Payment fraud prevention is the key to safer and healthier business growth. Let’s see what systems must be in place for it to work.
There’s no way around it: if your business accepts checkout via a CNP (card not present) scenario, there will be card fraud.
Juniper Research forecasts that fraudulent transactions will cost eCommerce $50.5B by 2024, and other verticals are affected just as badly.
Now, if you want the short answer: transaction risk scoring is the foundation of any decent payment fraud detection system. But today we'll take an in-depth look at all the steps you can take to build a robust payment fraud detection framework for your company.
Table of contents
- What is Online Payment Fraud
- How Does Online Payment Fraud Happen?
- What to Check for Online Payment Fraud?
- What are the Challenges in Payment Fraud?
- 6 Examples of Online Payment Fraud
- Difference Between Payment Fraud and Friendly Fraud
- Key Solutions For a Better Framework: How to Prevent Online Payment Fraud?
- How to Choose a Payment Fraud Solution?
- API Integration
- Whitebox System
- Dynamic Friction
- Productivity Enhancement
- Pricing Model
- Online Payment Fraud Detection – Key Takeaways
What is Online Payment Fraud
Online payment fraud refers to transactions made without the cardholder's consent. The majority of cases happen after credit card details are stolen and surface on the dark web. Other payment methods – virtual checks, direct debits, phone payments – can be defrauded as well, as long as the attacker has acquired the necessary details. From the criminal's point of view it is just a means to an end: converting illegally acquired payment details into clean money or goods as quickly as possible.
How Does Online Payment Fraud Happen?
Online payment fraud happens when a fraudster has acquired the credit card details or personal information of the victim needed to complete a transaction. While amateur criminals (or card testers) will be caught by most anti-fraud systems, sophisticated attackers will try to make the transaction data – the IP address, browser language, name on the card, registration email and so on – appear legitimate in order to fool the system. If they succeed, you lose the item or service you sold and are liable for the cost of a chargeback should the cardholder file a claim with their bank.
What to Check for Online Payment Fraud?
With fraud detection software, the more data you have, the better. Here are three user events you should always monitor for payment fraud prevention:
- User sign-up: the first time you can log their submitted data. This matters because you can already check whether that data matches your digital footprint analysis (more on that later).
- User login: the point at which you confirm that the user who signed up is the same one now using the account. Checking this stage helps prevent ATO (account takeover), which can lead to transaction fraud.
- User transaction: the checkout stage, when users pay. This is most likely the first time they enter their credit card details. There is a wealth of information you can gather here and check against the data you have previously accumulated.
It’s not just about checking the card details. The more data you have beforehand, the more secure you can be about who you are dealing with. But there’s even more…
What are the Challenges in Payment Fraud?
The main challenge in payment fraud is not just telling good transactions from bad ones, but deciding which need a human to review them and which do not. Ideally, you should be accepting as many transactions as possible automatically while reviewing only a relatively small number. If your team is fast and well equipped, you can get through more manual reviews faster.
Telling a good transaction apart from a bad one is simple in theory: you know your ideal and typical customer profiles, and whatever deviates from them should be considered risky. Most fraudulent transactions will seem irrational from a user-story point of view: a shipping address far from the IP address's location, mismatches between the device settings and the cardholder information, and so on. But advanced fraudsters will try to cover these gaps, so you have to be vigilant in checking for any discrepancies that could give fraud away, and set your transaction rules accordingly.
6 Examples of Online Payment Fraud
- Identity theft – The most common type. The victim's card data has been acquired by a fraudster who is now attempting to use it for purchases.
- Refund fraud or 'double dipping' – An increasingly common attack in which the buyer claims they never received the goods they ordered and asks your customer service for a refund. They either use the money to buy a new item or are sent a replacement, and sell the original.
- BIN attacks – The fraudster generates a large number of card numbers sharing a valid issuer BIN (the first six digits) and uses them to make purchases in the hope that some will go through.
- Card testing – Freshly stolen card data doesn't tell the fraudster whether the card is still active or has funds, so they test it somewhere, typically with small-value purchases, before making larger ones.
- Triangulation fraud – A more complex scheme in which the criminal sets up a web store or lists items on large marketplaces at unrealistic discounts. When an order comes in, they use the unsuspecting customer's information – including the shipping address – and a stolen credit card to buy that item from a different store, pocketing the payment the customer made to them.
- Account takeover – colloquially known as hacked accounts. A fraudster logs in to an existing customer's account and uses the stored billing details to make purchases, drains their reward points, or simply resells the account. Frequently they use such accounts to 'leapfrog' into more complex scams.
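Card testing and BIN attacks share a signature that a merchant can spot without any external data: one source fires many authorization attempts, against many different card numbers (often under the same BIN), for tiny amounts, and most of them are declined. The velocity check below is an added example written for this article, not SEON's product code; the log format, the window, the thresholds and the sample records are constructed for illustration. It also shows the two cases a naive "many declines" rule gets wrong: a shopper retrying one card after an insufficient-funds decline, and an old attempt that falls outside the sliding window.

```python
"""Velocity-based detection of card testing and BIN attacks.

Added example, not SEON's product code. The log format, the thresholds and
the sample records below are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_ATTEMPTS = 5                 # attempts inside the window before we judge
MIN_DISTINCT_CARDS = 4           # different PANs tried from one IP
MIN_DECLINE_RATIO = 0.5          # share of attempts the issuer declined
MAX_MEDIAN_AMOUNT = 5.00         # testers probe with tiny amounts


@dataclass
class Attempt:
    ts: datetime
    ip: str
    card: str      # PAN masked to BIN + last four, e.g. 411111******1111
    amount: float
    result: str    # "approved" or "declined"


# Constructed authorization log (not real traffic): whitespace-separated
# "timestamp ip masked_pan amount result" lines.
SAMPLE_LOG = [
    "2024-03-01T09:40:00 198.51.100.7 424242******0001 59.00 approved",  # outside window
    "2024-03-01T10:00:01 198.51.100.7 411111******1111 1.00 declined",
    "2024-03-01T10:00:04 198.51.100.7 411111******1234 1.00 declined",
    "2024-03-01T10:00:09 198.51.100.7 411111******5678 1.00 approved",
    "2024-03-01T10:00:15 198.51.100.7 411111******9012 1.00 declined",
    "2024-03-01T10:00:22 198.51.100.7 555555******4444 1.00 declined",
    "2024-03-01T10:00:30 198.51.100.7 555555******7777 1.00 declined",
    # legitimate shopper: two approved purchases on one card
    "2024-03-01T10:01:00 203.0.113.5 424242******4242 89.99 approved",
    "2024-03-01T10:05:00 203.0.113.5 424242******4242 12.50 approved",
    # retrying a single card after insufficient funds: many declines, one PAN
    "2024-03-01T10:02:00 192.0.2.9 378282******0005 45.00 declined",
    "2024-03-01T10:02:30 192.0.2.9 378282******0005 45.00 declined",
    "2024-03-01T10:03:00 192.0.2.9 378282******0005 45.00 declined",
    "2024-03-01T10:03:40 192.0.2.9 378282******0005 45.00 declined",
    "2024-03-01T10:04:10 192.0.2.9 378282******0005 45.00 approved",
]


def parse_log(lines):
    attempts = []
    for line in lines:
        ts, ip, card, amount, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, card, float(amount), result))
    return attempts


def bin_of(card: str) -> str:
    return card[:6]


def detect_card_testing(attempts):
    """Return {ip: [reasons]} for IPs whose attempts inside WINDOW look like card testing."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # advance the window start so that it spans at most WINDOW
            while rows[end].ts - rows[start].ts > WINDOW:
                start += 1
            window = rows[start:end + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            distinct = {a.card for a in window}
            decline_ratio = sum(a.result == "declined" for a in window) / len(window)
            med_amount = median(a.amount for a in window)
            # many different cards is the core signal; a high decline ratio or
            # tiny amounts confirm it. A single card retried many times is not flagged.
            if len(distinct) < MIN_DISTINCT_CARDS:
                continue
            if decline_ratio < MIN_DECLINE_RATIO and med_amount > MAX_MEDIAN_AMOUNT:
                continue
            reasons = [f"{len(distinct)} distinct cards within {WINDOW}",
                       f"decline ratio {decline_ratio:.0%}",
                       f"median amount {med_amount:.2f}"]
            cards_per_bin = defaultdict(set)
            for a in window:
                cards_per_bin[bin_of(a.card)].add(a.card)
            for b, cards in cards_per_bin.items():
                if len(cards) >= MIN_DISTINCT_CARDS:
                    reasons.append(f"BIN attack: {len(cards)} cards under BIN {b}")
            alerts[ip] = reasons
            break
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run on the constructed log, only 198.51.100.7 is flagged, with the BIN 411111 cluster called out separately; the retrying shopper at 192.0.2.9 has four declines but one card, so it passes. In production the same aggregation would be keyed on device fingerprint and email as well as IP, since testers rotate proxies.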
Difference Between Payment Fraud and Friendly Fraud
Not all transaction fraud is performed by organized criminal groups. Sometimes your legitimate buyer is to blame for unwarranted chargebacks.
This is called friendly fraud, and the problem is growing rapidly. It is nearly impossible to catch, as the transaction is by all appearances legitimate at the point of purchase.
Broadly speaking, there are three kinds of friendly fraud you might come across:
1. Innocent or Accidental Requests:
You might also call it family fraud, because the cardholder often triggers a dispute after a relative purchased something without their authorization. Children buying game skins with their parents' credit card or unapproved in-app purchases fall into this category.
2. Opportunistic Friendly Fraud
Here the cardholder disputes a purchase they did make, perhaps because of a store policy they disapprove of (offering travel credit instead of a refund), or simply because they regret the purchase.
3. Malicious Friendly Fraud
This blurs the line between friendly and standard transaction fraud: the buyer knows in advance that they are going to request a chargeback.
These bad customers fully intend to have their cake and eat it: receive an item, claim it never arrived, and get their money back.
Key Solutions For a Better Framework: How to Prevent Online Payment Fraud?
- Social media lookup: check whether the cardholder's details match those of their online social profiles. This also extracts extra information such as a profile picture, full name, bio and so on.
- IP analysis: beyond checking geolocation, you can also tell whether your user is hiding their connection behind a VPN, proxy or emulator.
- Email analysis: even a single data point such as a phone number or email address can reveal a trove of data. Was the address created on a suspicious domain (free or disposable)? How much effort went into creating it? Has it appeared in any data breaches?
- Phone analysis: likewise, a phone number can be checked against carrier records to get a clearer idea of who you're dealing with. Is it a landline or mobile? Is the carrier's location close to the shipping address? Is the user relying on a disposable phone number?
All these extra data points help you connect the user with the credit card information and make a more intelligent decision when accepting or rejecting a purchase.
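To make the email, IP and phone checks above concrete, here is an added enrichment step written for this article; it is not SEON's module or API. Real products query external sources (disposable-domain feeds, IP geolocation and ASN databases, carrier lookups); here those are replaced by small constructed lookup tables, and the two sample checkouts are constructed as well. The output is a flat feature dict that a rules engine can score.

```python
"""Digital footprint enrichment for a checkout: email, IP and phone signals.

Added example, not SEON's product code. The domain lists, the IP_DB and
PHONE_DB lookup tables and the sample orders are constructed stand-ins for
the external data sources a real enrichment module would query.
"""
import math
import re

# Small constructed lists; production systems use maintained feeds.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
FREE_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed stand-in for an IP geolocation + ASN database.
IP_DB = {
    "203.0.113.5": {"lat": 47.4979, "lon": 19.0402, "country": "HU", "asn_type": "isp"},
    "198.51.100.7": {"lat": 52.3676, "lon": 4.9041, "country": "NL", "asn_type": "hosting"},
}
# Constructed stand-in for a carrier lookup, keyed by dialling prefix.
PHONE_DB = {
    "+3620": {"type": "mobile", "country": "HU"},
    "+3630": {"type": "mobile", "country": "HU"},
    "+361": {"type": "landline", "country": "HU"},
    "+1332": {"type": "voip", "country": "US"},
}


def email_features(email: str) -> dict:
    local, _, domain = email.lower().rpartition("@")
    digits = sum(c.isdigit() for c in local)
    return {
        "email_domain": domain,
        "email_disposable": domain in DISPOSABLE_DOMAINS,
        "email_free": domain in FREE_DOMAINS,
        # a local part that is mostly digits is a hint of bulk-generated addresses
        "email_autogenerated": bool(local) and digits / len(local) >= 0.4,
    }


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def ip_features(ip: str, ship_lat: float, ship_lon: float) -> dict:
    geo = IP_DB.get(ip)
    if geo is None:  # unknown IP: report the gap instead of crashing the checkout
        return {"ip_known": False, "ip_hosting": False, "ip_ship_distance_km": None}
    return {
        "ip_known": True,
        "ip_country": geo["country"],
        "ip_hosting": geo["asn_type"] == "hosting",  # datacenter / VPN / proxy egress
        "ip_ship_distance_km": round(haversine_km(geo["lat"], geo["lon"], ship_lat, ship_lon), 1),
    }


def phone_features(phone: str) -> dict:
    number = re.sub(r"[^\d+]", "", phone)
    # longest matching dialling prefix wins
    for prefix in sorted(PHONE_DB, key=len, reverse=True):
        if number.startswith(prefix):
            rec = PHONE_DB[prefix]
            return {"phone_type": rec["type"], "phone_country": rec["country"],
                    "phone_voip": rec["type"] == "voip"}
    return {"phone_type": "unknown", "phone_country": None, "phone_voip": False}


def enrich(order: dict) -> dict:
    """Combine all signals for one checkout into a flat feature dict."""
    features = {}
    features.update(email_features(order["email"]))
    features.update(ip_features(order["ip"], order["ship_lat"], order["ship_lon"]))
    features.update(phone_features(order["phone"]))
    return features


# Constructed sample checkouts; both ship to Budapest (geocoded address).
GOOD_ORDER = {"email": "anna.kovacs@gmail.com", "ip": "203.0.113.5",
              "phone": "+36 20 123 4567", "ship_lat": 47.50, "ship_lon": 19.05}
BAD_ORDER = {"email": "x83920174@mailinator.com", "ip": "198.51.100.7",
             "phone": "+1 332 555 0199", "ship_lat": 47.50, "ship_lon": 19.05}

if __name__ == "__main__":
    print(enrich(GOOD_ORDER))
    print(enrich(BAD_ORDER))
```

The good order resolves to a free-mail address, a residential ISP within a kilometre of the shipping address and a Hungarian mobile; the bad one to a disposable, digit-heavy address, a hosting-range IP over a thousand kilometres away and a VoIP number. None of these signals is conclusive alone, which is why the next step is to weight and combine them.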
How to Choose a Payment Fraud Solution?
There are several ways to assemble your fraud prevention stack. For instance, you could have:
- On-site monitoring, with external data enrichment tools.
- Outsourced end-to-end solution.
- External end-to-end solution combined with third-party data enrichment from another provider.
- and many more options…
When it comes to risk management services for business payments, it's rare to find a one-size-fits-all solution. This is why you may need to mix and match tools to build the right risk stack.
We like to call this process multi-layered. It's a useful term because it implies that the tools work on top of each other rather than creating bottlenecks within your framework.
Bonus points if your fraud solution offers modules that you can enable or disable as needed. This will give you more control over how much information is processed, but also pricing if you are buying a pay-per-API call system (more on that below).
API Integration
Most companies start out by building their own risk stack on top of the transaction system, and the more advanced tools come in via APIs.
In true SaaS fashion, most modern detection software is completely cloud-based. So how do you integrate these tools into your company's system? One answer is API calls.
This is important because you can:
- Benefit from protection in real-time.
- Get regular updates and fixes without downtime.
- Scale your operations without bottlenecks.
- Tailor the system to your needs with customization options.
More importantly, all the technical maintenance is taken care of on the vendor's side. And with well-written API documentation, your own developers should have all the information they need in self-serve mode, so you won't need to ask for extra support.
Whitebox System
Whitebox systems need more manual tinkering, but they come with the advantage that your team understands what the system does and why. The learning curve is a bit steeper, but when it comes to communicating with your customers or between departments, you want to know what's under the hood.
We’re now getting on the topic of fraud rules and transaction risk scores. This is the core of your fraud engine, and will allow you to gauge how safe a customer login, checkout, or signup is for your business.
Risk rules can be customized manually, of course, but your payment fraud detection software can also suggest these rules for you. More often than not, this is done by analyzing your historical data and feeding it to an AI data science process, or ML (machine learning) engine.
The problem? The machine learning rules you get aren't always insightful. That changes when your system is whitebox, meaning it shows exactly how the score is calculated and which rules contributed to it.
This gives fraud and risk managers more control and insights into the solution, helping them accept, reject, or even tweak the rules offered by the system.
Dynamic Friction
We want user journeys to be as frictionless as possible. Security would rather have everyone ID-checked on sign-up. Dynamic friction is a balancing act between the two: doing most of your security checks in the background and only triggering ID checks on very risky transactions. It's the best of both worlds.
In today’s business landscape, friction is the battleground where the customers will win or lose. Put too many obstacles between your users and your site, and they’ll quickly go find a less stringent competitor.
This is particularly damaging when it comes to authentication checks for KYC or AML purposes. Fintechs succeed or fail based on their user experience, which is why you want to block risk, without slowing down legitimate purchases.
The best strategy is what we call dynamic friction. A good way to think about it is to split verification into light and heavy KYC (know your customer) checks.
Here is what happens: after analyzing the user's digital footprint, your system provides a risk score. You can automate what happens next based on it:
- If it’s low enough, your user can continue to the next payment stage immediately.
- If too many red flags are raised, you can proceed with additional authentication such as a selfie ID, 2FA, OTP, or document upload.
While even these extra steps aren’t foolproof against hardened fraudsters, they are certainly enough to deter casual and opportunistic cybercriminals.
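The passages on fraud rules and risk scores, on whitebox transparency, and on dynamic friction describe one mechanism: weighted rules produce a score, the score selects how much friction the user sees, and the triggered rules are the explanation an analyst reads. The engine below is an added example written for this article, not SEON's scoring engine; the rule names, weights and thresholds are assumptions, and the feature dicts are constructed to look like the output of an enrichment step (email, IP, phone, account and order data). It also covers the challenge raised earlier, that most traffic should pass automatically and only a small band reach a human.

```python
"""Whitebox risk rules with a dynamic-friction decision.

Added example, not SEON's scoring engine. Rule names, weights and thresholds
are assumptions; the feature dicts are constructed and stand for the output
of an enrichment step (email, IP, phone, account and order data).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    name: str
    weight: int
    test: Callable[[dict], bool]


# Every rule reads features with .get() so a missing enrichment field counts
# as "not triggered" instead of crashing the checkout.
RULES = [
    Rule("disposable email domain", 40, lambda f: f.get("email_disposable", False)),
    Rule("free email provider", 5, lambda f: f.get("email_free", False)),
    Rule("auto-generated email local part", 10, lambda f: f.get("email_autogenerated", False)),
    Rule("IP from hosting/VPN range", 25, lambda f: f.get("ip_hosting", False)),
    Rule("IP > 500 km from shipping address", 20,
         lambda f: (f.get("ip_ship_distance_km") or 0) > 500),
    Rule("card BIN country differs from IP country", 20,
         lambda f: bool(f.get("bin_country")) and f.get("bin_country") != f.get("ip_country")),
    Rule("VoIP phone number", 15, lambda f: f.get("phone_voip", False)),
    Rule("account younger than 1 day", 10, lambda f: f.get("account_age_days", 999) < 1),
    Rule("amount > 3x customer's average", 15,
         lambda f: bool(f.get("avg_order_amount")) and f.get("amount", 0) > 3 * f["avg_order_amount"]),
]

# Dynamic friction bands (assumed): most traffic passes silently, the middle
# band gets a step-up challenge, a narrow band goes to an analyst, the top is blocked.
APPROVE_BELOW = 30
STEP_UP_BELOW = 60
REVIEW_BELOW = 80


@dataclass
class Decision:
    score: int
    action: str                                    # approve | step_up | review | reject
    triggered: list = field(default_factory=list)  # (rule name, weight): the explanation


def score_checkout(features: dict) -> Decision:
    triggered = [(r.name, r.weight) for r in RULES if r.test(features)]
    score = sum(w for _, w in triggered)
    if score < APPROVE_BELOW:
        action = "approve"
    elif score < STEP_UP_BELOW:
        action = "step_up"   # OTP, selfie ID or document upload before payment
    elif score < REVIEW_BELOW:
        action = "review"    # queue for a fraud analyst
    else:
        action = "reject"
    return Decision(score, action, triggered)


def action_mix(feature_dicts) -> Counter:
    """Share of traffic per bucket; the review bucket is the one to keep small."""
    return Counter(score_checkout(f).action for f in feature_dicts)


# Constructed feature dicts for three checkouts.
CLEAN = {"email_free": True, "ip_hosting": False, "ip_ship_distance_km": 0.8,
         "ip_country": "HU", "bin_country": "HU", "phone_voip": False,
         "account_age_days": 400, "amount": 89.99, "avg_order_amount": 70.0}
MID = {"email_free": True, "ip_ship_distance_km": 620.0, "account_age_days": 0,
       "amount": 49.0, "avg_order_amount": 50.0}
HIGH = {"email_disposable": True, "email_autogenerated": True, "ip_hosting": True,
        "ip_ship_distance_km": 1144.9, "ip_country": "NL", "bin_country": "HU",
        "phone_voip": True, "account_age_days": 0, "amount": 899.0}

if __name__ == "__main__":
    for name, f in (("clean", CLEAN), ("mid", MID), ("high", HIGH)):
        d = score_checkout(f)
        print(f"{name}: score={d.score} action={d.action} because={d.triggered}")
```

The clean checkout scores 5 and is approved without the user noticing anything; the mid one (new account, IP 620 km away) scores 35 and gets a step-up challenge; the high one scores 140 and is rejected, with the list of triggered rules available to the analyst and to customer support. Because each `Decision` carries its own explanation, a risk manager can see exactly why a score landed where it did and adjust a weight rather than guess, which is the practical meaning of "whitebox".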
Productivity Enhancement
At the end of the day, you want your fraud fighting tools to enhance the analyst's decision making ability. Your system needs to integrate with your other systems, it must present information clearly and concisely, and it shouldn't just dump data on you, but highlight what's important and why.
A quick system integration is essential when deploying an anti-fraud system, but you can go one step further by adapting it to your industry productivity needs.
For instance, you could combine payment analysis with another workflow to reduce the risk of money laundering. We have seen businesses trigger alerts when a purchase is above a certain threshold, so the risk team can take a manual look at it.
Pricing Model
When it comes to risk management, the pricing model can make or break a solution. Beyond the price tag lie different incentives that define the relationship between you, your customers and your vendor. It can quite literally change your organization's risk appetite.
This is why you should carefully weigh different options when it comes to your transaction fraud system’s pricing model.
Many vendors operate on a chargeback guarantee model, meaning they reimburse you for chargebacks on transactions their system approved.
However, this creates a strong incentive for the fraud management company to be as conservative as possible. If you would rather hand off the headache of managing chargeback fees to them, it can work well.
But if you want a bit more control over how you mitigate risk to accept more conversions, it could be in your best interest to look at other pricing models, such as pay-per-API-call.
This lets you control your ROI based on the number of transactions you process monthly, which is great for scaling operations and for seasonal upticks in payment processing.
Online Payment Fraud Detection – Key Takeaways
Transaction fraud shows no signs of slowing down. Curbing your chargeback rate is no longer simply a matter of boosting profits; it is now a fundamental business decision and a competitive advantage. The good news is that fraud detection software has evolved in leaps and bounds over the years. You now have greater flexibility when it comes to integration, pricing model, and how your service chooses to mitigate risk.
Frequently Asked Questions about Online Payment Fraud Prevention
Have proper risk scoring in place so you can block or review suspicious transactions before approval.
Have your CS team informed about past customer behaviour and their connections to other users who have requested refunds multiple times.
Generally you should be screening signups, transactions and logins, but you can screen other critical actions as well – like address or password changes.
A simple social media lookup performed on the registration email address can help confirm whether the customer matches the name on the card.
Simple: verify your customers in the background and only require IDs from suspicious users via dynamic friction.
It depends on your risk appetite: chargeback guarantees mean the system will be more conservative and block more good transactions that merely appear risky. This shows up as a cost on your end, since your support team will have to deal with it, or the customer will turn to a different service in frustration.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.