Preventing Purchase Return Fraud
Table of Contents
- What is purchase return fraud?
- How do fraudsters clone POS terminals?
- How do I prevent purchase return fraud?
- Security is everyone's responsibility
- Do cardholders get in trouble for return fraud?
- How do you stop return fraud?
- What are some methods used to commit return fraud?
Let’s give credit where it’s due. When it comes to innovating new and more effective ways to steal people’s money, fraudsters really know how to put in the effort. Any time new security measures are introduced to prevent some form of fraud, they go right back to the drawing board to figure out a way around them.
Purchase return fraud is an excellent example of this. This type of fraud has been around for a very long time, but the methods fraudsters use to commit it keep getting more sophisticated.
Purchase return fraud poses a much greater risk to merchants than most other kinds of fraud, and merchants should make every effort to prevent it. Unlike many other common forms of fraud, it doesn’t hinge on the use of compromised customer accounts or payment credentials — instead, it often exploits vulnerabilities in the merchant's own bank and payment processing accounts to issue refunds to prepaid cards that the fraudsters control.
When fraudsters can operate from within merchant accounts to initiate transactions, the potential for harm is enormous. Merchants who don’t want to see their revenue drained away by this kind of scheme should educate themselves about how purchase return fraud works and what they can do to prevent it from happening to them.
What is purchase return fraud?
Under normal circumstances, a purchase return transaction occurs when a merchant needs to refund money to a customer in accordance with their return policy. The merchant initiates the transaction, it passes through their payment processor, the card network, and finally the issuing bank, which receives the funds and credits the customer account.
With purchase return fraud, the fraudster is initiating the transaction at the start of the process and waiting to receive the funds at the end of it.
The hardest part of this, of course, is gaining access to the merchant account. There are a few ways to do this. One of the simplest ways is to simply steal a payment terminal. A criminal can smash a window, then snatch a POS terminal and run. It’s also possible for fraudsters to buy used payment terminals on the secondary market and attempt to use the credentials saved in those devices to access the accounts of their previous owners.
Some modern POS terminals allow merchants to de-authorize the terminal remotely, preventing the thief from using it. Unfortunately, there are also more sophisticated ways of gaining access to these systems.
How do fraudsters clone POS terminals?
It's not hard for a fraudster to get their hands on a working POS terminal, either by buying one used on a site like eBay or by posing as a merchant to get a new one from a payment processor. Once they have one, all they need to do is set it up like any normal merchant would. Only instead of entering their own information, they're entering information stolen from a legitimate merchant.
There are a number of ways fraudsters can get their hands on the information they need to set up a terminal. Phishing and malware are common methods, and some merchants even include this information on their receipts, not realizing how it might be used against them.
Once online, the cloned POS system works just like the ones the real merchant uses. The fraudster can submit refund transactions and the bank systems and other programs that interface with the terminal have no way of knowing that they’re illegitimate.
How do I prevent purchase return fraud?
While merchants certainly have to take responsibility for preventing this type of fraud, payment processors also play a crucial role. Merchants should ask their payment processors to take the following steps to prevent purchase return fraud:
- Use transaction keys and randomized terminal IDs
- Validate terminals using merchant category codes, SSL flags, etc.
- Detect matches between refunds and previous sales
- Employ velocity checking
Security is everyone's responsibility
Following best practices for security can help merchants prevent many forms of fraud, but in order to be effective, everyone with any level of access must remain vigilant.
It only takes one person responding to a phishing email or plugging in a USB drive they found in the parking lot to compromise security for the entire business.
Merchants should make sure their employees are educated about cybersecurity and should ask any partners with whom they share sensitive data about their security practices as well.