Recognising and preventing fraud in online retail



How to protect my web shop against fraud

Although the coronavirus pandemic has caused an encouraging boom in online retail, it has unfortunately also led to more cases of online fraud, as cyber criminals increasingly try to exploit the current situation. It’s not always easy for online merchants to see through fraudsters’ webs of lies. If fraud results in non-payment, this can involve huge costs for you as a shop owner. However, fraud can in many cases be prevented by recognising abnormalities in the order or in the order process in good time. This requires either a corresponding sensitivity when processing orders or that you run tests skilfully and efficiently.

Find out how online fraudsters act, how you can recognise them and how you as a merchant can protect yourself against fraud to avoid any financial damage.

The 4 most common types of fraud in e-commerce

To avoid being caught out by fraudsters and to effectively arm yourself against attempts at fraud and deception as a merchant, it is important that you are familiar with the various fraud scenarios and are thus able to respond to any clues.

1. Lost card data

Data required for an e-commerce payment, such as card number, name, expiry date and card verification number, can simply ‘be lost’ – after all, these details are printed on the card for everyone to see. A brief moment when you’re not paying attention is all it takes for a clever fraudster to subtly take a photo of a card – like when you’re standing in a hotel reception or at a beach bar. There are also a number of ways for card data to fall into the wrong hands online: for example as part of a phishing attack, when a cardholder accidentally enters their card data on an insecure website where fraudsters can read it, or when card data is already saved on a page and hackers are able to access it without authorisation.

After a successful hacker attack on an online merchant, stolen card data is often offered on the black market on what is known as the ‘dark web’. Here, it can be purchased by online fraudsters anonymously. However, card data from online hacks is usually incomplete, as the card verification number can never be saved by merchants and payment service providers (like Saferpay). That’s why fraudsters often try to guess missing data in several payment attempts. They enter a small transaction amount so as not to attract unnecessary attention. If all of the card data is stolen, including the card verification number, large amounts are often taken.

2. Account takeover fraud

Fraud through account takeover (or ‘ATO’ for short) is where a fraudster gains access to a customer profile in your web shop and can then make purchases in your customer’s name using the means of payment saved in the shop. This type of identity theft might happen if your customer has a password that is easy to guess or if the password for their e-commerce account was compromised in a phishing attack, for example. Another variation on this is when a fraudster hacks your customer’s e-mail account and then also uses it to access the customer profile in your shop, causing financial damage.

3. Reservation fraud

This is the easiest and most convenient way for fraudsters to get money directly rather than ordering goods in the customer’s name. ‘Reservation fraud’ is very popular with fraudsters and this affects the hotel industry in particular: a long hotel stay is booked using stolen card data and then cancelled with an excuse and a request for the refund to be made to another credit card or account. The legitimate cardholder will also initiate a chargeback as soon as they find out about the damage.

4. Friendly Fraud

Friendly fraud is an online purchase where a customer pays using a credit or debit card and later requests a chargeback from the merchant instead of a refund. In most cases, there aren’t any fraudulent intentions. For example, something is ordered online and then forgotten about – the cardholder can’t remember this when looking through their card statement and makes a complaint about the payment. Or a child has unsupervised access to a device that has credit card data saved on it. In some cases, however, there are also customers who simply deny that they ever received the goods, wanting to gain an advantage. Unfortunately, such isolated cases are difficult to identify.

Strong customer authentication against online fraud

Payment service providers and banks rely on strong customer authentication (or ‘SCA’ for short) using 2-factor authentication to fight online fraud: as well as entering card data or a wallet login, another factor (mobile phone, password, fingerprint, etc.) is requested to verify the payer’s identity. If there is strong customer authentication, fraud is very unlikely.

As an online merchant, you can use Saferpay to enforce strong customer authentication for 3-D Secure means of payment like Visa and Mastercard by changing the ‘ThreeDsChallenge’ flag to ‘FORCE’ in the API. This is recommended if you know that the transaction is particularly risky before the authorisation request is made (e.g. an unusually large transaction amount) or if you have detected suspicious activity indicating a loss of card data or identity theft.

You can find more details about the ‘ThreeDsChallenge’ flag in our API documentation and in the Saferpay Integration Guide in the chapter 3-D Secure – Optional Parameters.

How to recognise the liability shift: who pays if there is damage?

You as a merchant normally bear the full risk in the event of online fraud – meaning you also bear the costs. A liability shift only occurs if the card issuer or payment service provider agrees to accept liability for the individual transaction. With 3-D Secure payments, you as a merchant almost always get a liability shift, meaning you’re on the safe side of things. You bear the risk for means of payment that do not have strong customer authentication and 3-D Secure, for payments outside the PSD2 region (where 3-D Secure is not supported by all issuers) and in exceptional cases (‘exemptions’) requested by the merchant.

Essentially: if a liability shift has taken place and a chargeback is then made, the payment service provider will bear the costs of this. However, a liability shift is not a guarantee that fraud has not taken place!

Identifying a liability shift and recognising strong customer authentication in Saferpay

General recommendations to avoid online fraud

Pay attention to these things

  • Is the transaction amount unusually large?
  • Was there a liability shift?
  • Was there strong customer authentication?
  • Are there multiple transactions for the same means of payment or customers within a short period of time?
  • Have there been any account changes that could indicate identity theft or lost card data?
  • Does the card issuer country match the IP and shipping address country?
  • Is the delivery address in a country to which you usually do not or only rarely ship?
  • Is it a new customer with an e-mail address from a free provider consisting of a combination of numbers and letters (e.g. skyblue123@gmail.com)?
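
The checks above that can be evaluated before the authorisation request, combined with the ‘ThreeDsChallenge’ flag described earlier, can be sketched as follows. This is an added example, not Saferpay code: the thresholds, field names and sample data are assumptions, the shop is assumed to know these values before authorisation, and where the flag sits in the request is defined by the API documentation.

```python
import re
from datetime import datetime, timedelta

# All thresholds and field names below are assumptions for illustration.
LARGE_AMOUNT = 500.00                 # shop-specific "unusually large" limit
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_LIMIT = 3                    # payments per card alias within the window
USUAL_SHIP_COUNTRIES = {"CH", "DE", "AT"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def risk_signals(order, recent_payments):
    """Return the checklist items that this order triggers."""
    signals = []
    if order["amount"] >= LARGE_AMOUNT:
        signals.append("large_amount")
    # Several attempts on the same means of payment within a short period
    cutoff = order["time"] - VELOCITY_WINDOW
    attempts = [p for p in recent_payments
                if p["card_alias"] == order["card_alias"] and p["time"] >= cutoff]
    if len(attempts) >= VELOCITY_LIMIT:
        signals.append("velocity")
    # Issuer, IP and shipping country should agree
    if len({order["issuer_country"], order["ip_country"], order["ship_country"]}) > 1:
        signals.append("country_mismatch")
    if order["ship_country"] not in USUAL_SHIP_COUNTRIES:
        signals.append("rare_destination")
    if order["account_changed_recently"]:
        signals.append("account_change")
    # New customer, free provider, local part mixing letters and digits
    local, _, domain = order["email"].lower().partition("@")
    if (order["new_customer"] and domain in FREE_MAIL
            and re.fullmatch(r"(?=.*[a-z])(?=.*\d)[a-z\d._-]+", local)):
        signals.append("free_mail_pattern")
    return signals

def authentication_options(signals):
    """Ask for strong customer authentication as soon as one signal fires."""
    return {"ThreeDsChallenge": "FORCE"} if signals else {}

# Constructed sample data: small amount, but three recent attempts on one card
NOW = datetime(2021, 3, 1, 12, 0)
HISTORY = [{"card_alias": "alias-1", "time": NOW - timedelta(minutes=m)} for m in (2, 5, 9)]
ORDER = {"amount": 19.90, "time": NOW, "card_alias": "alias-1", "issuer_country": "CH",
         "ip_country": "CH", "ship_country": "CH", "account_changed_recently": False,
         "new_customer": True, "email": "skyblue123@gmail.com"}

if __name__ == "__main__":
    found = risk_signals(ORDER, HISTORY)
    print(found, authentication_options(found))
```

The sample order has a small amount and matching countries, yet it still triggers two signals, which mirrors the small-amount guessing attempts described under lost card data.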

What you can do

What if fraud happens?

Even with careful scrutiny, there may be a chargeback because of fraud. As long as these remain isolated cases, this isn’t too alarming. However, if the costs of fraud noticeably lower turnover or card organisations demand fines due to an increased rate of fraud, this becomes a critical concern.

The following will help you to take the right steps in the case of fraud without wasting time unnecessarily:

We are happy to assist and advise you

Thorough manual risk analysis is time-consuming and often isn’t cost-effective for big merchants. If you want to reduce your fraud rate, we are happy to assist you, regardless of whether you are dealing with an acute fraud problem or just want to protect your sales even better and further optimise them with an already low fraud rate. We have the right solution for your requirements – please feel free to contact us!

fraud_eu@worldline.com (Europe)
fraud@worldline.com (Switzerland)