Payment Fraud: What it is and How to Stop it

What is payment fraud?

Payment fraud occurs when a bad actor uses a consumer’s stolen payment information to make unauthorized digital transactions and payments. It causes losses to both consumers and businesses. When a consumer notices a fraudulent transaction and disputes it with the merchant, the business incurs several losses, including chargebacks, penalties and remediation costs. These do not even include the valuable time and effort merchants must spend settling the disputes. The consumer faces emotional trauma trying to block compromised cards and get the losses reversed. Another example of payment fraud is where consumers themselves initiate a false claim.

Factors leading to a rise in payment fraud

Payment fraud is a growing challenge for merchants and businesses, with fraudulent transactions increasing nearly 46% year-on-year in 2021. Fraudulent transactions using payment cards amounted to more than $32 billion in 2021, and this figure is expected to rise to $38.5 billion by 2027.

One of the prime factors contributing to the rise in payment fraud is retail purchases becoming digital. Consumers can hail a taxi, order food, socialize and look for romance through a range of apps. They also have multiple digital payment options including card not present, payment apps, digital wallets, peer-to-peer payment platforms, and internet banking among others. Attackers especially target card-not-present (CNP) transactions and Buy Now Pay Later (BNPL) or Point of Sale (PoS) lending, which allows consumers to break the payments into equal installments.

Financial services are increasingly becoming digital with consumers demanding on-the-go banking services. In-person verification is declining as account onboarding formalities are going digital. While this has made access to banking and financial services easier, it has also opened up a large area for attack. For instance, during the COVID-19 pandemic, attackers stole government-sponsored stimulus checks and unemployment benefits. They also duped many citizens into donating online for fake charities.

Common methods of payment fraud

Bad actors are in the business of making money. They use the path of least resistance to maximize their exploits. Therefore, they choose the attack method depending on the target and potential returns. Some of the common methods bad actors employ for payment fraud are:

  • Identity theft: This is the most common method where bad actors compromise consumer accounts through account takeover attacks and steal payment credentials, which are then used for fraudulent transactions.
  • Phishing: A form of social engineering, bad actors use emails and fake websites to trick consumers into sharing their financial information such as credit card details, bank account details, and login details. Attackers then use these valid pieces of information for payment fraud.
  • Wire transfer scams: Bad actors manipulate consumers and businesses into loaning money with the promise of returning the money at a later date, which never happens.
  • Merchant identity fraud: Attackers create fake merchant accounts on eCommerce platforms and ‘sell’ fictitious items. They offer disproportionate discounts to attract customers and simply vanish after receiving the payments.
  • Refund fraud: In this type of fraud, attackers shop for an item and, after receiving it, falsely dispute the transaction. They request a refund, claiming that the item was never received. In this way, they get the refund as well as the item.
  • Clean fraud: To execute this type of fraud, bad actors study the fraud detection system that the target business has deployed. They then use stolen payment credentials to circumvent them.
  • Pagejacking: Using this method, attackers hijack a part of the eCommerce website to redirect consumers to a fake website. This website serves as a conduit to infiltrate the business network’s security system. 

How to detect and stop payment fraud

Businesses cannot keep absorbing fraud losses as a cost of doing business. They need to implement effective steps to counter payment fraud as it can be detrimental to their business continuity. Attackers are always on the lookout for potential targets and it is not a matter of ‘if’ but ‘when’ a business may be attacked next. 

A successful attack not only causes financial losses but also has long-term repercussions such as damage to the brand image and customer churn. It is therefore essential that businesses adopt measures to detect and stop payment fraud. Some of the common methods are:

  • Address Verification System: AVS checks whether the billing address provided during the transaction matches the one on the issuer’s file. In case of a mismatch, further verification can be carried out.
  • Card Verification Value: To authorize online transactions, consumers must provide the CVV code printed on the credit card. If the CVV provided does not match with the card details, the transaction is declined.
  • Payer authentication: Using this method, which is also called 3D Secure, cardholders can generate a code to confirm their identity at the checkout stage.
  • Risk scoring: Based on predefined rules and a number of other digital parameters, risk scoring tools evaluate the probability of a transaction being fraudulent.
  • Monitor large transactions: Bad actors try to max out stolen credit cards quickly through large purchases. Any transaction that is disproportionately large compared to the regular transactions made from the credit card should raise an alarm.
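
The checks listed above can be combined into a single rule-based risk score. The following is an added example, not code from the original article or from any vendor it mentions; the weights, thresholds, field names and sample amounts are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed weights and thresholds (illustrative, not from the article).
WEIGHTS = {"avs_mismatch": 40, "cvv_mismatch": 100, "large_amount": 40}
REVIEW_AT, DECLINE_AT = 40, 80
LARGE_MULTIPLIER = 5   # "disproportionately large" = over 5x the card's median spend
MIN_HISTORY = 3        # with fewer past payments, skip the size check

# Constructed sample: past amounts for one card.
HISTORY = [42.0, 18.5, 63.0, 25.0, 37.9]

def is_disproportionate(amount, history):
    """True when the amount is far above the card's usual spend."""
    if len(history) < MIN_HISTORY:
        return False  # not enough data to call anything unusual
    return amount > LARGE_MULTIPLIER * median(history)

def score_transaction(txn, history):
    """Return (score, decision, reasons) for one card-not-present payment."""
    reasons = []
    if not txn["avs_match"]:
        reasons.append("avs_mismatch")   # billing address differs from issuer's file
    if not txn["cvv_match"]:
        reasons.append("cvv_mismatch")   # a CVV mismatch alone reaches the decline bar
    if is_disproportionate(txn["amount"], history):
        reasons.append("large_amount")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"              # step up to further verification
    else:
        decision = "approve"
    return score, decision, reasons

if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        {"amount": 40.0, "avs_match": True, "cvv_match": True},
        {"amount": 55.0, "avs_match": False, "cvv_match": True},
        {"amount": 1200.0, "avs_match": False, "cvv_match": True},
        {"amount": 30.0, "avs_match": True, "cvv_match": False},
    ]
    for txn in samples:
        print(txn, "->", score_transaction(txn, HISTORY))
```

Returning the reasons alongside the decision lets an analyst see which signal drove a review or decline.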

Limitations of these techniques

Fighting fraud is a constant cat-and-mouse game between attackers and businesses. Being more creative and technically savvy, attackers are able to circumvent the common fraud detection techniques. This is because they spend time studying the anti-fraud mechanisms that businesses have deployed, and devise ways to bypass them. Unlike, say, a decade ago when attackers had to build their own attack infrastructure, they now have a whole cybercrime ecosystem – complete with attack toolkits, fraud-as-a-service, expertise, and 24/7 support – to leverage.

In response to new threats, businesses end up deploying multiple solutions that often work standalone and cannot communicate with each other. This not only creates a disjointed security infrastructure but also leads to information overload that needs additional efforts to collate – even before beginning the analysis – thus hampering protection efforts. Furthermore, these solutions tend to treat good users on par with bad actors, which can degrade user experience.

Businesses need a fresh approach to fighting fraud that deters attackers long-term while keeping the interests of good users front and center.

FAQ

The use of stolen credit card details or hacking into legitimate user accounts through account takeover to make unauthorized transactions is called payment fraud.

 

The most common methods attackers use for payment fraud include phishing, advance fee or wire transfer scams, merchant identity fraud, friendly fraud, and refund fraud, among others.

The common methods businesses use to detect and stop payment fraud are address verification system (AVS), card verification value (CVV), risk scoring, and monitoring large transactions.

Attackers are in the business of making money. They invest time and resources to make the attack successful and maximize the returns. They study the fraud defense mechanisms that businesses deploy and create workarounds accordingly. According to their targets, attackers use bots, human click farms, or a combination of both.

Arkose Labs wastes the attackers’ resources using adaptive, step-up enforcement challenges to bankrupt the business model of fraud. The Arkose Labs platform does not block any incoming user, to ensure potentially revenue-generating customers are not filtered out. Instead, it allows users to prove their authenticity and proceed with their digital journeys.

Arkose Labs protects the entry gates – logins and new account registration – which prevents attackers from entering the business networks. The Arkose Labs platform diverts all incoming traffic to the business website or app to its own network, creating a buffer for the business to continue business activities as usual.

The platform triages the incoming traffic and, depending on the real-time risk assessment of every incoming user, informs the challenge-response mechanism to present an appropriate 3D challenge. While good users can clear the challenges in a fun way, bots and scripts fail. This is because the challenges are trained against the most advanced machine vision technology, which makes them resilient to bots of various advancement levels. Arkose Labs offers an SLA guarantee for foiling automated attacks and an industry-first $1M warranty against credential stuffing attacks.

For persistent malicious human attackers, the challenges keep increasing in volume and complexity. To clear them at scale these attackers would need to invest additional time, effort, and resources. This erodes the profitability from the attack and makes it financially non-viable – to an extent that attackers are forced to give up.

Arkose Labs goes beyond simple mitigation to help businesses deter fraud without causing unnecessary hurdles for good users. This enables businesses to maintain good user throughput while ensuring long-term protection against evolving threats.