It’s an unfortunate truth that not everyone deals honestly when making purchases. Some attempt to get things by spending other people’s money without their knowledge, or abuse financial loopholes to make money while others unwittingly shoulder the corresponding expenses. Still others deceive people into giving them money that they haven’t legitimately earned. Some instances of these actions can be called payment fraud.
Payment fraud causes headaches for merchants, consumers, and financial institutions alike. And the world’s continuing shift towards eCommerce is making it both easier and more impactful than ever. That’s why it’s important for FIs to know about—and be able to identify—different types of payment fraud. FIs also need to have both internal and external controls in place to detect and prevent payment fraud.
This guide will cover the basics of doing so by covering the following:
We’ll begin with a payment fraud definition to help with understanding the concept a bit better.
Payment fraud refers to any financial transaction made without authorization from the person who actually owns the involved asset(s). This includes deceiving a person into authorizing a transaction they likely wouldn’t otherwise consent to if they knew what it actually represented.
Most commonly, it refers to criminals using stolen credit or debit card details to make purchases that the rightful cardholder did not consent to. Other forms of payment, such as checks and over-the-phone payments, can also be subject to fraud. A criminal just has to successfully guess or fake the victim’s information required for the specific type of transaction to go through. The prevalence of real-time payments has also made payment fraud much easier to carry out by fraudsters—and more challenging to stop or reverse.
Before we dive into payment fraud, let’s first look at how payments are made. There are typically two types of payments:
- Card Present: A tangible payment card is used at a point of sale to authorize a transaction. This tends to be a more secure method of payment, but is still susceptible to schemes such as card cloning.
- Card Not Present: A payment card is not used for a transaction, or—more commonly—the transaction is authorized using only a payment card’s details instead of the physical card itself. This happens frequently with online transactions, making them vulnerable to various types of online payment fraud.
Since digital payment fraud tends to be more common these days, we’ll focus on it and on the different ways it can be carried out.
As mentioned in the introduction, the rise of eCommerce has made online payment fraud common. This is because card not present fraud is not only simpler to pull off, but can also be just as (or even more) lucrative. Here are some common types of fraud in online payment to be aware of.
Chargeback Fraud & Friendly Fraud
Chargeback fraud is a form of payment fraud in which a customer makes a purchase, then reports it to a financial institution or credit card company as being fraudulent. There are two common types: third-party chargeback fraud and first-party chargeback fraud (also known as “friendly fraud”). It's a common form of credit card payment fraud used by fraudsters.
Third-party chargeback fraud is when a criminal files a chargeback under the stolen identity of someone else. They may be trying to get money or products for free while the legitimate cardholder bears the consequences of filing too many chargebacks.
Friendly fraud is when a legitimate cardholder files a chargeback when they are not entitled to one. They may sometimes do so for innocent reasons, such as not recognizing a charge on their credit card statement or not understanding a merchant’s return policies. Other times, they may be intentionally trying to cheat the system to get free products or refunds they’re ineligible for (such as with “buyer’s remorse”).
Payment Card Fraud
Some of the most common types of digital payment fraud revolve around payment cards. Debit and credit cards—or at least their authorization information—can be stolen in a variety of ways, including “skimming” point-of-sale terminals, breaking into online accounts, “phishing,” or BIN attacks. Criminals can even employ tactics to take advantage of payment systems, like buy now pay later (BNPL) offers.
Sometimes, criminals will commit small acts of fraud to check how much money is available on a payment card before attempting larger fraudulent transactions. This is known as card testing fraud. While it is itself a type of payment fraud, it’s often a precursor to—and indicator of—larger fraudulent transactions.
Refund Fraud & Double Dipping
One of the fastest-growing payment fraud types, return fraud is similar to chargeback fraud and friendly fraud. An eCommerce customer purchases an item but then opens a fraudulent dispute by falsely claiming that they never received the item. They then ask for a refund or a replacement item; meanwhile, they re-sell the original item.
Overpayment and Advance Fee Wire Transfer Scams
A wire transfer is a digital payment method that’s difficult to trace or reverse, so it’s often used for fraud. Two common types of payment fraud using wire transfers are overpayment scams and advance fee scams.
An overpayment scam is where a fraudster makes a fake donation or eCommerce transaction, claiming to have sent the payee more money than they meant to by accident or for some other reason. They then ask the payee to refund them some of the money via wire transfer. It’s only later that the payee finds out the original payment was fake, and they’ve given away their money to a fraudster.
Similarly, an advance fee scam involves a fraudster promising someone a large sum of money, but requiring an upfront payment to facilitate the transaction. They will ask the victim to pay them via wire transfer, then simply disappear with the stolen money.
Pagejacking
Pagejacking is a fraud trick where a criminal copies the content on a legitimate website to make a fraudulent website look genuine. In doing so, their goal is to get visitors to enter financial or personal information in order to steal money or to commit identity theft as a means of further fraud.
Gift Card Fraud
When talking about payment fraud, the first things that come to mind are cash and credit cards—but there are many different payment methods fraudsters exploit. Gift card fraud involves the theft or fraudulent use of gift cards, and it’s more common than many organizations may realize.
The scammer will usually ask the victim to send them the gift card redemption code via a phone call, text message, or e-mail. Then they redeem the gift cards without ever sending the victim anything.
Triangulation Fraud and other Merchant Identity Fraud
Criminals can commit payment fraud in several ways by posing as merchants on eCommerce marketplaces. They may list products for sale that they have no intention of selling, or open merchant accounts with stolen financial information and arbitrarily charge customers. Then they close their accounts and disappear with the stolen money before customers and financial institutions discover the fraud.
A more complex type of electronic payment fraud is triangulation fraud. This is where a criminal poses as an eCommerce merchant, then fulfills orders from customers by using stolen payment information to buy items from legitimate merchants. This allows the criminal to profit from sales while spending someone else’s money. Meanwhile, the merchants the criminal buys from lose inventory, and often also lose money when the true owners of the stolen payment information file chargebacks against the criminal’s purchases.
Payment fraud detection and prevention starts with knowing what a financial institution is up against. From there, it requires choosing the right procedures and tools to keep fraud risk low at a reasonable cost, all while maintaining customer satisfaction and trust. As a case study, adopting Unit21’s systems has allowed investment solutions builder DriveWealth to detect and report suspicious activity faster and more often while lowering its rate of false alerts.
Here are some more specific suggestions for preventing payment fraud as a financial institution.
Perform Rigorous Identity Verification
Payment fraud prevention starts with a financial institution knowing its customers. That means checking their personally identifiable information (PII) during onboarding to ensure they’re a real person or business, as opposed to an entity using a fake or synthetic ID.
It also includes checking their identity against sanctions lists and other adverse indicators to assess how likely they could become (or already are) involved in illegal activity. These “Know Your Customer” and Customer Due Diligence (and Enhanced Due Diligence, if necessary) procedures allow an FI to determine how risky it would be to start a business relationship with a person or company.
The most obvious and important time to do this is when first bringing on a customer, but it shouldn’t be the only time. Identity verification and authentication should be an ongoing process to ensure customers act in their own capacity, as opposed to criminals stealing their identities or hijacking their accounts and impersonating them. We’ll explain more in the next point.
Employ a Strong Payment Authentication Process
Making sure a customer is legitimate when onboarding them isn’t enough. It’s also important to ensure that whenever they make a transaction, it’s actually them and not a fraudster pretending to be them with a fake, stolen, or synthetic ID.
That’s why it’s critical for financial institutions and other businesses to have mechanisms for authenticating customer identities. These should use PII such as phone numbers, email addresses, IP addresses, and social network credentials.
Examples include ID document checks, biometric verification, liveness detection, knowledge-based authentication, single-use passcodes, and so on. Methods can also be combined into multi-factor authentication systems.
Monitor Transactions for Anomalies and Suspicious Behavior
For a financial institution, part of authenticating a customer making a transaction is knowing what their typical financial behavior looks like. This allows for flagging transactions (or patterns of them) that seem suspicious.
Some basic red flags for payment fraud include multiple sequential transactions in a short amount of time, a spike in high-value transactions, or both. Again, though, depending on the specific customer, these may be usual occurrences and not anomalies. That’s why it’s important to take the particular customer’s behavioral history into account when monitoring transactions and screening payments.
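The two red flags above, checked against each customer’s own history, as an added example (not code from this guide or from Unit21). The 10-minute window, the 5x-median spike rule, the per-customer burst limits, and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=10)  # assumed velocity window
MIN_HISTORY = 5                 # amounts needed before a spike can be judged
SPIKE_FACTOR = 5.0              # assumed: flag amounts above 5x the customer's median

def flag_transactions(txns, usual_burst, default_burst=3):
    """Return [(txn_id, [reasons])] for transactions unusual for that customer.

    txns: (txn_id, customer, iso_timestamp, amount), in time order per customer.
    usual_burst: customer -> transaction count per WINDOW that is normal for them.
    """
    recent = defaultdict(deque)   # customer -> timestamps still inside WINDOW
    amounts = defaultdict(list)   # customer -> accepted past amounts (baseline)
    alerts = []
    for txn_id, cust, ts, amount in txns:
        when = datetime.fromisoformat(ts)
        window = recent[cust]
        window.append(when)
        while when - window[0] > WINDOW:   # drop timestamps older than WINDOW
            window.popleft()
        reasons = []
        if len(window) > usual_burst.get(cust, default_burst):
            reasons.append("velocity")
        history = amounts[cust]
        if len(history) >= MIN_HISTORY and amount > SPIKE_FACTOR * median(history):
            reasons.append("amount_spike")
        if reasons:
            alerts.append((txn_id, reasons))
        else:
            history.append(amount)   # flagged amounts never shift the baseline
    return alerts

# Constructed sample: "alice" shops about once a day, then makes four 1.00
# charges in four minutes followed by a 900.00 charge; "kiosk" is a business
# account for which six transactions in six minutes is routine.
SAMPLE = (
    [(f"a{i}", "alice", f"2024-03-0{i}T09:00:00", amt)
     for i, amt in enumerate([40.0, 55.0, 38.0, 60.0, 45.0], start=1)]
    + [(f"a{i}", "alice", f"2024-03-10T12:0{i - 6}:00", 1.0) for i in range(6, 10)]
    + [("a10", "alice", "2024-03-10T12:05:00", 900.0)]
    + [(f"b{i}", "kiosk", f"2024-03-10T12:0{i}:00", 20.0) for i in range(6)]
)
USUAL_BURST = {"alice": 3, "kiosk": 20}   # assumed per-customer profiles

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE, USUAL_BURST):
        print(txn_id, reasons)
```

The same burst that is flagged for the retail customer passes for the business account, which is why the thresholds come from each customer’s profile rather than one global rule.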
Behavioral analysis can also be useful for authentication. Specifically, it can be implemented in dynamic knowledge-based authentication, where a customer is verified by correctly answering questions about their transaction history with an institution. This is generally more secure than static knowledge-based authentication, where verification questions are based on general knowledge about a customer.
Reassess Payment Controls and Alerts
Anti-fraud is a balancing act between deterring bad actors and offering customers a low-friction user experience. So it’s important for a business to perform operational risk assessments to determine where controls need to be tighter, and where it can afford to relax them.
For example, how much money is a customer allowed to move at once? How many attempts can a customer take to authenticate their account before they get locked out? How long should this lockout last? These are some of the things to think about. How do they impact your business, how common are they, and how can you build rules that address the threats your team is facing?
Manage Internal Controls and External Security
Protecting against the tactics, techniques, and procedures of external payment fraud begins with securing a financial institution from within. Some examples of how to limit payment fraud risk include using encrypted communications, avoiding dealing in paper documents such as checks, and limiting access to sensitive information to a handful of authorized employees.
In addition, employees should be educated, tested, and monitored to ensure they are complying with these measures. Payment fraud can often be caused by financial employees acting carelessly, or by them exploiting insider information to either commit fraud themselves or help an outside accomplice do so.
Stay Up-to-Date on the Latest Fraud Trends and Schemes
Online payment fraud prevention isn’t a static process. As new technologies emerge, criminals are constantly finding ways to exploit their vulnerabilities—or use them to exploit existing systems. That’s why financial institutions need to pay attention to emerging forms of fraud and analyze them to determine how much risk they inherently present to operations.
Likewise, FIs should keep on top of thought leadership regarding new techniques and methods for payments fraud prevention. Then they can adopt strategies most suitable to their specific scenarios to minimize risk and loss.
Stay Well-Protected Against Payment Fraud with Unit21
Stopping payment fraud as a financial institution requires a multicomponent approach. The first component is understanding the tricks criminals use to commit different types of payment fraud.
The second is researching, developing, and implementing strategies to minimize the risk of payment fraud happening and limit the damage it can do. This can be made much easier by following payment compliance guidelines as part of an organization's AML program.
And the third is to continually monitor the payment fraud landscape, adjusting controls based on new technologies and tactics that either enable new forms of payment fraud or aid in the fight against it.
Unit21’s Risk & Compliance Infrastructure aids this process by providing a central hub risk professionals can use to quickly and efficiently investigate and report suspicious activity that could be payment fraud. To see how it can help your financial institution, book a demo with us today.