Why is payment fraud so widespread? Here's why card fraud is on the rise

Online payment fraud has been with us since the birth of ecommerce and, despite continual improvements in preventative techniques, it is widespread and growing.

According to Ravelin's latest annual Fraud Trends Survey, 59% of professional fraud fighters around the world have noted an increase in card payment fraud online. When asked, 47% rank card-not-present (CNP) fraud as a top risk to their business, with the figure jumping to 53% specifically in the retail and hospitality sector.

In terms of CNP payment fraud, it's estimated to reach $10.16 billion in 2024. In fact, up to $33.45 billion is lost to credit or debit card fraud of any type across the world in a single year, per Statista.

The incredible growth that we have seen in online transaction volumes has been followed by a greater relative increase in fraud. So, what forces continue to drive continual growth in this type of crime and why is it so persistently high?

1. Ease of opportunity

The degree of technical knowledge required to commit card-not-present fraud is now minimal. The ability to download the Tor browser, access some sites on the dark web and make a purchase in bitcoin is not difficult. And it is certainly not expensive; card and personal details can be purchased for pennies on the dark web – or even downloaded for free.

The supply of card details, while of questionable quality, is trending towards infinite. These data breaches are driving the supply and providing the source material for the fraud we are all suffering. In January 2024, for example, we saw the "mother of all data leaks" discovered, which contained a massive 26 billion records for aspiring fraudsters of all levels to use.

This combination of an endless supply of data and cheap and easy ways of accessing it means that the days of acquisitive crime are all but over for all but the most desperate. Why risk the consequences of stealing a TV from a house or a store when a brand new one could be delivered to your house? Why shoplift food from a well-protected supermarket when a delicious hot meal could be delivered to you for free?

2. Demographics

This shift in crime patterns naturally mirrors the shift in generations. A new wave of young people with at least basic digital skills become old enough to indulge in cybercrime and the pickings are rich.

We need to get away from the image of a "hacker" using advanced skills to pick the lock of a super-secure server. These are blunt force attacks require no more skill than entering in details on a few sites and apps to find where they work.

Collusion is rampant, effective and anonymous. As our recent Consumer Fraud Report demonstrated, even older amateur fraudsters are giving such schemes a go, with 41% of surveyed first-party fraudsters over 45 years of age.

People are naturally connected to each other via a host of social services. Subreddits are also a rich source for sharing fraud tactics along with websites where vulnerabilities have been spotted. The bar for aspiring fraudsters has never being lower, as easy-to-find tutorials and guides abound.

We should also note that fraud-as-a-service is on the rise, with the loot shared by professional fraudster and their customer.

3. Lack of stigma

Driving this increase in participation is the decrease in stigma attached to committing these crimes. A whole generation has grown up with online piracy (downloading movies, music, games and software). A report by American Assembly shows that 24% of 18 to 28-year-olds consider it OK to upload movie files to sites where others can download them, directly contributing to online piracy.

Although piracy is not exactly a gateway drug to online fraud, it certainly bends the longstanding connection between law and morals. If it’s okay to steal content, why not steal credit card numbers on the dark web?

But even looking into these acts themselves, attitudes can be brazen. Ravelin's recent Consumer Fraud Report found that 25% of those who commit friendly fraud and gray-area abuse see these as victimless crimes, with 22% saying that companies "make it easy to rip them off".

4. Police ill-equipped to manage

Police are organized to deal with acquisitive crime in the real world. Breaking into houses, shoplifting and stealing are what response, detection and evidence-building teams are built to manage. The conviction rates in most advanced economies act as a deterrent to all but the most desperate.

When it comes to payment fraud, the opposite holds true. For a start, the crimes are not as frequently reported. Each individual fraudulent transaction is not usually large enough to justify a company’s time in pursuing the perpetrator. The few cases that are passed to the police then hit the same triage problem – is it worth the police’s time to follow it up?

There is a contradiction here, of course. Criminal damage or theft of a trivial amount of goods in a shop will almost always be reported and pursued. This is because the evidence is simple to gather; CCTV footage or the word of a security guard is usually enough.

For an online crime though the evidence is more difficult to gather. Can the police find the person who used stolen details in the first place? Assuming they can, can they then prove that it was accused’s phone or computer that was used in the commission in the crime, or that it was the accused who was actually using the phone or computer? If the person is abroad, are there jurisdiction complications?

This stretches the police’s already beleaguered resources and takes them into areas few forces are trained for. There are, of course, significant policing resources available to investigate large data breaches, or an incident like the Tesco Bank attack in the UK.

However, in payment fraud, the cardholder is usually compensated and the merchant is rarely active in pursuit of the criminal. Together, the unwillingness of both the police and the merchants to pursue crime is creating the perfect environment for the opportunistic criminal.

5. Consumers aren’t protecting themselves

Some of the blame for card fraud has to be shared by consumers.

While it is relatively easy for criminals to obtain somebody’s card information, basic safety practices could go a long way in stopping them. Such practices include:

• Only making purchases on trusted sites
• Never handing out credit card information over email or the phone
• Checking website security
• Using strong and varied passwords on sites that store financial information

Although consumers share responsibility for online credit and debit card fraud, businesses bear the brunt of its effects. While laws vary from one jurisdiction to the next, the onus is generally on businesses to refund fraudulent transactions – and it goes without saying that businesses in this situation cannot recover the goods they have refunded. Chargebacks also represent a significant cost to businesses, involving heavy fees in addition to the funds that have to be returned.

This puts a massive burden on businesses; do you refuse to accept cards online (and go out of business) or do you accept the risk of fraudulent transactions? Some choice. Businesses need to change how they manage fraud.

What should our response be?

So, if we accept the argument that for demographic, sociological, legislative and opportunistic reasons this problem is not going to get better quickly, the question we need to answer quickly is what the response is going to be.

To date, the response across merchants has varied. Most use and many rely on the fraud checks from their payment provider (PSP). These are of course useful and will in many cases stop cards that have been compromised from being used again. However, their defenses are easily overcome, and they have proven largely inadequate when a fraudster uses card details that up to that point have never been seen before by the payment provider.

For many businesses, the response to tackling fraud beyond their payment provider has been to invest in a rules engine and to manually check transactions that fail these rules or that appear suspicious. Manual review has its place, but in a world where the volume and varieties of fraud attack continue to increase, it is not difficult to see manual processes being overwhelmed.

We need to tackle fraud by using best asset that we have: data.

Fraudsters leave trails and those trails are to be found in the data. The more data we track, the more those fraudulent patterns become clear and the easier it is to stop the fraud automatically and immediately. Machine learning is the only technique that has the capability to identify these patterns, and the move to employing it at the core of fraud detection is a matter of when and not if.

Just as importantly, the industry needs to share data on compromised card and accounts. By operating independently, merchants make it easy for fraudsters to move from target to target.

We need to operate together by meaningfully sharing data in a way that is fast and accurate so a fraudster is shut down not just on one site but on many. There are of course complexities to this, but the principle is obvious and the technical aspects of it are largely solved.

The key requirement to stem the tide of fraud is largely one of will. Fraud thrives because our efforts to stop it are inadequate. This needs to change fast.

Learn more about Ravelin's solution to online payment fraud here.

* This article has been adapted from an article first published by IT Tech Portal. You can read the original article here.