What is payment fraud?
Payment fraud is where a bad actor uses a consumer’s stolen payment information to make unauthorized digital transactions and payments. It causes losses to both consumers and businesses. When a consumer notices a fraudulent transaction and disputes it with the merchant, the business bears several losses, including chargebacks, penalties and remediation costs, on top of the time and effort merchants must spend settling the disputes. The consumer, meanwhile, faces the stress of blocking compromised cards and getting the losses reversed. Another form of payment fraud is where consumers themselves initiate a false claim.
Factors leading to a rise in payment fraud
Payment fraud is a growing challenge for merchants and businesses, with fraudulent transactions increasing nearly 46% year-on-year in 2021. Fraudulent transactions using payment cards amounted to more than $32 billion in 2021, and this figure is expected to rise to $38.5 billion by 2027.
One of the prime factors contributing to the rise in payment fraud is that retail purchasing has gone digital. Consumers can hail a taxi, order food, socialize and look for romance through a range of apps. They also have multiple digital payment options, including card-not-present payments, payment apps, digital wallets, peer-to-peer payment platforms and internet banking, among others. Attackers especially target card-not-present (CNP) transactions and Buy Now Pay Later (BNPL) or Point of Sale (PoS) lending, which lets consumers split a payment into equal installments.
Financial services are increasingly becoming digital with consumers demanding on-the-go banking services. In-person verification is declining as account onboarding formalities are going digital. While this has made access to banking and financial services easier, it has also opened up a large area for attack. For instance, during the COVID-19 pandemic, attackers stole government-sponsored stimulus checks and unemployment benefits. They also duped many citizens into donating online for fake charities.
Common methods of payment fraud
Bad actors are in the business of making money. They take the path of least resistance to maximize their returns, so they choose the attack method according to the target and the potential payoff. Some of the common methods bad actors employ for payment fraud are:
- Identity theft: This is the most common method where bad actors compromise consumer accounts through account takeover attacks and steal payment credentials, which are then used for fraudulent transactions.
- Phishing: A form of social engineering, bad actors use emails and fake websites to trick consumers into sharing their financial information such as credit card details, bank account details, and login details. Attackers then use these valid pieces of information for payment fraud.
- Wire transfer scams: Bad actors manipulate consumers and businesses into loaning money with the promise of returning the money at a later date, which never happens.
- Merchant identity fraud: Attackers create fake merchant accounts on eCommerce platforms and ‘sell’ fictitious items. They offer disproportionate discounts to attract customers and simply vanish after receiving the payments.
- Refund fraud: Attackers buy an item and, after receiving it, falsely dispute the transaction. They request a refund, claiming that the item was never received. In this way, they keep the item and get the refund.
- Clean fraud: To execute this type of fraud, bad actors study the fraud detection system that the target business has deployed. They then use stolen payment credentials to circumvent them.
- Pagejacking: Using this method, attackers hijack a part of the eCommerce website to redirect consumers to a fake website. This website serves as a conduit to infiltrate the business network’s security system.
How to detect and stop payment fraud
Businesses cannot keep absorbing fraud losses as a cost of doing business. They need to implement effective steps to counter payment fraud as it can be detrimental to their business continuity. Attackers are always on the lookout for potential targets and it is not a matter of ‘if’ but ‘when’ a business may be attacked next.
A successful attack not only causes financial losses but also has long-term repercussions such as damage to the brand image and customer churn. It is therefore essential that businesses adopt measures to detect and stop payment fraud. Some of the common methods are:
- Address Verification System: AVS checks whether the billing address provided during the transaction matches the one on the issuer’s file. In case of a mismatch, further verification can be carried out.
- Card Verification Value: To authorize online transactions, consumers must provide the CVV code printed on the credit card. If the CVV provided does not match the card on file, the transaction is declined.
- Payer authentication: Using this method, also called 3-D Secure, cardholders confirm their identity at the checkout stage with a code they generate.
- Risk scoring: Based on predefined rules and a number of other digital parameters, risk scoring tools evaluate the probability of a transaction being fraudulent.
- Monitor large transactions: Bad actors try to max out stolen credit cards quickly through large purchases. Any transaction that is disproportionately large compared to the regular transactions made with that card should raise an alarm.
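A rule-based risk scorer that combines the checks listed above (AVS, CVV, 3-D Secure and disproportionately large amounts) into one approve/review/decline decision. This is an added illustration, not code from the original article or from any real fraud engine; the weights, thresholds, `Transaction` fields and sample card history are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Weights and thresholds are illustrative assumptions, not values from a real engine.
# A CVV mismatch alone reaches the decline threshold, matching the rule in the text.
WEIGHTS = {"avs_mismatch": 30, "cvv_mismatch": 70, "no_3ds": 20, "large_amount": 35}
REVIEW_THRESHOLD = 40   # hold for manual review
DECLINE_THRESHOLD = 70  # decline outright

@dataclass
class Transaction:
    card_id: str
    amount: float
    avs_match: bool     # billing address matched the issuer's file (AVS)
    cvv_match: bool     # CVV matched the card on file
    three_ds_ok: bool   # cardholder passed 3-D Secure at checkout

def is_disproportionate(amount, history, factor=3.0):
    """True when the amount dwarfs the card's regular spend.
    Too little history means 'unknown', not 'large', so no flag."""
    if len(history) < 3:
        return False
    return amount > factor * median(history)

def score_transaction(txn, history):
    """Return (score, reasons) from the AVS, CVV, 3-D Secure and size checks."""
    reasons = []
    if not txn.avs_match:
        reasons.append("avs_mismatch")
    if not txn.cvv_match:
        reasons.append("cvv_mismatch")
    if not txn.three_ds_ok:
        reasons.append("no_3ds")
    if is_disproportionate(txn.amount, history):
        reasons.append("large_amount")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(txn, history):
    """Map the score to an approve / review / decline outcome."""
    score, reasons = score_transaction(txn, history)
    if score >= DECLINE_THRESHOLD:
        return "decline", score, reasons
    if score >= REVIEW_THRESHOLD:
        return "review", score, reasons
    return "approve", score, reasons

# Constructed sample: one card's recent purchases and two new attempts.
HISTORY = {"card_42": [35.0, 48.0, 52.0, 40.0, 61.0]}
NORMAL = Transaction("card_42", 55.0, True, True, True)
SUSPECT = Transaction("card_42", 1900.0, False, True, False)
```

Calling `decide(SUSPECT, HISTORY["card_42"])` declines the $1,900 attempt because the AVS mismatch, missing 3-D Secure and the amount (far above three times the card's median spend) add up past the decline threshold, while the $55 purchase is approved with no reasons.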
Limitations of these techniques
Fighting fraud is a constant cat-and-mouse game between attackers and businesses. Being creative and technically savvy, attackers are able to circumvent the common fraud detection techniques: they spend time studying the anti-fraud mechanisms that businesses have deployed and devise ways to bypass them. Unlike, say, a decade ago, when attackers had to build their own attack infrastructure, they now have a whole cybercrime ecosystem – complete with attack toolkits, fraud-as-a-service, expertise and 24/7 support – to leverage.
In response to new threats, businesses end up deploying multiple solutions that often work standalone and cannot communicate with each other. This not only creates a disjointed security infrastructure but also leads to information overload that needs additional effort to collate – even before the analysis begins – thus hampering protection efforts. Furthermore, these solutions tend to treat good users on par with bad actors, which degrades the user experience.
Businesses need a fresh approach to fighting fraud that deters attackers long-term while keeping the interests of good users front and center.