Payment fraud can threaten business finances and customer privacy, and fighting it requires defensive solutions that are as sophisticated and flexible as the tactics used by fraudulent actors.
Payment fraud can come in many different forms, from the theft of credit card numbers from an unprotected card reader to malicious, fake emails. For instance, research done in 2021 by Tessian showed that US employees receive an average of 14 emails per year that prompt them to take financially fraudulent actions. In some industries, this number is much higher, with retail workers fielding an average of 49 fraudulent emails each year.
Phishing is one of the most common types of payment fraud, accounting for 44% of all data breaches in 2020. Skimming, where fraudulent actors capture card information at cash machines or from payment terminals, costs businesses an estimated US$1 billion each year. Identity theft, where personal information is stolen and used to make fraudulent purchases, comprised 24% of nearly 6 million fraud reports in 2021, according to the FTC. And these are just some of the types of payment fraud that businesses need to fight against.
Payment fraud represents a major threat, but businesses can mitigate it with a number of effective defence tactics. Here's what you need to know about common types of payment fraud, how they work and what you can do to protect yourself, your business and your customers.
What's in this article?
- What is payment fraud?
- Types of payment fraud
- Benefits of fraud protection
What is payment fraud?
Payment fraud is a type of financial fraud that involves the use of false or stolen payment information to obtain money or goods. Payment fraud can occur in a variety of ways, but it often includes fraudulent actors stealing credit card or bank account information, forging cheques or using stolen identity information to make unauthorised transactions.
Types of payment fraud
There are several methods that fraudulent actors use to commit payment fraud. Here are some of the most common tactics:
Phishing
What it is:
Phishing is a type of social-engineering attack – a tactic that involves deceiving people through psychological manipulation – where fraudulent actors use fraudulent emails, text messages, or websites to trick individuals into disclosing sensitive information such as log-in credentials and credit card information. 
Phishing attacks are usually carried out through emails that look like they are from a trusted source, such as a bank or reputable online retailer. The email may ask the recipient to click on a link to update their account information, verify a recent transaction, or claim a prize. When the recipient clicks the link, they are directed to a fake website where they are prompted to enter their log-in credentials, credit card information, or other sensitive data.
Phishing attacks can also be carried out through text messages, known as “smishing”, or through social media platforms, known as “pharming”. In these cases, the attacker sends a message or a link to a fraudulent website that appears to be legitimate, in order to steal personal information or infect the device with malware.
How to prevent it:
To protect against phishing attacks, be cautious when clicking links or opening attachments from unknown or suspicious sources. Stay alert for common tactics used by fraudulent actors, such as urgent or threatening language, misspelled words, or suspicious links. Using antivirus software can also help protect against phishing attacks. 
As with other types of payment fraud, phishing scams tend to evolve over time, becoming more advanced and legitimate-looking. Individuals and businesses should educate themselves and their employees about phishing and how to recognise and avoid these types of attacks.
Skimming
What it is:
Skimming occurs when a fraudulent actor uses a device, called a skimmer, to steal credit or debit card information. The fraudulent actor attaches a skimmer to a card reader at ATMs or point-of-sale terminals such as gas pumps, self-checkout lanes, and other payment terminals. The skimmer captures the card’s magnetic stripe data, which can be used to create counterfeit cards or to make fraudulent purchases.
In addition to skimmers, fraudulent actors may also use small cameras or overlays that fit over the ATM or payment-terminal keypad to capture the customer’s PIN. This information is then used with the stolen card data to make unauthorised withdrawals or purchases.
How to prevent it:
Skimming can be difficult to detect, since the skimming devices are often small and inconspicuous – but it’s not impossible. There are signs that can indicate the presence of a skimming device, such as loose or damaged card readers, unusual or extra devices attached to the payment terminal, or devices that look different from other payment terminals in the area. 
To protect against skimming, be cautious when using payment terminals and ATMs, and inspect the device for any signs of tampering. Covering the keypad when entering a PIN can also help protect against camera-based skimming.
Regularly monitor bank and credit card statements for any suspicious transactions and report any suspected skimming to the bank or payment card issuer as soon as possible.
Paying with digital wallets or EMV chip-enabled cards can also protect against skimming, as this technology is more secure than magnetic stripe cards. Making sure your business is set up to accept these secure payment methods is a powerful safeguard against skimming.
Identity theft
What it is:
Identity theft is a type of payment fraud where a fraudulent actor steals a person’s personal information – such as their name, Social Security number, or credit card number – and uses it to make unauthorised purchases or open accounts in the victim’s name. Identity theft can have serious financial and legal consequences for the victim and cause significant stress and anxiety.
Identity theft is an umbrella term that describes a number of fraud tactics. For example, phishing attacks are one type of identity theft. Data breaches, where a hacker gains access to a company’s database and steals personal information on a large scale, are also identity theft. Other methods of identity theft include stealing mail, dumpster diving, or stealing wallets or purses. Once a fraudulent actor has obtained a person’s personal information, they can use it to open new credit card accounts, apply for loans, or even file false tax returns.
How to prevent it:
To prevent identity theft, businesses can take a number of steps. First, ensure that customer data is stored securely, using encryption and other security measures to prevent unauthorised access. Businesses should limit access to customer data only to those employees who need it for their jobs and require strong passwords and multifactor authentication for all accounts and systems that contain customer data.
Employee training is important for preventing identity theft, and it should include security best practices such as how to identify phishing emails and create strong passwords.
Monitoring customer accounts for suspicious activity, such as unauthorised log-ins or changes to account information, can help businesses detect identity theft early and reduce the damage. Choosing the right payments tech stack can stop fraud detection and prevention from draining time and resources. Stripe Radar is sophisticated technology for fraud detection and prevention that is built into all Stripe payment products, including Terminal.
Finally, businesses should have a plan in place for responding to data breaches, including notifying affected customers and offering identity-theft-protection services.
Chargeback fraud
What it is:
Chargeback fraud – also referred to as “friendly fraud” – occurs when a customer disputes a legitimate transaction, claiming either they did not make the purchase themselves or that they did not receive the product or service they paid for. In some cases, the customer may receive a refund while keeping the product or service, resulting in a financial loss for the business. Chargeback fraud can have significant financial consequences for businesses: they may lose the revenue from the sale and be subject to chargeback fees and penalties.
There are a few different ways that chargeback fraud can occur. The most common method is when a customer makes a legitimate purchase but later disputes the charge with their credit card company, claiming that the item was not as described or that they never received it. Another method is when a customer intentionally uses a stolen credit card to make a purchase and then disputes the charge as unauthorised.
How to prevent it:
To protect against chargeback fraud, businesses should verify the identity of the customer and ensure that they are the rightful owner of the credit card used to make the purchase. This can include requiring a signature or CVV code for card-not-present transactions, or implementing fraud-detection tools such as address verification or IP geolocation. Businesses should also have a clear refund and return policy and a process for handling chargeback disputes. Businesses should maintain clear records of all transactions, including receipts, shipping information, and customer communications, in case they need to provide evidence in a chargeback dispute.
Business email compromise
What it is:
Business email compromise (BEC) is a type of payment fraud where emails trick employees into transferring money to fraudulent accounts. In a BEC scam, fraudulent actors gain access to a business email account, often through phishing or social-engineering tactics, and use it to send emails to employees or vendors requesting wire transfers or other payments. 
BEC scams can take many forms. Often they involve a fraudulent actor who impersonates a high-level executive or vendor and requests an urgent payment or transfer. The email may look legitimate, using the company’s branding and a familiar email address. But if the employee follows the directions in the email, they will transfer the money to a bank account controlled by the fraudulent actors.
BEC scams can be difficult to detect, as they often involve social-engineering tactics that exploit human trust in authority. However, there are some signs that point to a BEC scam, such as:
- Urgent requests for payment
- Unusual payment instructions
- Emails that contain unusual grammar or spelling errors
How to prevent it:
Protecting against BEC involves many of the same tactics and best practices that businesses should already be using to safeguard against other types of fraud. Educate employees on how to recognise and report suspicious emails and implement strong email security protocols, such as two-factor authentication and encryption. 
Businesses should also have a clear payment-approval process that includes verifying payment instructions through a secondary channel, such as a phone call or in-person conversation. It’s good practice to have a clear playbook for internal requests, particularly if they involve moving money.
Finally, as with all fraud, it’s important to regularly monitor bank accounts for suspicious activity and to have a plan in place for responding to a BEC scam, including contacting law enforcement and notifying customers or partners who may have been affected.
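The warning signs listed above (urgent payment requests, unusual payment instructions) and the secondary-channel verification step can be turned into a simple screening rule for inbound payment requests. The following is an added example, not code from Stripe or the original article; the reply-to and lookalike-domain checks, the keyword lists and the sample messages are constructed assumptions.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed keyword patterns; tune these for your own mailbox (assumption).
URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(pay|payment|wire|transfer|invoice)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|iban)\b", re.I)


@dataclass
class Email:
    from_addr: str
    reply_to: str
    subject: str
    body: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def bec_flags(msg: Email, company_domain: str) -> list[str]:
    """Return the BEC warning signs found in one message (empty list if none)."""
    flags = []
    text = f"{msg.subject}\n{msg.body}"
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment request")
    if PAYMENT_CHANGE.search(text):
        flags.append("changed payment instructions")
    from_dom, reply_dom = _domain(msg.from_addr), _domain(msg.reply_to)
    if reply_dom != from_dom:
        flags.append("reply-to domain differs from sender")
    # Lookalike check: close to, but not equal to, the real company domain.
    similarity = difflib.SequenceMatcher(None, from_dom, company_domain).ratio()
    if from_dom != company_domain and similarity > 0.8:
        flags.append("lookalike sender domain")
    return flags


def requires_out_of_band_verification(msg: Email, company_domain: str) -> bool:
    """Hold the request for a phone call / in-person check when any sign is present."""
    return bool(bec_flags(msg, company_domain))


# Constructed sample messages, not real mail.
SUSPICIOUS = Email("ceo@examp1e.com", "ceo.office@gmail.com", "Urgent wire transfer",
                   "Please wire $48,000 today to our new bank account, details attached.")
ROUTINE = Email("accounts@example.com", "accounts@example.com", "Invoice 1042",
                "Attached is the invoice for March, due in 30 days.")
```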
Card-not-present fraud
What it is:
Card-not-present (CNP) fraud is a type of payment fraud that occurs when a fraudulent actor uses stolen credit card information to make purchases without physically presenting the card, usually online or over the phone. CNP fraud has become increasingly common with the rise of e-commerce, and it can have significant financial consequences for businesses, which may be liable for chargebacks or fraudulent purchases.
CNP fraud usually occurs when a fraudulent actor obtains stolen credit card information through data breaches or other means and uses that information to make unauthorised purchases online. Another method is when a fraudulent actor uses social-engineering tactics, such as phishing, to obtain the card information directly from the victim.
How to prevent it:
To protect against CNP fraud, businesses can take several steps, including:
- Using fraud-detection tools, such as address verification or IP geolocation, to verify the identity of the customer and detect suspicious activity
- Implementing strong authentication protocols, including two-factor authentication and tokenisation, to protect card information
- Maintaining clear, accessible records of all transactions, including shipping information and customer communications, in case of chargeback disputes
- Creating a thorough refund and return policy that is clearly communicated to customers, as well as a process for handling chargebacks and fraudulent transactions
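The first two points above (address verification, IP geolocation, stronger authentication signals) can be combined into a per-transaction risk score that decides whether to approve, review or block a card-not-present order. This is an added example, not Stripe Radar or any code from the original article; the result codes, weights, thresholds and sample transactions are constructed assumptions, and the velocity counter is in-memory only for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transaction:
    card_fingerprint: str   # token or hash of the card, never the raw number (assumption)
    amount: float
    billing_country: str    # from the billing address the customer entered
    ip_country: str         # from IP geolocation of the session
    avs_result: str         # constructed codes: "match", "partial", "mismatch", "unavailable"
    cvc_result: str         # constructed codes: "pass", "fail", "unavailable"


class CnpScreen:
    """Rule-based CNP fraud screen: higher score means more suspicious."""

    def __init__(self, velocity_limit: int = 3, high_amount: float = 1000.0):
        self.attempts = defaultdict(int)      # card_fingerprint -> attempts seen
        self.velocity_limit = velocity_limit
        self.high_amount = high_amount

    def score(self, tx: Transaction) -> tuple[int, list[str]]:
        score, reasons = 0, []
        if tx.avs_result == "mismatch":
            score += 40; reasons.append("AVS mismatch")
        elif tx.avs_result == "partial":
            score += 15; reasons.append("AVS partial match")
        if tx.cvc_result == "fail":
            score += 40; reasons.append("CVC check failed")
        if tx.ip_country != tx.billing_country:
            score += 25; reasons.append("IP country differs from billing country")
        self.attempts[tx.card_fingerprint] += 1
        if self.attempts[tx.card_fingerprint] > self.velocity_limit:
            score += 30; reasons.append("card velocity limit exceeded")
        if tx.amount > self.high_amount:
            score += 10; reasons.append("high amount")
        return score, reasons

    def decide(self, tx: Transaction) -> str:
        score, _ = self.score(tx)
        if score >= 60:
            return "block"
        return "review" if score >= 30 else "approve"


# Constructed sample transactions.
CLEAN = Transaction("fp_a", 45.00, "GB", "GB", "match", "pass")
ODD = Transaction("fp_b", 120.00, "GB", "DE", "partial", "pass")
BAD = Transaction("fp_c", 1500.00, "US", "NG", "mismatch", "fail")
```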
Benefits of fraud protection
Fraud protection measures can provide businesses with peace of mind, protect their financial assets and customer data, enhance their reputation with customers and increase their compliance with regulations. But the benefits don't stop there. Here's an overview of the key benefits that businesses can gain from implementing fraud protection measures:
- Protection of financial assets: Fraud protection helps to keep a business's financial assets safe. Payment fraud can be costly in isolated incidents, but as companies grow, the potential for fraud at scale can pose an even greater threat. By implementing fraud protection measures, businesses can reduce their risk of financial loss and plan for the future more reliably.
- Protection of customer data: Businesses aren't just protecting themselves when they invest in strong fraud detection and prevention measures, they're also safeguarding their customers. Payment fraud often involves the theft of customer data, such as credit card numbers and personal information. By implementing fraud protection measures, businesses can protect their customers' data and build customer trust and loyalty.
- Chargeback mitigation: For businesses, chargebacks not only result in lost revenue and merchandise, but also in additional fees and penalties – not to mention the lost time and energy spent sorting everything out. Fraud protection measures can prevent chargebacks by detecting and preventing fraudulent transactions and by surfacing chargeback trends and vulnerabilities.
- Maintenance of reputation and customer loyalty: Taking every possible step to minimise fraud enhances customers' trust in the business. Even isolated occurrences of payment fraud can damage a business's reputation, sometimes irreparably. By implementing fraud protection measures, businesses are demonstrating their commitment to security. This is particularly true for platforms and marketplaces, as their customers have their own customers (and reputations) on the line.
- Compliance with regulations: Many industries are subject to regulatory requirements for data security and privacy. By implementing fraud protection measures, businesses can comply with these regulations and avoid fines and penalties.
Luckily, strong fraud protection comes as standard with most modern hardware and software solutions for accepting and processing payments, tracking customer orders and managing a company's financial data, including those offered by Stripe. It generally costs less to implement these measures than to pay the potential costs of payment fraud.
For more information about how Stripe Radar protects Stripe products by using data from millions of global companies to intelligently combat fraud on every channel, you can start here.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.
