Payment fraud prevention is the key to safer and healthier business growth. Let’s see what systems must be in place for it to work.
There’s no way around it: if your business accepts card-not-present (CNP) checkouts, there will be cases of card-not-present fraud.
Juniper Research forecasts that fraudulent transactions will cost ecommerce $50.5 billion by 2024, and other verticals are just as badly affected.
We’ll take an in-depth look at all the steps you can take to create a foolproof online payment fraud detection and prevention framework for your company.
What Is Payment Fraud?
Payment fraud refers to transactions made without the cardholder’s consent. The majority of cases happen after credit card details are stolen and appear on the dark web. Other payment methods, such as virtual checks, direct debits or phone payments, can be defrauded as well, as long as the attacker has acquired the necessary information. From the criminal’s point of view it’s just a means to an end: turning illegally acquired card details into clean money as quickly as possible.
How Does Payment Fraud Happen?
Payment fraud happens when a fraudster has acquired the credit card details or personal information of the victim that are needed to complete a transaction. While amateur criminals (or card testers) will be caught by most anti-fraud systems, sophisticated attackers will try to make the transaction data (the IP address, the browser language, the name on the card, the registration email and so on) appear legitimate in order to fool the system. If they succeed, you lose the item or service you are selling, and you are now liable for the cost of a chargeback should the cardholder file a claim with their bank.
6 Types of Payment Fraud
- Identity theft: The most common type of attack. The victim’s card data has been acquired by a fraudster who is now attempting to use it for purchases.
- Refund fraud or double dipping: An increasingly common type of attack, where the buyer claims that they never received the goods they ordered and wants a refund from your customer service. They will use the money to buy a new item, or might even be offered a replacement product, while they sell the original.
- BIN attacks: The fraudster generates a large number of card numbers based on a card’s BIN (bank identification number, the first six digits) and uses them to attempt purchases in the hope that some will go through.
- Card testing: Freshly stolen credit card data doesn’t come with balance information, so fraudsters have to test it somewhere, usually with small purchases, to see whether the cards still have funds on them.
- Triangulation fraud: A more complex type of fraud where the criminal will set up a web store or list items on big marketplaces at unrealistic discounts. When they receive an order for an item, they will use the unsuspecting customer’s information as well as the shipping address and a stolen credit card to purchase that item from a different store, pocketing the fees paid to them.
- Account takeover fraud: Colloquially known as hacked accounts. A fraudster will log in to an existing customer’s account and use their stored billing details to make purchases or use up their reward points – or just re-sell the account. These accounts are frequently used to leapfrog into more complex scams.
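Card testing and BIN attacks both show up in the authorization log as a burst of attempts from one source: many different cards, a pile of declines, or many cards that share one BIN. The detector below is an added example (not SEON’s code or the page’s own): a sliding-window counter per client IP or device id that raises one alert kind for each pattern. The log format, the thresholds, and the sample attempts are constructed for the example; card numbers appear only as tokens, since raw PANs should never reach your fraud logs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int          # unix seconds
    source: str      # client IP or device-fingerprint id
    card: str        # tokenized card reference; the raw PAN stays with the PSP
    bin6: str        # first six digits of the PAN (issuer identifier)
    approved: bool


def parse_attempt(line: str) -> Attempt:
    """Parse one authorization-attempt log line (constructed key=value format)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Attempt(int(f["ts"]), f["src"], f["card"], f["bin"], f["result"] == "approved")


class VelocityDetector:
    """Per-source sliding-window counters; thresholds are illustrative, not tuned."""

    def __init__(self, window_s=300, max_cards=5, max_same_bin=4,
                 min_attempts=5, max_decline_ratio=0.8):
        self.window_s = window_s
        self.max_cards = max_cards              # distinct cards above this -> card testing
        self.max_same_bin = max_same_bin        # distinct cards on one BIN at/above this -> BIN attack
        self.min_attempts = min_attempts        # decline ratio only judged with enough attempts
        self.max_decline_ratio = max_decline_ratio
        self._window = defaultdict(deque)       # source -> attempts inside the window
        self._fired = defaultdict(set)          # source -> alert kinds already raised

    def observe(self, a: Attempt) -> set:
        """Record one attempt and return the alert kinds newly raised for its source."""
        q = self._window[a.source]
        q.append(a)
        while q[0].ts < a.ts - self.window_s:   # evict attempts older than the window
            q.popleft()
        alerts = set()
        if len({x.card for x in q}) > self.max_cards:
            alerts.add("card_testing")
        by_bin = defaultdict(set)
        for x in q:
            by_bin[x.bin6].add(x.card)
        if any(len(cards) >= self.max_same_bin for cards in by_bin.values()):
            alerts.add("bin_attack")
        if len(q) >= self.min_attempts:
            declined = sum(1 for x in q if not x.approved)
            if declined / len(q) >= self.max_decline_ratio:
                alerts.add("high_decline_rate")
        new = alerts - self._fired[a.source]
        self._fired[a.source] |= new
        return new

    def scan(self, lines) -> dict:
        """Feed every log line through the detector; return {source: alert kinds}."""
        out = defaultdict(set)
        for line in lines:
            a = parse_attempt(line)
            out[a.source] |= self.observe(a)
        return {src: kinds for src, kinds in out.items() if kinds}


# Constructed sample log: TEST-NET addresses, token card references, Visa/MC test BINs.
SAMPLE_LOG = [
    # 203.0.113.7: eight different cards in two minutes, seven declined -> card testing
    "ts=1000 src=203.0.113.7 card=tok_a1 bin=411111 result=declined",
    "ts=1015 src=203.0.113.7 card=tok_a2 bin=411111 result=declined",
    "ts=1030 src=203.0.113.7 card=tok_a3 bin=542418 result=declined",
    "ts=1045 src=203.0.113.7 card=tok_a4 bin=542418 result=approved",
    "ts=1060 src=203.0.113.7 card=tok_a5 bin=378282 result=declined",
    "ts=1075 src=203.0.113.7 card=tok_a6 bin=378282 result=declined",
    "ts=1090 src=203.0.113.7 card=tok_a7 bin=601111 result=declined",
    "ts=1105 src=203.0.113.7 card=tok_a8 bin=601111 result=declined",
    # 198.51.100.9: five cards that all share one BIN, all declined -> BIN attack
    "ts=1200 src=198.51.100.9 card=tok_b1 bin=411111 result=declined",
    "ts=1210 src=198.51.100.9 card=tok_b2 bin=411111 result=declined",
    "ts=1220 src=198.51.100.9 card=tok_b3 bin=411111 result=declined",
    "ts=1230 src=198.51.100.9 card=tok_b4 bin=411111 result=declined",
    "ts=1240 src=198.51.100.9 card=tok_b5 bin=411111 result=declined",
    # 192.0.2.4: one customer, one card, approved -> no alert
    "ts=1300 src=192.0.2.4 card=tok_c1 bin=411111 result=approved",
]

if __name__ == "__main__":
    for src, kinds in VelocityDetector().scan(SAMPLE_LOG).items():
        print(src, sorted(kinds))
```

Each alert kind fires once per source, so an alert feeds a rule (block the source, step up authentication, notify the risk team) instead of spamming the queue. Keying on device fingerprint as well as IP matters because card testers rotate proxies far more easily than they rotate browsers.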
How to Detect Payment Fraud
Detecting payment fraud requires a complete overview of both the customer and the payment data. This is done via specialist technology, such as: device fingerprinting (to learn the customer’s configuration of software and hardware); BIN lookup (to check the card’s validity and issuer); IP lookup (to understand how they connect to your website); and reverse email and phone lookup (to gather extra data based on an email address and phone number).
Broadly speaking, there are three key stages at which that information should be gathered:
- User sign up: The first time you’ll be able to log their submitted data. This is important because you can already check whether their data matches your digital footprint analysis (more on that later).
- User login: The point at which you can confirm that the user who signed up is the same one who is using the account. Checking this stage helps prevent ATO (account takeover), which could lead to transaction fraud.
- User transaction: The checkout stage, when users pay. This is most likely the first time they enter their credit card info. There is a wealth of information you can gather here and check against the data you’ve previously accumulated.
The data aggregated at these stages is then fed through risk rules, which help you gauge how risky the payment is likely to be. Using a traffic light system, you can automatically approve low-risk payments, manually review medium-risk transactions, and block the ones that are obviously fraudulent.
It’s not just about checking the card details. The more data you have beforehand, the more confident you can be about who you are dealing with. Fraud detection software also performs better the more data it has to work with.
How to Prevent Payment Fraud
- Social media lookup: Check whether the cardholder’s details match those of their online social profiles. This helps extract extra info such as a profile picture, full name, bio, and so on.
- IP analysis: Beyond checking geolocation, you can also tell whether your user is hiding their connection behind a VPN, proxy or emulator.
- Email analysis: Even a single data point such as an email address can reveal a trove of data. Was it created on a suspicious domain (a free or disposable address)? How hard was the authentication process? Has it appeared in any data breaches?
- Phone analysis: Likewise, a phone number can be checked against records to get a clearer idea of who you’re dealing with. Is it a landline or mobile? Is the carrier location close to the shipping address? Is your user relying on a disposable phone number?
All these extra data points will help you connect the user with the credit card information, and make a more intelligent decision when accepting or rejecting a purchase.
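The two passages above (gathering data at signup, login and checkout and feeding it through risk rules with a traffic-light outcome; and enriching the email, IP, phone and BIN with lookups) come together in a rule engine like the one below. This is an added example, not SEON’s product or the page’s own code: each rule is a named predicate with a weight, the score is the clamped sum of the rules that fire, and the traffic-light thresholds route the transaction to approve, review or block. The disposable-domain list, the proxy range, the BIN-to-country table, the weights and the three sample profiles are all constructed for the example; in production these come from your enrichment providers and your own historical data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup data standing in for real enrichment providers.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}
FREE_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # "known VPN/proxy" ranges
BIN_COUNTRY = {"411111": "US", "542418": "GB"}             # BIN -> issuing country


@dataclass
class Profile:
    """Data collected across signup, login and checkout for one transaction."""
    email: str
    ip: str
    ip_country: str
    phone_type: str          # "mobile" | "landline" | "voip"
    card_bin: str
    billing_country: str
    social_profiles: int     # accounts found by reverse email/phone lookup
    signup_age_days: int     # age of the account at checkout
    device_seen_before: bool # device fingerprint matched at login
    name_matches_card: bool  # account name vs name on card


def _domain(p: Profile) -> str:
    return p.email.rsplit("@", 1)[-1].lower()


def _is_proxy(p: Profile) -> bool:
    addr = ipaddress.ip_address(p.ip)
    return any(addr in net for net in PROXY_RANGES)


# (rule name, weight, predicate). Negative weights reward good history.
RULES = [
    ("disposable_email", 40, lambda p: _domain(p) in DISPOSABLE_DOMAINS),
    ("free_email", 5, lambda p: _domain(p) in FREE_DOMAINS),
    ("no_social_footprint", 20, lambda p: p.social_profiles == 0),
    ("proxy_or_vpn", 25, _is_proxy),
    ("ip_billing_country_mismatch", 15, lambda p: p.ip_country != p.billing_country),
    ("bin_country_mismatch", 20,
     lambda p: BIN_COUNTRY.get(p.card_bin) not in (None, p.billing_country)),
    ("voip_phone", 15, lambda p: p.phone_type == "voip"),
    ("new_account", 10, lambda p: p.signup_age_days < 1),
    ("new_device", 10, lambda p: not p.device_seen_before),
    ("name_mismatch", 20, lambda p: not p.name_matches_card),
    ("established_customer", -15,
     lambda p: p.signup_age_days > 180 and p.device_seen_before),
]

REVIEW_FROM, BLOCK_FROM = 30, 70   # traffic-light thresholds (illustrative)


def score(p: Profile):
    """Return (0-100 score, list of (rule, weight) that fired) for a profile."""
    hits = [(name, w) for name, w, pred in RULES if pred(p)]
    return max(0, min(100, sum(w for _, w in hits))), hits


def decide(total: int) -> str:
    if total >= BLOCK_FROM:
        return "block"      # red
    if total >= REVIEW_FROM:
        return "review"     # amber: manual review queue
    return "approve"        # green


def assess(p: Profile) -> dict:
    """Score plus the per-rule breakdown an analyst needs to justify the decision."""
    total, hits = score(p)
    return {"score": total, "decision": decide(total), "triggered": hits}


# Constructed profiles: a returning customer, a traveller on a new laptop, a fraud attempt.
LEGIT = Profile("ann@gmail.com", "192.0.2.10", "US", "mobile", "411111", "US", 3, 400, True, True)
TRAVELLING = Profile("bob@gmail.com", "192.0.2.55", "FR", "mobile", "411111", "US", 2, 30, False, True)
RISKY = Profile("x9@mailinator.com", "198.51.100.23", "NL", "voip", "542418", "US", 0, 0, False, False)

if __name__ == "__main__":
    for p in (LEGIT, TRAVELLING, RISKY):
        print(p.email, assess(p))
```

The breakdown returned by assess() is what makes the engine whitebox: a reviewer sees that the traveller landed in review because of a country mismatch on a new device, not a bare number, and can tune one weight without retraining anything.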
The Difference Between Payment Fraud and Friendly Fraud
Not all transaction fraud is committed by organized crime groups. Sometimes your legitimate buyer is to blame for unwarranted chargebacks.
It’s called friendly fraud, and the problem is growing at a rapid rate. It is near impossible to catch, because the transaction is by all means legitimate at the point of purchase.
Broadly speaking, there are 3 kinds of friendly fraud you might come across:
1. Innocent or Accidental Requests
You might also call it family fraud, because the cardholder often triggers a dispute after a relative purchased something without their authorization. Children buying skins with their parents’ credit card or unapproved in-app purchases fall into that category.
2. Opportunistic Friendly Fraud
Here the cardholder disputes a purchase they did make. This could be because of a store policy they disapprove of (offering travel credit instead of a refund), or simply because they regret the purchase after the fact.
3. Malicious Friendly Fraud
The process blurs the line between friendly and standard transaction fraud. This happens when the buyers know in advance that they’re going to request a chargeback.
These bad customers have every intention to have their cake and eat it, by receiving an item, claiming it never arrived, and getting their money back.
How to Choose a Payment Fraud Prevention Solution
There is more than one way to put a solution together. For instance, you could have:
- on-site monitoring, with external data enrichment tools
- an outsourced end-to-end solution
- an external end-to-end solution combined with third-party data enrichment from another provider
- and many more options
When it comes to risk management services for business payments, it’s rare to find a one-size-fits-all solution. This is why you might sometimes need to mix and match your tools to create the right risk tech stack.
We like to call this process multi-layered. It’s a useful term because it implies that all the tools are working on top of each other, and not creating bottlenecks within your framework.
Bonus points if your fraud solution offers modules that you can enable or disable as needed. This will give you more control over how much information is processed, but also pricing if you are buying a pay-per-API call system (more on that below).
Most companies start out by building their own risk stack on top of the transaction system, and the more advanced tools come in via APIs.
In true SaaS fashion, most modern detection software will be completely cloud-based. So how do you integrate their tools into your company’s system? One answer is to use API calls.
This is important because you can:
- benefit from protection in real-time
- get regular updates and fixes without downtime
- scale your operations without bottlenecks
- tailor the system to your needs with customization options
More importantly, all the technical upkeep is taken care of on the vendor’s side. And with well-written API documentation, your own developers should have all the information they need in self-serve mode, so you won’t need to ask for extra support.
Whitebox machine learning systems sometimes need more manual tinkering, but they come with the advantage that your team understands what the system does and why. The learning curve is a bit steeper, but when it comes to communicating with your customers or between departments, you want to know what’s under the hood.
We’re now getting on the topic of fraud rules and transaction risk scores. This is the core of your fraud engine, and will allow you to gauge how safe a customer login, checkout, or signup is for your business.
Risk rules can be customized manually, of course, but your payment fraud detection software can also suggest these rules for you. More often than not, this is done by analyzing your historical data and feeding it to an AI data science process, or ML (machine learning) engine.
The problem? The machine learning rules you will get aren’t always insightful. That is unless you ensure your system is whitebox, meaning it will show exactly what is happening with the score calculation.
This gives fraud and risk managers more control and insights into the solution, helping them accept, reject, or even tweak the rules offered by the system.
We want our user journeys to be as frictionless as possible. Security would rather have everyone ID’d on signup. Dynamic friction is a balancing act between the two: doing most of your security checks in the background, and only triggering ID checks on very risky transactions. It’s the best of both worlds.
In today’s business landscape, friction is the battleground where the customers will win or lose. Put too many obstacles between your users and your site, and they’ll quickly go find a less stringent competitor.
This is particularly damaging when it comes to authentication checks for KYC or AML purposes. Fintechs succeed or fail based on their user experience, which is why you want to block risk, without slowing down legitimate purchases.
The best strategy to employ is what we call dynamic friction. A good way to think about it is to split verification into light and heavy KYC checks.
Here is what happens: after analyzing the user’s digital footprint, your system provides a risk score. You can automate what happens next based on it:
- If the score is low enough, your user can continue to the next payment stage immediately.
- If too many red flags are raised, you can require additional authentication such as a selfie ID, 2FA, OTP, or document upload.
While even these extra steps aren’t foolproof against hardened fraudsters, they are certainly enough to deter casual and opportunistic cybercriminals.
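The dynamic-friction flow described above, as an added example that is not SEON’s code or the page’s own: a policy maps the risk score (and, as a separate trigger, a high order value) to the checks a user must pass, light KYC being a one-time code and heavy KYC a document check, and a small session object tracks progress and handles the OTP challenge with an expiry and an attempt cap. The thresholds, the five-minute code lifetime and the three-attempt limit are constructed for the example; the code is never stored in the clear, only an HMAC of it under a per-session key.

```python
import hmac
import secrets
import time

# Illustrative policy constants (constructed; tune to your own risk appetite).
OTP_FROM_SCORE = 30            # amber and above: light KYC (one-time code)
DOCUMENT_FROM_SCORE = 70       # red: heavy KYC (ID document / selfie)
MANUAL_REVIEW_AMOUNT = 2000.0  # high-value orders go to the risk team regardless of score
OTP_TTL_S = 300
OTP_MAX_ATTEMPTS = 3


def required_checks(risk_score: int, amount: float) -> list:
    """Verification steps a user must pass, in order, for this score and order value."""
    checks = []
    if risk_score >= OTP_FROM_SCORE:
        checks.append("otp")
    if risk_score >= DOCUMENT_FROM_SCORE:
        checks.append("document")
    if amount >= MANUAL_REVIEW_AMOUNT:
        checks.append("manual_review")
    return checks


class StepUpSession:
    """State for one checkout: which checks have passed, plus the pending OTP challenge."""

    def __init__(self, user_id: str, risk_score: int, amount: float):
        self.user_id = user_id
        self.required = required_checks(risk_score, amount)
        self.passed = set()
        self._key = secrets.token_bytes(32)   # per-session key; codes are kept only as MACs
        self._otp = None                      # (mac, expires_at, attempts_left)

    def next_step(self) -> str:
        """First outstanding check, or 'proceed' when the user may continue to payment."""
        for check in self.required:
            if check not in self.passed:
                return check
        return "proceed"

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def issue_otp(self, now: float = None) -> str:
        """Create a fresh six-digit code; a real system sends it out of band (SMS, email, app)."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._otp = (self._mac(code), now + OTP_TTL_S, OTP_MAX_ATTEMPTS)
        return code

    def verify_otp(self, code: str, now: float = None) -> bool:
        """Constant-time check against the pending challenge; enforces expiry and attempt cap."""
        now = time.time() if now is None else now
        if self._otp is None:
            return False
        mac, expires_at, attempts_left = self._otp
        if now > expires_at or attempts_left <= 0:
            self._otp = None                  # expired or exhausted: a new code must be issued
            return False
        if hmac.compare_digest(mac, self._mac(code)):
            self._otp = None
            self.passed.add("otp")
            return True
        self._otp = (mac, expires_at, attempts_left - 1)
        return False

    def record_check(self, check: str, verified: bool) -> None:
        """Record the outcome of a document check or manual review performed elsewhere."""
        if verified and check in self.required:
            self.passed.add(check)


if __name__ == "__main__":
    s = StepUpSession("user-42", risk_score=45, amount=80.0)
    print("next:", s.next_step())            # otp
    code = s.issue_otp()
    print("verified:", s.verify_otp(code))   # True
    print("next:", s.next_step())            # proceed
```

A low score skips every prompt, which is the whole point: the background checks absorb the friction, and only the amber and red bands see a challenge. The attempt cap and expiry stop a guessed code from being brute-forced at the step-up stage, which would otherwise turn the extra check into a weaker gate than the one it replaces.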
At the end of the day, you want your fraud fighting tools to enhance the analyst’s decision making ability. Your system needs to integrate with your other systems, it must present information in a clear and concise manner, and it shouldn’t just dump data at you, but highlight what’s important and why.
A quick system integration is essential when deploying an anti-fraud system, but you can go one step further by adapting it to your industry productivity needs.
For instance, you could combine payment analysis with another workflow to reduce the risk of money laundering. We’ve seen businesses trigger alerts when a purchase is above a certain threshold, so the risk team can manually have a look at it.
When it comes to risk management, the pricing model can make or break a solution. Beyond the price tag there lie different incentives that define the relationship between you, your customers and your vendor. It can quite literally change your organization’s risk appetite.
This is why you should carefully weigh different options when it comes to your transaction fraud system’s pricing model.
Many vendors operate on a chargeback guarantee model, which means they essentially pay back your chargeback fees if a request goes through.
However, it creates a strong incentive for the fraud management company to be as conservative as possible. If you’d rather leave the headaches of managing chargeback fees to them, it can work well.
But if you want a bit more control over how you mitigate risk to accept more conversions, it could be in your best interest to look at other pricing models, such as pay-per-API-call.
This will let you control your ROI based on the number of transactions you process monthly, which is great for scaling your operations and for seasonal upticks in payment processing.
Payment Fraud Detection & Prevention: Key Takeaways
Transaction fraud shows no signs of slowing down. Curbing your chargeback rates isn’t simply a matter of boosting profits any longer; it’s now a fundamental business decision and a competitive advantage. The good news is that fraud detection software has evolved in leaps and bounds over the years. You now have increased flexibility when it comes to integration, pricing model, and how your service chooses to mitigate risk.
Frequently Asked Questions
Have proper risk scoring in place so you can block or review suspicious transactions before approval.
Have your CS team informed about past customer behaviour and their connections to other users who have requested refunds multiple times.
Generally speaking, you should be screening signups, transactions and logins, but you can screen other critical actions as well, like address or password changes.
It depends on the context. A social media lookup performed on the registration email address can tell you if the customer is indeed who they say they are on the card or not. But if you are required by the law to do this, you might need to ask for additional documents, such as a passport or driver’s license.
Simple: Verify your customers in the background and only require IDs from suspicious users via dynamic friction.
Depends on your risk appetite. Though they seem appealing, chargeback guarantees in essence mean that the system will be more conservative and block more good transactions that appear risky. This appears as a cost on your end as your support will have to deal with it, or the customer will turn to a different service out of spite.
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.