The 2020 Card-Not-Present Chargeback Fraud Catalog
At Chargeback Gurus, we believe in giving credit where it’s due, so let’s say this one time: fraudsters are very good at coming up with new ways to commit fraud.
In fact, they are so inventive and prolific when it comes to devising new ways to scam merchants and consumers out of their money that it can be quite difficult to keep track of all the various forms of fraud you have to watch out for in the ecommerce sphere.
Granted, that goes both ways—ecommerce merchants, the payment card industry, and cybersecurity experts have all been working together to come up with ways to defeat new forms of fraud.
As ecommerce and digital payment frameworks have matured, security technology has improved, companies use best practices for avoiding fraud, and cardholders are more educated than ever about how to protect their data. And yet, fraudsters keep at it, always striving to stay one step ahead of the security measures being deployed to stop them.
In order to effectively defend your business against fraud, both the old schemes and the new, you have to be able to recognize and identify the various forms of fraud that can take place in card-not-present environments.
"What is Identity Theft?"
Identity theft occurs when a fraudster impersonates another individual to obtain goods or access privileged information.
Since most organizations will attempt to verify a person’s identity before releasing information or shipping goods to them, identity theft almost always requires some form of credentials or identifying data.
Fraudsters may acquire this information via phishing and social engineering, or they may purchase personal data for use in identity theft on the black market accessible via browsers like TOR.
Because of the numerous data breaches in recent history ( 2017 Equifax breach) your personal data, social security number, DOB, age, weight, height, addresses, job history, credit history, etc. are now in circulation.
One of the most common forms of identity theft is account takeover.
Account takeover is where a fraudster poses as another person simply by logging in to one of their online accounts.
User passwords are a common target of phishing attempts, but some fraudsters may use hacking tools to try to “brute force” their way into an account secured with a simple or frequently-used password.
Credit Card and Debit Card Theft
Credit card and debit card theft are forms of Identity theft requiring only usable credit card credentials.
The basic idea behind credit card and debit card theft is to use somebody else’s credit card to make purchases.
But there are many permutations of card theft, as intricate schemes are sometimes required to obscure the identity of the card thieves and ensure that the fraud will go undetected long enough for the purchase to be shipped.
There are countless ways for fraudsters to obtain stolen credit card numbers: through the mail, from manually-operated credit card imprinting machines, via hacking and phishing, from skimmer devices, by filling out card applications fraudulently, or by buying lists of them in bulk on the dark web.
Merchants are not always the good guys or victims in online fraud scenarios.
Merchant Fraud schemes involve posing as a merchant online to take fake orders.
Some fraudsters run the cards, take the money, and never ship a product; others are simply running a fake online storefront simply to harvest credit card numbers.
Another variant of merchant fraud is when a legitimate merchant is compromised by a fraudster in their employ.
Employees who have access to payment processing devices, customer cards, and sensitive computer data can easily gain access to card numbers and user accounts.
Triangulation Fraud is a veritable "who's who" of Identity, merchant, and credit card fraud.
Triangulation Fraud involves:
- Setting up a fake online store offering "great deals"
- Accepting payments for items
- Using the newly acquired card data to purchase the item from a legitimate seller
- Then keeping the money skimmed in the original transaction and possibly making additional transactions later on with the stolen card information
This process helps to conceal and prolong the scheme. It is becoming a massive and - insome cases automated - form of fraud.
Triangulation Fraud is so subtle, victims who actually receive their “orders” may refer their friends to the fraudulent site.
Another scheme that could only have evolved in the current ecommerce climate...
Affiliate fraud is the term for when fraudsters enter into marketing arrangements with merchants, promising to direct traffic and sales leads to their websites.
These arrangements are usually commission-based, so the affiliate gets paid according the volume of traffic or sales they generate. This can incentivize very bad behavior, even from affiliates who may not have intended to become fraudsters.
Some affiliates will use bots and automated scripts to send fake traffic to the merchant’s site, or they may use false promises and deception to persuade real people to visit the site, expecting service that the merchant is unequipped to deliver.
Many “friendly” fraudsters would object to the label, but why sugarcoat it?
Friendly Fraud occurs when an otherwise legitimate customer has second thoughts about a purchase, and instead of asking the merchant for a refund, they dispute the payment transaction with their bank to get a chargeback.
It matters little whether customers do this out of ignorance or malice: the end result is the same for the merchant, lost revenue and a higher chargeback ratio.
Unless, of course, they know how to fight back effectively.
This may be less common than the other forms of fraud, but it’s quite dangerous.
Clean Fraud involves using stolen cards or credentials in such a way that there are no indicators of fraud for the merchant or bank to pick up on.
The “clean” fraudster will have all the right card information, passwords, and personal data needed to process the transaction according to best practices.
Perpetrators of clean fraud are usually educated about up-to-date security and fraud prevention protocols. They will usually engage in card testing to ensure that the stolen card they intend to use will work.
We could, of course, go on at great length about all the many ways phishing can be done, or how hackers can manipulate software vulnerabilities and network protocols to gain access to secure accounts, but these details are ever-changing as technology evolves and platforms fall in and out of favor.
What is most important for merchants is to be aware of the many vectors through which fraudsters can reach them.
Chargebacks that occur due to true fraud can’t be fought—not effectively or ethically, at least. The best protection merchants have against true fraud chargebacks is to learn about the approaches fraudsters might try on them, be vigilant for signs that a fraud attempt is underway, and to block and report fraudsters as soon as they can be identified.