Table of contents
- Part 1: What are Chargebacks?
- Part 2: Understanding Chargeback Fraud
- Part 3: Chargeback Fraud Prevention
- Part 4: Chargeback Fraud Detection
- Data Enrichment
- Device Fingerprinting
- Behaviour Analysis
- Considering False Positives / Customer Insult Rate
- How Chargeback Fraud Prevention works with SEON
If you browse the online forums for Shopify, the largest online store builder in the world, you’ll find hundreds of comments from new merchants who are baffled by a sudden apparent rise in chargeback rates.
The key takeaway? Chargebacks are inescapable, damaging, and often completely unexpected.
The sad reality is that they are a fact of life for pretty much every online business offering Cardholder Not Present (CNP) payments.
However, it doesn’t have to be this way.
In this guide, we’ll deep dive into the problem of chargeback fraud, why it happens, and what you should do to solve it.
Part 1: What are Chargebacks?
Chargebacks occur when a credit-card provider requests that a retailer processes a refund due to a fraudulent or disputed transaction.
The chargeback process is ultimately designed to protect customers. At their core, chargebacks are a force for good, but they’re also a piece that fits within a complex payment ecosystem and can be used for fraudulent purposes.
How do Chargebacks work?
Chargebacks occur either when someone is dissatisfied with a product they bought online or over the phone or when someone maliciously uses a card without the owner’s knowledge. In these instances, the account holder can claim a forced reversal of funds back to their bank account – or chargeback.
The funds have to be taken from the merchant’s account and sent back to the customer. This can take weeks or months and costs a great deal in administrative fees, which are always passed on to the merchant by the acquiring bank.
Four Reasons Why Buyers Request Chargebacks
- Merchant error: shipped the wrong item, forgot a discount, or technical mistake.
- Unauthorized payments: usually by family members, such as children who purchase mobile games without their parent’s consent.
- Clear fraud: card details have been stolen by fraudsters who purchased goods without the original cardholder’s authorization.
- Friendly fraud: also known as chargeback abuse or liar buyer. This is a growing problem which we will break down in detail below.
Since the COVID-19 pandemic, merchants have also seen a rise in chargeback requests used as a weapon against stores. For instance, customers use chargebacks to protest against a return policy they disagree with.
What is Chargeback Law?
In 1974, the Fair Credit Billing Act in the US decreed that consumers who noticed a suspicious credit card transaction could contest it with their bank. The goal was to boost trust in the credit card system and to disincentivize merchants from committing fraud. Similar legislation was also put in place in other territories, for example the Consumer Credit Act in the United Kingdom.
Who is Involved in the Chargeback Process?
To understand why chargebacks are so expensive, it helps to visualize who is involved in the process:
- Buyer, or customer: the person who files a chargeback request. Also known as the original/legitimate cardholder.
- Merchant: the online store or business that sold the goods or services. They can either accept the chargeback or fight it through a dispute.
- Issuer: The bank connected to the buyer’s credit card.
- Acquirer: The bank or financial institution that processes card payments for the merchant.
- Payment Gateway: the software used to transfer transaction data from the merchant to the acquirer.
- Credit card company: The organization that oversees the whole chargeback process. As we’ll see, major credit card companies have different procedures for dealing with chargebacks.
Key Chargeback Scenarios
After a chargeback is initiated, there are three potential scenarios:
- The merchant accepts the chargeback and loses the funds, plus a fee
- The merchant disputes the chargeback and loses their appeal. The same outcome occurs as above – they lose the funds, plus a fee
- The merchant disputes the chargeback and wins.
The dispute process is in no way straightforward and can be extremely time-consuming. It may take weeks and requires extensive knowledge of chargeback codes for specific reasons, and there can be a second chargeback or pre/arbitration stage.
Risk teams can lose hours fighting one single dispute, which is why many merchants opt to simply deal with the loss rather than wasting energy challenging the chargeback.
What are the costs of Chargebacks?
Chargebacks add insult to injury for retailers. They lose a sale, a physical or digital item, and also have to pay a fee of $20 – $100 on top. If chargebacks occur too often, merchants can incur additional penalties as well.
Failing to meet a credit card company’s requirements for chargebacks means merchants will be considered high-risk, fined, and in extreme cases, prevented from accepting the company’s payment methods altogether.
In fact, it has been estimated that every dollar lost to a chargeback costs merchants $2.40. This means a $100 chargeback can result in losses of more than $240 due to the extra fees.
And that’s before we even consider the additional time and effort lost as a result of chargebacks for the sales team, IT or customer support agents – and fraud managers.
Part 2: Understanding Chargeback Fraud
There is limited published data regarding chargebacks as involved parties tend to keep information on them to themselves.
Issuing banks and card networks refuse to publish essential data. Merchants are also worried it could damage their reputation.
However, generally, there are four key reasons why buyers request chargebacks.
What is Chargeback Fraud?
Chargeback fraud is when a customer attempts to receive goods for free – either by directly requesting an illegitimate chargeback or by using a stolen credit card that subsequently is charged back by the legitimate cardholder.
The biggest problem for businesses is accepting a payment from a stolen credit card. These card numbers are either:
- Physically stolen
- Acquired via phishing techniques
- Bought on the dark web
By the time the legitimate cardholder issues a chargeback request, your business has dispatched the goods and has to foot the bill.
The fraudster disappears with stolen goods and you’re left with one missing sale, less cash in the bank, and an angry potential customer.
This is what it costs you:
- Merchants lose $2.40 (£1.70) for every $1 (71p) a fraudster takes
- There’s almost one chargeback for every 49 legitimate transactions
- Chargebacks increase 41% every two years.
It’s possible to do the calculations based on your own business finances but suffice it to say, it’s enough of a problem to be worried about.
What Types of Fraud are Associated with Chargebacks
Whilst some chargebacks will stem from merchant error, i.e. poor customer service, there are situations where the complaint can also be filed both intentionally and accidentally.
Criminal fraud is where a stolen credit card or infiltrated account is used to purchase goods and services without the actual cardholder’s permission. The legitimate cardholder will then claim that the transaction was not authorized and trigger a chargeback process. This is the most common type of fraud related to chargebacks.
Friendly fraud occurs when a customer purposefully goes directly to a bank to initiate the chargeback claim in order to abuse company policies and ultimately keep the purchased products without paying for them.
It is worth noting that honest disputes can lead to chargebacks, often due to a breakdown in communication between both parties and poor customer service.
How Stolen Credit Card Numbers End Up On Your Site
Unfortunately, fraudsters have access to a growing number of methods with which to obtain other people’s details.
Most people will already be familiar with phishing, where fraudsters pose as legitimate companies via email, SMS or phone to get people to submit their details voluntarily, often on fake websites.
One trend we’ve seen develop in the last few years is to create fake job posts and gather information through online application forms and videos.
Credit card skimmers are also on the rise, and FICO estimated a 70% increase in compromised credit cards between 2016 and 2017.
These malicious card readers are installed to “skim” the physical card information and send it back to criminal servers and can particularly be found at gas stations and ATMs.
Abusing zero-day vulnerabilities in e-commerce platforms continues to be the major source of credit card theft.
In these cases, the fraudster exploits a bug in the e-commerce system before the developer has the opportunity to create a patch.
Point of Sale (PoS) malware is also something to watch out for, and so are other viruses, trojans, and malicious software found on tablets, phones, and personal computers.
Data breaches, which show no sign of slowing down, can also contain credit card information along with personal details. This data usually ends up on the darknet where fraudsters are able to purchase it.
This is all before the challenge of friendly fraud is taken into account, when the legitimate cardholder becomes part of the problem.
How Does Friendly Fraud Work?
Friendly Fraud happens when a cardholder initiates a chargeback for a purchase made with their physical card but the card was not stolen. It tends to fall into three categories:
- Innocent or accidental requests: the refund request is made by customers who do not recognize a purchase made with their own credit card. It is known as friendly, or first-party, fraud because the card is indeed in the legitimate cardholder’s possession at the time.
- Opportunistic friendly fraud: refunds are increasingly weaponised by opportunistic and dissatisfied customers. This could be because of a store policy they disapprove of, or simply because they feel buyer’s remorse. An example of a customer disapproving of a policy may be that a customer service department has offered some kind of account credit or gift card instead of a refund as a result of a complaint. Wardrobing, which is mentioned above in the return fraud section, also falls under that umbrella.
- Malicious friendly fraud: At first glance, there seems to be a contradiction in terms here. However, the fact is that some buyers will know in advance that they’re going to request a chargeback. These bad customers have every intention of attempting to have their cake and eat it, by receiving an item, claiming it never arrived, and asking for their money back.
The problem, of course, is that detecting friendly fraud is a lot more difficult. We’ll go over how this can be done in Part 3 of this guide.
Understanding Triangulation Fraud for Chargebacks
A recent fraud technique making waves in the eCommerce world has been triangulation fraud. It works as follows:
- A cardholder makes a purchase from a marketplace seller (e.g. eBay)
- The seller is in fact a fraudster, and buys the same item from a legitimate online store
- They use a stolen credit card number and give the legitimate store the original customer’s shipping address
- This item is shipped to the customer
- The owner of the stolen credit card number notices a transaction they haven’t made and initiates a chargeback
- The legitimate online business attempts to get in touch with the eBay seller, but is ignored. It has no option but to pay the chargeback fee.
In this scenario, the initial customer receives the item they paid for and the marketplace seller appears legitimate.
However, behind the scenes, someone’s money is stolen, and it’s the legitimate online store that has to refund it, after shipping the item(s). This is a great example of how widespread and sophisticated fraud has become.
Fraudsters are always on the lookout for new avenues to exploit, especially as online stores and marketplaces are constantly attempting to provide a frictionless and fast payment experience for customers.
So we’ve seen how easy it is for fraudsters to target your business and how bad it could be, but what should you do? Here are some simple steps you can take today.
Part 3: Chargeback Fraud Prevention
Educating buyers goes a long way towards preventing refund requests. Luckily, there are a number of steps that any online business can take to reduce the number of attempted chargebacks.
6 Ways to Reduce Chargeback Fraud
- Be as descriptive as possible: Your products or services should be described as precisely as possible to ensure customers aren’t disappointed, or underwhelmed, by the difference between what they expect and what they receive.
- Be easy to reach: This is particularly useful with buyer’s remorse (or friendly fraud). It is important to have a phone number, live agent or support email for customers clearly highlighted on your website. Your contact details should also be present on receipts, emails and packing slips.
- Respond as quickly as possible: This adds a lot of value and is part of the overall customer service experience any business should offer.
- Ensure you have full authorization for an order: To prevent improper authorization chargebacks, an online merchant should get authorization for each package they ship out from their store/warehouse.
- Wait until shipping before charging: There is a difference between an authorization hold and the time at which the customer is charged. The customer should not be charged until the goods leave the warehouse, or the services have been provided.
How to Prepare for Chargeback Fraud in 3 Steps
Preparing your business for fighting chargebacks is great. Preventing them from happening in the first place is even better.
This is where there’s no match for a good fraud prevention tool. It should give you a good idea of who your buyers really are, by focusing on three key touchpoints:
- Signup: This is the ideal phase to flag fraudsters because, if identified, they won’t even be able to access your website.
- Login: In the case of Account Takeover (ATO), it’s important to see if customers really are who they say they are.
- Purchase: Your last chance to prevent a fraudulent transaction from taking place. This stage is the one where you should do all possible card checks. This includes ensuring the card is valid (using the BIN number for instance), and confirming the customer’s billing address. All the standard security checks such as 3D-Secure (3DS) should also be put in place at this stage.
Luckily, there is a tremendous amount of information you can leverage to ensure fraudulent purchases don’t go through.
Part 4: Chargeback Fraud Detection
For every transaction your customer makes, there are basic fields that they need to fill in. With data enrichment you can use this information, behind the scenes, to learn more about them. SEON allows you to obtain a wide variety of additional data points, including:
Reverse Social Media Lookup
- Identify if a user’s email address is linked to one or more of over 20 social media platforms.
- Obtain a user profile picture and biography.
- See when the customer was last online.
- Is the customer’s email address from a disposable or temporary email domain?
- Does it require SMS verification?
- Is it a free or high-risk provider?
- How old is the domain?
- How often is the domain updated?
Full Address Profiling
- When was the address created?
- Does the address match their name?
- Can the owner information be verified on a WHOIS database?
Data breach check
- Can the customer’s email address be found on lists of known leaks?
- From this the age and maturity of the email address can be inferred.
- Fresher addresses imply an increased risk.
- Identify if the user’s phone number is linked to one or more messaging apps such as Viber, WhatsApp etc.
- Obtain a user profile picture and biography.
- See when the customer was last online.
- Detects the origin country for a customer’s phone number
- Identify the type of number – either landline or mobile
- See who the network carrier is
- Highlight virtual SIMs and eSIM numbers
- Filter out invalid phone numbers
Detect Risky Connections
- Spot proxy, VPN, and Tor usage.
- Pings open HTTP ports to detect the usage of proxies.
Internet Service Provider (ISP) Identification
- Identify public and private ISPs.
- The risk factor can be increased depending on the category of the ISP.
Spam Blacklist Scams
- Flag if the customer’s IP address has been blacklisted for spamming
All the data available isn’t just useful to immediately spot obvious fraudsters. It can also be stored for future use to be able to dispute a chargeback or to be used as part of a manual review – when you aren’t sure if you should accept the payment or not.
Every user connects to your website using a combination of a device, be it a smartphone, laptop or tablet, and a browser, such as Google Chrome, Microsoft Edge, Mozilla Firefox or Safari.
This combination is the initial starting point for what is called a User Configuration.
By combining this with as many additional data points as possible, you can create a form of User ID. This allows you to:
- Identify loyal customers
- Flag suspicious connections
- Block suspicious logins
- Spot connections between users.
In the context of chargeback prevention, this is an extremely effective way to identify payments made in suspicious circumstances, for instance from a previously-unseen device.
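A small sketch of the idea above, added here as an illustration and not taken from SEON's product: it hashes a device and browser configuration into an ID, then flags a known account appearing on a previously-unseen device and spots accounts that share one device. The attribute names and sample sessions are assumptions, and an exact hash like this changes whenever any attribute changes, so it is only the starting point the text describes.

```python
import hashlib
from collections import defaultdict

# Attribute names are assumptions for this example; commercial fingerprinting
# collects far more data points than these six.
CONFIG_FIELDS = ("user_agent", "platform", "screen", "timezone", "language", "fonts")

def device_id(attrs):
    """Hash one device + browser configuration into a stable identifier."""
    canonical = "\x1f".join(f"{k}={attrs.get(k, '')}" for k in CONFIG_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

class DeviceGraph:
    """Remembers which accounts used which device IDs, in both directions."""
    def __init__(self):
        self.devices_by_account = defaultdict(set)
        self.accounts_by_device = defaultdict(set)

    def observe(self, account, attrs):
        """Record a session and return the flags it raises."""
        dev = device_id(attrs)
        known = self.devices_by_account[account]
        others = self.accounts_by_device[dev] - {account}
        flags = []
        if known and dev not in known:
            flags.append("new_device_for_account")      # payment context changed
        if others:
            flags.append("device_shared_with:" + ",".join(sorted(others)))
        known.add(dev)
        self.accounts_by_device[dev].add(account)
        return flags

# Constructed sample sessions (not real users or devices).
LAPTOP = {"user_agent": "ExampleBrowser/1.0 (Desktop)", "platform": "Win32",
          "screen": "1920x1080", "timezone": "Europe/London",
          "language": "en-GB", "fonts": "set-a"}
PHONE = {"user_agent": "ExampleBrowser/1.0 (Mobile)", "platform": "Android",
         "screen": "412x915", "timezone": "Asia/Bangkok",
         "language": "en-US", "fonts": "set-b"}
SESSIONS = [("alice", LAPTOP), ("alice", LAPTOP), ("alice", PHONE), ("bob", PHONE)]

def replay(sessions=SESSIONS):
    """Feed the sessions through a fresh graph and collect the flags per session."""
    graph = DeviceGraph()
    return [graph.observe(account, attrs) for account, attrs in sessions]

if __name__ == "__main__":
    for (account, _), flags in zip(SESSIONS, replay()):
        print(account, flags or "no flags")
```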
Bricks-and-mortar retailers are able to recognize suspicious customers relatively easily, but online it’s necessary to gather and analyze data points.
To prevent chargebacks, it may be necessary to look at complex sets of data points to understand what users are doing online.
For example, it’s possible to use velocity rules to look at how often an action is performed, such as:
- Numerous failed login attempts within a set timeframe.
- The shipping address being changed quickly.
- A number of different credit cards being attempted at the checkout.
This data can then be fed through risk rules, to help decide if the payment looks suspicious or not.
Here is an example of how a score can be calculated:
- Email domain is a free provider. At least 2 online profiles were found. Score + 0
- The IP address was found on 1 spam blacklist. Score + 0
- The customer is using a data center ISP. Score + 10
- Port 80 is open on the IP address. Score + 1
- There are 2 or more suspicious open ports on the IP address. Score + 8
By adding and averaging the total number of points, it is possible to get a score that may indicate risk. The rules can be weighted in order of importance.
For instance, thresholds can be set for automatically accepting payments or automatically rejecting them if they reach a certain fraud score.
For scores that fall within a grey area, it’s possible to initiate a manual review process, ideally with the aforementioned data enrichment.
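The velocity rules, rule points and accept/review/reject thresholds described above, combined in one added example (not SEON's implementation). The enrichment rule points are the ones from the score example; the thresholds, time windows, velocity points, the list of suspicious ports and the sample events are assumptions, and the score here is a plain sum of points.

```python
from collections import deque

# Assumed for this example: thresholds, windows, velocity points and the
# suspicious-port list. They are illustrative values, not from the page.
APPROVE_BELOW, DECLINE_FROM = 10, 25
SUSPICIOUS_PORTS = {1080, 3128, 8080}
VELOCITY_RULES = {  # kind: (window seconds, trigger count, points, count distinct values?)
    "login_failed":   (600, 5, 5, False),
    "address_change": (3600, 2, 4, True),
    "card_attempt":   (3600, 3, 10, True),
}

def enrichment_points(sig):
    """Static rules and points taken from the page's score example."""
    ports = set(sig["open_ports"])
    checks = [
        ("free email, 2+ online profiles", sig["free_email"] and sig["social_profiles"] >= 2, 0),
        ("IP on 1 spam blacklist", sig["spam_blacklists"] == 1, 0),
        ("data center ISP", sig["isp_type"] == "datacenter", 10),
        ("port 80 open", 80 in ports, 1),
        ("2+ suspicious open ports", len(ports & SUSPICIOUS_PORTS) >= 2, 8),
    ]
    return [(label, pts) for label, hit, pts in checks if hit]

def velocity_points(user, events):
    """Replay events in time order; score each rule whose sliding window trips."""
    windows = {kind: deque() for kind in VELOCITY_RULES}
    tripped = {}
    for ts, who, kind, value in sorted(events, key=lambda e: e[0]):
        if who != user or kind not in VELOCITY_RULES:
            continue
        span, limit, points, distinct = VELOCITY_RULES[kind]
        q = windows[kind]
        q.append((ts, value))
        while q[0][0] <= ts - span:          # drop events older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= limit:
            tripped[kind] = points           # each rule scores once per assessment
    return [(f"velocity: {kind}", pts) for kind, pts in tripped.items()]

def assess(user, events, signals):
    """Return (score, decision, reasons) for one checkout."""
    reasons = enrichment_points(signals) + velocity_points(user, events)
    score = sum(pts for _, pts in reasons)
    decision = ("decline" if score >= DECLINE_FROM
                else "approve" if score < APPROVE_BELOW else "review")
    return score, decision, reasons

# Constructed sample data (not real traffic); timestamps are in seconds and
# card values are opaque tokens, never card numbers.
EVENTS = [
    (0, "u1", "login_failed", None), (30, "u1", "card_attempt", "tok-A"),
    (60, "u1", "card_attempt", "tok-B"), (90, "u1", "card_attempt", "tok-A"),
    (120, "u1", "card_attempt", "tok-C"), (50, "u2", "card_attempt", "tok-Z"),
    (4000, "u2", "address_change", "addr-1"),
]
SIGNALS = {
    "u1": dict(free_email=True, social_profiles=0, spam_blacklists=1,
               isp_type="datacenter", open_ports=[80, 1080, 3128]),
    "u2": dict(free_email=True, social_profiles=3, spam_blacklists=0,
               isp_type="residential", open_ports=[]),
    "u3": dict(free_email=False, social_profiles=1, spam_blacklists=0,
               isp_type="datacenter", open_ports=[80]),
}

if __name__ == "__main__":
    for user, sig in SIGNALS.items():
        print(user, assess(user, EVENTS, sig))
```

Keeping the reasons next to the score gives a manual reviewer, or a later chargeback dispute, the evidence behind each decision.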
Considering False Positives / Customer Insult Rate
What’s the best way to completely reduce chargebacks? Accept zero payments.
Of course, this isn’t something your business can or should do. But, it should make you question whether having a stringent fraud prevention process is always the right idea.
Case in point: the problem of false positives, which some companies also call the customer insult rate. When this happens, legitimate customers are blocked from making payments on your website.
As can be imagined, these customers become frustrated and will happily take their business elsewhere.
Unfortunately, if a fraud prevention system is badly configured – or offers a chargeback guarantee solution (where the cost of chargebacks is absorbed) – this can be a strong incentive to be overzealous.
In this instance, the solution that has been deployed for a better, safer business, could actually end up costing more in the long run with dissatisfied and frustrated customers.
How Chargeback Fraud Prevention works with SEON
At SEON, we combine a number of modules to gather and enrich data, and then utilise sophisticated machine learning to generate a risk score.
- Powerful Device Fingerprinting: This generates browser and device fingerprint IDs, which allow users to be tracked across incognito browsing, emulators and VPNs. Thousands of data points are collected and compared to identify bad users – even after they reinstall or update their browser.
- Email Profiling: A single email address can reveal useful information through data enrichment. The social media lookup feature can be used to evaluate how risky the address is by looking at the domain age, type, string analysis, and more.
- Predictive Scoring: Combines machine intelligence with human insights to generate risk scores. The rules can be tweaked manually and improve over time.
- Whitebox Machine Learning: SEON’s algorithm learns from previous chargeback patterns and retrains itself numerous times a day. Results are provided via human-readable rule suggestions with specific accuracy percentages, where rules are branches and parameters are the nodes of a decision tree.
- Behaviour Analytics: Complete customer activity on your website can be collected and screened via our easy-to-use API. It is possible to enable specific algorithms for login, checkout and even signup to prevent fraudulent transactions at the earliest point possible.
- Micro-fee model: Pay per transaction check. Ensures payments from legitimate customers aren’t automatically blocked whilst avoiding chargebacks.
Our goal is to give you all the tools you need to understand who is visiting and attempting to shop on your website as soon as they arrive.
SEON is there to create an invisible safety net to immediately block obvious fraud, and review medium-risk customers – all while making life easy for your loyal and low-risk users.