As payments move online, fraudsters are following
Wherever your customers are in the world, most of them are probably online. More and more people are choosing to shop online for things that traditionally would have been bought in store, such as furniture, fashion and fast food.
The whole world loves online shopping. The global ecommerce market is predicted to grow to 4.9 trillion US dollars by 2021. In 2018, one in every ten dollars spent globally was spent online, and by 2022 online sales will make up 17% of all global consumer sales.
With so many customers storing card details and making payments online, fraudsters can’t resist taking advantage, and online payment fraud is rising fast.
What is online payment fraud and why is it so common?
But before we dive into how online payment fraud happens, it’s important to know exactly what payments it affects.
There are two types of payments:
Card present
When the physical card is used to buy something in a shop, restaurant, bar or market.
Card not present
When the card details are used, but the physical card itself isn’t passed from the buyer to seller. CNP payments can happen by mail or on the phone, but mainly happen online.
Online payments are a prime target for fraudsters because they don’t even need to have the real card; they only need the card details, which can be stored digitally. It’s also easier to get away with, because it’s so much harder for the seller to verify who is really making the purchase.
Payment fraud affected 82% of organizations in 2018 (Association of Finance Professionals)
Online payment fraud statistics around the globe
Payment fraud is already a billion dollar business, and it’s growing. When you look at the stats behind global online payment fraud, it’s no surprise that almost three quarters of businesses say it’s a major concern.
Online sellers will lose $130 billion to online payment fraud between 2018 and 2023
Regional statistics for online payment fraud
Global fraud average costs:
- Online payment fraud costs global businesses 1.8% of revenue.
- For every $1 of fraud from chargebacks, ecommerce businesses lose an extra $2.94.
The extra costs of fraud for businesses include chargeback fees, merchandise distribution, fraud investigation, legal prosecution and software security.
It’s not only about the financial cost - fraud also impacts brand and customer loyalty. Because consumers aren’t aware of how fraud works, they often blame the online seller and are less likely to buy from their site again.
Who is affected by online payment fraud?
For customers, having card details stolen can be frustrating and scary. On average, victims of online payment fraud spend two working days cancelling their cards and dealing with the aftermath.
For online sellers, online payment fraud is a huge cost and the top concern for 44% of finance professionals. If they fall victim to fraud they lose the merchandise that was ordered, plus they have to refund the person whose card was stolen - known as a chargeback. On top of this, the seller also has to pay chargeback fees to their payment provider.
For payment providers in Europe, the revised Payment Services Directive (PSD2) means that they will now be legally responsible for fraud across their entire portfolio of online sellers. Payment providers who can prove they have low fraud rates will be in high demand as they’ll be able to perform risk analysis and avoid using 3D Secure on every transaction. Learn more about PSD2 here.
But why do people commit fraud in the first place? There is a combination of different reasons: ease of access, sociological factors and economic factors all play a part. Read more about the underlying reasons behind fraud.
How does online payment fraud happen?
There are different types of online payment fraud. One example is ‘friendly fraud’ which happens when a real customer does receive the goods they ordered, but claims not to have received the goods and goes on to file a chargeback through their bank instead of requesting a refund from the seller. Learn more about different types of online payment fraud here.
Most online payment fraud is identity theft. This is how it works:
- Criminals steal cardholder information through skimming on payment pages, or buy it on the dark web.
- A fraudster uses the stolen card details to impersonate the cardholder and buy things online.
- The online seller thinks the purchase is valid, processes the payment and sends the goods to the fraudster.
- The cardholder sees the charges and contacts their bank, and the online seller is hit with a chargeback plus fees.
For the average fraudster, buying card details on the dark web is the easiest and fastest way to get large numbers of card details. The Breach Level Index reports that over 14 billion data records have been stolen and leaked online since 2013.
Surprisingly, less than a quarter of consumers are aware that this is how fraudsters operate, and only 20% know that it is eventually the retailers who pay for this fraud. Find out more from our survey on consumer attitudes to fraud.
How fraudsters operate online
Fraudsters are stealthy. They’re constantly finding new ways to commit fraud online and improving their techniques.
The dark web is a corner of the Internet where criminals can interact without being traced. This is where fraudsters buy and sell card details and share information about how to go about committing fraud, what tools to use etc. At Ravelin, we’re always keeping an eye on what the fraud community is doing so we can stay ahead of them. Some of the latest trends we’ve seen are:
Use of advanced privacy software
The most sophisticated fraudsters use heavy-duty software like Anti-Detect and Kameleo to avoid browser IDs. This software enables fraudsters to create multiple instances of virtual machines in browser windows. Even though it makes it hard to trace them, blocking location is a huge indicator of fraud.
There are card details from all over the world on the dark web. When a fraudster buys a bunch of compromised card details, they can quickly find out where the card they are using is registered to, and then spoof the location so it looks like they are in that location.
Calling services and phone number spoofing
Fraudsters can buy real customer phone numbers online with card details, but they won’t have access to the actual phone. To get around this they can contact the customer’s phone company to request that all calls are diverted to their own number so that they can verify purchases if needed. The dark web also advertises ‘calling services’ where someone can call a victim’s bank and credit card provider to change their registered phone number.
Impersonating buyer behavior
Previously, most fraudsters were sloppy and would give themselves away by making huge orders on compromised cards very quickly. More sophisticated fraudsters are acting like real customers and waiting a while, adding and deleting things from their basket and placing a few smaller orders first before a big order.
Enhanced customer information
As well as payment card details and personal information, we’ve seen fraudsters buying and selling device IDs and driving licenses. Fraudsters can use this to appear more convincing, or they can mix different customer details up and create new accounts under these synthetic (fake) IDs. This tactic is often used in bank fraud.
Chargeback fees and card scheme rules
When a customer has been defrauded on an online seller’s website, they notify their bank and the seller will receive a chargeback. As well as refunding the cardholder, the seller also has to pay chargeback fees to their payment provider. Chargeback fees can be as high as $50 and are payable even if the chargeback is not upheld.
On top of these fees, the card schemes put a limit on the number of chargebacks an online seller can receive before they get even heavier fines.
Between 1988 and 1998, Visa and Mastercard lost $750 million to credit card fraud. This led both the credit card companies to create monitoring programs for chargebacks (also called disputes). From October 2019, Visa will update thresholds for the chargeback monitoring program - the changes are below.
Visa fraud and chargeback thresholds from October 2019
|Program|Before 1st October 2019|From 1st October 2019|
|---|---|---|
|Visa Standard Fraud Monitoring Program (VFMP)|USD$ 75,000 in fraudulent transactions and 1.0% fraud:sales ratio (USD$)|USD$ 75,000 in fraudulent transactions and 0.9% fraud:sales ratio (USD$)|
|Visa Excessive Fraud Monitoring Program (VFMP)|USD$ 250,000 in fraudulent transactions and 2.0% fraud:sales ratio (USD$)|USD$ 250,000 in fraudulent transactions and 1.8% fraud:sales ratio (USD$)|
|Visa Chargeback Monitoring Program (VCMP) - Low Risk|100+ dispute count and 1.0% dispute:sales ratio|100+ dispute count and 0.9% dispute:sales ratio|
|Visa Chargeback Monitoring Program (VCMP) - High Risk|1000+ dispute count and 2.0% dispute:sales ratio|1000+ dispute count and 1.8% dispute:sales ratio|
For merchants, it pays to invest in fraud detection and prevention to minimize the risk of chargebacks. Payment providers with fraud detection as part of their service can offer online sellers security and the reduced risk of fees. So how should sellers and payment providers approach fraud detection?
The three pillars of fraud protection
As with any type of crime, approaches to detecting and preventing fraud have evolved over time. Ravelin’s Co-founder and Chief Intelligence Officer, Mairtin O’Riada has a background as an intelligence officer for the Met Police and explains more about the parallels between crime and fraud analysis in this article.
Fraud is definitely one of the success stories for applying big data, as this enabled analysts to change the way they looked at customers and payments. The three pillars of fraud detection are:
- A refined rules engine
- Machine learning
- Link analysis using graph databases
A refined rules-engine
With a traditional rules engine, payments which fit certain fraudy criteria are blocked or reviewed, such as high-value orders which are more likely to be fraudulent. Using only rules can be risky, as you might inadvertently block payments from genuine customers. For example, if you enable a rule which blocks all transactions over $500, you’d certainly be blocking lots of real customers too.
However, rules are still a key part of the fraud detection toolkit. It would be a mistake not to use rules in certain situations where they have over 90% accuracy and where there’s no need for a ‘grey area’ in the answer - for example always flagging a payment from an extremely high-risk country or region. The trick is to use a combination of rules and machine learning tuned to your specific business fraud risk.
Machine learning
Instead of just relying on rules with yes/no answers, machine learning uses trained models to score every transaction in terms of low, medium or high risk.
Whereas you need to feed rules into a rules engine, machine learning models are proactive and work on payments in real time, using past data and new information simultaneously.
Machine learning is automated and highly flexible to handle thousands of payments each second. A model is basically the equivalent of a team of analysts running hundreds of thousands of queries and comparing the outcomes to find the best result. With machine learning this is done in milliseconds with minimal human input. Read more about machine learning here.
Link analysis using graph networks
Link analysis is like a detective’s wall with suspects, dates and locations covered by criss-crossing strings connecting them. A graph network does a similar job - it allows you to look at all the evidence across all your customers and join the dots to build a picture of what a fraudster looks like, so you can prevent future fraudsters from making payments.
Machine learning models and graph networks are mutually reinforcing. For example, you can teach your machine learning model to flag large networks for review and to block payments from networks which have grown super quickly, to prevent a fraudster from using multiple accounts to order goods. Visit the link analysis and graph networks page to learn more.
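The network flagging described above, sketched as an added example (not Ravelin's code or part of the original article): accounts that share a card, device or phone identifier are merged into one network with union-find, then large networks go to review and networks that grew in a burst are blocked. The account data is constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (account id, sign-up time, identifiers seen on the account).
ACCOUNTS = [
    ("a1", "2019-03-01T10:00", {"card:1111", "dev:A"}),
    ("a2", "2019-03-01T10:20", {"card:2222", "dev:A"}),
    ("a3", "2019-03-01T10:45", {"card:2222", "phone:555"}),
    ("a4", "2019-03-01T11:05", {"card:3333", "phone:555"}),
    ("b1", "2019-01-10T09:00", {"card:4444", "dev:B"}),
    ("b2", "2019-02-20T18:30", {"card:4444", "dev:C"}),
    ("b3", "2019-03-05T08:00", {"card:6666", "dev:C"}),
    ("c1", "2019-03-02T12:00", {"card:5555", "dev:D"}),
]

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def build_networks(accounts):
    """Group accounts into networks; two accounts are linked if they share an identifier."""
    parent = {acc: acc for acc, _, _ in accounts}
    owner = {}  # identifier -> first account seen using it
    for acc, _, idents in accounts:
        for ident in idents:
            first = owner.setdefault(ident, acc)
            parent[find(parent, acc)] = find(parent, first)
    networks = defaultdict(list)
    for acc, created, _ in accounts:
        networks[find(parent, acc)].append((datetime.fromisoformat(created), acc))
    return [sorted(members) for members in networks.values()]

def flag_networks(accounts, review_size=3, burst_size=3, burst_window=timedelta(hours=2)):
    """Map each network (frozenset of account ids) to 'block', 'review' or 'allow'."""
    result = {}
    for members in build_networks(accounts):
        times = [t for t, _ in members]
        # Fast growth: burst_size consecutive sign-ups that all fall inside burst_window.
        burst = any(times[i + burst_size - 1] - times[i] <= burst_window
                    for i in range(len(times) - burst_size + 1))
        action = "block" if burst else "review" if len(members) >= review_size else "allow"
        result[frozenset(acc for _, acc in members)] = action
    return result
```

Note that a1 and a4 share no identifier directly; they end up in the same network only through a2 and a3, which is the kind of indirect link that per-transaction rules do not see.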
Buying fraud protection vs. building your own
Ravelin’s founders worked together at Hailo, a tech platform that matched taxi drivers and riders through a mobile app, which merged with MyTaxi in 2017. They each worked in different technical, finance and fraud prevention roles. They were looking for a fraud detection solution that worked, but also suited their business needs of speed and convenience. After trying and testing nearly all the available tools on the market, they found none of them were quite right for the modern business environment of real-time and mobile payments, so they had the idea to try doing it themselves. This idea eventually grew into an in-house fraud solution, which then evolved into Ravelin, which works as a service for other online sellers.
If you’re thinking about developing your own fraud detection in-house, make sure you know the key questions to ask to understand what’s right for your business. If you’re looking for a fraud solution which uses machine learning, use this RFP template to help you ask the right questions when meeting potential suppliers.