What is payment fraud? How to spot & prevent It

Ecommerce has changed the way merchants and customers sell and buy. It’s also changed the way criminals separate people and businesses from their hard-earned money. As an illicit industry, payment fraud is booming. This makes it crucial for ecommerce businesses to understand how payment fraud happens—and how to prevent it. 

Curious to know what payment fraud is and how you can help protect your business and your customers from it? Read on. 

What is payment fraud?

Payment fraud is a blanket term meaning any false or illegal transaction conducted by a cybercriminal. The methods vary, but the goal is always the same: to deprive a victim of funds, personal property, or sensitive information.

Though payment fraud has been around since the dawn of ecommerce, its impact has spiked severely in recent years. The FTC reports that consumers lost more than $5.8 billion to fraud in 2021. This shows an increase of more than 70% over 2020. Meanwhile, Juniper Research reports that payment fraud will cost online sellers $130 billion between 2018 and 2023.

Clearly, the threat of payment fraud is dire for both ecommerce businesses and online shoppers. Understanding how it happens—and how to help prevent it—is vital for anyone doing business online. 

Different types of payment fraud

Cybercriminals have devised a wide array of ways to manipulate ecommerce systems to their advantage. The first step in combating this illegal activity is understanding these methods. To that end, let’s look at six common types of payment fraud. 

Phishing attacks

In this method, cybercriminals contact victims under false pretenses in order to steal sensitive information, such as login credentials or credit card numbers. The FBI reports that phishing was the most common form of cybercrime in 2020. 

Most phishing scams take one of three forms: 

• Email phishing involves a cybercriminal emails a potential victim, hoping to trick them into disclosing sensitive information. The most common method is telling the victim their account has been compromised and that they need to reset their password. 
• Vishing involves the same trick, pulled over the phone. A popular vishing attack involves telling a victim that their vehicle’s extended warranty is expiring, and that they need to disclose their banking credentials to activate their new warranty. 
• Smishing takes place through SMS texts. For example, the potential victim receives a text informing them that their account (online banking, PayPal, etc) has been compromised, and that they need to share their login information to regain access to their account. 

In all these cases, once the cybercriminal has the victim’s sensitive information, they use it to commit further fraud. 

Wire transfer or advanced fee scams

This kind of scam is commonly conducted over email, but increasingly happens over SMS or chat apps. Typically, the potential victim is promised a large sum of money in return for a small upfront payment. For example, the cybercriminal might ask for help paying bank fees so they can get the victim millions of dollars at a later date. Naturally, that later date never arrives. 

The popularity of these scams is due to their low-investment, high-yield nature. A criminal can cheaply acquire a huge volume of contact information on the dark web, and then easily send the same message to a large number of people. They only need a few recipients to fall for the scam to make the whole operation profitable.

Identity theft

This term describes any fraud in which the cybercriminal impersonates a victim. Ecommerce has made this kind of criminal activity incredibly common. In 2020 alone, nearly half of all U.S. citizens became a victim of identity theft. 

In the most common form of identity theft, a cybercriminal acquires a victim’s credit card information. They have a number of ways to do this, including phishing, buying the information off the dark web, or simply going through a victim’s trash. 

The cybercriminal uses that information to make fraudulent purchases online. The online merchant processes the payment and sends the goods to the cybercriminal. If the cardholder ever spots the charges, they notify their bank, and the business is hit with a chargeback and related fees.

Other popular forms of identity theft include:

• Account takeover (ATO), in which a user’s credentials are used to log into an existing account
• Starting a new financial account using a victim’s information
• Using a victim’s social security number for financial gains 

Friendly fraud

In this form of fraud (also known as chargeback fraud), a cardholder identifies a purchase as fraudulent, when in fact they or someone else in their household may have made the purchase. Their dispute of the purchase activates a chargeback process. 

The two main causes of friendly fraud are:

• First-party fraud—here, someone else in the household makes a purchase without notifying the cardholder. This can easily happen when a card is saved for easier purchases, such as renting or purchasing a movie for streaming.
• Transaction confusion—here, the cardholder mistakenly disputes a purchase they actually authorized themselves. This often happens when a customer either unknowingly signs up for a subscription or does so knowingly but then forgets and is later surprised to see the charges on their statement. 

Whatever the cause, the impact is negative, often leading to: 

• A chargeback process, which costs the merchant money
• A poor customer experience, eroding confidence in that business
• Legitimate purchases being coded as fraudulent, causing more false declines, in which cards are denied due to suspected fraud

Clean fraud

This is an advanced form of identity theft, in which cybercriminals use stolen credit card data to make a fraudulent purchase, but also manipulate that transaction to avoid detection. 

To achieve this, cybercriminals don’t just steal credit card information; they also gather as much personal information about each cardholder as they can.

