Fraudulent online transactions occur when someone deliberately uses another person's identity to make a false or illegal transaction. As society has embraced digital payments, fraudsters have found new and ingenious ways to take advantage of unsuspecting consumers.
In this article, we will explore the world of online payment fraud, explaining the different types of online payment fraud and how you can prevent it.
What is online payment fraud?
Online payment fraud is where the victim's card details are used to purchase goods or services online without permission. Online payments are a popular target for fraudsters because they don’t need to have a physical card in their possession. All they need is the card details, which can be stored digitally. Fraudulent online transactions are a relatively easy deception because it is hard for the seller to verify whether the purchase is genuine.
Types of online fraud
There was a time when Amazon was a small website selling books online. They’d ring a bell each time they made a sale. When it rang, staff would gather around a computer to see if they knew the buyer. The bell was retired long ago. If Amazon had it now, the bell would ring over 1,000 times a minute. Amazon’s growth story mirrors that of online payment fraud. When Amazon’s bell was ringing, online shopping was in its infancy and fraudulent online transactions were rare. As consumers migrated to online shopping, the fraudsters followed in their droves. And as online retailers have become more sophisticated, so have the fraudsters.
Fraudsters deploy a range of tactics to defraud consumers and businesses. These include:
Phishing – Phishing occurs when users are tricked into sending the fraudsters information that they desire, such as credit card, bank account or login credentials. Phishing can be done by text message, social media, or phone, but most fraudsters choose email because it can be done cheaply and in large volumes. More on this later.
Hacking – This is when someone hacks into a computer system to steal sensitive information.
Identity theft – Also known as ‘identity fraud’. This is when a fraudster deliberately steals a person’s card, card details or personal details such as their name, date of birth, and current or previous addresses to use their card or impersonate their victim and commit a crime. These details can be stolen online or from rubbish or recycling bins.
Card skimming – This is when a device is placed on a card reader to record card information. The card reader could be on an ATM or a point-of-sale handset. The fraudsters will recover the device and use this information to make online purchases using the stolen card data.
Chargeback fraud – This can happen in two different ways. One is when a customer makes an online purchase and then disputes the charge with their credit card company by claiming that the goods were not as advertised or never received. The other is when a stolen card is intentionally used to make an online purchase and the charge is then disputed as unauthorised.
Pagejacking – Pagejacking is when part of a legitimate website is hacked, and its visitors are re-routed to a fake section of that website to fool the user so that the hacker can infiltrate the user’s network security system or access their payment details.
Advance fee and wire transfer scams – These types of scams occur when users are asked to transfer money with the promise that they will receive something later.
Merchant identity fraud – This occurs when someone poses as a legitimate business to charge stolen credit cards. In this scenario, the payment facilitator is liable for the loss.
Social engineering – A scenario that often involves an elaborate back story and a great deal of patience from the fraudster who will deviously win someone’s trust before persuading them to pass on personal information.
Chargeback fees and card scheme rules
There are two ways a chargeback can occur. The first is when a customer disputes a transaction, claiming an error in service (such as damaged goods or the delivery not arriving). This is prone to fraud since it can be tempting for cardholders to dishonestly claim that the goods were damaged or that they didn’t arrive. The second is when the card has been fraudulently used to buy something without the cardholder's knowledge.
As well as refunding the cardholder, the seller must pay a chargeback fee to their payment provider. Each payment provider has card scheme rules to limit the number of chargebacks an online seller can receive before heavier fines are imposed. It therefore pays e-commerce businesses to invest in fraud detection and prevention to minimise the risk of chargebacks.
How to deal with online fraud
In this section, we look at how businesses and cardholders can reduce the likelihood of fraudulent online transactions.
Best practice - For cardholders
Guard your personal information - Be careful who you give personal information to. Details such as your name, address, bank details, email and phone number are all invaluable to fraudsters. So, only give this kind of data to people if they have proved that they require it for a legitimate purpose. If someone is asking for this kind of data, then it is acceptable to ask them why they need it and how they will store it. If you need help, contact the company using a known email or phone number.
Use the latest security on all devices – Your goal should be to ensure that your online devices are impossible to penetrate. Set your computer browser to a high level of security and monitoring. Always install the latest software updates. Ensure your computer operates the latest anti-virus software with an up-to-date firewall installed.
Use strong passwords and 2FA - Two-factor authentication (2FA) is a great way to boost online security. You should also protect your email account with a long, unique password that includes numbers, letters, and symbols.
Be alert to phishing – online fraud often starts with a phishing email, text or phone call. Emails are the most popular method because they can be executed at volume. Phishing is a simple and effective technique to fool people into passing on sensitive personal data such as their card or bank details. Question all unexpected emails or texts. If you think about it, why would your bank or a supplier email you to ask if you can click a link to confirm your bank details? If you are unsure, contact your bank using details on a genuine correspondence such as a bank statement.
Layer up your card protection – Sign up to Visa Secure (which used to be known as Verified by Visa) or MasterCard Secure Code. These are security processes that require you to register a password with your card company. They are worth doing because they add another layer of security to online transactions. If you have signed up, you may be asked for something like a single-use code sent to your mobile when you make an online purchase.
Check your credit file – Contact credit organisations such as Callcredit, Equifax and Experian to ask for a copy of your credit file. By regularly checking credit files, you can look for entries you don’t recognise.
Consider identity protection – Some services will monitor your credit report and notify you by email or text if it spots potentially fraudulent activity. If fraud occurs, the service will assign a dedicated caseworker to help you resolve things.
Shred private information – Shredding paper that carries your card details is a good way of safely disposing of things like receipts and bank statements.
Be aware – If you are being contacted by organisations that you don’t normally deal with, then be aware and take action as soon as you become suspicious because your identity may have been stolen.
Follow the ‘Is it too good to be true?’ rule – If you have been contacted by someone claiming something amazing, such as a surprisingly high return on a new investment for no risk, then be wary. It could just be too good to be true. Remember that fraudsters create elaborate processes and are experienced at convincing many intelligent people who think they are being careful.
Best practice – for e-commerce businesses
Chargeback fraud - Verify the customer’s identity to ensure that they own the card used to make the purchase. This can be done by asking for a CVV code or implementing fraud detection tools such as address verification or IP geolocation.
Update your network security systems – Ensure you have the latest firewall and antivirus software versions. Set your computer browser to a high level of security and monitoring.
Unique user IDs – Everyone with computer access should be assigned a unique user ID. Employ a process to authenticate each user.
Test regularly – Regularly test security systems and processes, including vulnerability scans.
Antivirus checks - Run frequent security checks with appropriate antivirus software.
Track the trends – Keep up to date with the latest fraud trends and the countermeasures for them, implementing those that make sense for your business and enquiring about others that may help.
Choose your partners carefully – Ensure you partner with a verified payment processor. There are plenty of legitimate ones to choose from!
Encrypt your emails – Encryption transforms data so that only someone holding the right key can read it. Encrypt transactions and emails containing confidential information.
Change passwords regularly – Change vendor-supplied default passwords and security settings. And change your passwords, tokens, and login credentials regularly.
Staff communication - Protect all stored cardholder data. Establish a policy to limit stored data and restrict access to confidential information such as cardholder data. Ensure that your staff know your procedures and why they are important.
Customer login – Set up your processes so that customers can log in to their account before making a purchase.
Create an information security policy – Keep it maintained, reviewing and updating it annually.
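The identity checks the list above recommends against chargeback fraud (CVV, address verification, IP geolocation, customer login) and the chargeback limits in card scheme rules can be combined into a simple merchant-side screening step. The following is an added example, not code from the article or any payment provider; the CVV/AVS result codes, the point weights, the decision thresholds and the sample orders are all assumptions for illustration, and real processors return their own response codes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed response codes for this example; map your processor's real
# CVV/AVS codes onto these before use.
CVV_MATCH = "M"
AVS_FULL_MATCH = "Y"


@dataclass
class Transaction:
    order_id: str
    amount_gbp: float
    cvv_result: str        # "M" match, "N" no match, "U" not checked
    avs_result: str        # "Y" full match, "A"/"Z" partial, "N" no match
    billing_country: str   # country from the billing address
    ip_country: str        # country from IP geolocation of the buyer
    logged_in: bool        # customer logged in to an account before buying


def screen(tx: Transaction) -> tuple[str, list[str]]:
    """Score one order against the checks the article lists and return an
    accept/review/reject decision plus the reasons that fired."""
    rules = [
        (tx.cvv_result != CVV_MATCH, 40, "cvv_mismatch"),
        (tx.avs_result == "N", 30, "avs_no_match"),
        (tx.avs_result not in ("N", AVS_FULL_MATCH), 10, "avs_partial"),
        (tx.ip_country != tx.billing_country, 25, "ip_country_mismatch"),
        (not tx.logged_in, 10, "guest_checkout"),
        (tx.amount_gbp >= 500, 15, "high_value"),   # extra scrutiny on big orders
    ]
    fired = [(points, why) for hit, points, why in rules if hit]
    score = sum(points for points, _ in fired)
    reasons = [why for _, why in fired]
    decision = "reject" if score >= 60 else "review" if score >= 30 else "accept"
    return decision, reasons


def chargeback_ratio(chargebacks: int, transactions: int) -> float:
    """Share of transactions charged back, to compare against the limit in
    your provider's scheme rules (the 1% used in the test is a placeholder)."""
    return chargebacks / transactions if transactions else 0.0


# Constructed sample orders: clean, clearly fraudulent, and borderline.
SAMPLE = [
    Transaction("A1", 49.99, "M", "Y", "GB", "GB", True),
    Transaction("A2", 620.00, "N", "N", "GB", "US", False),
    Transaction("A3", 120.00, "M", "Z", "GB", "FR", True),
]
```

Orders that land in "review" are the ones worth a manual check before shipping, since a chargeback on them costs the refund plus the provider's fee.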
Key takeaways
Online payment fraud is where the victim’s card details are used to purchase goods or services online without permission.
Online payments are a popular target for fraudsters because they don’t need to have a physical card in their possession.
When committing online payment fraud, fraudsters can deploy a range of tactics, including phishing, hacking, chargebacks, card skimming, pagejacking, and social engineering.
There are lots of things that cardholders can do to make it harder for fraudsters to target them. This includes:
Guarding their personal information.
Using the latest anti-virus software with an up-to-date firewall installed.
Setting their computer browser to a high level of security and monitoring.
Using strong passwords that include numbers, letters, and symbols.
Using two-factor authentication (2FA)
Being alert to phishing. This is when fraudsters deliberately fool their victims into passing sensitive and personal data such as their card or bank details.
Signing up for Visa Secure or MasterCard Secure Code to add another layer of security to online transactions.
Checking their credit file.
Paying for an identity protection service.
E-commerce businesses can also take action to make it harder for fraudsters to target them. They can do this by:
Updating their network security systems to the latest versions.
Running frequent antivirus checks on their software.
Keeping current on the latest fraud trends and implementing countermeasures when it makes sense.
Only working with a verified payment processor.
Encrypting their emails and transactions.
Changing passwords, tokens, and login credentials regularly.
Creating an information security policy and ensuring that staff understand how to use it and why the business needs to take such measures.
Setting up their processes so that customers can log in to their accounts before purchasing.
Q&A
Q: What is online payment fraud?
A: Online payment fraud occurs when a debit or credit card is used to purchase goods or services online without permission from the cardholder.
Q: Why have fraudulent online transactions continued to rise?
A: Online fraud has increased, broadly in line with the popularity of online transactions.
Q: Why do fraudsters often use email when phishing?
A: Although phishing can be done by text message, social media, or phone, email is the most popular form because attackers can send large volumes of emails to users and hide within busy email boxes that most users have. As email phishing becomes more sophisticated, unsuspecting users can be easily fooled into thinking that a carefully constructed email is legitimate.
Q: What is a CVV code?
A: CVV stands for Card Verification Value. It is a unique three-digit code printed onto the customer’s card.
Q: Is online payment fraud legal?
A: No. It is illegal to steal someone else’s identity to buy goods or services online.
Q: What types of online fraud exist?
A: There are many ways in which a fraudster can choose to defraud their victims, from phishing (tricking a victim into passing on sensitive information) and stealing a victim’s identity, to hacking into a computer system and using a device to skim the victim’s card at an ATM or a point-of-sale handset.
Q: What can cardholders do to reduce the chances of online fraud happening to them?
A: There are several ways in which cardholders can demonstrate caution. The most effective is simply being aware of the tactics that fraudsters use, keeping up to date with these tactics and asking themselves ‘is this offer too good to be true?’. A ‘safe and secure’ mindset will encourage cardholders to demonstrate caution by using the latest software upgrades, regularly changing strong passwords and utilising 2FA. They should also be mindful of phishing scams. Layering up their card protection by signing up for Visa Secure or MasterCard Secure Code is a great idea if they have Visa or Mastercard® cards.
Q: What can ecommerce businesses do to make it harder for fraudsters to target them?
A: E-commerce businesses and their staff should be aware of the latest fraud trends and follow a set of data protection processes including updating their network security systems to the latest versions, running frequent antivirus checks on their software and encrypting their emails and transactions. Staff should also change their passwords and login credentials regularly.