How to protect my web shop against fraud
Although the coronavirus pandemic has caused an encouraging boom in online retail, it has unfortunately also led to more cases of online fraud, as cyber criminals increasingly try to exploit the current situation. It’s not always easy for online merchants to see through the various webs of lies that fraudsters spin. If fraud results in non-payment, this can mean huge costs for you as a shop owner. However, many fraud attempts can be prevented by recognising abnormalities in the order or in the order process in good time. This requires a corresponding sensitivity when processing orders, or for you to run checks skilfully and efficiently.
Find out how online fraudsters act, how you can recognise them and how you as a merchant can protect yourself against fraud to avoid any financial damage.
The 4 most common types of fraud in e-commerce
To avoid being caught out by fraudsters and to effectively arm yourself against attempts at fraud and deception as a merchant, it is important that you are familiar with the various fraud scenarios so that you can respond to any clues.
1. Lost card data
Data required for an e-commerce payment, such as card number, name, expiry date and card verification number, can simply ‘be lost’ – after all, these details are printed on the card for everyone to see. A brief moment when you’re not paying attention is all it takes for a clever fraudster to subtly take a photo of a card – like when you’re standing in a hotel reception or at a beach bar. There are also a number of ways for card data to fall into the wrong hands online: as part of a phishing attack, when a cardholder accidentally enters their card data on an insecure website where fraudsters can read it, for example. Or if card data is already saved on a page and hackers are able to access it without authorisation.
After a successful hacker attack on an online merchant, stolen card data is often offered on the black market on what is known as the ‘dark web’. Here, it can be purchased by online fraudsters anonymously. However, card data from online hacks is usually incomplete, as merchants and payment service providers (like Saferpay) are never allowed to store the card verification number. That’s why fraudsters often try to guess the missing data over several payment attempts. They enter a small transaction amount so as not to attract unnecessary attention. If all of the card data is stolen, including the card verification number, large amounts are often taken.
Pay attention to these clues
- High number of failed purchase attempts with mostly small transaction amounts
- The cardholder name does not match the shipping address name
- Unusually large transaction amount
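The first clue above (many small failed attempts, possibly followed by a large successful authorisation once the missing data has been guessed) can be spotted automatically from your own transaction records. The following is an added example, not code from Saferpay or from the original article; the record format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authorisation attempts: (card token, timestamp, amount in minor units, result).
# Not real data; the field layout is an assumption for this example.
ATTEMPTS = [
    ("tok_A", "2021-03-01T10:00:00", 150, "FAILED"),
    ("tok_A", "2021-03-01T10:00:25", 150, "FAILED"),
    ("tok_A", "2021-03-01T10:00:50", 150, "FAILED"),
    ("tok_A", "2021-03-01T10:01:15", 150, "FAILED"),
    ("tok_A", "2021-03-01T10:03:00", 120000, "AUTHORIZED"),  # large amount after guessing succeeds
    ("tok_B", "2021-03-01T10:05:00", 2500, "FAILED"),         # a single ordinary decline
    ("tok_B", "2021-03-01T10:06:00", 2500, "AUTHORIZED"),
    ("tok_C", "2021-03-01T10:00:00", 100, "FAILED"),          # small failures, but spread out
    ("tok_C", "2021-03-01T10:20:00", 100, "FAILED"),
    ("tok_C", "2021-03-01T10:40:00", 100, "FAILED"),
    ("tok_C", "2021-03-01T11:00:00", 100, "FAILED"),
]


def card_testing_alerts(attempts, window=timedelta(minutes=10), min_failed=4,
                        small_amount=500, large_amount=50000):
    """Return {card token: [reasons]} for cards showing the card-testing pattern.

    A card is flagged when at least `min_failed` small failed attempts fall within
    `window`, and additionally when a large authorisation follows such attempts.
    The thresholds are assumed values; tune them to your own traffic.
    """
    per_card = defaultdict(list)
    for token, ts, amount, result in attempts:
        per_card[token].append((datetime.fromisoformat(ts), amount, result))

    alerts = {}
    for token, events in per_card.items():
        events.sort()
        recent_failed = []  # timestamps of small failed attempts still inside the window
        for ts, amount, result in events:
            recent_failed = [t for t in recent_failed if ts - t <= window]
            if result == "FAILED" and amount <= small_amount:
                recent_failed.append(ts)
                if len(recent_failed) >= min_failed:
                    alerts.setdefault(token, set()).add("repeated small failed attempts")
            elif result == "AUTHORIZED" and amount >= large_amount and recent_failed:
                alerts.setdefault(token, set()).add("large authorisation after failed attempts")
    return {token: sorted(reasons) for token, reasons in alerts.items()}


if __name__ == "__main__":
    print(card_testing_alerts(ATTEMPTS))
```

Only tok_A is reported: tok_B is an ordinary decline and tok_C’s failures are too far apart to fall into one window.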
2. Account takeover fraud
Fraud through account takeover (or ‘ATO’ for short) is where a fraudster gains access to a customer profile in your web shop and can then make purchases in your customer’s name using the means of payment saved in the shop. This type of identity theft might happen if your customer has a password that is easy to guess or if the password for their e-commerce account was compromised in a phishing attack, for example. Another variation on this is when a fraudster hacks your customer’s e-mail account and then also uses it to access the customer profile in your shop, causing financial damage.
Pay attention to these clues
- Very frequent login attempts by a customer
- Customer account password has recently been reset
- Customer’s name or address has changed
- The cardholder name does not match the shipping address name
3. Reservation fraud
This is the easiest and most convenient way for fraudsters to get money directly rather than ordering goods in the customer’s name. ‘Reservation fraud’ is very popular with fraudsters and this affects the hotel industry in particular: a long hotel stay is booked using stolen card data and then cancelled with an excuse and a request for the refund to be made to another credit card or account. The legitimate cardholder will also initiate a chargeback as soon as they find out about the damage.
Pay attention to these clues
- Suspiciously large amounts
- Refund to a different means of payment than the one used for the reservation
- Different customer data, e.g. communication via a different e-mail address
- If the booking is cancelled, flimsy reasons are given; this is often an illness, accident or a medical emergency in the family
4. Friendly Fraud
Friendly fraud is an online purchase where a customer pays using a credit or debit card and later requests a chargeback from the merchant instead of a refund. In most cases, there aren’t any fraudulent intentions. For example, something is ordered online and then forgotten about – the cardholder can’t remember this when looking through their card statement and makes a complaint about the payment. Or a child has unsupervised access to a device that has credit card data saved on it. In some cases, however, there are also customers who simply deny that they ever received the goods, wanting to gain an advantage. Unfortunately, such isolated cases are difficult to identify.
Pay attention to these clues
- Multiple difficulties with the same customer
- Increased risk with digital goods and in-app purchases
Strong customer authentication against online fraud
Payment service providers and banks rely on strong customer authentication (or ‘SCA’ for short) using 2-factor authentication to fight online fraud: as well as entering card data or a wallet login, another factor (mobile phone, password, fingerprint, etc.) is requested to verify the payer’s identity. If there is strong customer authentication, fraud is very unlikely.
As an online merchant, you can use Saferpay to enforce strong customer authentication for 3-D Secure means of payment like Visa and Mastercard by changing the ‘ThreeDsChallenge’ flag to ‘FORCE’ in the API. This is recommended if you know that the transaction is particularly risky before the authorisation request is made (e.g. an unusually large transaction amount) or if you have detected suspicious activity indicating a loss of card data or identity theft.
You can find more details about the ‘ThreeDsChallenge flag’ in our API documentation and in the Saferpay Integration Guide in the chapter 3-D Secure – Optional Parameters.
How to recognise the liability shift: who pays if there is damage?
You as a merchant normally bear the full risk in the event of online fraud – meaning you also bear the costs. A liability shift only occurs if the card issuer or payment service provider agrees to accept liability for the individual transaction. With 3-D Secure payments, you as a merchant almost always get a liability shift, meaning you’re on the safe side of things. You bear the risk for means of payment that do not have strong customer authentication and 3-D Secure, for payments outside the PSD2 region (where 3-D Secure is not supported by all issuers) and in exceptional cases (‘exemptions’) requested by the merchant.
Essentially: if a liability shift has taken place and a chargeback is then made, the payment service provider will bear the costs of this. However, a liability shift is not a guarantee that fraud has not taken place!
Identifying a liability shift and recognising strong customer authentication in Saferpay
You can see exactly whether there has been a liability shift and whether strong customer authentication has taken place in the transaction details in the Saferpay Backoffice:
- In the first section Payment details, the field Liability shift shows whether there has been a liability shift. Example: ‘yes (Visa Secure)’
- If it is a 3-D Secure payment, more details are shown in the 3-D Secure authentication section
- The field Type of authentication shows whether strong customer authentication took place. Example: ‘Strong’
General recommendations to avoid online fraud
Pay attention to these things
- Is the transaction amount unusually large?
- Was there a liability shift?
- Was there strong customer authentication?
- Are there multiple transactions for the same means of payment or customers within a short period of time?
- Have there been any account changes that could indicate identity theft or lost card data?
- Does the card issuer country match the IP and shipping address country?
- Is the delivery address in a country to which you usually do not or only rarely ship?
- Is it a new customer with an e-mail address from a free provider consisting of a combination of numbers and letters (e.g. skyblue123@gmail.com)?
What you can do
- Only ever issue credits to the means of payment used for the original transaction.
- If your product range consists of articles for which there is an increased risk of fraud, you can enforce strong customer authentication using the ThreeDsChallenge flag when selling these and for unusually large transaction amounts.
- Check the authenticity of the card data and carry out address verification using the form Verification of Cardholder Information.
- If possible, ask your customers to complete the payment using another means of payment (possibly using the ThreeDsChallenge flag).
- Try to identify potentially risky transactions and take a closer look at these – you can find a lot of useful details in the Saferpay Backoffice transaction details – the IP address country for the buyer and the card issuer country, for example.
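The checklist above and the advice to enforce strong customer authentication for risky orders can be combined into a simple rule set that runs before the authorisation request is built. This is an added example, not Saferpay’s own code or part of the original article: the Order fields, thresholds, free-mail domain list and “rarely shipped-to” countries are constructed assumptions, and the returned {"ThreeDsChallenge": "FORCE"} pair is assumed to be merged into the request exactly as the Saferpay API documentation describes.

```python
import re
from dataclasses import dataclass

LARGE_AMOUNT = 100000                     # minor units; assumed threshold for "unusually large"
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed list
RARE_SHIP_COUNTRIES = {"NG", "RU"}        # constructed example; use countries you rarely ship to


@dataclass
class Order:
    amount: int                # minor units
    cardholder_name: str
    shipping_name: str
    issuer_country: str        # card issuer country, as shown in the Backoffice transaction details
    ip_country: str            # buyer's IP address country
    shipping_country: str
    email: str
    new_customer: bool
    recent_account_change: bool  # name/address/password changed shortly before the order


def risk_flags(order):
    """Evaluate the checklist from the article and return the clues that apply."""
    flags = []
    if order.amount >= LARGE_AMOUNT:
        flags.append("unusually large amount")
    if order.cardholder_name.strip().lower() != order.shipping_name.strip().lower():
        flags.append("cardholder/shipping name mismatch")
    if not (order.issuer_country == order.ip_country == order.shipping_country):
        flags.append("issuer/IP/shipping country mismatch")
    if order.shipping_country in RARE_SHIP_COUNTRIES:
        flags.append("rarely shipped-to country")
    if order.recent_account_change:
        flags.append("recent account change")
    local, _, domain = order.email.lower().partition("@")
    if order.new_customer and domain in FREE_MAIL_DOMAINS \
            and re.search(r"[a-z]", local) and re.search(r"\d", local):
        flags.append("new customer with free-mail letters+digits address")
    return flags


def authentication_override(order):
    """Return (request fields to merge, flags). Assumed policy: force the 3-D Secure
    challenge for an unusually large amount or when two or more clues coincide."""
    flags = risk_flags(order)
    if "unusually large amount" in flags or len(flags) >= 2:
        return {"ThreeDsChallenge": "FORCE"}, flags
    return {}, flags
```
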
What if fraud happens?
Even with careful scrutiny, there may be a chargeback because of fraud. As long as these remain isolated cases, this isn’t too alarming. However, if the costs of fraud noticeably lower turnover or card organisations demand fines due to an increased rate of fraud, this becomes a critical concern.
The following will help you to take the right steps in the case of fraud without wasting time unnecessarily:
- A noticeably large number of payment attempts for individual cards: call the central credit card number for your country and tell them that you suspect card data may have fallen into the wrong hands. Until the matter is clarified, you can block the affected card numbers in the Saferpay Backoffice via Risk Management Configuration. If payment requests can be assigned to a single IP address, you can also block these in Risk Management so no further payments are accepted from there.
- If you have had bad experiences with a customer, you can decide to enforce strong customer authentication for future transactions with that customer using the ThreeDsChallenge flag, which can also be used to effectively prevent a lot of friendly fraud cases. If you are unable to cooperate with a customer, you can always block this customer’s means of payment for future transactions in Saferpay Risk Management.
- If you find that you are getting repeated cases of fraud in regions where you otherwise don’t make a lot of sales, you should consider completely blocking these countries in the Saferpay Backoffice. Countries can be blocked based on card origin and the origin of the IP address used by the buyer through Saferpay Risk Management.
We are happy to assist and advise you
Thorough manual risk analysis is time-consuming and often isn’t cost-effective for big merchants. If you want to reduce your fraud rate, we are happy to assist you, regardless of whether you are dealing with an acute fraud problem or just want to protect your sales even better and further optimise them with an already low fraud rate. We have the right solution for your requirements – please feel free to contact us!
fraud_eu@worldline.com (Europe)
fraud@worldline.com (Switzerland)