Fraud Detection: A merchant's guide for preventing payment fraud

Checkout.com
October 6, 2023

By the end of 2023, ecommerce businesses around the world will have lost almost $50 billion to payment fraud – and it’s growing. By 2024, card-not-present (CNP) fraud alone – which accounted for $8.75 billion in payment fraud losses in 2022 – is projected to hit $10.16 billion.

That raises the question: what can you do to protect your business against online payment fraud of all shapes and sizes, and safeguard you and your customers from the devastating financial, reputational, and operational losses fraud can cause?

Fraud detection and prevention are excellent places to start. In this guide, we’re discussing everything you, as a merchant, need to know about how to detect online fraud transactions.

We’ll cover:

  • What fraud detection is, and how it differs from fraud prevention
  • Why these complementary strategies are so important
  • How fraud happens, and the many different types of payment fraud that exist
  • The benefits of fraud detection for businesses
  • The best methods for detecting and preventing fraud
  • How Checkout.com can help

What is fraud detection?

In a payments context, fraud detection is the practice of identifying and flagging suspicious transactions or activities as they’re happening – and, sometimes, after they’ve occurred.

Fraud detection relies on a range of strategies – including machine learning, pattern recognition, and data analysis – to separate the legitimate transactions from the fraudulent ones. And, with the rise of AI (Artificial Intelligence), fraud detection systems are becoming even smarter and more scalable.

Payment fraud detection setups also rely on risk rules: sets of triggers and conditions that, when met by a transaction, suggest fraud. These ‘rules’ could involve:

  • Transaction amount (over $10,000, for example).
  • Location (a place identified as high-risk, perhaps because of historically high fraudulent activity originating there; or because it’s a gross mismatch of the cardholder’s address).
  • Cardholder behavior (a cardholder attempting to make several extremely low-value purchases in a short period of time could indicate card testing fraud, for example).

What is fraud prevention?

Fraud prevention is the set of strategies involved in stopping fraudulent transactions – before they have a chance to negatively impact your business.

Fraud prevention is like the proactive yin to the reactive yang of fraud detection. While fraud detection is focused on flagging and stopping fraud as it’s happening, fraud prevention’s focus is on stopping fraud before it happens. It’s about putting the processes and practices into place to minimize your fraud risk – and provide a first line of defense against the fraudsters.

Let’s say, for example, that your business is a medieval castle, and the fraudsters are the roving bands of invaders looking to break in and pillage your gold. Fraud prevention is the big wall you build around your castle, and the giant crocodile-filled moat beyond. It’s a good way of making it hard for the enemy – but not of stopping them completely.

In addition to this, you line the top of that wall with lookouts and soldiers. This is fraud monitoring. When an invader does manage to swim through the moat and scale the wall, you’re waiting for them – in real time – to stop them in their tracks. This part is analogous to fraud detection – your way of staying alert to the incoming danger, and eliminating it as it’s happening.

Some examples of fraud prevention include:

  • AVS and CVV checks to ensure the details provided by the cardholder match those held by the bank.
  • Biometric verification to authenticate a customer’s identity using their face, voice, or fingerprint – and make sure it’s really them attempting to make a purchase.
  • Strong Customer Authentication (SCA), which blends biometric-, device-, and knowledge-based factors to verify a customer’s identity.
  • IP intelligence, which enables you to block transactions from fraudulent IP addresses.
  • 3D Secure, a security protocol which uses a three-domain model to validate credit and debit card purchases.
  • SSL, a cryptographic protocol which provides secure communication between customer devices and payment solutions.

Why are fraud detection and prevention important?

First and foremost, fraud detection and prevention are important because they safeguard your business from the revenue and reputational risks of fraud.

Take chargeback fraud (which we’ll explain below) as an example. When an illegitimate chargeback is raised against your business – and the subsequent credit card dispute is ruled in favor of the fraudster – you’ll have to refund them. Meaning you won’t only lose that revenue, but the cost of delivering the product or service (plus a chargeback fee for good measure).

If you aren’t working to prevent and detect chargebacks and other forms of fraud, your business will bleed money – and, without doing anything to stop them, you may find the same fraudsters targeting your business over and over again. Worse still, excessive chargebacks could result in you facing scrutiny from card schemes (such as Visa and Mastercard), receiving fines, and even having your payment service provider cut ties with you.

Of course, it’s not just your business that fraud detection and prevention are there to help. It’s your customers, too. By safeguarding their transactions with your business, you’re showing them you value their custom and privacy online; demonstrating your commitment to the security of their payment, rather than merely paying lip service to it.

Finally, fraud detection and prevention are important because credit and debit payments rely, ultimately, on trust. Without that – without a safe, stable digital space for people to pay online, or with their phones – the whole system would crumble. (And so would the ability to accept many of the world’s most popular ways to pay!)

How does fraud happen?

Payment fraud happens when cybercriminals get their hands on stolen credit and debit card details. They do this through a variety of means, including:

  • Phishing: sending emails, messages, and calling real people pretending to be a legitimate entity – then tricking the victim into giving up sensitive information.
  • Purchasing stolen card information off the Dark Web.
  • Gaining access to one or more of a cardholder’s online accounts: often through brute-force password attacks or “credential stuffing”, where attackers use previously stolen username and password pairs to gain access to different accounts.
  • Skimming: where criminals use overlay devices to capture card details from ATMs or point of sale (POS) terminals.

How payment fraud looks and happens depends on which details the fraudster has access to – and their commitment to the scam. Synthetic identity fraudsters, for instance (whom you can read more about below), use stolen details to defraud banks and credit providers over a long timeframe – often years – while other fraudsters are content to steal what they can, while they can, acting quickly before the real cardholder reports their card as lost or stolen.

Types of fraud

In the popular imagination, payment fraud has a very narrow scope. It happens when a thief steals someone’s wallet (perhaps in a mugging), then uses it to buy goods and services.

This stereotype says that it’s the legitimate cardholder who suffers most – but it’s another misconception. Because in many instances of payment fraud, it’s actually the businesses that bear the brunt of the worst consequences – so it’s wise to know what you’re up against.

With that in mind, here’s a whistle-stop tour of the diverse forms of payment fraud out there.

Friendly fraud

Friendly fraud is when a customer, after purchasing from your business, raises a chargeback – without realizing that their reason for doing so is incorrect.

Chargeback fraud

Like friendly fraud, chargeback fraud involves a customer raising a dispute after making – and receiving – a legitimate purchase from your business. However, this customer is doing so with fraudulent intent: to claim a refund – at your expense.

To explore the nuances of the differences between chargeback fraud and friendly fraud, our dedicated article will help.

Buy Now, Pay Later (BNPL) fraud

BNPL fraud encompasses any fraudulent activity that exploits BNPL platforms to steal money or data. It can be as simple as a user refusing to pay their debt, or as complicated as a BNPL “trojan horse scam” – in which a fraudster uses fake credentials to create a BNPL account and place an order, before switching their payment method to a stolen card.

Account takeover

Account takeover fraud happens when a fraudster hijacks a legitimate person’s account – it could be a bank account, an email account, an online shopping account, or a social media profile – with identity theft or financial gain in mind.

Card-not-present (CNP) fraud

Card-not-present fraud is when a fraudulent transaction takes place without the payment card being physically present.

CNP fraud is prevalent in ecommerce and mail order/telephone order (MOTO) payments.

Card testing fraud

Card testing fraud happens when fraudsters – having obtained batches of stolen credit and debit card details – test these cards out with low-value transactions (of, say, $1). If the card works, the fraudsters will quickly progress to high-value purchases, and go from there.

Synthetic identity fraud

Synthetic identity fraud is when a fraudster steals aspects of a legitimate person’s identity – often their Social Security Number (SSN) – and combines them with falsified details to create a new, ‘synthetic’ identity.

Over time (often months and years) the fraudster builds up a credit history around these details, before eventually maxing out as many loans as possible and disappearing.

Benefits of fraud detection and prevention for businesses

Implementing strong, sustainable fraud detection and prevention strategies has a raft of draw cards for your business and customer base. 

We’ve already covered, above, the financial and reputational benefits fraud detection can offer your business. But a solid fraud prevention strategy also helps your business:

  • Remain compliant: a proper fraud detection and prevention plan is a key part of PCI DSS (Payment Card Industry Data Security Standard) compliance – a set of security standards that all merchants accepting credit and debit card payments must adhere to. This regulation is designed to protect sensitive cardholder information in a transaction – something you need a comprehensive fraud prevention strategy to do.
  • Reduce operational costs: dealing with credit card disputes is a trying and time-consuming process; a black hole of energy, effort, and employee resources. By preventing these disputes from occurring (insofar as that’s possible) you can cut operational costs, and free your team up for more growth-oriented tasks.
  • Gain an edge on the competition: when you invest in robust fraud prevention strategies, you can use that payment security as a competitive differentiator. This can help you attract a growing demographic of security-conscious customers, and act as a key point of difference as you expand your business into new markets and partnerships.
  • Use data to inform decisions: armed with AI-driven algorithms and machines that learn while they fight fraud, you’ll have all the data you need to make better decisions: and optimize your security processes, risk assessments, and analysis of fraud trends.

Best methods for detecting and preventing fraud

Now you know what fraud detection is, why it’s so important, and what types of fraud you’ll be up against. So how do you stop the array of dark, dynamic fraud types – and implement an effective payment fraud prevention strategy for your business?

Let’s explore.

Fraud transaction monitoring

Fraud transaction monitoring is a strategy that involves real-time analysis of your transactions as they happen.

It involves looking for suspicious statistical outliers in your payment data, and – by comparing them with data from transactions known to be fraudulent – evaluating whether they’re fraud. These ‘outliers’ could be a number of things – from one customer’s sudden increase in transaction volume to an abrupt change in where another is making payments from.

Head to our guide to fraud analytics for a closer look at the analytical tools and techniques involved in fraud transaction monitoring.

Custom velocity

Remember card testing fraud? Where fraudsters make small-value purchases to ‘test’ whether stolen cards are still valid? Well, velocity checks are an excellent way of preventing it.

Velocity checks keep tabs on the rate at which someone is trying to make multiple purchases from your site. Two or three purchases in 15 minutes is probably nothing to worry about (the customer probably just loves your merchandise!), but 10 attempted purchases in the same time period is suspicious – and could indicate card testing fraud.

With velocity rules, you can automatically trigger actions (such as requesting more information from the cardholder, or blocking a payment outright) based on a specific transaction frequency threshold. (This could be daily, weekly, or monthly.)

Custom velocity rules, however – which are available through Checkout.com’s Fraud Detection Pro solution – let you take it one step further. Custom velocity rules enable you to combine different conditions to create specific triggers – and better home in on fraud patterns.

Some examples of custom rules could include:

  • The same user attempting to pay with three different cards in one hour.
  • The same user receiving more than three insufficient funds declines in 24 hours.
  • The user’s IP address containing the range '98.195' and their email domain being either gmail.com or hotmail.com.
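
The 15-minute velocity threshold and the three custom rules listed above, sketched as a sliding-window check. This is an added example, not Checkout.com’s code or the Fraud Detection Pro API; the class, rule names, decline code, and rule-to-action mapping are assumptions, and attempts are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

QUARTER_HOUR, HOUR, DAY = 900, 3600, 86400   # window lengths in seconds

@dataclass(frozen=True)
class Attempt:
    ts: int                        # epoch seconds; attempts must arrive in time order
    user: str
    card: str                      # card token or fingerprint, never the raw card number
    ip: str
    email: str
    decline: Optional[str] = None  # None means approved (decline codes are assumed names)

# Rule -> action. The mapping is an assumption; the actions are the two the guide names.
ACTIONS = {
    "attempts_15m": "block",       # 10 attempted purchases in 15 minutes
    "cards_1h": "challenge",       # three different cards in one hour
    "nsf_24h": "challenge",        # more than three insufficient-funds declines in 24 hours
    "ip_email": "challenge",       # IP contains '98.195' and email is gmail.com/hotmail.com
}

class VelocityMonitor:
    def __init__(self):
        self.history = defaultdict(deque)   # user -> attempts seen in the last 24 hours

    def check(self, a: Attempt) -> list:
        """Record the attempt and return the names of the rules it triggers."""
        seen = self.history[a.user]
        seen.append(a)
        while seen[0].ts <= a.ts - DAY:     # evict anything older than the longest window
            seen.popleft()
        last_15m = [x for x in seen if x.ts > a.ts - QUARTER_HOUR]
        last_hour = [x for x in seen if x.ts > a.ts - HOUR]
        hits = []
        if len(last_15m) >= 10:
            hits.append("attempts_15m")
        if len({x.card for x in last_hour}) >= 3:
            hits.append("cards_1h")
        if sum(x.decline == "insufficient_funds" for x in seen) > 3:
            hits.append("nsf_24h")
        domain = a.email.rsplit("@", 1)[-1].lower()
        # Substring match mirrors the rule as worded; a prefix or CIDR match is tighter.
        if "98.195" in a.ip and domain in {"gmail.com", "hotmail.com"}:
            hits.append("ip_email")
        return hits

    def decide(self, a: Attempt) -> str:
        """Return 'block', 'challenge' (request more information) or 'allow'."""
        actions = {ACTIONS[r] for r in self.check(a)}
        return "block" if "block" in actions else "challenge" if actions else "allow"

def demo():
    """Replay constructed attempts: user u1 cycles cards every 60 s, as in card testing."""
    m = VelocityMonitor()
    t0 = 1_700_000_000
    return [m.decide(Attempt(t0 + 60 * i, "u1", f"tok{i}", "203.0.113.7", "a@example.com"))
            for i in range(10)]
```

In the constructed replay, the third attempt is the first to be challenged (three different cards within the hour) and the tenth is blocked once the 15-minute attempt count is reached.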

To learn more about custom velocity rules, head to our documentation on understanding fraud prevention.

Fraud risk profile

To understand the threats your business faces, you first need to understand your business’ risk profile. This is a detailed assessment and description of the specific risks and vulnerabilities your payment processing activities face when it comes to fraud.

A risk profile lists out the potential fraud threats and weaknesses your business faces, as well as the measures you can take to mitigate them.

Your risk profile should also include an analysis of your business’:

  • Payment channels and methods
  • Transaction volume and value
  • Customer segments (especially the high-risk demographics)
  • Geographic reach
  • Historical transaction data (including legitimate and fraudulent transactions)
  • Third-party relationships (with third-party payment service providers, for example)
  • Compliance obligations (such as PCI DSS)
  • Risk tolerance
  • Reporting and assessment strategies

A solid fraud risk profile will lay the foundations for a tailored fraud prevention strategy that aligns with your specific risks and objectives. It’ll help you prioritize your fraud detection efforts, allocate resources to the right places, and protect you – and your customers – from payment fraud.

Machine learning

Machine learning in fraud detection analyzes reams of data about your historical transactions. 

Its algorithms study the differences between actual fraud, assumed fraud, and genuine purchases to identify patterns, then use these to spot fraud going forward. They flag any suspicious-looking transactions for manual review, and a human analyst looks into them.

These algorithms do the work it would take hundreds, even thousands, of human analysts to do – and, unlike their flesh-and-blood counterparts, they don’t need to eat, sleep, or draw a salary. Through this lens, machine learning is an affordable, scalable, and speedy fraud detection solution – and can help you reduce instances of false positives and false negatives.

AML monitoring

AML (Anti-Money Laundering) monitoring involves assessing transfers, withdrawals, and deposits for suspicious patterns – and for any red flags that could signal criminal activity.

AML is closely tied to KYC (Know Your Customer), a set of legal requirements which require merchants (especially ones that operate in high-risk industries, such as gambling, cryptocurrency, or certain areas of ecommerce) to do due diligence on their customers.

Fraud detection tools and strategies – such as machine learning and risk-based rules – can help your business meet its AML monitoring requirements. By analyzing data from every deposit, transaction, or withdrawal – and by checking this activity for behavior atypical of the customer, or that could indicate financial crime – you can fulfill your AML obligations.

Anti-fraud education

As a merchant accepting credit and debit card payments, part of your responsibility to your customers is helping teach them what fraud looks like, and how they can avoid falling prey to scammers. This could include providing them with guidance on how to:

  • Recognize phishing emails
  • Shop safely online
  • Keep their card details secure

Of course, you also need to provide comprehensive anti-fraud education for your employees – particularly if they’re responsible for handling cardholder data. That includes being able to spot fraudulent patterns, understand the different types of payment fraud, and know exactly which incident response processes to follow should fraud occur.

To get started, explore Checkout.com’s list of the top 10 fraud rules your business needs to know about in 2023 – and share it with your employees.

How Checkout.com helps with fraud detection

There’s no ‘one size fits all’ approach to detecting and preventing online payment fraud.

Fraud takes many forms – from relatively straightforward card-not-present and card testing fraud to the longer, more elaborate endeavors of synthetic identity fraudsters. Payment fraud can be opportunistic and random; it can be calculated and coordinated.

Which means your business can’t afford to rely on one fraud prevention strategy alone – it needs a comprehensive toolkit that adapts to the shifting sands of the payment fraud environment.

Here’s where Checkout.com can help. Our Fraud Detection Pro solution is fully customizable to your business’ risk profile – and malleable to the specific needs of your industry and payments strategy. From machine learning and flexible risk rules to powerful reporting and testing capabilities, we equip you with all the technology you need to safeguard your transactions.

So get in touch with our team today to find out more. Or head to our website to explore the ins and outs of Checkout.com’s Fraud Detection Pro – and how its robust suite of anti-fraud capabilities can mitigate fraud’s impact on your business.
