Lawmakers and the retail industry together have worked hard over the past several decades to minimize credit card fraud in brick and mortar stores. New POS payment technologies such as EMV chips, contactless payments, dynamic data, and thorough encryption have almost entirely eliminated card-present fraud.
But, of course, criminals aren’t stupid and they have found new ways to steal. eCommerce retail stores have opened new avenues for electronic theft. Card-not-present (CNP) theft has grown each year – U.S. Payments Forum predicts that eCommerce fraud will grow to over $7 billion annually by 2020. Retailers must be vigilant, following anti-fraud best practices and adhering to all industry regulations. So let’s take a look at what CNP fraud is, its different types, how to spot it, and how to best prevent retail fraud in eCommerce.
CNP fraud is rather self-explanatory: a criminal conducts some sort of operation on your online store that takes either product, currency, or financial data from your business. The concept certainly isn’t new, but this channel is still in its infancy. And businesses are working hard to keep it at bay.
Unfortunately, small businesses are at particular risk for fraud. In fact, a survey from the Association of Certified Fraud Examiners (ACFE) estimates that over half of small retailers suffer from some version of online fraud. For many SMBs, it can be too expensive or time-consuming to institute the proper protection against the risk of theft. But a theft or security breach can be even more crippling. Certain types of fraud can come with fines if your business is found to be in violation of certain standards. Plus, a security breach that compromises your customers’ financial security will lead to a loss of trust, even among your most loyal shoppers. Many smaller retailers simply can’t afford to recover from these added insults to the injury.
Online fraud can come in various forms, making it even tougher to stop. It’s a faceless crime so it’s harder to trace, and it can even come from across the world. Because it’s common and difficult to solve, authorities are less inclined to spend time trying to catch the criminal.
But as they say, knowledge is power. And it’s important to familiarize yourself with each of the types of eCommerce fraud so as to better protect yourself from it.
1. Clean Fraud
One of the most common, clean fraud in eCommerce involves a criminal using a stolen credit card to complete a purchase. It’s more difficult for the webstore retailer to identify this as fraud since the criminal has all necessary bank information to unsuspiciously complete a purchase. Typically, the card information is stolen through online data breaches, though it can also happen with a stolen physical card that is then used online. In either event, the merchant is responsible for chargebacks and the lost merchandise.
2. Friendly Fraud
Anything but friendly, this technique only involves the criminal and retailers. A person makes a purchase and then claims that the product was never delivered, their card was stolen, or that they never actually placed an order. This is also sometimes referred to as Chargeback Fraud.
3. Refund Fraud
Rather than using a stolen number to order the product itself (clean fraud), in refund fraud the criminal makes an exceptionally large purchase and then asks for reimbursement. Of course, they claim the original account has been closed or compromised and request that the money be returned to a separate account.
4. Merchant Fraud
This type of card-not-present fraud is reserved for online marketplaces that are responsible for both the seller and the buyer, as well as for facilitating the transaction (like eBay). The criminal sets up a fraudulent platform in this marketplace, receiving payment for items that they will never ship. These are short-lived schemes but can rake in a lot of money. In the end, the marketplace is responsible for recompense.
5. Card Testing Fraud
A more advanced technique, card testing often uses multiple eCommerce stores and relies on bots. Many e-retailers specifically highlight the incorrect parts of the credit card information in an attempted order. For instance, a declined order might show that the thief is only missing the expiration date, narrowing the missing information down. With bots automating these attempts, the correct information can be identified surprisingly quickly. Often they will use card testing on one site before using the data to make the purchase at a separate eCommerce store.
6. Identity Fraud
Criminals can also find their way into a store’s database, allowing them to steal usernames, passwords, credit card data, and sometimes even more personal information (driver’s license, passport, and SSNs). This information can be used right away to make a fraudulent purchase, but oftentimes it is sold to secondary thieves who open new accounts with the victim’s identity.
7. Reshipping Fraud
Perhaps the most frustrating of the bunch because it involves two criminals, reshipping starts with a clean fraud purchase but has it shipped to an alternate address. This minimizes the initial fraudster’s risk since it’s not going directly to their address. They often pay the resident at this secondary address to ship the product to the final destination.
8. Triangulation Fraud
One of the more complicated forms of online fraud, triangulation involves criminals setting up a fake store, oftentimes selling products at an outrageously cheap price. This false storefront has the sole purpose of farming card data. Once the data is collected, the fraudster will either make purchases for themselves, or use the customer card to buy the goods from an actual merchant, charging the shopper twice, and keeping the initial discounted price.
9. Interception Fraud
This starts with creating orders whose billing and shipping addresses match the address attached to the compromised card. By doing so, the fraudsters don’t raise any red flags. Following the order placement, they have several different tactics. Often they ask for an address change through either the retailer or the shipping company. In a more rudimentary tactic, they simply wait at the address for the delivery and then steal the package.
10. Account Takeover/Phishing Fraud
Many online retailers offer their shoppers the option to store their card data on the website. Benefiting both the customer and the retailers, this option adds convenience to the shopping experience and lowers the rates of abandoned carts. Fraudsters find various ways to infiltrate these accounts, usually through phishing scams. Most commonly, they send emails to past customers tricking them into revealing their passwords. Once the account is compromised the theft is remarkably easy to complete.
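To make the card testing defense concrete, here is an added example (not code from the original article or from any eCommerce platform) of a checkout handler that shows the same generic decline message whatever detail was wrong, and that throttles clients with repeated declines. The class and function names, the `processor_result` shape, and the limits are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Same text for every decline, so a bot cannot learn which field was wrong.
GENERIC_DECLINE = "Payment could not be processed. Check your details or use another card."
MAX_DECLINES = 5       # assumed limit per client IP
WINDOW_SECONDS = 600   # assumed look-back window


class DeclineThrottle:
    """Tracks recent declines per client IP and blocks clients that keep failing."""

    def __init__(self, max_declines=MAX_DECLINES, window=WINDOW_SECONDS):
        self.max_declines = max_declines
        self.window = window
        self._declines = defaultdict(deque)  # ip -> timestamps of recent declines

    def _prune(self, ip, now):
        q = self._declines[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return len(self._prune(ip, now)) >= self.max_declines

    def record_decline(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now).append(now)


def checkout_response(throttle, ip, processor_result, now=None):
    """Map a payment result to what the shopper sees.

    processor_result is a hypothetical dict such as
    {"approved": False, "reason": "expiry_mismatch"}. The reason belongs in
    the merchant's own logs and is never echoed back to the client.
    """
    if throttle.is_blocked(ip, now):
        return {"status": 429, "message": "Too many attempts. Try again later."}
    if processor_result["approved"]:
        return {"status": 200, "message": "Order placed."}
    throttle.record_decline(ip, now)
    return {"status": 402, "message": GENERIC_DECLINE}
```

In a real checkout the `is_blocked` check would run before the card is sent to the processor at all, so a throttled bot gets no further authorization attempts.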
There are some easy ways to identify fraud on your website. It’s best to educate yourself on these to prevent them from happening, or at least to catch them as quickly as possible. The faster your response time, the better the chances are of recouping your losses and protecting your customers. Keep in mind that a transaction with one or two of these conditions is probably nothing to worry about, but if a single order contains several, it is probably worth investigating.
1. Big Orders
Credit card thieves don’t expect to have use of the stolen card for long. So to take advantage of it, they typically will place unusually large orders.
2. New Shoppers
Criminals are more likely to shop at unfamiliar places that they’ve never associated with before. Once they make one fraudulent purchase, they’ll likely move on to another store.
3. Strange Delivery Address
If you see an order to a region or country that you don’t typically ship to, check it out further. It might just be a sign that business is great! But it should initially raise an eyebrow.
4. Different Orders to One Address
If you receive multiple orders with different names going to the same address, this is most commonly due to a fraudster having stolen a handful of cards. They place orders using each and address them to random names, but all will be going to a single location.
5. Different Cards on One IP Address
Similar to the previous red flag, this scenario also indicates that someone has stolen several cards. Even if they are going to different addresses, various orders from a single IP address don’t make too much sense.
6. Back-to-Back Transactions
Repeated transactions are another thing to watch out for, especially if it’s multiple orders for the same product. This is another indication that the person is trying to purchase as much as possible before the card is shut down.
7. Overnight Shipping
Again, this alone isn’t necessarily a great indicator of CNP fraud, but, combined with one of the others on this list, could be a sign of suspicious activity.
In many of these cases, the burden of responsibility is on the retailer, so it’s critical that you set up your web business with the right protections and safeguards. It might be impossible to stop every single instance of fraud, but minimizing the occurrences is still productive.
1. Follow PCI Compliance
We recently talked about how PCI Compliance works. For a more in-depth look, check it out here. But let’s just do a tl;dr for the sake of this blog: stay up-to-date and follow the rules. The easiest way to do this is to use an eCommerce platform and merchant service that is fully adherent to industry regulations. WooCommerce, Shopify, and Magento are all fully set up as PCI Compliant (and all three integrate with KORONA!).
2. Require Card Verification Values (CVV) with Each Purchase
These three little numbers on the back of credit cards actually prevent a fair number of fraudulent transactions (confusingly, you might also see this referred to as Credit Code Verification, or CCV). You might also use Address Verification Service (AVS) to check the billing address of the purchase against the billing address the credit card association has on file.
3. Keep Purchase Histories
Not only is this great for your marketing and loyalty programs, tracking past purchases through user profiles can help you identify theft or fraud. A shopper who normally has orders addressed to Minneapolis but is suddenly ordering 1,800 cases of wine to Kazakhstan just might have a compromised account.
4. Require Signatures for Deliveries
It’s not a surefire defense against fraud, but a signature will deter some thieves who will just go to an eCommerce store that doesn’t require this step.
5. Encourage/Require Strong Passwords
Be smarter than some of your customers. Don’t let anyone log in with “1234” or “password.” Set up standard requirements for a minimum length, capitalization, numbers, and symbols.
6. Automate Screening Suspicious Behavior
Depending on your eCommerce platform, you can configure your system to automatically flag suspicious activity. Typically, you should be able to easily identify orders from the same account with different credit cards, back-to-back purchases, and quick changes to shipping addresses, among a handful of other patterns.
7. Keep Checkout Pages in “HTTPS”
This is a simple encryption step: HTTPS encrypts checkout page information in transit, so that only the shopper’s browser and your server can read it. Just be careful not to implement this site-wide.
8. Iterate Clear Anti-Fraud Policies
At the very least, this will serve as a warning to potential thieves that you are aware of their presence. It can also protect your business from chargeback fraud. Announcing that you track numbers allows you to contact the issuing bank to validate any customer claims that might be friendly fraud.
9. Update All of Your Software
Keeping your software current will help ensure that you’re using the smartest and latest system. Credit card processors and POS systems are always updating their software to protect business owners against new threats.
10. Learn From Your Mistakes
Track all past fraudulent activity. Even if you lost product or cash through the ordeal, you can use this information to prevent a similar episode from happening again. You can also incorporate the incident into your training for new staff members.
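The red flags listed earlier and the automated screening in tip 6 can be combined into a simple rule-based check. The following is an added example, not code from the original article or from any eCommerce platform: it counts the flags on each order and queues an order for manual review only when several apply. The order fields, thresholds, and sample orders are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LARGE_ORDER = 1000.00                 # assumed threshold; tune per store
BACK_TO_BACK = timedelta(minutes=10)  # assumed window for repeat use of one card
REVIEW_AT = 3                         # assumed meaning of "several" flags

def screen(orders, usual_countries):
    """Return {order id: [red flags]} for a batch of order dicts."""
    names_at = defaultdict(set)    # shipping address -> recipient names
    cards_from = defaultdict(set)  # client IP -> card tokens
    for o in orders:
        names_at[o["ship_to"]].add(o["name"])
        cards_from[o["ip"]].add(o["card"])
    last_use, result = {}, {}
    for o in sorted(orders, key=lambda o: o["time"]):
        checks = {
            "big_order": o["total"] >= LARGE_ORDER,
            "new_shopper": o["prior_orders"] == 0,
            "strange_address": o["country"] not in usual_countries,
            "many_names_one_address": len(names_at[o["ship_to"]]) > 1,
            "many_cards_one_ip": len(cards_from[o["ip"]]) > 1,
            "back_to_back": o["card"] in last_use
                            and o["time"] - last_use[o["card"]] <= BACK_TO_BACK,
            "overnight_shipping": o["overnight"],
        }
        last_use[o["card"]] = o["time"]
        result[o["id"]] = [name for name, hit in checks.items() if hit]
    return result

def needs_review(flags, threshold=REVIEW_AT):
    """One or two flags are normal; several on one order warrant a manual look."""
    return sorted(oid for oid, f in flags.items() if len(f) >= threshold)

def _order(oid, name, card, ip, ship_to, country, total, prior, overnight, minute):
    return {"id": oid, "name": name, "card": card, "ip": ip, "ship_to": ship_to,
            "country": country, "total": total, "prior_orders": prior,
            "overnight": overnight, "time": datetime(2024, 1, 5, 14) + timedelta(minutes=minute)}
# Constructed sample data; "card" is a processor token, never the card number.
SAMPLE_ORDERS = [
    _order("A1", "Dana Lee", "tok_1", "198.51.100.7", "12 Elm St", "US", 84.50, 6, False, 0),
    _order("B1", "J. Smith", "tok_2", "203.0.113.9", "9 Dock Rd", "US", 1450.00, 0, True, 60),
    _order("B2", "R. Jones", "tok_3", "203.0.113.9", "9 Dock Rd", "US", 1320.00, 0, True, 64),
    _order("B3", "J. Smith", "tok_2", "203.0.113.9", "9 Dock Rd", "US", 990.00, 1, True, 66),
    _order("C1", "Sam Ortiz", "tok_4", "192.0.2.44", "3 Lake Ave", "CA", 1200.00, 3, False, 120),
]

if __name__ == "__main__":
    print(needs_review(screen(SAMPLE_ORDERS, usual_countries={"US"})))  # ['B1', 'B2', 'B3']
```

Order C1 is large and ships to an unusual country, but with only two flags it is left alone, matching the advice that one or two conditions alone are probably nothing to worry about.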
Take The Time to Protect Your Small Business
Though the digital world has made our lives easier in many ways, it’s also opened the door to new dangers. Online fraud can drive a small business to bankruptcy so it’s vital that you take the right precautions to keep your business safe. To find out more, contact us at KORONA. Our retail POS system integrates with the safest eCommerce platforms and we only work with merchant services that promise full PCI Compliance.