If you’ve lost money due to a chargeback, a fake invoice, or stolen credit cards, then you’re a victim of payment fraud. And you’re not alone. According to Sift’s Q1 2023 Digital Trust & Safety Index, fraudulent transactions cost businesses over $41 billion in 2022—a figure that is expected to increase by 17% in 2023. The study also found that digital goods and services saw a 27% rise in fraud payments, with B2C merchants seeing a 64% increase.
The good news is that you can protect yourself with awareness, training, and technology, among other tools. We’ll cover the types of payment fraud and the steps you can take to prevent it from happening to you or your customers.
What Is Payment Fraud?
Put simply, payment fraud is a false or illegal transaction, most often conducted online, without the authorization of the legitimate owner of the payment instrument. Usually, it involves the use of stolen credit cards or identities but can include false requests for funds and stealing customers’ private information. It’s seen most often in ecommerce, although email and text fraud are increasingly common.
According to Cybersource’s 2023 Global Fraud and Payments Report, on average, merchants use five tools and a tenth of their annual ecommerce revenue to manage fraud. SMBs have seen an increase in 2023, almost doubling the share of revenue they spend on fraud management, from 6% to 12%.
Types of Payment Fraud
According to Cybersource, the four most common fraud attacks are phishing, chargeback fraud, card testing, and identity theft. However, there are also others you should watch out for, including skimming, card-not-present fraud, and pagejacking.
Type of attack | % merchants experiencing globally |
---|---|
Phishing | 43 |
Chargeback Fraud | 34 |
Card Testing | 33 |
Identity Theft | 33 |
Phishing (43% of merchants experience this attack)
Phishing is when the criminal poses as someone else and gets you to give them information they should not have access to. Usually, you see this in emails, where they ask you to verify information, fill out a form, or click on a link. Very often, the mailings look legitimate at first blush but usually have a bogus email address, a link that is different from the URL written on the form, or a fake website that looks almost like the real thing.
How to Protect Against Phishing
Stay aware of the latest email and text scams, and train your employees to recognize fraudulent emails. The FBI recommends these steps:
- Don’t click on anything in an unsolicited email or text asking you to verify account information.
- Carefully examine email addresses, URLs, and spelling in any correspondence.
- Hover over the URLs in the email to see where each link actually goes.
- Be careful what you download.
- Don’t open attachments from someone you don’t know and be wary of forwarded attachments.
- If a payment request looks legit but is unexpected, verify it in person or over the phone. (Don’t use contact information in the email.)
- Be wary of requesters pressuring you to act quickly.
- If you’re a victim of business email compromise, contact your local FBI office and file a complaint with the FBI’s Internet Crime Complaint Center.
Business Email Compromise (BEC): Similar to phishing, BEC is when someone fakes an email or text to ask an employee for information or to transfer funds or purchase gift cards. BEC market size is expected to grow from $1.1 billion in 2022 to $2.8 billion by 2027. Since it’s similar to phishing, the protections are also the same, although you want to ensure employees know to contact their supervisor or IT if they receive a suspicious email.
Chargeback Fraud (34% of merchants experience this attack)
Chargeback fraud, sometimes known as “friendly fraud,” is when a customer disputes a legitimate transaction. Reasons vary from genuinely believing the payment is fraudulent to disliking the product. You lose money in refunds and chargeback fees, which some payment processors charge regardless of whether you win the claim.
How to Protect Against Chargeback Fraud
Clear communication is your best defense against most friendly fraud.
- Be sure your business is easily identifiable on credit card statements so customers know a purchase came from you. Transaction or descriptor confusion accounts for 47% of friendly fraud.
- Make cancellation and return policies clear and easy to find on your website.
- Choose merchant accounts or payment processors with fraud protection and favorable chargeback policies.
- Require customers to log in to an individual account prior to making a purchase.
- Keep records of all transactions so you have evidence in cases of disputes.
- Maintain communication with customers. Notify them as payments are processed, after they are processed, and when goods are delivered.
Card Testing (33% of merchants experience this attack)
Card testing is when fraudsters check many stolen cards to see which are active. Criminals test them by trying to make authorizations or small fraudulent payments, so this is a bigger threat for charities that take online donations or retailers that sell inexpensive items or subscriptions. If you notice a significant increase in declines, you may be a victim of card testing.
How to Protect Against Card Testing
Card testing protections are similar to card-not-present protections (see below), but you can also:
- Limit the number of checkout attempts or transactions coming from the same IP address.
- Set up a strong firewall against botnets.
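Both signals described above, many attempts from one IP address and a jump in declines, can be checked in a few lines. The following is an added example, not part of the original article or any payment processor's API: a sliding-window limiter keyed on client IP plus a decline-rate check. The thresholds, the `CheckoutLimiter` and `decline_spike` names, and the sample events are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque

WINDOW = 600        # seconds of history kept per IP (assumed value)
MAX_ATTEMPTS = 5    # checkout attempts allowed per IP per window (assumed)
MAX_CARDS = 3       # distinct cards allowed per IP per window (assumed)

class CheckoutLimiter:
    """Sliding-window limiter keyed on client IP."""

    def __init__(self, window=WINDOW, max_attempts=MAX_ATTEMPTS, max_cards=MAX_CARDS):
        self.window, self.max_attempts, self.max_cards = window, max_attempts, max_cards
        self.history = defaultdict(deque)   # ip -> deque of (timestamp, card_token)

    def check(self, ts, ip, card_token):
        """Record one attempt and return 'allow' or the reason it is blocked."""
        seen = self.history[ip]
        while seen and ts - seen[0][0] >= self.window:
            seen.popleft()                  # drop attempts older than the window
        cards = {c for _, c in seen} | {card_token}
        seen.append((ts, card_token))       # blocked attempts still count
        if len(seen) > self.max_attempts:
            return "block: too many attempts"
        if len(cards) > self.max_cards:
            return "block: too many cards"
        return "allow"

def decline_spike(outcomes, baseline_rate, factor=3.0, min_events=10):
    """True when the decline rate in `outcomes` (True = approved) is at least
    `factor` times the merchant's normal rate."""
    if len(outcomes) < min_events:
        return False                        # too little data to judge
    declined = sum(1 for ok in outcomes if not ok)
    return declined / len(outcomes) >= baseline_rate * factor

# Constructed sample: one IP cycling through cards, one ordinary shopper.
SAMPLE = [(t, "203.0.113.7", f"tok_{t}", False) for t in range(0, 120, 10)]
SAMPLE += [(30, "198.51.100.4", "tok_a", True), (400, "198.51.100.4", "tok_a", True)]
SAMPLE.sort()

def run_sample():
    limiter = CheckoutLimiter()
    verdicts = [(ip, limiter.check(ts, ip, tok)) for ts, ip, tok, _ in SAMPLE]
    blocked_ips = {ip for ip, v in verdicts if v != "allow"}
    spike = decline_spike([ok for *_, ok in SAMPLE], baseline_rate=0.05)
    return blocked_ips, spike

if __name__ == "__main__":
    print(run_sample())
```

Card values are represented by tokens here, so the limiter never has to store a card number.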
Identity Theft (33% of merchants experience this attack)
Identity theft is when a criminal steals a person’s personal information (e.g., Social Security number, credit card number) and uses it to make unauthorized purchases or open accounts in the victim’s name. This happens through phishing, data breaches, or even purse snatching.
How to Protect Against Identity Theft
Protect your software from hacking.
- Look for software and payment processors that are PCI-compliant, have SOC level 1 or 2 security, and use TLS or 256-bit encryption.
- Change base settings like passwords and access codes.
- Use strong passwords with a combination of numbers, letters, and symbols, and change passwords regularly.
- Limit employee access to customer data by setting roles and using multi-factor authentication.
- Monitor accounts for suspicious activity.
- Keep your software updated.
- If you have public Wi-Fi, keep your business systems off it.
If you accept payments online, there are additional protections you can put in place.
Online businesses, such as ecommerce merchants, can minimize some unauthorized purchases made with stolen information by making sure their checkout is tokenized, using an address verification system (AVS), and requiring credit card security codes.
Skimming
Skimming occurs when devices are illegally installed on ATMs, point-of-sale (POS) terminals, or fuel pumps to capture cardholders’ card information and PINs. Criminals use devices that fit over card readers, along with pinhole cameras that record a customer entering their PIN. While you may not lose actual money from this, it can cost you customer trust.
How to Protect Against Skimming
Keep skimmable equipment like ATMs or self-service checkouts where they can be monitored at all times. Where you cannot protect the equipment, check it often for signs of tampering. Also:
- Have covers over the PIN pads to prevent cameras from recording customer PIN codes.
- Encourage chip or tap use over swipes.
Card-not-Present (CNP) Fraud
Similar to identity theft, CNP fraud uses stolen credit card information for fraudulent transactions. It’s predicted to cost $9.49 billion, a 57% increase from 2019, according to Sift.
How to Protect Against CNP Fraud
First, protect yourself against phishing, skimming, or identity theft, which is how criminals get credit card information. Also:
- Use fraud detection and prevention technology offered by your POS systems and your payment provider.
- Ensure customers are verified: require a CAPTCHA, CVV, address verification, or signatures.
- Require customers to log in to an individual account before making a purchase.
- Do not let employees manually key information into a POS system. Manual entry creates a force-posted transaction, which bypasses the normal authentication checks.
- Closely watch BNPL and crypto transactions. BNPL is struggling against a 211% increase in fraud, and crypto exchanges are seeing a 45% surge, according to Sift.
Pagejacking
This is when hackers hijack part of your ecommerce website and reroute traffic to their own page to steal payment or other information.
How to Protect Against Pagejacking
Protect your website. Start with a reputable host and website developer that uses the best security practices. Also:
- Keep your software updated.
- Constantly run security checks with antivirus software.
- Use apps that limit login attempts and alert you of failed attempts.
Payment Fraud Frequently Asked Questions (FAQs)
Payment fraud is rising, particularly among digital goods and services. According to the Association of Financial Professionals, 65% of organizations were victims of fraud attacks or attempts in 2022 overall.
Fraud payments not only cost you money in income lost, but also in fees, damage control, and loss of customer trust. Strong fraud protections secure peace of mind for yourself and your customers and improve customer goodwill. Further, they keep you in compliance with government and commercial regulations.
On average, merchants spend anywhere from 6% to 12% of their annual ecommerce revenue on fraud management.
Most SMBs get payment fraud protection through their payment processor, which offers basic tools as part of its service and often has additional safeguards, including machine-learning monitoring, for additional fees. You should also invest in strong antivirus and firewall software. Finally, talk with your website and POS providers about what fraud protection tools they provide or integrate with.
Bottom Line
Payment fraud doesn’t affect large businesses only. Even small retailers can fall victim to any number of scams or hacks. Fraud prevention tools can help, but don’t discount the simple practices of strong passwords and a healthy suspicion of online requests for information or money.