What is payment fraud, and how can you reduce your exposure risk?
There are many types of payment fraud. Generally speaking, payment fraud happens when someone steals another person’s credit card or payment information to make unauthorized transactions or purchases.
How are credit cards so easily stolen? In addition to password-stealing tactics like credential stuffing and brute force attacks, the popularity of online shopping has created a channel that hackers easily profit from. With so many customers making purchases and storing credit cards online, criminals can exploit technical loopholes and run scams that take advantage of unsuspecting consumers, leaving business owners holding the (empty) bag.
Today we’ll review five common types of payment fraud that can affect your business and what you can do to prevent them.
1. Identity Theft
Identity theft is the most common type of fraud and may be the one people fear most. Why create a new identity when you can steal someone else’s — someone who already has bank accounts and credit cards?
Cybercriminals who steal customer information to impersonate someone else are perpetrating identity theft. Once criminals establish themselves as someone else, they can attempt to make fraudulent purchases or infiltrate financial accounts to steal money.
While there are many ways for a criminal to steal someone’s identity, the anonymity of the internet makes it even easier to perpetrate online. Hackers can steal login credentials by hijacking public WiFi, breaking through unsecured networks, or exploiting known software vulnerabilities.
2. Phishing
Phishing scams have gotten much attention recently, making people more aware of how easily they can be tricked into revealing personal information or clicking on malicious links. However, phishing scams have also been increasing in sophistication, fooling even the savviest computer users.
There are many types of phishing today, including spear phishing, vishing, whaling, smishing, and consent phishing. There are also types of phishing attacks that use language and social engineering instead of URLs to steal money and data. These scams include Business Email Compromise (BEC) and executive phishing (also known as CEO fraud).
Phishing refers to a process in which personal information is illegally gathered via emails or websites that pose as legitimate sources. Experienced hackers pose as people from known businesses or entities that inspire trust, enticing people to divulge sensitive customer data including:
- Usernames and passwords
- Email addresses
- Credit card numbers
- Bank account numbers
3. Pagejacking
Pagejacking happens when hackers break into an ecommerce store’s site, hijack one or more pages, and redirect traffic to phony websites that look legitimate. Customers enter their data into forms that the hackers harvest for use elsewhere, and the hijacked pages may also deliver malware or ransomware implants that infiltrate the customer’s computer network.
Online business owners must be vigilant about guarding against suspicious online activity, as hackers can exploit weaknesses to steal sensitive data and do untold further damage.
4. Friendly Fraud
There’s nothing friendly about friendly fraud. Cybercriminals aren’t the only ones committing payment fraud. A recent study showed that 86% of all chargebacks are probable cases of friendly fraud. Unlike more sophisticated fraud perpetrated by hackers, “friendly” fraud can be carried out by just about anyone.
Friendly fraud occurs when someone makes a legitimate purchase with their credit card but then chooses not to pay for it, claiming that the item was damaged, not delivered, or never ordered at all. The person then contacts their credit card company and files a chargeback, receiving funds not owed to them.
The largest share of merchants’ losses comes from friendly fraud, which is hard to identify and almost impossible to prevent.
5. Merchant Identity Fraud
Merchant identity fraud happens when criminals set up a merchant account that resembles a legitimate business. They make charges using stolen credit cards and then disappear before the real cardholders discover the purchases and reverse the fraudulent transactions.
Unfortunately, the business is liable for the loss plus any additional fees associated with credit card chargebacks.
A variant of merchant identity fraud is Vendor Email Compromise (VEC), which is a long-con email attack where scammers compromise a legitimate third-party vendor’s email account and use it as a vehicle for stealing money and data from other stakeholders.
How to Reduce Your Risk of Exposure to Payment Fraud
There is no sure-fire way to prevent all payment fraud attempts. However, you can take precautions that mitigate your risk.
- Keep up-to-date on the latest payment fraud trends.
- Encrypt emails and transactions that contain confidential information.
- Run regular security checks with antivirus software and email fraud prevention tools.
- Maintain a “principle of least privilege” to limit access to sensitive data.
- Ensure that passwords and login credentials are changed regularly.
- Disable guest logins for ecommerce stores.
- Use two-factor authentication (2FA) or multi-factor authentication (MFA) to protect against unauthorized access.
- Partner with a verified payment gateway.
- Make sure your site has a current SSL certificate.
Payment fraud can be difficult to detect and prevent, hurting your customers and damaging your business. Protecting your company against payment fraud can be challenging, but consistently using the right tools and strategies helps guard your data, your reputation, and customer relationships.