Using different methods of accepting payments requires that you have safe systems and channels that allow your customers to conduct business or make purchases with you. This is achieved through a defined business strategy and the selection of the correct service provider.
Both in electronic commerce and in person, measures for risk mitigation, prevention, and security are crucial to protect users, their money, and their financial data from one of the most common crimes: fraud.
Though fraud can be a very ambiguous concept, we can define it as the use of deception, theft, or other means to cause others to suffer losses. These acts can be committed by an individual or a group whose purpose is to obtain unfair and illegal economic gains.
Starting from the concept of fraud, defining a risk mitigation framework requires us to understand that fraud can come from anywhere. The risk can be both internal and external, and it can be perpetrated by individuals either known or unknown to the business.
Fraud prevention is the primary objective in any business strategy, and the first step to achieving this objective is understanding the reasons why fraud is perpetrated. There is a triangle theory, created by American criminologist Donald Cressey, which determines that the potential for fraud occurs when there is a combination of motivation, opportunity, and rationalization. Fraud cannot occur if any of the three elements is absent.
To commit fraud, the scammer must have 3 elements:
1. Motivation is the element that causes a person to react or act illegally. It can be implicitly associated with an emotion or desire. One reason may be financial pressures, greed, or simply the satisfaction of harming others.
2. Opportunity is the combination of circumstances that allow fraud to be committed. An opportunity may be having access to cardholder data, poor control in the revision of offsetting entries, and even inadequate role segregation in the business.
3. Rationalization is the justification for why the scammer commits fraud through their own efforts. This happens when the individual internalizes that the fraudulent act is not wrong or incorrect, or that the end justifies the means.
Of the three elements, opportunity is the area in which fraud prevention can excel.
You can eliminate or reduce the opportunity for fraud by identifying the deficiencies in your business strategy.
The more opportunities there are, the more opportunity for rationalization, and this can grow to the point of generating losses of thousands or millions of dollars for companies. Therefore, it is important to close all possible routes a scammer could use to commit fraud.
One way to do this is by selecting the correct service provider when implementing the different payment methods for your business. Part of your strategy should include the use of payment channels supplemented with fraud monitoring and prevention systems that help identify anomalies in your business performance. Likewise, you must have control processes that notify you of potential fraud being committed against you.
At What Point Are Companies Most Vulnerable?
Companies are usually more vulnerable at the weakest point in their chain of operations. As a business, you must know the environment surrounding your systems, processes, and those who interact with them.
All interacting points in your business must adhere to fraud mitigation processes. Likewise, access to these systems must feature controls that protect the information they store and process. This way, you can guarantee that nobody makes undue use of the data.
Lacking knowledge about the risks that can potentially threaten your business creates the opportunity for fraud. Not implementing the necessary controls and procedures can generate losses and affect the reputation of your company. As you become more knowledgeable about the vulnerabilities and potential risks to your business, you can take more assertive measures to prevent fraud.
When identifying the most vulnerable points of your company, make a list of the services or products you offer and identify all of the processes that are carried out in your business. Imagine a physical store with an online presence. You have points of sale to accept payments, you have cash registers for cash payments, and your website allows your customers to make payments using credit and debit cards. This store has three channels to accept payments, which should have defined fraud prevention processes and controls.
Some of these channels entail an increased risk, especially those that allow using payment methods such as debit and credit cards and authorize their processing without the card being present, such as online businesses or manual transactions at points of sale. These payment methods require higher controls and better mechanisms to authenticate the validity of the transaction in order to protect your business from potential cases of fraud and chargebacks that translate into economic losses.
What Are the Different Types of Online Fraud?
There are innumerable fraud schemes used by scammers in online stores. We will focus on the most common modalities that have been successful against small and large online businesses. Knowing them now can help you prevent becoming a victim in the future.
Card Testing Fraud
Card testing fraud is when someone gets access to one or more credit or debit card numbers through theft or by buying card data on the dark web. Although they have the card numbers, they do not know the available balance or whether the card numbers can be used to successfully complete a transaction.
Scammers visit an online business to make small test transactions. They often use scripts or bots to quickly try multiple card numbers. These initial purchases are extremely small since the entire purpose is to see whether the card can be used to complete transactions. Once they know that a credit card number will work, they start making more expensive purchases.
Ultimately, these events remain undiscovered because the transaction amounts are so low that they do not look like potential risks. Those affected tend to realize they have been victims of fraud through card testing when the scammers make larger purchases.
By then, the scammers may have been able to make several significant purchases using the stolen credit card information. On many occasions, card theft victims do not realize it until they submit a claim with their financial institution or bank and the transactions become chargebacks.
Friendly Fraud or Chargeback
Friendly fraud (also chargeback fraud) is when someone buys an article or service online and then requests a refund from the payment processor, claiming that the transaction was not valid. Credit or debit card companies return the value of the transaction to the customer, who is still obligated to pay the merchant.
In chargeback fraud, a client makes claims that seem to be legitimate and honest, and in some cases, that client may be right (this is why it is also called “friendly fraud”). That being said, friendly fraud can be used to receive free items. For example, the scammer can buy an item in your online store and argue that the item was never delivered; then, they tell the credit card issuer that the article was returned to the merchant but that a refund was never processed, or they can even say that they canceled the order, but the item was still sent to them.
In any case, chargeback fraud occurs when customers contact their credit or debit card issuer to submit a claim for a charge they intended to pay.
Refund Fraud
Refund fraud is when the scammer uses a stolen card to make a purchase in an online business and then contacts the business to request a refund due to an accidental overpayment. However, they request that the surplus amount be sent through an alternative method since the card has been closed. Ultimately, this means that the original charge to the card is not reimbursed, and the e-commerce business is responsible to the card owner for the total amount.
Thus, with this type of fraud, the online business owner is caught in the middle. It may seem that the scammer is making a legitimate claim but in reality, they are trying to steal money from that business.
In the same way, there may be cases where a reversal process is initiated for cards that have not been previously used in sales and without prior contact from a client. Commonly, these cases are initiated by merchant employees who have access to perform this type of transaction and divert funds to accounts only they have access to.
Account Takeover Fraud
Account takeover fraud occurs when someone gets access to a user’s account at a store or online business.
This can be achieved through a variety of methods, including the purchase of stolen passwords, security codes, or personal information on the dark web. These cases are also seen when a phishing scheme is successful or through other social engineering mechanisms where personal data and/or credentials are obtained through the intimidation or coercion of a particular client.
Once they have obtained access to a user’s account, the scammers proceed to make unauthorized transactions, change the details of the victim’s account, make purchases, and withdraw funds. They can even use the affected account to gain access to more accounts belonging to this user.
Account takeover fraud is a serious form of identity theft that has two victims: the customer, whose credentials have been compromised, and the business, whose reputation has been damaged and which now generates distrust in current and potential customers. Clients who feel that their data could be vulnerable on an online site are less likely to use this site and will consider competitors that offer stronger security measures.
Interception Fraud
Interception fraud happens when scammers shop in an online business and the billing and shipping address coincide with information linked to a stolen card. Once the purchase is made, the main objective is to intercept the package and take the products without generating suspicion.
This can be done in several ways:
- The scammers can ask a customer service representative from the online business to change the order address before it is sent in order to receive the goods while the victim makes the payment.
- They can also contact the carrier (either the National Postal Service, FedEx, UPS, or other carrier services) to redirect the package to an address of their choice.
- If they live near the victim, they can even wait for the physical delivery of the package to sign and take it.
Triangulation Fraud
Triangulation fraud involves three actors: the scammer, a purchasing customer, and an online business.
The scheme works as follows: the scammer establishes an online business that appears to be legitimate, where they sell high-demand products at competitive prices. This online business attracts a series of customers who make purchases to take advantage of their offers. Once they have captured enough card numbers, the scammer uses them to buy products from a legitimate online business.
Unlike a phishing scheme, which we explain in the section addressing account takeover fraud, triangulation fraud starts under the assumption of a legitimate purchase that ends in the theft of the victim’s card.
How Can I Mitigate Fraud in My Online Business?
Regardless of the amount of fraud that occurs on your platform, it affects income and business results. Even though defending your business against this growing threat seems like a complicated battle, here are some quick steps that you can take to reduce the risk and fight against e-commerce fraud.
Fraud prevention systems are console tools that allow you to create business rules to generate alerts based on defined behaviors or parameters.
Platforms such as RiskCenter 360™ by Evertec can combine information from financial and non-financial events to provide for a holistic view of your business, thus helping you establish your business and integrated fraud prevention strategy.
When implementing a fraud prevention system that is aligned with your business strategy, you should take the following into account:
1. Implement real-time decision-making mechanisms about critical or high-risk transactions; this involves any item or service that can easily and quickly be converted into cash, such as:
- Orders with a high total purchase value for a single item or for items from the same category
- Items of great resale value
- Purchase cards or gift certificates
2. Identify unusual purchase patterns such as:
- The shipping address is different from the billing address
- The payment method belongs to an issuer from a country or region that is different from that of the cardholder
- The purchase is being made in “guest” mode, so the user is not registering in the portal for future purchases.
3. There are no card transaction authentication tools to confirm if the buyer is indeed the cardholder
- Services such as 3D Secure 2.0 allow you to safeguard your transactions by enabling authentication with minimal friction to the cardholder.
- It keeps your sales safe and reduces your exposure to potential chargebacks.
4. It uses blacklists to identify clients who have made fraudulent transactions or that are potentially using your business as a testing point for stolen cards.
5. It implements mechanisms to mitigate test events using bots or scripts. You can use on-screen challenges that require data entry (e.g., CAPTCHA, reCAPTCHA, etc.) to determine whether the user is human or not.
6. Take Action on the Chargebacks Your Business Receives
- Having knowledge about these claims and acting on them allows you to adjust the existing controls in your strategy and implement new ones in your payment channels.
- You also avoid revenue leakage because, by not responding to the chargebacks, the acquirer bank or processor is obligated to reverse those funds in favor of the affected client.
7. It limits administrative access or special permissions, such as returns and transaction cancellations, among other business processes, for people in managerial or supervisor roles. Likewise, it stipulates that refunds, or other transactions of this nature, can only be completed by introducing a key or code that confirms that the transaction is valid.
8. Let your customer know about the security measures (data encryption, safe sessions, etc.) your business takes to process payments. This is extremely important to generate trust with customers and encourage them to make purchases with your business in the future.
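The business rules in items 1, 2, 4 and 5 above, together with the card testing pattern described earlier, can be sketched as a small rule engine. This is an added example, not code from Evertec or RiskCenter 360; the field names, thresholds, decision policy and sample transactions are assumptions constructed for illustration, and transactions are assumed to arrive in time order.

```python
from collections import defaultdict, deque

# Assumed thresholds and field names for this example; tune to your own data.
HIGH_VALUE = 500.00          # item 1: high total purchase value
SMALL_AMOUNT = 2.00          # card testing uses very small purchases
WINDOW_SECONDS, MAX_CARDS_IN_WINDOW = 60, 3  # distinct cards per client
BLOCKLIST = {"203.0.113.7"}  # item 4: constructed client address

class RuleEngine:
    def __init__(self):
        self.recent = defaultdict(deque)  # client -> (ts, card token) of small payments

    def evaluate(self, tx):  # returns the names of the rules that fire
        alerts = []
        if tx["amount"] >= HIGH_VALUE or tx["category"] == "gift_card":
            alerts.append("high_risk_item")
        if tx["ship_addr"] != tx["bill_addr"]:
            alerts.append("address_mismatch")
        if tx["issuer_country"] != tx["bill_country"]:
            alerts.append("issuer_country_mismatch")
        if tx["guest"]:
            alerts.append("guest_checkout")
        if tx["ip"] in BLOCKLIST:
            alerts.append("blocklisted_client")
        if tx["amount"] <= SMALL_AMOUNT:
            seen = self.recent[tx["ip"]]
            seen.append((tx["ts"], tx["card"]))
            while tx["ts"] - seen[0][0] > WINDOW_SECONDS:
                seen.popleft()  # drop payments older than the window
            if len({card for _, card in seen}) >= MAX_CARDS_IN_WINDOW:
                alerts.append("card_testing_velocity")
        return alerts

def decide(alerts):  # assumed policy: two rules block, any two others go to review
    if {"blocklisted_client", "card_testing_velocity"} & set(alerts):
        return "block"
    return "review" if len(alerts) >= 2 else "approve"

def make_tx(ts, ip, card, amount, **overrides):
    base = dict(category="apparel", ship_addr="A", bill_addr="A",
                issuer_country="PR", bill_country="PR", guest=False)
    return {**base, "ts": ts, "ip": ip, "card": card, "amount": amount, **overrides}

SAMPLE = [  # constructed; "card" is a token, never a real card number
    make_tx(0, "198.51.100.20", "tok_a", 1.00, guest=True),
    make_tx(10, "198.51.100.20", "tok_b", 1.00, guest=True),
    make_tx(25, "198.51.100.20", "tok_c", 1.50, guest=True),
    make_tx(50, "192.0.2.11", "tok_d", 650.00, ship_addr="B", issuer_country="US"),
    make_tx(55, "203.0.113.7", "tok_e", 30.00),
]

def run(sample=SAMPLE):
    engine = RuleEngine()
    return [(tx["card"], decide(engine.evaluate(tx))) for tx in sample]
```

The third small guest payment from the same client trips the velocity rule even though each payment alone looks harmless, which is the gap the card testing section describes.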
Keep Your Business Safe at All Times
- Your payment processing platform, acceptance channels, and service providers should have mitigating controls for potential risks and provide evidence of these, such as compliance with Payment Card Industry (PCI) and data security standards.
- PCI’s compliance results for basic safety precautions include activities such as creating a firewall between your internet connection and any system that stores credit card numbers. PCI compliance is ultimately mandatory, so you should make sure to comply with the pertinent PCI guidelines to avoid penalties.
- Consider that there are other mechanisms that could be placing your online business at risk. You should monitor your online site traffic to identify any increases in visits so you can know if you are a victim of a cyberattack.
These systems should allow you to identify inconsistencies in your business transactions, such as fluctuations in sales volumes, capture excess returns, and even facilitate an increase in chargebacks.
Defending Yourself from Fraud Should Not Be Complicated
Each business is different, and fraud prevention strategies vary based on their nature. However, there are basic measures that every company must apply to guarantee the security of their data and the integrity of their payments.
When looking for antifraud tools, many companies focus on fraud trends or new tendencies, forgetting that the important thing is to find a tool that suits the needs of the business and helps them make better decisions.
Fraud will never be eliminated completely, but you should have the necessary information about the potential risks to your business in order to mitigate them. To achieve this, it is important to have reliable allies and suppliers like Evertec, who offers transparency for businesses and secure payment mechanisms. The good news is that if you pay attention and closely follow fraud prevention methods for online businesses, you could start preventing fraud in your business.
Scammers are intelligent and can be very creative to achieve their objectives. As a leader in technology and processing in Latin America, Evertec has RiskCenter 360™, a robust fraud prevention service designed for owners or administrators of businesses of any size.
When it comes to fraud, it is always important to use a fraud prevention application that incorporates a detection and management system, such as RiskCenter 360™. This will allow you to defend yourself from scammers and malicious schemes. RiskCenter 360™ provides customer behavior analysis by applying methods such as artificial intelligence or predictive models, accompanied by robust business rules and operational processes and controls that create a safe environment for your business.
RiskCenter 360™, launched earlier this year, is the evolution of the RiskCenter tool the company has implemented in more than 50 institutions and companies throughout Latin America. RiskCenter 360™ incorporates the Software as a Service, or SaaS, mode, which was highly requested by customers and markets, given that it integrates multiple sources and monitoring channels, and it allows for the evaluation of both financial and non-financial events. Between January and April 2020, it reached 130 million transactions processed under the acquirer service modality. This application is cloud-hosted and adapted to the particularities and needs of each business, while covering several types of companies and growing with you.
Whether you decide to work with an external provider like Evertec, implement your own process, or rely on a combination of both, we encourage you to start thinking today about how these fraud modalities impact your business. Contact us at Evertec to learn more about our risk management and fraud prevention solutions. See the benefits you can bring to your business with the technology Evertec offers you.
About the author:
Antuam Traverso, CPM is the Product Manager for Risk Management and Fraud in Evertec. He is a professional with over 8 years of experience in payment systems, alternate channels, digital services, and fraud and risk management operations in the banking industry.