The 2023 Card-Not-Present Chargeback Fraud Catalog
Table of Contents
- What is identity theft?
- What is credit card fraud?
- What is merchant fraud?
- What is triangulation fraud?
- What is affiliate fraud?
- What is friendly fraud?
- What is clean fraud?
- Preventing card-not-present fraud
- What does card-not-present mean?
- Is CVV required for card-not-present orders?
Credit card networks, banks, and other companies in the payments industry are always inventing new ways to combat fraud. Unfortunately, fraudsters are always inventing new ways to commit it.
In fact, they are so inventive and prolific when it comes to devising new ways to scam merchants and cardholders out of their money that it can be quite difficult to keep track of all the various forms of fraud you have to watch out for in the eCommerce sphere.
As eCommerce and digital payment frameworks have matured, security technology has improved, companies have adopted best practices for preventing fraud, and cardholders have become more educated than ever about how to protect their data. And yet, fraudsters keep at it, always striving to stay one step ahead of the security measures being deployed to stop them.
In order to effectively defend your business against fraud, both the old schemes and the new ones, you have to be able to recognize and identify the various forms of fraud that can take place in card-not-present environments.
What is identity theft?
Since most organizations will attempt to verify a person’s identity before releasing information or shipping goods to them, identity theft almost always requires some form of credentials or identifying data. Fraudsters may acquire this information via phishing and social engineering, or they may purchase personal data for use in identity theft on the dark web.
Because of the numerous data breaches in recent history (such as the 2017 Equifax breach), the personal information of most U.S. adults, including social security number, date of birth, address, job history, and credit history, is already available on the dark web. While it's far from a guarantee that your identity will be stolen, it's always a possibility.
While detailed personal information like this can often be used to open new accounts under the victim's name, a far more common and low-effort form of identity theft is account takeover.
Account takeover is when a fraudster poses as another person simply by logging in to one of their online accounts with stolen credentials.
Passwords are a common target of phishing attempts, and data breaches where passwords are leaked can lead to other accounts being compromised, since most people reuse the same password for different websites. Some fraudsters may use hacking tools to try to “brute force” their way into an account secured with a simple or frequently used password.
What is credit card fraud?
There are many varieties of credit card fraud, as intricate schemes are sometimes used to obscure the identity of the card thieves and ensure that the fraud will go undetected long enough for the purchase to be shipped.
Thanks to the dark web, credit card fraud is often a two-stage process. First, someone steals a large amount of credit card information. Then they sell that information online to fraudsters who test the cards and make purchases with the ones that work.
There are countless ways for fraudsters to obtain stolen credit card numbers, but the most common modern methods are phishing and eSkimming. In phishing, a website with a tempting offer, or one disguised to look like a legitimate banking or eCommerce website, convinces people to enter their credit card information. In eSkimming, malware is used to steal any information entered on an infected eCommerce site's checkout page.
What is merchant fraud?
Another variant of merchant fraud is when a legitimate merchant is compromised by a fraudster in their employ. Employees who have access to payment processing devices, customer cards, and sensitive computer data can easily gain access to card numbers and user accounts.
What is triangulation fraud?
Here's how it works:
- The fraudster sets up an online store offering low prices for products in high demand.
- Through a seemingly normal checkout process, the fraudster obtains credit card information from customers.
- The fraudster uses the stolen credit card information to purchase the item they "sold" from a legitimate business.
- The product is shipped to the customer.
- The fraudster keeps the money from the original transaction, with the option of using the same card information to make further fraudulent purchases.
This process helps to conceal and prolong the scheme by delaying or in some cases preventing the customer from realizing they've been stolen from. Since they received the item they purchased, the only way for them to find out something went wrong is by carefully looking over their account statement. Victims who don't realize what's happened might even refer their friends to the fraudulent storefront, thinking they got a great deal when in fact they were essentially double-charged.
In some cases, fraudsters have completely automated this process, turning the scheme into a self-sustaining fraud machine.
What is affiliate fraud?
These arrangements are usually commission-based, so the affiliate gets paid according to the volume of traffic or sales they generate. This can incentivize very bad behavior, even from affiliates who may not have intended to become fraudsters.
Some affiliates will use bots and automated scripts to send fake traffic to the merchant’s site.
Others use false promises and deception to persuade real people to visit the site, expecting service that the merchant is unequipped to deliver. Some cases of affiliate fraud have even involved using stolen credit card information purchased on the dark web to make fraudulent purchases, with the affiliate running off with the commission before the chargebacks start rolling in.
What is friendly fraud?
It matters little whether customers do this out of ignorance or malice. The end result is the same for the merchant: lost revenue and a higher chargeback ratio. Unless, of course, they know how to fight back effectively.
What is clean fraud?
The “clean” fraudster will have all the right card information, passwords, and personal data needed to process the transaction according to best practices.
Perpetrators of clean fraud are usually educated about up-to-date security and fraud prevention protocols. They will usually engage in card testing to ensure that the stolen card they intend to use will work.
Preventing card-not-present fraud
With all of these different approaches to fraud, it might seem like merchants face an uphill battle in preventing it. But there are several steps merchants can take to prevent chargeback fraud. These include:
- Secure your online store so that it only accepts payment from browsers using an encrypted connection (https://).
- Always ask for the CVV security code during all purchases.
- Always verify address and billing information for all purchases.
- Implement prevention measures to track odd orders (unusually large orders, orders shipped to an address different from the billing address).
- Use the card network's verification product, like Verified by Visa, Mastercard SecureCode, or American Express SafeKey.
- Keep immaculate records of all transactions to track IP addresses and shipping information.
While these steps aren't 100% guaranteed to prevent fraud, they can help mitigate it.
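As an added example (not code from the original article), the checks in the list above can be combined into a simple order screen in Python. The `Order` fields, the thresholds, and the sample records are assumptions constructed for illustration; the per-IP card count uses the recorded IP addresses to catch one address cycling through many cards, the card-testing pattern mentioned earlier.

```python
from collections import defaultdict
from typing import NamedTuple

# Thresholds are assumptions for illustration; tune them to your own order history.
LARGE_ORDER_USD = 500.00
MAX_CARDS_PER_IP = 3

class Order(NamedTuple):
    order_id: str
    ip: str              # recorded client IP address
    card_token: str      # tokenized card reference, never the raw card number
    amount_usd: float
    cvv_match: bool      # CVV check result returned by the payment processor
    avs_match: bool      # billing address verification result from the processor
    billing_zip: str
    shipping_zip: str

def screen_orders(orders):
    """Return {order_id: [reasons]} for orders that warrant manual review."""
    cards_by_ip = defaultdict(set)
    for o in orders:
        cards_by_ip[o.ip].add(o.card_token)
    flagged = {}
    for o in orders:
        reasons = []
        if not o.cvv_match:
            reasons.append("cvv_mismatch")
        if not o.avs_match:
            reasons.append("avs_mismatch")
        if o.amount_usd >= LARGE_ORDER_USD:
            reasons.append("large_order")
        if o.billing_zip != o.shipping_zip:
            reasons.append("ship_to_differs_from_billing")
        if len(cards_by_ip[o.ip]) > MAX_CARDS_PER_IP:
            reasons.append("many_cards_from_one_ip")
        if reasons:
            flagged[o.order_id] = reasons
    return flagged

# Constructed sample records (documentation IP ranges, made-up tokens).
SAMPLE_ORDERS = [
    Order("A100", "192.0.2.10", "tok_1", 42.50, True, True, "30301", "30301"),
    Order("A101", "192.0.2.11", "tok_2", 899.00, True, True, "30301", "98101"),
    Order("A102", "198.51.100.7", "tok_3", 1.00, False, True, "10001", "10001"),
    Order("A103", "198.51.100.7", "tok_4", 1.00, True, False, "10001", "10001"),
    Order("A104", "198.51.100.7", "tok_5", 1.00, True, True, "10001", "10001"),
    Order("A105", "198.51.100.7", "tok_6", 1.00, True, True, "10001", "10001"),
]
```

Calling `screen_orders(SAMPLE_ORDERS)` leaves order A100 unflagged and returns review reasons for the other five; a flag is a prompt for manual review, not proof of fraud.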
We could, of course, go on at great length about all the many ways phishing can be done, or how hackers can manipulate software vulnerabilities and network protocols to gain access to secure accounts, but these details are ever-changing as technology evolves and platforms fall in and out of favor.
What is most important for merchants is to be aware of the many vectors through which fraudsters can reach them.
Chargebacks that occur due to true fraud can’t be fought — not effectively or ethically, at least. The best protection merchants have against true fraud chargebacks is to learn about the approaches fraudsters might try on them, be vigilant for signs that a fraud attempt is underway, and block and report fraudsters as soon as they can be identified.