Payment fraud can be devastating for merchants as well as e-commerce customers.
As the volume of e-commerce transactions continues to increase, so too does the risk of fraudulent activity when making or accepting payments online.
With many different forms of fraud on the rise, merchants need to be prepared. One surefire strategy for protecting an e-commerce store is using a fraud management system that can detect and protect against fraud while also helping to manage any disputes. Merchants can also take advantage of many more tools that fight fraud and separate legitimate transactions from the illegitimate to keep them secure.
This article is a comprehensive guide to payment fraud. It lists the most common forms of payment fraud most merchants encounter today. Later, we offer practical advice on how to prevent fraud from compromising your brand and damaging your business operations.
Why is Payment Fraud a Serious Issue for Every Merchant?
When Does Payment Fraud Occur?
7 Tactics for Fighting Payment Fraud
Research shows that the volume of fraud is growing, with cybercriminals becoming increasingly sophisticated and successful.
On average, merchants deal with some 206,000 web attacks per month. In a given month, daily attack volumes in online retail shops can reach up to 75,000 on Days 15 and 30 alone. Why those two days? Many companies issue paychecks at the middle and end of the month, which leads to increased online shopping volume – and a great opportunity for fraudsters to get away with their activities.
Cybercriminals are also getting better at their job. In 2020, the rate of successful monthly fraud attempts increased by 43% to 48% for mid-to-large retailers and 27% for smaller retailers.
How much does fraud cost e-commerce businesses? A study from Juniper Research found that losses caused by online payment fraud will exceed $206 billion cumulatively for the period between 2021 and 2025.
At the same time, merchants are experiencing a 9% average year-over-year increase in the volume of fraud attacks they see every month.
Fraud can occur for e-commerce merchants in many different ways. The use of stolen or fake cards as well as false identities, fraudulent advertising, and affiliate fraud can all harm your online shop.
When a customer engages in fraud, the retailer absorbs this cost, impacting revenue. Unlike in-store fraud, cybercriminals can conduct online fraud with personal and credit card information, and the card doesn’t need to be present for the transaction.
In some cases, fraudsters steal personal and financial information and sell it on the black market. This type of criminal fraud is the most severe – but merchants also face other types of customer fraud, such as chargeback fraud, where the customer intentionally files a chargeback to gain a free product and avoid payment. In some cases, the consumer will even claim the item didn’t arrive at all or that they never purchased it in the first place.
Why is e-commerce fraud so prevalent today? One reason is that prosecutions are rare due to time and resource constraints as well as the burden of gathering evidence. Since fraud occurs online, the perpetrators often reside in other countries.
As online payments become ever more prevalent, high-quality fraud detection and prevention management systems are essential to protect your store’s reputation and prevent e-commerce revenue from being lost to malicious actors.
Before you start implementing more payment security tools and strategies, let’s look at the types of fraud that can occur on a typical e-commerce site.
Fraudsters can use identity theft to commit another crime or as an end goal in itself. Credit card information gets stolen in 41% of identity fraud cases. For example, a criminal might steal credit card information to purchase more goods online or open fake accounts. Fraudsters will also impersonate real customers to create fake accounts and trigger fraudulent transactions.
Clean fraud involves using stolen credit card information to impersonate cardholders without alerting businesses that a particular account has been compromised. This allows criminals to purchase goods online without raising suspicion.
Fraudsters can get hold of credit and debit card details by tricking people into making purchases on a fake website, intercepting messages between the two parties of a transaction, or buying them on the dark web.
When fraudsters are part of an affiliate program that generates commission, they can manipulate traffic or signups to make the company running the program think they’re getting actual attention and business when they’re not.
This can be as simple as refreshing a webpage multiple times or sending multiple spam emails or pop-ups.
Triangulation fraud requires the cooperation of three different parties: a fraudster, a customer, and an e-commerce site.
