from the faults and slowdowns of manual review, automated fraud detection is a faster, more consistent solution for protecting the transaction process.   

Pay attention to location data 

Location data can be a powerful indicator in online payment fraud detection. For example, if a customer who typically makes orders from the United States suddenly begins making orders from Russia or another faraway country, that can be indicative of fraud. Red flags such as VPN usage or a blocked location can add risk to a transaction, and some fraudsters may even spoof their location to evade detection. 

Additionally, location data can be used as a passive authenticator for ensuring the validity of transactions. That’s why it’s critical that fraud prevention professionals take notice of location data when building their processes. 

Encrypt, encrypt, encrypt  

The less information fraudsters can get their hands on, the better. Many instances of payment fraud occur as a result of data breaches wherein users’ credit card information falls into the wrong hands. Business owners can avoid contributing to the problem by ensuring that they encrypt all sensitive data and keep their cybersecurity measures up to date. 

Use strong authentication processes

A combination of passive and active authentication methods can help merchants confirm whether the person performing the transaction actually has permission to do so. For instance, sellers might request extra information about a credit card such as the CVV number or associated zip code. Other solutions might include sending a code or one-time password to the buyer’s email or phone number to verify legitimacy.  

For less intrusive authentication, sellers can use passive authentication methods such as trusted location and/or trusted device data to verify that the buyer’s current location and device usage match their past history.   

In many ways, the part of the transaction process where money changes hands–whether digitally or in-person–is the most vulnerable piece of the entire payment process. Businesses want to sell their goods and services to legitimate customers, and consumers want to rest assured that they will receive what they paid for without their financial information being compromised. 

Payment fraudsters look for every opportunity to defraud both sellers and buyers, but that doesn’t mean that payment fraud has to be the cost of doing business. By following fraud prevention best practices and securing their transactions, merchants can take an active part in payment fraud prevention.