CNP Fraud Catalog

Table of Contents

  1. What is identity theft?
  2. What is credit card fraud?
  3. What is merchant fraud?
  4. What is triangulation fraud?
  5. What is affiliate fraud?
  6. What is friendly fraud?
  7. What is clean fraud?
  8. Preventing card-not-present fraud
  9. What does card-not-present mean?
  10. Is CVV required for card-not-present orders?

Credit card networks, banks, and other companies in the payments industry are always inventing new ways to combat fraud. Unfortunately, fraudsters are always inventing new ways to commit it.

In fact, they are so inventive and prolific when it comes to devising new ways to scam merchants and cardholders out of their money that it can be quite difficult to keep track of all the various forms of fraud you have to watch out for in the eCommerce sphere.

As eCommerce and digital payment frameworks have matured, security technology has improved, companies have adopted best practices for preventing fraud, and cardholders have become more educated than ever about how to protect their data. And yet, fraudsters keep at it, always striving to stay one step ahead of the security measures being deployed to stop them.

In order to effectively defend your business against fraud, both the old schemes and the new ones, you have to be able to recognize and identify the various forms of fraud that can take place in card-not-present environments.

What is identity theft?

Identity theft occurs when a fraudster impersonates another individual to obtain goods or access privileged information.

Since most organizations will attempt to verify a person’s identity before releasing information or shipping goods to them, identity theft almost always requires some form of credentials or identifying data. Fraudsters may acquire this information via phishing and social engineering, or they may purchase personal data for use in identity theft on the dark web.

Because of the numerous data breaches in recent history (such as the 2017 Equifax breach), the personal information of most U.S. adults, including social security number, date of birth, address, job history, and credit history, is already available on the dark web. While it's far from a guarantee that your identity will be stolen, it's always a possibility.

While detailed personal information like this can often be used to open new accounts under the victim's name, a far more common and low-effort form of identity theft is account takeover.

Account takeover is when a fraudster poses as another person simply by logging in to one of their online accounts with stolen credentials.

Passwords are a common target of phishing attempts, and data breaches where passwords are leaked can lead to other accounts being compromised, since most people re-use the same password for different websites. Some fraudsters may use hacking tools to try to “brute force” their way into an account secured with a simple or frequently-used password.

What is credit card fraud?

Credit card fraud is when someone uses a stolen credit card or credit card information to make an unauthorized purchase. Credit card information is often obtained through phishing.

There are many varieties of credit card fraud, as intricate schemes are sometimes used to obscure the identity of the card thieves and ensure that the fraud will go undetected long enough for the purchase to be shipped.

Thanks to the dark web, credit card fraud is often a two-stage process. First, someone steals a large amount of credit card information. Then they sell that information online to fraudsters who test the cards and make purchases with the ones that work.

There are countless ways for fraudsters to obtain stolen credit card numbers, but the most common modern methods are phishing, where a website with a tempting offer or one disguised to look like a legitimate banking or eCommerce website will convince people to enter their credit card information, and eSkimming, where malware is used to steal any information entered on an infected eCommerce site's checkout page.

What is merchant fraud?

Merchant fraud schemes involve posing as a merchant online to take fake orders. Some fraudsters run the cards, take the money, and never ship a product; others are simply running a fake online storefront to harvest credit card numbers.

Another variant of merchant fraud is when a legitimate merchant is compromised by a fraudster in their employ. Employees who have access to payment processing devices, customer cards, and sensitive computer data can easily gain access to card numbers and user accounts.

What is triangulation fraud?

Triangulation fraud is a new form of fraud that involves defrauding both merchants and cardholders simultaneously in an effort to ensure the scheme goes undetected for as long as possible.

Here's how it works:

  1. The fraudster sets up an online store offering low prices for products in high demand.
  2. Through a seemingly normal checkout process, the fraudster obtains credit card information from customers.
  3. The fraudster uses the stolen credit card information to purchase the item they "sold" from a legitimate business.
  4. The product is shipped to the customer.
  5. The fraudster keeps the money from the original transaction, with the option of using the same card information to make further fraudulent purchases.

This process helps to conceal and prolong the scheme by delaying or in some cases preventing the customer from realizing they've been stolen from. Since they received the item they purchased, the only way for them to find out something went wrong is by carefully looking over their account statement. Victims who don't realize what's happened might even refer their friends to the fraudulent storefront, thinking they got a great deal when in fact they were essentially double-charged.

In some cases, fraudsters have completely automated this process, turning the scheme into a self-sustaining fraud machine.

What is affiliate fraud?

Affiliate fraud is the term for when fraudsters enter into marketing arrangements with merchants, promising to direct traffic and sales leads to their websites. They then use fake traffic or fake purchases to get paid.

These arrangements are usually commission-based, so the affiliate gets paid according to the volume of traffic or sales they generate. This can incentivize very bad behavior, even from affiliates who may not have intended to become fraudsters.

Some affiliates will use bots and automated scripts to send fake traffic to the merchant’s site.

Others use false promises and deception to persuade real people to visit the site, expecting service that the merchant is unequipped to deliver. Some cases of affiliate fraud have even involved using stolen credit card information purchased on the dark web to make fraudulent purchases, with the affiliate running off with the commission before the chargebacks start rolling in.

What is friendly fraud?

Friendly fraud occurs when an otherwise legitimate customer has second thoughts about a purchase, and instead of asking the merchant for a refund, they dispute the payment transaction with their bank to get a chargeback.

It matters little whether customers do this out of ignorance or malice. The end result is the same for the merchant: lost revenue and a higher chargeback ratio. Unless, of course, they know how to fight back effectively.

What is clean fraud?

Clean fraud involves using stolen cards or credentials in such a way that there are no indicators of fraud for the merchant or bank to pick up on.

The “clean” fraudster will have all the right card information, passwords, and personal data needed to process the transaction according to best practices.

Perpetrators of clean fraud are usually educated about up-to-date security and fraud prevention protocols. They will usually engage in card testing to ensure that the stolen card they intend to use will work.

Preventing card-not-present fraud

With all of these different approaches to fraud, it might seem like merchants face an uphill battle in preventing such fraud. But there are several ways by which merchants can prevent chargeback fraud. These include:

  1. Secure your online store so that it only accepts payments from browsers over encrypted connections (https://).
  2. Always ask for the CVV security code during all purchases.
  3. Always verify address and billing information for all purchases.
  4. Implement prevention measures to track odd orders (unusually large orders, orders shipped to an address different from the billing address).
  5. Use the card network's verification product, like Verified by Visa, Mastercard SecureCode, or American Express SafeKey.
  6. Keep immaculate records of all transactions to track IP addresses and shipping information.

While these steps aren't 100% guaranteed to prevent fraud, they can help mitigate it. 
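As an added illustration (not code from the original article), the sketch below shows how the checks in steps 2, 4, and 6 might be combined into a manual-review queue. The order field names, the median-based threshold for "unusually large", and the cards-per-IP limit are all assumptions made for this example, and the sample orders are constructed.

```python
from collections import defaultdict
from statistics import median

def norm_addr(addr):
    """Lowercase, drop punctuation, collapse spaces so formatting isn't a mismatch."""
    kept = "".join(c for c in addr.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())

def large_order_limit(history, k=5.0):
    """Median + k * MAD of past order totals; robust to the outliers being hunted."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(mad, 1.0)

def review_orders(orders, history, max_cards_per_ip=2):
    """Return {order_id: [reasons]} for orders that deserve manual review."""
    limit = large_order_limit(history)
    cards_by_ip = defaultdict(set)
    for o in orders:  # from kept records: IP plus a card token, never the raw number
        cards_by_ip[o["ip"]].add(o["card_fp"])
    flagged = {}
    for o in orders:
        reasons = []
        if not o["cvv_supplied"]:
            reasons.append("no_cvv")
        if norm_addr(o["billing"]) != norm_addr(o["shipping"]):
            reasons.append("ship_bill_mismatch")
        if o["total"] > limit:
            reasons.append("unusually_large")
        if len(cards_by_ip[o["ip"]]) > max_cards_per_ip:
            reasons.append("many_cards_one_ip")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged

def order(oid, total, billing, shipping, ip, card_fp, cvv=True):
    return {"id": oid, "total": total, "billing": billing, "shipping": shipping,
            "ip": ip, "card_fp": card_fp, "cvv_supplied": cvv}

# Constructed sample data (documentation IP ranges, made-up addresses).
HISTORY = [42.0, 55.0, 38.0, 61.0, 47.0, 52.0, 44.0, 58.0]
ORDERS = [
    order("A1", 51.0, "12 Oak St., Springfield", "12 oak st  springfield", "198.51.100.7", "c1"),
    order("A2", 640.0, "9 Elm Rd, Dayton", "77 Pier Ave, Miami", "203.0.113.5", "c2"),
    order("A3", 9.0, "3 Bay Ln, Reno", "3 Bay Ln, Reno", "192.0.2.44", "c3", cvv=False),
    order("A4", 9.0, "3 Bay Ln, Reno", "3 Bay Ln, Reno", "192.0.2.44", "c4"),
    order("A5", 9.0, "3 Bay Ln, Reno", "3 Bay Ln, Reno", "192.0.2.44", "c5"),
]

if __name__ == "__main__":
    print(review_orders(ORDERS, HISTORY))
```

Order A1 passes despite its differently formatted shipping address, while the three small orders from one IP using three different cards are grouped for review even though each looks harmless on its own.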

We could, of course, go on at great length about all the many ways phishing can be done, or how hackers can manipulate software vulnerabilities and network protocols to gain access to secure accounts, but these details are ever-changing as technology evolves and platforms fall in and out of favor.

What is most important for merchants is to be aware of the many vectors through which fraudsters can reach them.

Chargebacks that occur due to true fraud can’t be fought — not effectively or ethically, at least. The best protection merchants have against true fraud chargebacks is to learn about the approaches fraudsters might try on them, be vigilant for signs that a fraud attempt is underway, and block and report fraudsters as soon as they can be identified.

FAQ

What does card-not-present mean?

A card-not-present transaction is one in which the customer doesn’t need to have a card physically present, as with an online purchase.

Is CVV required for card-not-present orders?

No. The merchant may require a CVV number to purchase through their specific store, but it isn’t a requirement more broadly.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com
