Payment fraud: What is it and how to protect your business

Payment fraud occurs when a person who is not the legitimate owner of the payment instrument initiates a payment to commit fraud.

The main challenge for businesses is to keep up with the different techniques used to commit payment fraud and identify them on time. Understanding what types exist and how they can affect your business is important before looking at how to build an effective fraud management strategy.

Credit card fraud

Credit card fraud is when fraudsters use stolen card details to commit fraud by charging purchases to an account or removing money from it.

Some examples on how to detect and prevent credit card fraud:

• Perform AVS (Address Verification Service) or CID (Card Identification) checks on transactions to verify the payment location and the card’s presence.

• Apply behavioral analytics technology that flags suspicious behavior, such as someone purchasing an item multiple times, multiple purchases with the same email, or orders delivered to the same address using different payment details.

Card testing fraud

Card testing fraud is when stolen cards are tested to see if they’re active. If they are, they can be sold on the dark web for a much higher price than untested ones.

Fraudsters can see if a card is active by entering the card details when signing up for a subscription-based service with a free trial. The subscription business then performs a zero-amount authorization to see if the card is active.

Some examples on how to detect and prevent card testing fraud:

• Apply behavioral analytics technology to identify fraudulent checkout attempts.

• Use transaction data to understand your shoppers’ behavior and use velocity risk checks and business rules to optimize for full funnel conversion.

• Check order time frames. Card testers involving bots/scripts are on the rise; you can identify them by spotting many transactions within a short time frame.

Account takeover fraud

Account takeover fraud is when fraudsters get access to shoppers’ accounts and change the account details. Fraudsters can either use websites where shoppers have an account with saved payment details or create websites that look legitimate to steal the credentials of unsuspecting shoppers.

Some examples on how to detect and prevent account takeover fraud:

• Use timeline visualization to understand the normal behavior of genuine shoppers and how they differ after account takeovers.

• Ask for verification once account details are changed, for example, when a shipping address is changed.

Friendly fraud

Friendly fraud, also known as first-party fraud, is when a shopper purchases goods on an ecommerce website and initiates a chargeback without a legitimate reason.

Some examples on how to detect and prevent friendly fraud:

• Ensure your risk system can recognize patterns that identify serial-friendly fraudsters, such as shoppers who have initiated multiple service-related disputes across different cards and identities.

• Use blocked lists to make sure those bad shoppers don't return.

• Leverage a solution that can recognize fraudsters who shop across multiple global businesses so you can fine-tune your risk assessment

Policy abuse: Refund fraud 

Refund fraud is when a professional fraudster makes money by requesting business refunds. It’s becoming increasingly common and can be very difficult to detect.  This is also commonly known as policy abuse - when shoppers get well acquainted with your business’ policies in order to take advantage of things such as returns, refunds or promotions

Retailers also see a trend where bad actors return different products than they ordered, such as counterfeit merchandise or even bottles of water.

Some examples on how to detect and prevent refund fraud:

• Make sure your risk system has unified commerce capabilities so you can fully understand a shopper’s lifecycle and view past orders to identify refund fraud.

• Use a combination of unique attributes and leverage custom risk rules to mitigate such scenarios and identify unique shoppers misusing those details.

Gift card fraud

Gift card fraud is a common way to commit transactional fraud because the cards are hard to trace and aren’t as heavily regulated as debit or credit cards. An example of gift card fraud is when a fraudster uses stolen payment details to buy a product online and then returns it for a refund on a gift card.

Some examples on how to detect and prevent gift card fraud:

• Use contextual data to help build a much stronger defense against gift card fraud.

• Use a combination of custom risk checks and block lists based on this data to help spot these transactions.

• Identify misuse of gift cards by using custom risk rules and specified indicators to mitigate such events.

Payment fraud has a negative impact on businesses. Here are a few of the consequences:

• Money lost

• Increased chargeback fees

• Reputational damage

• Legal and regulatory challenges

Due to legacy technology not being able to balance security with customer experience, many businesses end up compromising revenue and customer experience by being too stringent. Payments are blocked as soon as something stands out from normal customers' behavior. Differentiating between fraudsters and customers can be difficult and lead to genuine transactions being blocked. This will directly affect revenue and leave customers unhappy with the buying experience.

Fraud detection is the process of identifying fraudsters and fraudulent behavior. There are different tactics businesses can use to differentiate legitimate customers from fraudsters, such as using machine learning, pattern recognition, and data analysis. 

Payment fraud solutions can detect behavioral abnormalities and determine whether customers are genuine or fraudsters. Due to the different types of payment fraud, a 'one-size-fits-all' approach will not work. A better way to detect fraud is to invest in financial technology that takes a nuanced approach that balances risk and conversion decisions to reduce costs and maximize revenue.

Fraud prevention is the process of preventing fraudulent activities from impacting the business, customer, or financial institution. To do this effectively, businesses need to maintain full control and reduce operational workload. This is done by combining risk rules with machine learning and manual reviews.

