Online fraud is fundamentally different to fraud that occurs at brick-and-mortar businesses as it’s harder to be certain that the person you’re selling to is who they say they are. Some fraudsters adopt more sophisticated methods than just trying to make purchases on a stolen card.
When accepting payments online, it’s important to be aware of the different kinds of fraud and what your liability is.
Stolen card fraud makes use of stolen cards or card details to make a purchase online. The fraudster may be in possession of a physical card, but it’s more likely that the cardholder’s details were stolen electronically. A business ships goods or provides a service to the fraudster on the assumption that the payment is legitimate.
If a cardholder has not yet realized that their card is lost or stolen (and so has not notified the card issuer), payments can still be processed successfully. Even if a payment is not declined, this does not mean that it was authorized.
Once the cardholder discovers the fraudulent use of their card, the payment is disputed with the card issuer. Once the dispute is found in favor of the cardholder, the business suffers a loss equal to the amount of the payment, the cost of any goods or services already provided, as well as an additional dispute fee.
Overpayment fraud (also known as a payout scam) is a variant of stolen card fraud. The fraudster claims to need a third-party service in connection with the purchase. The fraudster then offers to pay the seller the cost of the goods, an extra sum for the fraudulent third party, and often an additional tip for accommodating the request. The fraud being committed here is that the third-party service doesn’t exist: the fraudster has taken the additional funds while the seller is left with a dispute.
For example, an online antique business may be approached by a fraudster claiming to live overseas. They request that the business use their preferred freight company, who they ask the business to make payment to. Using stolen card information, the fraudster pays the business for the goods and fake freight fee, and includes a gratuity for the seller as an incentive.
The business complies and pays the fee to this fake freight company, but no shipment ever occurs because there is no legitimate shipper. The actual cardholder discovers the unauthorized payment and disputes it with their card issuer. The payment is automatically refunded and a dispute fee deducted, even though the business has already paid out funds separately to a fraudulent third party.
In this form of fraud, the fraudster deliberately pays more than was required, then contacts the business and claims they accidentally entered the wrong amount. The fraudster requests a partial refund to rectify this, but claims they have closed the card that was used and would like a refund sent using an alternative method that is outside of the card network (e.g., check or wire transfer).
For example, a fraudster donates 500 USD to a charity and contacts them shortly after to say that it should have been a 50 USD donation. The fraudster asks for the return of 450 USD using a different method, so no refund is made back to the original card. When the legitimate cardholder disputes the fraudulent payment, the charity is not only responsible for the disputed amount, it has also lost the amount sent using the alternative method.
Never refund payments using a different method than the one originally used. If a card has legitimately been closed, you can still perform a refund. The customer should then contact that card issuer to arrange for the funds to be retrieved.
If you run a marketplace business (such as a Connect platform) where your users are responsible for providing service to your customers, this type of fraud occurs when a fraudulent merchant absconds with any payments before providing the services or goods to customers.
For example, a marketplace that connects buyers and sellers can run the risk of a seller taking payment from the buyer and not sending the goods. In such cases, if the funds cannot be recovered from the seller, responsibility for the disputed amount and fee is ultimately on the platform.
Card testing is the practice of testing a card (or multiple cards) on one site to see if it’s still valid before using it on another site to make a fraudulent payment. Sites with free text fields, such as donation sites and “pay what you like” e-commerce businesses, are predominantly the targets of card testing. Implementing CAPTCHA or rate-limiting charges can help combat this type of fraud.
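One way to rate-limit charges against card testing, as an added example that is not code from the original page or from any payment provider's API. The `Attempt` fields, the `CardTestingGuard` class and its thresholds are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds since epoch
    client: str      # assumed key: source IP or session id
    card_fp: str     # card fingerprint, never the raw card number
    declined: bool

class CardTestingGuard:
    """Sliding-window limit on distinct cards and declines per client."""
    def __init__(self, window=600, max_cards=3, max_declines=5):
        self.window, self.max_cards, self.max_declines = window, max_cards, max_declines
        self._recent = defaultdict(deque)

    def allow(self, client, card_fp, now):
        """Call before charging; False means block or require a CAPTCHA."""
        q = self._recent[client]
        while q and now - q[0].ts > self.window:   # drop attempts outside the window
            q.popleft()
        cards = {a.card_fp for a in q} | {card_fp}
        declines = sum(a.declined for a in q)
        return len(cards) <= self.max_cards and declines < self.max_declines

    def record(self, attempt):
        """Call after the charge result is known."""
        self._recent[attempt.client].append(attempt)

def replay(attempts, guard):
    """Feed attempts in time order; return those the guard would have stopped."""
    blocked = []
    for a in sorted(attempts, key=lambda a: a.ts):
        if guard.allow(a.client, a.card_fp, a.ts):
            guard.record(a)
        else:
            blocked.append(a)
    return blocked

# Constructed sample: one client cycling through six cards 20 s apart,
# and one ordinary customer retrying the same card after a decline.
SAMPLE = [Attempt(1000 + 20 * i, "203.0.113.7", f"fp_{i}", declined=(i != 4))
          for i in range(6)]
SAMPLE += [Attempt(1010, "198.51.100.20", "fp_a", True),
           Attempt(1050, "198.51.100.20", "fp_a", False)]

if __name__ == "__main__":
    for a in replay(SAMPLE, CardTestingGuard()):
        print("blocked", a.client, a.card_fp)
```

Keying on card fingerprints rather than raw attempt counts lets a genuine customer retry the same card while a client cycling through many cards is stopped at the fourth.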
Friendly fraud occurs when a legitimate cardholder makes a purchase, but then disputes it at a later date. This can either be accidental, because they didn’t recognize the transaction on their statement, or deliberate (e.g., due to buyer’s remorse or as an attempt to fraudulently obtain merchandise without paying).
It can be difficult to know whether friendly fraud has occurred, especially in digital sales. For those selling physical goods, shipping to a verified billing address and requiring signature on delivery can help combat this. In addition, having clear return policies prominently displayed at checkout to which the customer must agree prior to making a purchase can also help.