Clean Fraud
Getting away with fraud isn’t always easy. As hard as fraudsters try to find newer and sneakier ways to steal payment credentials and deceive merchants, the smartest minds in the payment industry are always finding ways to stop them.
Sometimes the only way to get around state-of-the-art fraud detection is to make everything appear as legitimate and above-board as possible, avoiding all of the usual signs and indicators. Fraud is a dirty business, but the most dangerous fraudsters of all are the ones who make it look clean.
What can merchants do to protect themselves from so-called clean fraud?
Clean fraud can come in many forms. It’s defined by its ability to evade detection by normal anti-fraud tools and methods, which can be accomplished in a variety of ways.
What makes clean fraud so dangerous for merchants is that it’s so difficult to prevent—you usually won’t know you’ve been victimized by clean fraud until after the cardholder realizes it and demands a chargeback.
Merchants can’t fight legitimate true fraud chargebacks, so they lose the revenue plus the cost of chargeback fees.
It doesn’t necessarily take highly advanced technological tools to pull off clean fraud, but you’re more likely to see it from sophisticated, professional fraudsters, not the average cybercriminal.
There’s no “one weird trick” to preventing clean fraud, but the more you understand how it works, the better equipped you’ll be to recognize it and implement productive countermeasures.
What Is Clean Fraud?
Clean fraud usually occurs when the fraudster has access to the victim's complete payment credentials, including the CVV and billing address. There are several potential sources of this information, but one in particular that merchants should be aware of is e-skimming.
In this type of attack, malware is inserted into a merchant's checkout page, where it can record any payment information entered by customers. That information can later be used to commit clean fraud, since the fraudster will be entering all the same information the legitimate customer did.
In order to avoid falling victim to e-skimming, merchants should understand and follow best practices for cybersecurity, and make sure their employees are familiar with these best practices as well.
What Kinds of Clean Fraud Are There?
There are several distinct varieties of clean fraud. Not every instance of these types of fraud will be clean fraud, but when clean fraud is unmasked, it usually fits into one of these categories:
- Friendly fraud, also known as chargeback fraud
- Identity theft, especially the variant known as synthetic identity theft
- Account takeover fraud
- Credit card fraud, in cases where the fraudster has the complete payment information
Friendly Fraud
Every merchant who deals with chargebacks should be well-acquainted with friendly fraud. This refers to customers who make a valid purchase, then later make false or misleading claims to dispute the transaction with their issuing bank in order to obtain a chargeback.
While some customers may engage in friendly fraud out of ignorance or confusion, many do it intentionally as a form of “cyber-shoplifting.”
Because friendly fraud always starts out with a legitimate transaction, there’s nothing anti-fraud tools can do to detect or prevent it.
Identity Theft
Identity theft, another common form of cybercrime, is also an effective cover for clean fraud. With the right personal data, a fraudster can apply for a credit card under some hapless victim’s name and make all sorts of purchases that they will never pay back.
While most cardholders will notice credit card fraud when they review their monthly bank statement, identity theft can go undetected for a long time. Many victims won’t realize they’ve had their identity stolen until they apply for a loan and see the damage done to their credit rating.
Even more dangerous is synthetic identity theft, which uses elements of real personal data mixed with fabricated details to create an identity based on a non-existent person. While banks have gotten better about spotting synthetic identities, they’re very hard to detect once they’ve been successfully created.
Account Takeover Fraud
Clean fraud often comes in the packaging of account takeover fraud. When a fraudster succeeds in hacking into a customer account on a merchant website, they can make all sorts of purchases with the victim’s stored payment credentials without the merchant noticing anything amiss.
While inconsistent shipping addresses can give the game away, digital purchases are harder to track, and clever fraudsters can even spoof geolocation and IP addresses to avoid detection.
Credit Card Fraud
In many cases of stolen credit card information, such as when a hacker compromises a database of customer information, only the card number itself and the name on the account are retrieved. Merchants are prohibited from storing the CVV numbers of credit cards specifically to make the credit card numbers acquired in these hacks more difficult to use.
However, other methods of obtaining payment information, such as phishing and the aforementioned e-skimming attacks, allow fraudsters to obtain all the information they need to bypass common fraud checks. These bundles of credit card information are often sold on the dark web as "fullz," indicating that all the information necessary to commit clean fraud is included.
How Can Merchants Prevent Clean Fraud?
Regular fraud often gives itself away with noticeable inconsistencies and missing credentials. Anti-fraud tools like AVS and CVV can easily catch out stolen cards that don’t have the right billing address or CVV code, for example, and fraud detection algorithms can often infer fraud from incongruous shipping addresses and geolocation.
With clean fraud, the customer identity, addresses, and card data will always appear perfectly correct and unremarkable, betraying no telltale clues that would raise any suspicions.
In the case of friendly fraud, there’s simply no way to fight it proactively, especially when it’s perpetrated intentionally. The good news is that friendly fraud chargebacks can be fought and won, as long as you have compelling evidence that shows how the fraudster’s dispute claims are false.
There are ways to make account takeover fraud more difficult—you can require strong passwords and two-factor authentication, for example—but the biggest point of vulnerability is the targeted customer, who may be persuaded to give up their login credentials with phishing attacks or social engineering.
Merchants can try to educate their users on best practices for online safety, but this is no guarantee that they won’t fall victim.
Identity theft is even harder for merchants to guard against. You can implement stringent anti-fraud algorithms that flag even the slightest inconsistencies, but this risks turning away and alienating your actual customers.
Clean forms of credit card fraud can sometimes be prevented through the use of fraud prevention software. These tools can automatically generate risk scores for incoming transactions and either accept them, reject them, or mark them for manual review. Many of these tools use machine learning to analyze past fraudulent and legitimate transactions to determine the most reliable indicators of fraud.
Merchants should always analyze fraudulent transactions carefully when they find out about them via chargebacks.
When you realize you’ve been hit with clean fraud, you can study the transaction data and see if there were any hints or red flags that might have helped you detect it at the time. This can yield insights that you can use to inform your anti-fraud strategies in the future.
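As an added illustration (not part of the original article), one way to look for missed hints is to compare how often each secondary signal appeared on orders that later came back as fraud chargebacks versus orders that did not. The order history and signal names below are constructed for the example and are not fields of any particular fraud tool.

```python
from collections import Counter

# Constructed sample history: every order passed AVS and CVV (that is what
# makes the fraud "clean"), so only secondary signals can separate the groups.
SIGNALS = ("new_device", "password_reset_24h", "ship_ne_bill", "digital_goods")
HISTORY = [
    # (order_id, came back as fraud chargeback, signals present at checkout)
    ("o1", True,  {"new_device", "password_reset_24h", "digital_goods"}),
    ("o2", True,  {"new_device", "ship_ne_bill"}),
    ("o3", True,  {"new_device", "password_reset_24h"}),
    ("o4", True,  {"digital_goods"}),
    ("o5", False, {"digital_goods"}),
    ("o6", False, {"ship_ne_bill"}),
    ("o7", False, set()),
    ("o8", False, {"new_device"}),
    ("o9", False, {"digital_goods"}),
    ("o10", False, set()),
    ("o11", False, {"ship_ne_bill", "digital_goods"}),
    ("o12", False, set()),
]

def signal_lift(history, signals=SIGNALS, smoothing=0.5):
    """Return {signal: (fraud_rate, legit_rate, lift)}, highest lift first.

    lift = P(signal | fraud chargeback) / P(signal | no chargeback); additive
    smoothing keeps a signal never seen on good orders from dividing by zero.
    """
    fraud = [s for _, is_fraud, s in history if is_fraud]
    legit = [s for _, is_fraud, s in history if not is_fraud]
    if not fraud or not legit:
        raise ValueError("need both fraud and legitimate transactions")
    f_count = Counter(sig for s in fraud for sig in s)
    l_count = Counter(sig for s in legit for sig in s)
    rows = {}
    for sig in signals:
        f_rate = (f_count[sig] + smoothing) / (len(fraud) + 2 * smoothing)
        l_rate = (l_count[sig] + smoothing) / (len(legit) + 2 * smoothing)
        rows[sig] = (round(f_rate, 3), round(l_rate, 3), round(f_rate / l_rate, 2))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][2], reverse=True))

def review_candidates(history, min_lift=2.0):
    """Signals over-represented enough in fraud to justify a manual-review rule."""
    return [s for s, (_, _, lift) in signal_lift(history).items() if lift >= min_lift]

if __name__ == "__main__":
    for sig, (f, l, lift) in signal_lift(HISTORY).items():
        print(f"{sig:20s} fraud={f:.3f} legit={l:.3f} lift={lift:.2f}")
    print("send to manual review on:", review_candidates(HISTORY))
```

A signal with lift near 1, such as a shipping/billing mismatch in this sample, tells you little on its own, which matches the article's point that clean fraud does not trip the usual checks.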
There are no easy answers when it comes to clean fraud, but it’s always a good idea to analyze your fraud data, review your preventative measures, and improve your practices to stop as much of the not-so-clean fraud as you can.
When you’re doing the best you can at avoiding preventable fraud, the occasional unavoidable act of clean fraud will be less impactful on your revenue and chargeback rate.
For many merchants, the most common form of clean fraud is friendly fraud, and that’s one you can do something about. Represent fraudulent chargebacks with your best evidence and always remember to block the perpetrators from making future purchases. With the right tactics and truth on your side, you can win back your revenue.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com