Confused by the astonishing variety of payment fraud? It’s not surprising. It seems the only limitation to the types of payment fraud taking place today is that of the fraudsters’ imagination. In 2017, losses due to unauthorized financial fraud totalled almost £732 million in the UK alone.
The vast majority of payment fraud involves payment cards (i.e. credit card, store charge cards, prepaid cards and debit cards). In fact, in the UK, £566 million was lost due to payment card fraud in 2017. Though this is an improvement compared to 2016, across Europe, recent figures revealed in 2018show total card fraud losses in 19 European countries studied grew by €30 million.
Perhaps not surprisingly, online commerce is much more vulnerable to fraud than traditional commerce because the card doesn’t have to be present to purchase something. Whether you sell your goods through e-commerce or m-commerce, a mobile point-of-sale or a traditional point-of-sale, you have to be prepared to fight fraud day and night.
So, what are the main types of payment fraud that merchants need to be aware of?
Let’s take a look.
Card Present Fraud
Basically, this is when the fraudster has his or her dirty hands on your payment card and uses it to make purchases.
The introduction of EMV cards (i.e. cards equipped with chips) is helping to prevent a lot of card-present fraud from taking place, especially in bricks and mortar stores.
However, traditional magnetic stripe credit cards are still common in countries like the USA, which, compared to Europe, has been pretty slow in implementing EMV cards.
As always, fraudsters will find a way round to try and steal your money with a card. Here’s how:
- Counterfeit: Usually done by skimming. Fraudsters create a fake magnetic strip containing your details so they can swipe your card to pay for goods. Counterfeit fraud is in decline and has reached its lowest point since 2008 because chip cards are taking over.
- Lost and stolen: Your physical card is stolen and used to make online, telephone and mail order purchases. Interestingly, despite the introduction of Chip & PIN cards, lost and stolen fraud in the UK has increased by 117% since 2010. It seems fraudsters are finding ingenious ways to get cardholders to hand over their PINs.
- Card ID theft: Your card details are acquired by a fraudster, who then uses those details to take over your card account to open a new one.
- Card non-receipt: Your new or replacement card is intercepted in the post. The fraudster then registers the card to make purchases.
Card Present Fraud accounted for 30% of total fraud losses in the UK in 2016. That represents £185.7 million.
Source: FFA UK ‘Fraud the Facts 2017’
Card Not Present Fraud (CNP)
Fraud committed without the actual card being in the hands of the fraudster is growing rapidly. In fact, PYMNTS reports that fraudulent activity is 81 per cent more likely to occur on the internet than at physical points of sale.
In the eurozone, the European Central Bank estimates around 60% of card fraud in 2015 was associated with CNP transactions. Over in the UK, 70% of all fraud losses in 2016 related to CNP fraud for UK-issued cards. Of that, 50% related to e-commerce.
Now you know the huge scale of CNP fraud, here are the most common ways fraudsters trick merchants and consumers without having our cards:
- Friendly fraud: This is a chargeback that is fraudulent (some chargebacks are genuine). Basically, the retailer refunds a fraudulent transaction charged to a credit or debit card. The merchant incurs a direct loss and, to add insult to injury, is also charged a fee by the card issuer. A double whammy.
- Triangulation: There are three elements to triangulation fraud. The first is the unsuspecting customer. The second is the fake online storefront. The fake store entices the customer to make a purchase by offering what are usually high-priced goods at bargain prices. After the purchase is made, the fake merchant gathers the customer’s credit card details. This stolen data is the third element, which is used by the fraudster to go on a shopping spree.
- Clean fraud: This takes place when the merchant approves the transaction because it looks legitimate. However, it’s fraudulent. It happens when the fraudster has been able to steal all the data needed to look legit and make a purchase. Clean fraud is, unsurprisingly, very difficult to detect.
- Application fraud: When other people apply for a card in your name having first stolen information from you.
- Account takeover: The fraudster steals your information using online methods, then contacts the credit card company and pretends to be you. The first thing they do is change your address, which they can do because they have your information. A replacement card is then sent to fraudsters’ address. Sneaky, eh?
Many European countries, including the UK, are seeing CNP fraud at 70% plus of their losses.
Source: FICO ‘Evolution of Card Fraud in Europe 2016’
Merchant accounts on PayPal, Amazon and eBay are also a target of fraudsters
Of course, payment fraud isn’t limited to payment cards, whether present or not. Businesses using PayPal are being targeted in numerous ways and in ever-increasing numbers.
PayPal is a favorite alternative payment method with online merchants because it doesn’t use traditional credit card processing equipment. Instead, it offers other services like “buy now” buttons and a virtual terminal. These convenient solutions are extremely attractive to hackers, who seize merchants’ details and sell them on the black market.
Common methods for stealing PayPal account numbers and passwords include Phishing attacks, Trojan Horses, infecting point-of-sale devices with malware and hacking into the merchant database. Even Facebook and WhatsApp are being used to hack accounts.
Merchants selling on third-party sites like Amazon and eBay are also extremely vulnerable. According to a current article by PYMNTS.com, cybercriminals have been stealing tens of thousands of dollars from active sellers in recent months. It seems Amazon’s growing popularity is making it even more popular with fraudsters.
“Over 2.6 billion email addresses and passwords have been stolen in total from companies including Adobe SystemsInc., Myspace, and LinkedIn Corp., according to warning website Haveibeenpwned.com — which means hackers have plenty of places and options for stolen passwords and personal data on the web. Those credentials usually sell for between $1 – $3 a pop.”
Source: www.pymnts.com (April 10, 2017)
Which sales channels are most vulnerable to payment fraud?
Sorry to say that all sales channels are susceptible to payment fraud. But some are more exposed than others. Remote channels bear the brunt of the loss. These include online, mobile, mail/postal and telephone channels.
Mobile channels are especially vulnerable, due largely to the fact that fraud protection tools used for online channels do not always work well in mobile channels. Between 2015 and 2016, the percentage of successful fraud transactions for large remote channel merchants grew from 26% to 35%.
How do fraudsters get your payment card details and personal information?
Fraudsters have numerous ways to get hold of your information. These include phishing email messages or phone calls, malware, botnets, page jacking and whaling. But that’s a subject for another blog post!
What is driving CNP fraud?
The increase in genuine usage in online and mobile channels in the last 10 years is certainly fuelling CNP fraud. Other reasons given include the introduction of EMC-protected credit cards, large-scale data breaches of reputable organizations, and the increase in cross-border transactions.
Online and mobile merchants saw a 9-12% increase in the cost of fraud between 2015 and 2016 compared to the 3% increase experienced by physical POS-only merchants.
Source: LexisNexis ‘2016 True Cost of Fraud’
So, there you have it. A rundown of the most common types of payment fraud out there.
As I said at the top, the variety of fraud taking place is truly astounding. Fortunately, companies like Mi-Pay can help merchants detect, prevent and even eliminate fraud. It keeps us on our toes, but we’re always up for a challenge.
About Huub Sparnaay
I started this company in 1997 as a provider of telecom hardware for large telecom companies worldwide. During the following years, I adjusted the business model to developments in the market. The result is Mi-Pay, a service provider fully focused on delivering payment solutions to large B2C organizations.
