Payment fraud detection: what businesses can do to protect themselves


Fraud is a growing concern for businesses of all sizes and it can cause significant financial losses. Credit card fraud took the number-one spot in a recent Federal Trade Commission (FTC) report tracking forms of identity theft. In 2021, the agency received 2.8 million fraud reports from customers, revealing that reported fraud increased more than 70%, with reported losses totalling over US$5.8 billion. And according to a study conducted by Juniper Research, losses as a result of e-commerce fraud increased from US$17.5 billion in 2020 to more than US$20 billion in 2021, growing 18% within the span of one year. While these numbers are concerning, there are steps that companies can take to reduce damage from fraud.

Here's what you should know about credit card fraud, how it can hurt businesses and customers and how you can use technology to fight back.

What's in this article?

  • What is payment fraud?
  • Types of payment fraud
  • Payment fraud vs friendly fraud
  • How payment fraud happens
  • How to prevent payment fraud from happening
  • How to detect payment fraud when it occurs
  • How to choose a payment fraud solution

What is payment fraud?

Payment fraud is when a person uses stolen credit or debit card information to make purchases without the cardholder's permission, leaving the cardholder responsible for the charges. Payment fraud is a worldwide issue and is projected to cause global losses of $408 billion over the next decade.

Types of payment fraud

While there are many types of payment fraud, it can be broken down into two broad categories, based on where the fraud originates:

  • Card-present (CP) fraud: This type of fraud occurs when transactions are conducted using a physical card at the point of sale. In these cases, the fraudulent actor has possession of either the original card or an illegal duplicate, which they use to make in-person purchases that are not approved by the legitimate cardholder.
  • Card-not-present (CNP) fraud: This type of fraud refers to online purchases, where a physical card is not required. A card-not-present purchase requires the fraudulent actor to have only the card information, including the card number, expiry date and CVV code. Card-not-present purchases also include mail-in or telephone transactions, although these are less common.

Payment fraud vs friendly fraud

Friendly fraud – also known as "first-party abuse" – is a term that describes card transactions that are flagged by the cardholder as fraudulent, even though the charge was conducted by the legitimate cardholder. According to the Merchant Risk Council, 62% of businesses reported an increase in friendly fraud from 2021 to 2022. Friendly fraud occurs for a number of reasons, including:

  • The cardholder doesn't recognise the charge
    If the charge was attached to a valid purchase that the cardholder authorised and the item on their card statement doesn't clearly describe the purchase, the customer might dispute the charge rather than dig deeper. This is why writing thoughtful billing descriptors is an important tool in preventing chargebacks.

  • The customer regrets the purchase
    Known as "opportunistic friendly fraud", this scenario occurs when the cardholder no longer wishes to pay for an item they purchased – either because they weren't satisfied with the goods or services they received, or they simply regretted spending the money. By disputing the credit card charge, the cardholder hopes to take advantage of the "zero-liability" policy many issuers have, which states that cardholders won't have to pay for any fraudulent charges made using their card.

  • The charge occurred accidentally
    An example of this type of "first-party fraud" is when someone accidentally makes an in-app purchase or buys an item through an online auction site without intending to do so. Other instances include accidental duplicate charges or a purchase that was made in error because of an e-commerce retailer's confusing checkout flow.

  • The customer wants to avoid the returns process
    Friendly fraud is one way for customers to circumvent the returns process and avoid dealing with a business's lacklustre customer-service department.

How payment fraud happens

Since payment fraud includes any transaction that takes place without cardholder permission, it includes many possible scenarios. Examples include:

  • A criminal steals a wallet or purse, then uses the credit and debit cards found inside to make a purchase. This includes when a criminal uses a newly acquired card at a retailer to "test" it and ensure that it hasn't yet been reported as stolen.
  • A store employee retains a customer's card information after the customer completes a legitimate purchase, then uses that card information to make fraudulent purchases.
  • A cardholder orders and receives a product, claims the product never arrived and receives a refund. (They may then sell the product.)
  • Fraudulent actors create thousands of algorithmically generated numbers in the hopes of finding valid credit card numbers. These are known as "BIN attacks".
  • Criminals set up a fake online store with too-good-to-be-true discounts, then use the customers' payment info to commit future fraudulent purchases.
  • A criminal hacks into a customer's online shopping account to make purchases, steal the stored credit card information or resell the account access.

These are just a few examples of payment fraud. The scope and mechanisms of payment fraud are constantly evolving. As technology changes how we manage fraudulent transactions and protect payment data from theft, the tactics of fraudulent actors change accordingly. Businesses should not only react quickly when fraud happens, but also implement careful measures that prevent it from happening in the first place.

How to prevent payment fraud from happening

When fighting fraud, even the most basic measures can have an impact. Here are a few steps that you can take to prevent fraud for your business:

1. Communicate clearly and frequently
Regularly update your customers on their order status and promptly resolve issues to reduce disputes. Make sure that your customer service contact information is easy to locate.

2. Establish transparent policies
Include detailed refund and cancellation policies in your terms of service and ensure that these policies are easy to find. Require customers to agree to them before completing their purchase. This helps prevent disputes and is respected by card issuers.

3. Provide shipping and delivery details
When shipping physical goods, use services that offer online tracking and delivery confirmation. Provide these details to customers as soon as possible. This can help prevent disputes and fraudulent claims.

4. Set a recognisable statement descriptor
Make sure that the name that appears on your customers' bank and card statements is easily identifiable as your business. This reduces the chance that a customer will dispute a charge because they do not recognise the name.

5. Maintain separate accounts for multiple businesses
If you have multiple businesses, each should have its own Stripe account. This allows for separate statement descriptors and contact information, which helps avoid confusion and disputes.

6. Issue proactive refunds
If you suspect that a payment is fraudulent, consider issuing a refund proactively. This can prevent a potential dispute and the accompanying fee, along with the risk of product loss. However, make sure to balance this decision with the specific circumstances of your business.

7. Delay shipping when necessary
If possible, consider delaying the shipment of physical goods by 24–48 hours. This gives cardholders a chance to spot any fraudulent activity.

8. Verify shipping addresses
Ship to verified billing addresses that have passed postcode and street-address checks. In case of a dispute, this helps prove that the order was shipped to the legitimate cardholder.

9. Monitor your dispute rate
Regularly review your dispute rate to evaluate the effectiveness of your dispute and fraud prevention methods. You can use the metrics available in your Stripe Dashboard to track this.

10. Be careful with expedited shipping requests
Customers who request overnight or expedited shipping could be higher risk, since fraudulent actors want goods to be shipped as soon as possible to shorten the window of time during which they might be discovered. Not every request for expedited shipping will be the result of fraud, but it's a good idea to have a workflow in place that gives extra oversight to these requests.

11. Flag and review suspicious activities
Be alert for signs of suspicious activity, such as an unusually large order, a customer changing the shipping address after purchase, expedited shipping requests, high-resale-value items or a mismatch between the billing address and shipping destination. Review such orders carefully to determine their legitimacy.

12. Verify the billing postcode
Verify the customer's billing postcode against the postcode associated with the card that they're attempting to use. Some card issuers require this, but it's good practice for any business that accepts card payments. For more about address verification service (AVS), read our article on the topic.

You can also benefit from using additional fraud prevention services through your payment solution provider. Stripe Radar provides real-time fraud protection and requires no additional development resources to set up and use. Fraud-fighting professionals can add Radar for Fraud Teams to customise protection and gain deeper insights. Radar detects and blocks fraud with machine learning, which uses data from millions of companies around the globe to distinguish fraudulent actors from real customers. Because payment fraud is so widespread and only growing in sophistication, your business's fraud prevention solution must be designed to keep pace.

How to detect payment fraud when it occurs

It's not always possible to identify fraud and many transactions that initially look suspicious might turn out to be legitimate. However, here are some common red flags:

  • Billing postcodes that don't match the card account
  • Card declines
  • A customer asking you to process a large payment over several smaller card transactions, across multiple credit cards
  • Multiple transactions processed in quick succession during a short period of time, from the same buyer
  • Unusual requests for rush shipping on costly bulk orders from new buyers
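The red flags above can be expressed as simple rules run over a batch of payments. The following is an added example, not code from Stripe and not a description of how Radar works; the record fields, thresholds and sample transactions are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own history.
VELOCITY_WINDOW = timedelta(minutes=10)   # "quick succession"
VELOCITY_MAX = 3                          # payments per buyer inside the window
SPLIT_CARDS = 2                           # distinct cards per buyer inside the window
BULK_AMOUNT = 1000                        # "costly bulk order"

def tx(tid, buyer, card, ts, amount, **extra):
    """Build one constructed transaction record (hypothetical schema)."""
    base = {"declined": False, "billing_postcode": "AB1 2CD",
            "card_postcode": "AB1 2CD", "rush": False, "new_buyer": False}
    return {**base, "id": tid, "buyer": buyer, "card": card,
            "ts": datetime.fromisoformat(ts), "amount": amount, **extra}

# Constructed sample data, not real payments.
SAMPLE = [
    tx("t1", "b1", "c1", "2024-01-01T10:00:00", 40),
    tx("t2", "b2", "c2", "2024-01-01T11:00:00", 300),
    tx("t3", "b2", "c3", "2024-01-01T11:02:00", 300),
    tx("t4", "b2", "c4", "2024-01-01T11:04:00", 300, declined=True),
    tx("t5", "b3", "c5", "2024-01-01T12:00:00", 2500, rush=True,
       new_buyer=True, billing_postcode="ab12cd"),
    tx("t6", "b4", "c6", "2024-01-01T13:00:00", 20, billing_postcode="ZZ9 9ZZ"),
]

def norm(postcode):
    """Compare postcodes without regard to spacing or case."""
    return postcode.replace(" ", "").upper()

def red_flags(transactions):
    """Return {transaction id: sorted red-flag names}; clean payments are omitted."""
    flags, by_buyer = defaultdict(set), defaultdict(list)
    for t in transactions:
        by_buyer[t["buyer"]].append(t)
        if norm(t["billing_postcode"]) != norm(t["card_postcode"]):
            flags[t["id"]].add("postcode_mismatch")
        if t["declined"]:
            flags[t["id"]].add("card_decline")
        if t["rush"] and t["new_buyer"] and t["amount"] >= BULK_AMOUNT:
            flags[t["id"]].add("rush_bulk_new_buyer")
    for txs in by_buyer.values():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end, current in enumerate(txs):      # sliding window per buyer
            while current["ts"] - txs[start]["ts"] > VELOCITY_WINDOW:
                start += 1
            window = txs[start:end + 1]
            hits = set()
            if len(window) >= VELOCITY_MAX:
                hits.add("velocity")
            if len({t["card"] for t in window}) >= SPLIT_CARDS:
                hits.add("multi_card_split")
            for t in window:
                flags[t["id"]] |= hits
    return {tid: sorted(names) for tid, names in flags.items() if names}
```

A flag here is a reason to review the order, not proof of fraud; as noted above, many transactions that look suspicious turn out to be legitimate.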

The single most impactful step you can take to protect your business is to employ a fraud prevention solution, such as Stripe Radar, that flags potentially fraudulent transactions. By using machine learning – based on data from billions of global transactions – the algorithms that power these solutions take into account how and where you do business, who your customers are and what "unusual" activity looks like for your specific business and industry.

Your fraud mitigation playbook should include a flow of steps that initiates when a transaction is marked as potentially fraudulent. While your payment processing provider and card issuer investigate the issue, there are actions you can take, such as pausing fulfilment of the order and getting in touch with the customer to communicate with them about what's happening.

How to choose a payment fraud solution

Choosing the right payment fraud solution may be as simple as upgrading your existing payment processor experience to access all of the available features. Many companies, including Stripe, are proactive about detecting card payment fraud before it occurs – saving you the pain of dealing with fraudulent charges in the first place. Such proactive steps also protect your reputation with card issuers and banks, who will take action against your account if the number of chargebacks or stopped payments becomes unmanageable.

When considering which payment processor to use, ask yourself which of the following features you want in your arsenal:

Automatic payment monitoring

Each credit card charge should go through some level of automated scrutiny. Whether it's matching the postcode between the card and billing address or asking for the CVV code with every transaction, this step should catch the more obvious fraudulent charges.

In addition, your payment processing dashboard should alert you to flagged transactions as they occur, so you can take action to minimise additional charges from the same card or buyer. It's unrealistic to expect a retailer to screen every transaction manually. At minimum, your choice of payment solution should include parameters to catch the more obvious fraudulent payments.

Machine learning

Artificial intelligence (AI) influences many aspects of business technology today and it is excellent for detecting fraud. Through machine learning, AI collects data, analyses that data, then detects patterns to predict how future fraudulent payments may look.

Machine learning is now widely considered to be a standard component of advanced online payment fraud detection. Retailers should look for machine learning capabilities when considering how to outsmart criminals who constantly change their methods.

Fraud protection

When fraud is suspected, it's likely that a chargeback will occur. This leaves the business exposed, with a double loss from products it no longer possesses and the reversed payment – plus fees. An authentication service can shift the liability from you to the card issuer, helping you resolve cash flow issues caused by bad actors who take advantage of cardholders and businesses.

Custom protection

Not all businesses have the same fraud risk. Online businesses are more likely to experience card-not-present schemes, while brick-and-mortar retailers may have some level of protection against hackers trying to place thousands of orders at once.

On the other hand, in-person payments using physical cards are less likely to require additional verification, compared to online payments. Stripe Terminal offers best-in-class fraud protection for in-person payments: it accepts contactless and EMV-chip payments, which are more secure than swiped magnetic stripe payments. Terminal also comes with end-to-end encryption standards, plus the option to upgrade to point-to-point encryption (P2PE) for additional security.

Fraud risk changes by industry, with online-gaming companies facing different challenges than online grocers or health-supply manufacturers. Because needs will differ, the solutions you choose should reflect these unique risks.

Card processors with a one-size-fits-all risk level won't work for all businesses and may become ineffective for companies during especially busy periods, such as holidays. Look for a processor who understands the risk to your industry and your company and listens to your concerns. The best fraud solutions let you create a frictionless customer experience while setting up defences to protect your business and your customers. For example, Stripe assesses the unique risk level, needs and vulnerabilities of each business it supports to ensure that it is equipped with all possible measures of protection.

Self-service parameters

Retailers should have as much control as possible over fraud. By creating your own fraud protocol, you can determine the actions you take when a charge raises suspicion and create parameters that will help you and your team resolve future issues. Card processors should let you add IP addresses, card numbers and even emails to your block list, while manually blocking any payments you deem suspicious. If you notice the same trends occurring over time, you should update parameters accordingly to create less work for you and your card processor in the future. Managing fraudulent transactions should become easier over time.

Reducing fraud creates measurable wins

Protecting your business against fraud means educating yourself about the realities of card payment fraud, then handling them promptly and proactively. By partnering with the right card payment processor, such as Stripe, you can lower the overall number of fraudulent charges, remain in good favour with your card issuers and give your business the cash flow security it needs to survive changing economic times.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.