The fraudster sets up a storefront that sells high-demand goods at competitive prices. Once customers place orders on the fraudster’s website, the fraudster uses stolen credit card numbers or other types of payment data to purchase legitimate goods from your e-commerce website.
While the fraudster’s store customers may be receiving real goods for an unbelievably low price, the victims are those whose credit card information has been stolen. Your business also loses as you end up shipping real items our to the fraudster.
Phishing scams are as old as the internet itself. A phishing scam is often based on email solicitations asking for sensitive account information.
Recently, there has also been an increase in scammers posing as e-commerce retailers. They send emails disguised as order or delivery confirmations and ultimately aim to extract sensitive account data or lead victims to a fraudulent site.
Links in phishing emails often go to trap sites loaded with viruses, malware, or other hacking-related misfortunes. Experts recommend hovering over suspicious links rather than clicking on them immediately.
Pagejacking is when hackers create a fraudulent web page that mimics an existing site. More advanced cases involve pagejacking a high-ranking site and siphoning off its search engine traffic.
Pagejacking can also go hand-in-hand with “mousetrapping,” in which a page prevents users from exiting by opening a new window every time the user tries to close the browser or flooding their computer with endless pop-ups.
As far as e-commerce is concerned, pagejacking is another effective technique for phishing, for example by mimicking a site’s login page to collect usernames and passwords.
In addition to the very real consequences for customers, the last thing an e-commerce brand wants is their customers second-guessing their store’s legitimacy due to a fraudulent impersonator.
Chargeback fraud is a scam where scammers purchase large online orders from merchants and then cancel their payments after the goods have been shipped. They keep the merchandise without paying for it.
Popular techniques include calling the bank and telling them that they had their identity stolen, or pretending that the delivery never arrived. Even in the best situations when the scam is caught in time, the merchant still has to waste time and resources investigating a false claim.
To make matters worse, merchants also have to differentiate so-called “friendly fraud” from actual chargeback fraud. Friendly fraud is when a legitimate customer accidentally causes a chargeback fraud, such as missing a package delivery or entering the wrong payment details. Merchants, meanwhile, are stuck in the dark about whether a chargeback had malicious intentions or was just an accident.
Card testing (also called card cracking) is one of the most widespread e-commerce fraud tactics. In this scenario, cybercriminals either steal credit card data themselves or purchase stolen credit card data on the dark web.
They then test the credit cards online by making small purchases to see if they can use the card to complete a transaction.
Once they know that the credit card number works, they begin making larger purchases.
Gaining access to a user’s account online is not uncommon, but it happens less frequently across e-commerce stores than through other gaming or content sharing sites.
Some examples of how accounts get hacked include purchasing stolen passwords or security codes on the dark web or successfully orchestrating a phishing scam against a specific user. Once they have gained access to a user’s account, they can make fraudulent transactions on the merchant’s site and withdraw funds.
Account takeover fraud can be costly both in terms of a store’s reputation as well when it comes to the loss of customers. Having a secure platform and giving users easy tools to secure their accounts helps merchants combat account takeover fraud.
Technology advancements are unfolding faster than ever. And cybercriminals are ready to take advantage of any new payment methods or security gaps. That’s why merchants must stay on top of fraud trends and understand the novel strategies used by fraudsters related to payments and other areas of e-commerce.
By adopting the latest fraud prevention and identity technologies, top payment providers allow merchants to provide a safe and secure shopping environment for their customers.
PayU combines industry-leading identity, fraud management, and AI-based tools to offer frictionless payments while at the same time protecting merchants and their customers from risks in the digital payments sphere.
Our payment security tools manage and simplify the essential aspects of the industry and regulatory compliance – giving merchants the time, space, and peace of mind to focus on growing their business rather than fighting fraudsters.
The PayU Anti-Fraud Module uses a sophisticated machine-learning scoring system to reduce customer friction and ensure that preventing fraud doesn’t get in the way of accepting payments from legitimate customers.
We provide this set of flows and services as out-of-the-box on our payment platforms or as a standalone module which you can integrate with other payment systems.
