Preventing Purchase Return Fraud
Let’s give credit where it’s due. When it comes to innovating new and more effective ways to steal people’s money, fraudsters really know how to put in the effort. Any time new security protocols are introduced to prevent some form of fraud, they go right back to the drawing board to figure out a way around them.
Purchase return fraud is an excellent example of this. This type of fraud has been around for a very long time, but the methods keep getting more technologically sophisticated.
Merchants should be especially concerned about purchase return fraud, because unlike many other common types of fraud, it doesn’t hinge on the use of compromised customer accounts or payment credentials—instead, it exploits vulnerabilities in the merchants’ own bank and payment processing accounts to issue refunds to credit cards that the fraudsters control.
The potential for harm is enormous when fraudsters can operate from within merchant accounts to initiate transactions. Merchants who don’t want to see their revenue drained away by this kind of scheme should educate themselves about how purchase return fraud works and what they can do to prevent it from happening to them.
The Purchase Return Process
Under normal circumstances, a purchase return transaction occurs when a merchant needs to refund money to a customer in accordance with their return policy. The merchant initiates the transaction, it passes through their payment processor, their acquiring bank, and the card network, and finally the issuing bank receives the funds and credits the customer account.
With purchase return fraud, the fraudster is initiating the transaction at the start of the process and waiting to receive the funds at the end of it. They gain access to the merchant account, send the refund to their own credit cards, then immediately spend or cash out those funds so that they cannot be recovered when the fraud is discovered.
The hardest part of this, of course, is gaining access to the merchant account. There are a few ways to do this. In the past, one of the simplest ways was to simply steal a payment terminal—as in, literally break a window, grab a payment processing device from the cash register, and run away with it! It’s also possible for fraudsters to buy used payment terminals on the secondary market and attempt to use the credentials saved in those devices to access the accounts of their previous owners.
Attack of the Terminal Clones
Good physical and data security can make it harder for fraudsters to use those methods against you, but unfortunately they’ve come up with a better, easier way to break into merchant accounts. They “clone” point-of-sale devices, creating digital replicas of the terminals merchants use to process transactions, and use stolen information and automated hacking tools to gain access to the merchant accounts they’re linked to.
Online, the cloned POS system looks and behaves just like the actual merchant would. The fraudster can submit refund transactions, and the bank systems and other programs that interface with the merchant POS terminal have no way of knowing that they’re illegitimate. One of the ways fraudsters can fool these systems is by using merchant IDs and terminal IDs taken from legitimate transaction receipts.
Preventing Purchase Return Fraud
When it comes to preventing purchase return fraud, merchants have to take responsibility for their own protection—but they shouldn’t go it alone. Purchase return fraud involves the payment processor as well, and merchants will need to enlist their cooperation to implement the most effective possible fraud prevention practices.
In particular, merchants should ask their payment processors to take the following steps to prevent purchase return fraud:
- Use transaction keys and randomized terminal IDs
- Validate terminals using merchant category codes, SSL flags, or other descriptors/values
- Detect matches between refunds and previous sales
- Employ velocity checking to identify fraudsters
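The two processor-side checks above, matching refunds to prior sales and velocity checking, can be illustrated with a small screening routine. This is an added example written for this article, not code from any processor; the transaction fields, the one-hour window and the three-refund threshold are assumptions, and the ledger entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    txn_id: str
    ts: datetime
    merchant_id: str
    terminal_id: str
    card_token: str      # tokenized card reference, never the raw card number
    amount_cents: int
    kind: str            # "sale" or "refund"

def find_matching_sale(refund, history):
    """Return the most recent prior sale this refund plausibly reverses, or None."""
    candidates = [
        t for t in history
        if t.kind == "sale" and t.merchant_id == refund.merchant_id
        and t.card_token == refund.card_token
        and t.ts < refund.ts and t.amount_cents >= refund.amount_cents
    ]
    return max(candidates, key=lambda t: t.ts) if candidates else None

def refund_velocity(refund, history, window=timedelta(hours=1)):
    """Count refunds already issued from the same terminal in the window before this one."""
    return sum(
        1 for t in history
        if t.kind == "refund" and t.terminal_id == refund.terminal_id
        and refund.ts - window <= t.ts < refund.ts
    )

def screen_refund(refund, history, max_refunds_per_window=3):
    """Return the reasons to hold the refund for review; an empty list means it passes."""
    reasons = []
    if find_matching_sale(refund, history) is None:
        reasons.append("no prior sale for this card at this merchant covers the amount")
    if refund_velocity(refund, history) >= max_refunds_per_window:
        reasons.append("terminal exceeded refund velocity limit")
    return reasons

T0 = datetime(2024, 5, 1, 9, 0)   # constructed sample ledger, not real transaction data
HISTORY = [
    Txn("s1", T0, "M100", "T1", "tok_alice", 4999, "sale"),
    Txn("r1", T0 + timedelta(minutes=10), "M100", "T1", "tok_x1", 2000, "refund"),
    Txn("r2", T0 + timedelta(minutes=20), "M100", "T1", "tok_x2", 2000, "refund"),
    Txn("r3", T0 + timedelta(minutes=30), "M100", "T1", "tok_x3", 2000, "refund"),
]
LEGIT = Txn("r4", T0 + timedelta(hours=2), "M100", "T1", "tok_alice", 4999, "refund")
SUSPECT = Txn("r5", T0 + timedelta(minutes=40), "M100", "T1", "tok_mule", 9900, "refund")
```

`screen_refund(LEGIT, HISTORY)` returns no reasons, while `SUSPECT` is held both because no sale to that card exists and because the terminal has already issued three refunds in the past hour.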
For their part, merchants should make sure that they do not print their merchant ID or terminal ID numbers on transaction receipts, and use best practices for physical and data security with POS terminals and other payment processing devices. It is also very important for merchants to understand phishing and social engineering tactics and train staff on how to spot fraudsters using them.