What is online payment fraud and how to prevent it

Recognize online payment fraud and protect your business to save revenue and customers from fraudsters

Eric Alegre

VP of Business Development
24 August 2023

Online payments have contributed to an innovative business environment, yet they have also attracted unwanted attention from fraudsters. Payment fraud is a constant risk for any business that takes payments online. That makes payment fraud detection an ever-necessary concern, as well as a smart investment.
Whether you're selling physical goods and services, or are a purely online business, payment fraud is nonetheless a genuine concern. Naturally, we understand the importance of protecting your customers, as well as your own business.

The state of online payment fraud

A lot of information suggests that fraud activity - and thus, the dangers and impact on your business - is on the rise. The increased reliance on e-commerce and digital payment methods has exposed vulnerabilities that fraudsters exploit to their advantage. According to recent statistics, consumers reported losing nearly USD 8.8 billion to fraud globally in 2022. Furthermore, it was estimated that e-commerce losses to online payment fraud were around USD 41 billion globally in the same year. These figures highlight the alarming scale of the problem, underscoring the urgent need for robust fraud prevention measures. After all, these losses not only affect the bottom line of businesses, but can also cause financial hardship for individuals who fall victim to fraudulent activities.

How does payment fraud occur

Payment fraud happens when someone obtains and uses another person's information to conduct online transactions. This can include making fraudulent payments, applying for credit cards or loans, and more. In all cases, fraudsters are committing payment fraud through identity theft, and they usually exploit less secure platforms in doing so.

Fraudster innovation is much more prevalent in the online space, and this is where the real battle against payment fraud takes place. Payment fraud detection has made leaps and bounds over the decades but, in response, clever fraudsters are finding more innovative ways around these security measures. They learn what information companies need to make payments, and then develop ways to commit online fraud that specifically gather that necessary data.

Given that this article is about the impact of fraud on merchants, ultimately, someone, somewhere, makes a fraudulent or deceptive purchase. However, there are several ways this may actually occur once private information is obtained.

Data as an asset and trading commodity

It should be noted that those who gather this information often are not those who later commit fraudulent transactions. Thanks to the likes of the dark web, there is an active market for this information, which can be quickly passed on to others.

Fraudsters are resourceful and intelligent individuals. They know not to simply transfer money into their own accounts, or do anything that would lead to their own identity being exposed.

This is why they either purchase goods or use other scams. Airline ticketing is a notably common case. Clever fraudsters have learned to buy expensive airline tickets and then sell them at a discount - making a net profit, since the money spent was never theirs.

Next step: CNP fraud

Regardless of who ends up with the data, fraudsters still need to make unauthorized payments. Here, fraud managers generally split actions into two categories:

  • Card present (CP) refers to fraud committed with the physical card that was previously stolen. Here, many security checks can be passed if the card is set up to allow small transactions without additional measures - at least until machine learning algorithms detect unusual activity.
  • Card not present (CNP) refers to most forms of online payment fraud, as well as those on the phone, where fraudsters use private information, such as names, passwords, and other details, to bypass simple protective measures.

The online payment fraud journey

Once fraudsters get access to consumer data that is useful for unauthorized transactions, a series of unfortunate events unfolds. Payment fraud sits between other fraud challenges, because other steps are involved before a transaction is made on someone's behalf.

In many cases, the sequence begins with social engineering as a means to gain access to data or accounts. Then, the process advances to account takeover fraud, followed by the actual occurrence of payment fraud. And finally, in the post-payment stage, there's chargeback fraud or first-party misuse. Let's delve into each of them.

Social Engineering

In fraud, we can identify a trifecta of schemes known as phishing, vishing, and smishing. While the details differ, all use fake messages and communications to trick innocent people into voluntarily entering their personal information. Social engineering is a major fraud risk with multiple ramifications.

Phishing happens online. Fraudsters often impersonate a bank or store, often with very authentic-looking email messages and websites. These work when unassuming victims enter their credit card details, bank account information, name, address, and more.

Vishing uses similar deception over the phone. Disguised as customer services, again either from a bank, store, or another urgent service such as a vehicle warranty service, fraudsters put pressure on those they call to give the exact personal details.

And finally, smishing is done via text (SMS) on the phone. The messages appear automated, asking users to enter their login details, thus giving fraudsters access to enough confidential information.

Card testing

Card testing fraud refers to the use of stolen credit card information to test the validity of a card or to commit fraudulent transactions. This type of fraud typically occurs when a criminal obtains a victim's credit or debit card information through illegal means, and then uses that information to make unauthorized purchases. 

Account takeover

If the previously described methods of phishing, vishing, smishing, and triangulation are all designed to obtain confidential information, account takeover fraud is often the worst-case consequence for users.

When a fraudster has access to enough information, they can gain entry into financial accounts, store accounts, and other areas where money can be spent. They don’t always need every password either, as they can obtain email access to reset most means of entry. This is so impactful not only because of how much damage a fraudster can cause once inside, but also how often it goes unnoticed. After all, most processes for resetting accounts utilize automated technologies, and it doesn’t come up as a red flag in systems that aren’t actively monitored (more on that later).

First-party misuse

A lot of the damage in payment fraud occurs after the transaction is completed. When a customer finds out someone is committing fraud with their details or has already made a fraudulent purchase, they notify their banks and ask for refunds.

During this process, the vendor or merchant can pay additional chargeback costs, investigation fees, and more, making it a very costly ordeal. Unless both parties are protected, the merchant is at a loss when a customer gets a refund, or vice versa. Where protection exists, the burden falls on those providing it.

Yet chargebacks can also be illegitimate. First-party misuse (previously known as friendly fraud) occurs when customers falsely initiate chargebacks, claiming products ordered online were not received. When this is done fraudulently, the customer gets their money back, but still keeps the physical goods, making a net profit at the expense of the original business. Once again, in addition to chargeback expenses, the merchant account is now down in physical goods, which directly impacts costs.

As a consequence of this threat, virtually all major card services have fraud monitoring schemes that merchants can be placed on if enough fraudulent activity occurs in a given period. We need to note here that it is not so difficult to enter either company’s monitoring system - or both. While on these programs, merchants are subject to additional expenses. From the standard tier of the VFMP onwards, after six months, merchants face monthly non-compliance assessment (NCA) fees of either EUR 21,750 or USD 25,000.

Payment fraud detection best practices

Due to the increased risk of online payment fraud, along with the general increase in online shopping, there is a growing range of fraud prevention methods available today. So, how do you pinpoint the right solution for your needs? With such a wide market of options, there are a few key elements you should focus on. And remember that the ultimate goal is real-time fraud detection with the highest precision and no harm to UX.

Know your users

The more you know about your users, the more you'll learn about their real intentions, and the better you can refine your fraud detection mechanisms to distinguish between legitimate transactions and potential risks. It all comes down to what data to collect and what patterns are identified.

Risk signals

There are dozens of indicators that point to fraudulent activities, which are known as risk signals, yet detecting them involves a lot of research and data analysis. By collecting and processing large volumes of data from multiple sources, including transaction data, user behavior patterns, historical data, and external threat intelligence sources, we can uncover patterns, identify anomalies, and develop algorithms to flag suspicious activities.

Data attributes

With thousands of data attributes available to analyze - unique hardware, software, device, network, and behavioral data - you get actionable insights into who should move further with the transaction. Moreover, we go beyond data made available by the user by digging deep into your customers' sessions to discover fraudsters. It's all about increasing the data stream that describes users' behaviors, environment, and devices.

Know Your Fraudsters

Grasping fraudsters' tactics requires actively exploring the tools and methods they employ to make unauthorized payments. It's all about understanding their mindset and strategies, giving you an upper hand in spotting and stopping potential fraud scenarios. Our insights come from digging into both the Darknet and clearnet. Firsthand Darknet intelligence allows you to put yourself in the fraudsters' shoes and act before fraud reaches your business, and also to use that intelligence to reverse engineer their tactics.

Omnichannel approach

Depending on how much traffic you get from browsers and mobile, make sure you are able to detect fraud with the highest precision on both channels. Especially if you have a lot of mobile-native consumers, you should consider a mobile-native fraud prevention solution as well, with risk signals specific to mobile devices and more focus on behavioral biometrics.

Hybrid model

At a broad level, machine learning can prevent rising fraud by identifying patterns and blocking the locations and means fraudsters use as and when fraudulent incidents occur. Scam artists and fraudsters often work en masse, so machine learning algorithms can find patterns quicker than humans and act appropriately.

Whether it's by blocking certain transactions automatically or adding human input to address verification concerns, this helps businesses reduce fraudulent incidents as quickly as possible.

Such solutions are trained on your existing customer base. You know your business, after all, and by knowing who your customers are and where they're likely to be, you know when something isn't quite right. Machine learning can achieve the same thing with historical data.

One piece of advice we will offer here is that, while you definitely need automated solutions, a control switch is still essential. With multiple solutions, there’s a greater chance of risks being detected, and you also have to manage the impact on customers and your expenses.

This is why the hybrid model - using both advanced solutions and rules and validations - is often preferred. This way, you can scale your protection up and down as required.

Activating or disabling your fraud detection modules is necessary for a smooth-running business, as you can control the volume of data processing.
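The hybrid model described above, as an added sketch that is not the vendor's product code: a velocity rule for the card-testing pattern and an upstream ML risk score run as separately switchable modules, and the strictest enabled verdict wins. The class and field names, thresholds and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

ORDER = {"allow": 0, "review": 1, "block": 2}

@dataclass
class Txn:
    ts: float           # seconds
    device_id: str      # device fingerprint (assumed to come from a profiling layer)
    card_token: str     # tokenised card reference, never the card number
    amount: float
    model_score: float  # 0..1 risk score from an ML model, assumed computed upstream

class HybridEngine:
    def __init__(self, window=600, review_cards=3, block_cards=5,
                 review_score=0.6, block_score=0.9):
        self.enabled = {"velocity_rule": True, "ml_score": True}  # control switches
        self.window, self.review_cards, self.block_cards = window, review_cards, block_cards
        self.review_score, self.block_score = review_score, block_score
        self.seen = defaultdict(deque)  # device_id -> (ts, card_token) inside the window

    def _velocity_rule(self, t):
        # Card-testing signal: many distinct cards tried from one device in a short window.
        q = self.seen[t.device_id]
        q.append((t.ts, t.card_token))
        while t.ts - q[0][0] > self.window:
            q.popleft()
        cards = len({c for _, c in q})
        return "block" if cards >= self.block_cards else "review" if cards >= self.review_cards else "allow"

    def _ml_score(self, t):
        s = t.model_score
        return "block" if s >= self.block_score else "review" if s >= self.review_score else "allow"

    def decide(self, t):
        modules = {"velocity_rule": self._velocity_rule, "ml_score": self._ml_score}
        verdicts = [fn(t) for name, fn in modules.items() if self.enabled[name]]
        return max(verdicts, key=ORDER.get, default="allow")  # strictest enabled verdict wins

# Constructed sample stream (not real data): d1 cycles through cards, d2 has a high model score.
SAMPLE = [Txn(i * 20.0, "d1", f"tok{i}", 1.00, 0.20) for i in range(5)] + [
    Txn(150.0, "d2", "tokA", 480.00, 0.95),
    Txn(160.0, "d3", "tokB", 35.50, 0.10),
]

def run(stream, **switches):
    engine = HybridEngine()
    engine.enabled.update(switches)  # e.g. velocity_rule=False turns that module off
    return [(t.device_id, engine.decide(t)) for t in stream]
```

Calling `run(SAMPLE, velocity_rule=False)` shows what a switch costs: the device cycling through five cards is allowed every time, because its model score alone is low.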

The bottom line

Online payment fraud happens in the third stage of your user lifecycle, called 'transaction attempt'. To secure this stage, you must ensure a safe journey for the previous stages as well, which are user acquisition, and user login and registration, because all fraud threats that come before the actual payment directly affect the rest of your consumers' journey. Social engineering leads to ATO, which in turn leads to payment fraud, which in turn leads to chargebacks. For this reason, we recommend the complete suite that includes: a profiling solution, darkweb intelligence, and a hybrid model.

If you want to learn more about how we can secure your user journey with no harm to UX, schedule a call with us.

If you want to see our product in action, try it for free - a no-pressure way to see how it works and explore its benefits. 

It's time to stop payment fraud

Would you like to learn more about how the Know Your User solution can help your business effectively stamp out fraud without causing online friction? Let us show you how.