The Payment Card Industry Data Security Standard (PCI DDS) is an industry-led set of requirements which applies to any company responsible for storing and processing credit card details and cardholder information.
PCI compliance requires maintaining a number of basic security precautions – such as creating a firewall in front of any system storing credit card numbers – as well as a number of additional requirements.
Complying with PCI DSS can be confusing, particularly for newcomers to e-commerce. But failure to achieve PCI compliance can result in costly fines and penalties.
That’s why many payment providers make PCI compliance easier – typically by leveraging tokenization in order to shield merchants from the responsibility for safeguarding customer data. In a tokenized transaction, the customer’s actual payment details are replaced with a “token” that is used for the purposes of completing payment. Only the payment provider sees the customer’s real payment data.
Although merchants remain responsible for the security practices of their chosen payment provider, the ultimate responsibility for protecting the customer’s payment data is transferred to the payment provider.
While this limits the merchant’s PCI scope by reducing the number of PCI components for which the merchant is responsible, merchants should still make sure that their payment provider has credible and trustworthy procedures for taking care of sensitive data.
Holiday months can be some of the most critical months for your business, as more people buy in e-commerce stores. Customers also tend to be preoccupied and busy during these times, and may adhere to fewer safety precautions.
It’s common to see fraudsters making an effort to test out schemes like card testing fraud during the holiday months because many merchants are too busy to spot potential suspicious activity.
If you pay for a fraud detection solution (or set one up yourself), you may notice that particular customers are testing credit cards with your e-commerce business.
While a blacklist isn’t a complete solution since fraudsters can keep using new stolen customer identities, by using an internal blacklist, merchants can flag potentially fraudulent transactions before they occur, based on past behavior.
PayU’s Decision Engine helps you block transactions from unwanted sources before they become a bigger problem.
3D Secure is a payment industry protocol designed to add an additional layer of authentication to prevent fraud in online transactions. In addition to lowering the risk of fraud, 3DS also ensures that the issuing bank in a transaction, rather than the merchant, is liable for any chargebacks. 3D Secure 2.0, rolled out recently alongside the European Union’s Secure Customer Authentication requirements, offers further improvements to the original protocol while delivering a better customer experience at checkout.
How can merchants implement 3DS? Ideally, this is done via the payment provider. Choosing a quality payment provider is a good way for merchants to ensure that 3DS is implemented to the highest possible standards and in the most practical possible way when it comes to your e-commerce store.
PayU’s platform helps merchants to implement 3DS (including the latest version) through a combination of customizable rules and smart routing technology. PayU’s Anti-Fraud Module can optimize payment traffic, for example, according to which version of the 3DS protocol delivers the highest approval rates in a given region.
Merchants can take other precautions and impose various security-related standards in their organization to prevent fraud. For example, making sure that customers and employees regularly change all tokens and login credentials.
Creating a policy regarding access to confidential information at your company can help ensure that relatively few people have access to sensitive data.
As e-commerce trends change, so will the future nature of payment fraud. In the coming years, for example, account takeover attacks will likely increase because of many high-profile data breaches which have taken place over the past two years. With customer data already in hand, merchants are likely to see a rise in fraudsters impersonating real people in an attempt to make purchases on e-commerce websites.
Going forward, fraudsters will also increasingly use bots to execute this type of fraud on a larger scale – raising the bar further for merchants and payment providers when it comes to defending against fraud.
Luckily, advances in payment technology are here to help. Improvements across algorithmic and behavioral approaches to fraud detection mean that e-commerce companies will be better equipped to fight against fraudsters for worry-free payment processing. At the same time, predictive and behavioral models powered by machine learning will help e-commerce companies better combat fraud attempts.
With fraud becoming more sophisticated, high quality payment technology has never been more important. By working with a partner who can help merchants easily implement the latest in fraud prevention tools, you can help your business maintain the highest possible standard of online payment security – today as well as tomorrow.