They also learn all they can about a merchant’s fraud detection methods. Armed with that knowledge and that wealth of cardholder information, they make fraudulent purchases carefully calibrated to avoid raising red flags.  

Synthetic identity fraud

Yet another advanced method, synthetic identity fraud, involves combining information from multiple victims to create fake cardholders. These fake identities are then used to make very real fraudulent purchases. 

Luckily, this method has become more difficult to use, thanks to the increased implementation of algorithms and artificial intelligence to spot synthetic identities.   

How to prevent payment fraud

Now that we’ve seen the many methods of payment fraud, let’s examine the ways you can help protect yourself and your customers from it.

Invest in fraud detection tools

As payment fraud continues to plague the ecommerce industry, an arsenal of detection tools have been developed to help businesses fight back. Measures to consider include:

• Geolocation, which pinpoints each customer’s physical location at the time of a purchase, letting you check it against the information that customer has on file
• Device fingerprinting, which allows you to block devices associated with previous fraudulent activity, and to keep track of trusted devices
• Address verification, which makes sure the billing address provided by the buyer matches the cardholder’s address on file
• Velocity checks, which watches for repeated purchases from the same user, allowing you to freeze activity in case of a suspicious batch of purchases from that user
• Two-factor authentication, which requires a user to present two separate credentials before completing a purchase
• 3-D secure, a technology that works like a PIN code for online purchases, helping to authenticate users as authorized cardholders
• Fraud scoring, which examines each transaction based on multiple fraud indicators—you can set this tool to either automatically reject transactions that raise too many red flags, or trigger a manual review
• Proxy piercing, which is designed to see through a proxy address and identify the user’s actual location

Keep in mind that these tools may increase the friction of your customers’ checkout process, but as long as you don’t overdo it, it’s a small price to pay for the upgraded fraud protection.

Set up a dual employee approval process

Establish a dollar amount threshold and require approval from two employees for any transaction above that threshold. This simple measure can help your team catch fraudulent payments before they go through. 

Dual approval can also help prevent fraud from being committed by members of your team. Though it’s an unpleasant thought, employee fraud (also known as internal fraud or occupational fraud) accounts for more than 40% of fraud cases with losses of $100 million or more.

Conduct thorough background checks

Set up a procedure for verifying the legitimacy of users visiting your online business. Background check measures include:

• Social media lookup: Check to see if the cardholder’s details match those of their social media profiles. 
• Email analysis: Check to see if the email address was created using a suspicious domain, and if it appears on any data breaches.
• Phone analysis: Check to see if the number is a landline or mobile, if the carrier location is close to the shipping address, etc. 

These and other measures can help you verify that each customer is who they say they are. 

Educate staff & clients

Stay up to date on the evolving tactics employed by cybercriminals, and share that information regularly with your staff. 

Let customers know to be on the lookout for fake checkout pages, emails from bots, and other malicious content aimed at gathering sensitive information. Let them know exactly how you will and will not contact them, so they can more easily spot fraudulent transactions. 

The more you, your team, and your customers know about payment fraud, the less vulnerable you will be to it. 

Spot payment fraud fast & secure your finances

Protecting yourself and your customers from payment fraud is a crucial part of doing business online. Sadly, there is no silver bullet. Effective payment fraud prevention requires constant vigilance and a willingness to adapt as cybercriminals continue to evolve their methods. 

By investing in payment fraud prevention, you can not only prevent a loss of funds—you can also protect your reputation as a safe place for online shoppers.

FAQs on payment fraud

What is the most targeted transaction method for payment fraud?

Paper checks are still the most targeted payment method. JP Morgan reports that in 2021, two-thirds of organizations fell prey to check fraud.

How can customers get their money back from a fraud transaction?

If you paid a scammer with a credit card or debit card:

Notify the company or bank that issued the card and ask them to reverse the transaction and return your money.

If a scammer made an unauthorized transfer from your bank account:

Notify your bank and ask them to reverse the transaction and return your money.

If you paid a scammer with a gift card:

Notify the company that issued the gift card and ask them to refund your money. Keep the card and the receipt.

If you sent a scammer a wire transfer:

Notify the wire transfer company and ask them to reverse the transfer and return your money.

If you paid a scammer through a money transfer app:

Notify the company behind the app and ask them to reverse the payment and return your money. 

If you paid a scammer with cryptocurrency:

Sadly, cryptocurrency payments are usually not reversible. Still, notify the company you used to send the money and ask them to reverse the transaction, if possible.

If you sent cash to a scammer:

If you sent it by U.S. mail, contact the U.S. Postal Inspection Service at 877-876-2455 and ask them to intercept the package. If you used another delivery service, contact them and ask them to do the same.

Where can buyers report fraud?

To report fraud of any kind, visit ReportFraud.ftc.gov. Reporting fraud helps the FTC spot trends, educate the public, and build cases against cybercriminals.