Six types of payment fraud—and how businesses can prevent them


Payment fraud can threaten business finances and customer privacy, and fighting it requires defensive solutions that are sophisticated and flexible. There are many different forms of payment fraud—from the theft of credit card numbers from an unprotected card reader to malicious fake emails. Businesses estimate that 3% of their total ecommerce revenue is lost to fraud each year.

Payment fraud is a major threat. But by using a number of effective defense tactics, businesses can mitigate it. Here’s what you need to know about common types of payment fraud, how they work, and what you can do to protect yourself, your business, and your customers.

What’s in this article?

  • What is payment fraud?
  • Types of payment fraud
  • Benefits of fraud protection
  • How Stripe Radar can help

What is payment fraud?

Payment fraud is a type of financial fraud that involves the use of false or stolen payment information to obtain money or goods. Payment fraud can occur in a variety of ways, but it often includes fraudulent actors stealing credit card or bank account information, forging checks, or using stolen identity information to make unauthorized transactions.

Types of payment fraud

There are several methods that fraudulent actors use to commit payment fraud. Here are some of the most common tactics:

1. Phishing

What it is:

Phishing is a type of social-engineering attack, a tactic that deceives people through psychological manipulation. In a phishing attack, fraudulent actors use emails, text messages, or websites to trick individuals into disclosing sensitive information such as login credentials and credit card information.

Phishing attacks are usually carried out through emails that look like they are from a trusted source, such as a bank or reputable online retailer. The email may ask the recipient to click on a link to update their account information, verify a recent transaction, or claim a prize. When the recipient clicks the link, they are directed to a fake website where they are prompted to enter their login credentials, credit card information, or other sensitive data.

Phishing attacks can also be carried out through text messages, known as “smishing,” or through social media platforms, known as “pharming.” In these cases, the attacker sends a message or a link to a fraudulent website that appears to be legitimate, in order to steal personal information or infect the device with malware.

How to prevent it:

To protect against phishing attacks, be cautious when clicking links or opening attachments from unknown or suspicious sources. Stay alert for common tactics used by fraudulent actors, such as urgent or threatening language, misspelled words, or suspicious links. Using antivirus software can also help protect against phishing attacks.

As with other types of payment fraud, phishing scams tend to evolve over time, becoming more advanced and legitimate-looking. Individuals and businesses should educate themselves and their employees about phishing and how to recognize and avoid these types of attacks.

2. Skimming

What it is:

Skimming occurs when a fraudulent actor uses a device, called a skimmer, to steal credit or debit card information. The fraudulent actor attaches a skimmer to a card reader at ATMs or point-of-sale terminals such as gas pumps, self-checkout lanes, and other payment terminals. The skimmer captures the card’s magnetic stripe data, which can be used to create counterfeit cards or to make fraudulent purchases.

In addition to skimmers, fraudulent actors may also use small cameras or overlays that fit over the ATM or payment-terminal keypad to capture the customer’s PIN. This information is then used with the stolen card data to make unauthorized withdrawals or purchases.

How to prevent it:

Skimming can be difficult to detect, since the skimming devices are often small and inconspicuous. But it is possible to stop these attacks. There are signs that can indicate the presence of a skimming device, such as loose or damaged card readers, unusual or extra devices attached to the payment terminal, or devices that look different from other payment terminals in the area.

To protect against skimming, be cautious when using payment terminals and ATMs, and inspect the device for any signs of tampering. Covering the keypad when entering a PIN can also help protect against camera-based skimming.

Monitor bank and credit card statements regularly for any suspicious transactions and report any suspected skimming to the bank or payment card issuer as soon as possible.

Paying with digital wallets or EMV chip–enabled cards can also protect against skimming, as this technology is more secure than magnetic stripe cards. Making sure your business is set up to accept these secure payment methods is a powerful safeguard against skimming.

3. Identity theft

What it is:

Identity theft is a type of payment fraud where a fraudulent actor steals a person’s personal information—such as their name, Social Security number, or credit card number—and uses it to make unauthorized purchases or open accounts in the victim’s name. Identity theft can have serious financial and legal consequences for the victim.

Identity theft is an umbrella term that describes a number of fraud tactics. For example, phishing attacks are one type of identity theft. Data breaches, where a hacker gains access to a company’s database and steals personal information on a large scale, are also identity theft. Other methods of identity theft include stealing mail, dumpster diving, or stealing wallets or purses. Once a fraudulent actor has obtained a person’s personal information, they can use it to open new credit card accounts, apply for loans, or even file false tax returns.

How to prevent it:

To prevent identity theft, businesses can take a number of steps. First, ensure that customer data is stored securely, using encryption and other security measures to prevent unauthorized access. Businesses should limit access to customer data only to those employees who need it for their jobs, and require strong passwords and multifactor authentication for all accounts and systems that contain customer data.

Employee training is important for preventing identity theft, and it should include security best practices such as how to identify phishing emails and create strong passwords.

Monitoring customer accounts for suspicious activity, such as unauthorized logins or changes to account information, can help businesses detect identity theft early and reduce the damage. Choosing the right payments tech stack can stop fraud detection and prevention from draining time and resources. Stripe Identity, for example, allows businesses to programmatically confirm the identity of global users.

Finally, businesses should have a plan in place for responding to data breaches, including notifying affected customers and offering identity-theft-protection services.

4. Chargeback fraud

What it is:

Chargeback fraud occurs when a customer disputes a legitimate transaction, claiming either they did not make the purchase themselves or that they did not receive the product or service they paid for. In some cases, the customer may receive a refund while keeping the product or service, resulting in a financial loss for the business. Chargeback fraud can have significant financial consequences for businesses: they may lose the revenue from the sale and be subject to chargeback fees and penalties.

There are a few different ways that chargeback fraud can occur. The most common method is when a customer makes a legitimate purchase, but later disputes the charge with their credit card company, claiming that the item was not as described or that they never received it. Another method is when a customer intentionally uses a stolen credit card to make a purchase, and then disputes the charge as unauthorized.

How to prevent it:

To protect against chargeback fraud, businesses should verify the identity of the customer and ensure that they are the rightful owner of the credit card used to make the purchase. This can include requiring a signature or CVV code for card-not-present transactions, or implementing fraud detection tools such as address verification or IP geolocation. Businesses should also have a clear refund and return policy, and a process for handling chargeback disputes. Businesses should maintain clear records of all transactions, including receipts, shipping information, and customer communications, in case they need to provide evidence in a chargeback dispute. Stripe Radar, a sophisticated technology for fraud detection and prevention that is built into Stripe payment products, can simplify chargeback fraud prevention.
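
The checks named above (CVV, address verification, IP geolocation) can be combined into one screening step that runs before an order is fulfilled. The following is an added example, not code from Stripe and not how Radar works; the field names, weights, and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    """One card-not-present order. Field names are hypothetical."""
    order_id: str
    amount_cents: int
    cvv_check: str      # "pass", "fail" or "unavailable"
    avs_check: str      # postal-code match: "pass", "fail" or "unavailable"
    card_country: str   # issuing country of the card
    ip_country: str     # country from IP geolocation of the checkout request
    ship_country: str   # destination of the shipment

# Assumed weights and thresholds; tune them against your own dispute history.
WEIGHTS = {"cvv_fail": 60, "cvv_missing": 25, "avs_fail": 30,
           "ip_card_mismatch": 20, "ship_card_mismatch": 15, "high_value": 10}
REVIEW_AT, BLOCK_AT = 30, 60
HIGH_VALUE_CENTS = 50_000

def risk_signals(o):
    """List every check on this order that did not come back clean."""
    found = []
    if o.cvv_check == "fail":
        found.append("cvv_fail")
    elif o.cvv_check != "pass":
        found.append("cvv_missing")
    if o.avs_check == "fail":
        found.append("avs_fail")
    if o.ip_country != o.card_country:
        found.append("ip_card_mismatch")
    if o.ship_country != o.card_country:
        found.append("ship_card_mismatch")
    if o.amount_cents >= HIGH_VALUE_CENTS:
        found.append("high_value")
    return found

def screen(o):
    """Return (decision, score, signals) to store with the transaction record."""
    found = risk_signals(o)
    score = sum(WEIGHTS[s] for s in found)
    if score >= BLOCK_AT:
        return "block", score, found
    return ("review" if score >= REVIEW_AT else "allow"), score, found

# Constructed sample orders.
ORDERS = [
    Order("A-1001", 4_500, "pass", "pass", "US", "US", "US"),
    Order("A-1002", 62_000, "pass", "fail", "US", "US", "CA"),
    Order("A-1003", 12_000, "fail", "fail", "GB", "BR", "BR"),
]
```

Storing the returned signals alongside receipts and shipping information keeps the reason for each decision available if the charge is later disputed.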

5. Business email compromise

What it is:

Business email compromise (BEC) is a type of payment fraud where emails trick employees into transferring money to fraudulent accounts. In a BEC scam, fraudulent actors gain access to a business email account, often through phishing or social-engineering tactics, and use it to send emails to employees or vendors requesting wire transfers or other payments.

BEC scams can take many forms. Often they involve a fraudulent actor who impersonates a high-level executive or vendor and requests an urgent payment or transfer. The email may look legitimate, using the company’s branding and a familiar email address. But if the employee follows the directions in the email, they will transfer the money to a bank account controlled by the fraudulent actors.

BEC scams can be difficult to detect, as they often involve social-engineering tactics that exploit human trust in authority. However, there are some signs that point to a BEC scam, such as:

  • Urgent requests for payment
  • Unusual payment instructions
  • Emails that contain unusual grammar or spelling errors
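
A mail filter or accounts-payable inbox can check for the first two signs automatically. The following added example (not code from Stripe) also goes beyond the list with two header checks commonly used for BEC triage: an executive's display name on an outside domain, and a Reply-To that differs from the sender. The company domain, executive name, and keyword lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the company's own mail domain and the display names of
# staff who can authorise payments. Both are hypothetical.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(
    r"\b(wire transfer|new (bank )?account|routing number|payment details)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def bec_signals(raw_email):
    """Return the BEC warning signs found in one plain-text email message."""
    msg = message_from_string(raw_email)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if URGENCY.search(text):
        signals.append("urgent_request")
    if PAYMENT.search(text):
        signals.append("payment_instructions")
    # Familiar name, unfamiliar domain: executive display name on outside mail.
    if display.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        signals.append("executive_name_external_domain")
    # Replies would be routed away from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        signals.append("reply_to_mismatch")
    return signals

def needs_out_of_band_check(raw_email):
    """Hold the request for phone or in-person verification on two or more signs."""
    return len(bec_signals(raw_email)) >= 2

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: Dana Reyes <dana.reyes@examp1e-corp.test>
Reply-To: accounts@payments-desk.test
Subject: Urgent: vendor payment

Please send the wire transfer to the new account today. I am in meetings.
"""
```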

How to prevent it:

Protecting against BEC involves many of the same tactics and best practices that businesses should already be using to safeguard against other types of fraud. Educate employees on how to recognize and report suspicious emails and implement strong email security protocols, such as two-factor authentication and encryption.

Businesses should also have a clear payment-approval process that includes verifying payment instructions through a secondary channel, such as a phone call or in-person conversation. It’s good practice to have a clear playbook for internal requests, particularly if they involve moving money.

Finally, as with all fraud, it’s important to regularly monitor bank accounts for suspicious activity and to have a plan in place for responding to a BEC scam, including contacting law enforcement and notifying customers or partners who may have been affected.

6. Card-not-present fraud

What it is:

Card-not-present (CNP) fraud is a type of payment fraud that occurs when a fraudulent actor uses stolen credit card information to make purchases without physically presenting the card, usually online or over the phone. CNP fraud has become increasingly common with the rise of ecommerce, and it can have significant financial consequences for businesses, which may be liable for chargebacks or fraudulent purchases.

CNP fraud usually occurs when a fraudulent actor obtains stolen credit card information through data breaches or other means, and uses that information to make unauthorized purchases online. Another method is when a fraudulent actor uses social-engineering tactics, such as phishing, to obtain the card information directly from the victim.

How to prevent it:

To protect against CNP fraud, businesses can take several steps, including:

  • Using fraud detection tools, such as Stripe Radar, to detect suspicious activity and block fraudulent transactions
  • Implementing strong authentication protocols, including two-factor authentication and tokenization, to protect card information
  • Maintaining clear, accessible records of all transactions, including shipping information and customer communications, in case of chargeback disputes
  • Creating a thorough refund and return policy that is clearly communicated to customers, as well as a process for handling chargebacks and fraudulent transactions

Benefits of fraud protection

Fraud protection measures can provide businesses with peace of mind, protect their financial assets and customer data, enhance their reputation with customers, and increase their compliance with regulations. Here’s an overview of the key benefits that businesses can gain from implementing fraud protection measures:

  • Safeguards revenue
    Payment fraud can be costly in isolated incidents, but as companies grow, the potential for fraud at scale can pose an even greater threat. By implementing fraud protection measures, businesses can reduce their risk of financial loss and plan for the future in a more reliable way.

  • Protects customer data
    Businesses are protecting more than themselves when they invest in strong measures for fraud detection and prevention—payment fraud often involves the theft of customer data, such as credit card numbers. Fraud protection measures can protect customer data and build customer trust and loyalty.

  • Minimizes chargebacks
    Chargebacks can result in additional fees and penalties, in addition to lost time and energy sorting out the mess. Fraud protection measures can prevent chargebacks by blocking fraudulent transactions and surfacing vulnerabilities.

  • Strengthens your reputation
    Even isolated occurrences of payment fraud can damage a business’s reputation, sometimes irreparably. Fraud protection measures demonstrate a commitment to security, which can go a long way with customers.

  • Keeps you compliant
    Many industries are subject to regulatory requirements for data security and privacy. Implementing fraud protection measures can help with regulatory compliance and avoiding fines.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.

Radar can help your business:

  • Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.

  • Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.

  • Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.

Learn more about Stripe Radar, or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular situation.