Supervised machine learning Supervised machine learning involves a combination of risk knowledge and machine learning. Businesses can create risk profiles to help automate part of the risk assessment, saving time and reducing risk management efforts. The bigger the scale of the platform the machine learning model is learning from, the more your business will benefit. These models can learn from multiple channels, payment instruments and regions to build strong shopper understanding and ensure that automated decisioning does the heavy lifting.

Customizable risk rules Different industries and business models face different types of risks. Through customizable risk rules, businesses can create risk profiles tailored to their unique needs and use them to complement the payment evaluation process of machine learning models. This can help optimize underperforming risk profiles or rules, and monitor the impact of changes. .

Manual review Certain types of transactions are at a higher risk of being targeted by fraudsters, these include high-value transactions or transactions in high-risk markets. For an extra layer of fraud protection, businesses can choose to manually review these types of transactions before they’re completed to avoid negative bottom line impact.

The best way to optimize your risk setup is to test and experiment. It is hard to know which risk strategy will best evolve with your business and the market unless you test it. To find out what works for you, you can  backtest the impact before you activate a new rule, or change the settings of an existing rule. You can run the rule on historical data to give you more confidence in the effect of the rule before you turn it on. You can set up different configurations and A/B test them against each other to experiment which methods are the most effective for your business.

To know if your fraud strategy is working, you need to be able to measure success in a way that makes sense for your business - taking into account the latest trends, operational particularities, conversion goals and risk appetite. To do this, you need to:

1. Define success

2. Decide KPIs

3. Measure fraud

4. Benchmark

There are different tactics businesses can use as part of their risk strategy to reduce fraud and differentiate fraudsters from genuine customers.

Delegated authentication

Delegated authentication allows businesses to prevent fraud without compromising on conversion rates. It involves handing over the authentication process to a third party and optimizes authentication experiences, especially for returning shoppers. This allows businesses to offer safe and seamless experiences while increasing conversion rates.

3D Secure

3D Secure 2 (3DS) is a security measure for online payments that allows businesses to prevent payment fraud while providing customers with safe and effortless payment experiences. 

With 3DS, the acquirer, scheme, and issuer interact with each other to exchange information and authenticate transactions. This improves the payment experience for your customers and saves you the costs of fraudulent chargebacks.

3D Secure is mandatory for countries mandated under Payment Services Directive 2 (PSD2). However, businesses anywhere can also use it to protect themselves against fraud.  

Tokenization

Tokenization allows businesses to replace sensitive data with non-sensitive ones. This allows businesses to recognize their customers, enables one-click and zero-click payments, increases security and compliance with regulations, and reduces fraud and chargebacks.

Peak season

Fraud increases during peak season. And it’s important to be ready to protect your customers without losing sales. Here are a few things to consider for peak season:

• Fraud setup and rules

• Conversion optimization

• Monitoring and analysis

Risk threats change based on industry, which means that the solutions to support them will vary.

Hospitality

The hospitality industry is especially vulnerable to cyberattacks, with many hotels finding it challenging to keep up with evolving regulations. To address this, hotels need a financial technology partner to implement secure systems that adhere to regulations throughout the entire payment data lifecycle, across different geographies. 

Employing tokenization can also help safeguard guest information from start to finish, enhancing guest experiences while ensuring compliance.

Digital

Combating fraud with manual rules is a time-consuming and ineffective process for digital businesses within the mobility, gaming, or software industry, putting revenue and customer satisfaction at risk.

By using machine learning (ML), businesses can automate complex decisioning to save time and focus on improving customer experiences rather than maintaining static rules.

Online businesses can also use to protect customers from online payments fraud. Digital wallets like Apple Pay and Google Pay, and major card schemes use network tokens to create effortless and secure online payments experiences.

Discover how GetYourGuide is using fraud prevention technology to enhance the customer experience. 

Retail  

Many retailers have operations and channels across regions. Building risk strategies and collecting insights  in one place will create important synergies but it can be a big challenge. With a unified fraud solution, retailers can respond to fraud with customizable risk rules with speed and ease across all their brands and channels.

Discover how True Alliance reduced fraud from 3.5% to under 0.1%. 

The more people shop online, the more opportunities there are for fraudsters to commit payment fraud. To keep up, businesses must provide a better and safer customer experience while not losing sight of conversion.

Although the techniques for committing fraud are evolving, the options for tackling them are improving. By leveraging the right technology and building an effective risk strategy, businesses can protect themselves, their customers, and their bottom lines. 

RevenueProtect is our unique risk management product, which includes various tools to detect, prevent, and respond to fraud. Our solution assesses thousands of characteristics of an incoming transaction to determine the likelihood of fraud and either block it or direct it to additional risk checks. Our models are trained on a global, cross-industry data network to ensure you continually optimize for conversion and squeeze more revenue out of every transaction.

RevenueProtect video