10 common types of payment fraud + prevention tips for eCommerce

December 14, 2023

eCommerce losses associated with payment fraud alone are forecast to rise by 17% to $48 billion in 2023. As the costs of payment fraud skyrocket, its forms are expanding and becoming harder to prevent and protect against, since payment fraud can occur not just during the transaction but before and after the buying process. 

This article dives into the world of payment fraud and explains ten of the most common types of payment fraud merchants and consumers need to be aware of as they conduct business online globally. We'll also offer some prevention strategies for online merchants and businesses to implement to help make preventing payment fraud a more successful initiative.

What is payment fraud?

Online payment fraud involves the unauthorized use of financial information to conduct fraudulent online transactions. 

More specifically, it involves fraudsters employing various techniques to illegitimately access an individual's or business's financial data, including credit card details, bank account information, usernames, passwords, and other personally identifiable information (PII). Once in possession of this information, the fraudsters can conduct unauthorized transactions until they are detected.

10 Common Types of Payment Fraud

While the overall idea of payment fraud is straightforward, fraudsters obtain financial data and carry out payment fraud scams in several ways. We will discuss ten of the most common payment fraud methods in online transactions. 

Buy Now Pay Later (BNPL) Fraud

While phishing scams and synthetic identity fraud, discussed later in this article, affect buy now, pay later providers, one of the most common types of BNPL fraud is costly account takeovers. Fraudsters will either obtain accurate login information or brute-force their way into the accounts of buy now, pay later customers to take advantage of pre-approved credit and stored payment information. 

Chargeback fraud

Credit card transaction disputes, also known as credit card chargebacks, can be costly in time and money for merchants if chargebacks are successful. Chargebacks happen when the customer files a transaction dispute with the payment processor. Sometimes, chargebacks are for legitimate reasons, such as undelivered merchandise or a fraudulent merchant. 

However, there are a few cases in which chargebacks succeed even though they are filed with malicious or fraudulent intent:

Friendly fraud

Friendly fraud is a type of credit card chargeback fraud in which the actual customer disputes a genuine transaction by giving a false reason, such as claiming the merchandise was not as described or was never delivered. 

Return fraud

Return fraud happens when customers or fraudsters abuse merchant return policies for their own personal gain. Return fraud can occur in many forms, including fraudsters purchasing goods using stolen credit cards and requesting a return in cash to keep the money from the stolen credit card. 

We published a credit card chargeback guide for merchants on how individual payment processors, like Shopify, Paypal, and Stripe, handle credit card chargeback requests and how merchants can protect themselves from fraudulent chargebacks.

Card cracking or card testing

Credit card cracking or card testing occurs when fraudsters test credit card details on eCommerce sites. They typically validate obtained details or try different combinations of partial information to uncover full card details. Fraudsters often purchase batches of credit card details from the dark web for testing. They move on to the next if they can't crack a card.

For example, they might have a credit card number but not its expiration date. Therefore, it becomes a process of elimination as they attempt various dates until they correctly identify the expiration.

Gift Card Fraud

Gift card fraud is a favored payment fraud method because of the security flaws of gift cards and their suitability for anonymity. Fraudsters can use a few different techniques to obtain gift cards in nefarious ways, including social engineering, gaining unauthorized access to accounts via account takeover, or getting a refund for goods purchased with stolen credit cards issued onto a gift card. 

Online identity theft

Online identity theft involves the unauthorized acquisition and use of personal data. This stolen data can include names, passwords, banking details, or credit card numbers used to commit future payment fraud.

The process starts when the fraudster uses various techniques to gather sensitive information. These methods can range from traditional phishing emails and malware attacks to more advanced strategies like man-in-the-middle attacks, where the hacker intercepts communication between two parties.

Once the attacker obtains the personal data, they can use it for numerous fraudulent activities. These activities may involve making unauthorized purchases, opening new lines of credit, or filing tax returns in the victim's name, all done without the victim's knowledge. The consequences extend beyond financial loss. Victims may suffer damage to their reputation, particularly if the identity theft results in criminal records. The recovery process can be lengthy, challenging, and stressful.

Synthetic identity fraud

A recent evolution of identity theft includes creating a brand new identity from bits and pieces of legitimate sensitive information. Synthetic identity fraud occurs when the perpetrator creates a fictitious identity with false information. They may use stolen Social Security numbers or other personally identifiable information (PII) to create a unique profile that looks like an actual person.

P2P (Peer-to-Peer) Payment Fraud

P2P payment fraud has grown over the last few years with the rise of P2P services such as Venmo, Zelle, and Chase Quick Pay. Card cracking, money muling, and fake billing sites or customer service contacts can all contribute to peer-to-peer payment fraud. 

Pagejacking or SEO Phishing

Pagejacking, derived from "page" and "hijacking," is an online fraud technique. It involves copying a web page from a legitimate site and duplicating it on a fraudulent site. The aim is to divert internet traffic from the genuine site to the counterfeit one, leading to harmful outcomes like stolen payment information, which may be used for future fraud attempts.

This practice is also known as search engine phishing or SEO phishing.

Fraudsters exploit search engine indexing processes to make their counterfeit pages look legitimate. They incorporate popular keywords into their cloned web pages to manipulate search engine algorithms, thus improving their ranking in search results. Unsuspecting users who click on these manipulated results are redirected to the fraudulent site.

If their counterfeit pages successfully deceive visitors, they might capture legitimate personally identifiable information (PII), like payment or contact details. The fraudsters can then use this information to conduct fraudulent transactions on other legitimate sites, causing significant problems for victims and merchants.

Phishing

Phishing can take several forms, including email, social media, or targeted phishing scams like whale phishing and spear phishing.

Typically, online phishing involves an unsuspecting individual being contacted by either a stranger or a known contact whose account has been compromised. They receive a message containing a website URL that resembles a legitimate site, such as a bank or online retailer, asking for sensitive details like credit card information. If the phishing attempt is successful, the fraudster can use the stolen details to make fraudulent transactions on other web pages.

SMS and mobile payment fraud

According to Security Magazine, mobile banking fraud rates increased in 2023, with many fraudsters targeting mobile applications with bot attacks for their fraudulent payment attempts. The term "mobile payment fraud" can refer to various tactics, depending on the scope of the fraud.

For instance, mobile payment fraud can manifest as SMS fraud, which involves phishing for sensitive information or running an SMS pumping scam. In such scams, fraudsters abuse two-factor authentication (2FA) and one-time password (OTP) mechanisms in mobile apps and websites to generate fake SMS traffic to premium-rate numbers.

Fraudsters can also use SMS for another type of fraud called "smishing." Smishing is a phishing attack over text messages (SMS) instead of email. In these attacks, culprits pose as trustworthy entities like banks or government agencies and aim to lure victims into clicking on malicious links or sharing sensitive information. Like phishing emails, these messages are sent via text and often contain malicious URLs.

Triangulation Fraud 

As discussed in our triangulation fraud article, triangulation fraud, also known as a triangular scam, is a complex form of eCommerce fraud. It involves three main parties: a legitimate customer, a scammer posing as a middleman, and a genuine eCommerce website. This fraud typically occurs in card-not-present (CNP) transactions.

In this situation, an unsuspecting customer buys a product from an online marketplace, which is unknowingly controlled by a fraudster. The fraudster then uses stolen card information to purchase the identical product from a legitimate eCommerce site, which is then directly shipped to the customer. This fraudulent scheme generates a complex layer of deception, making it difficult to detect and prevent.

How to prevent common types of payment fraud

Businesses only control their own website and processes, so preventing attacks like email phishing and SEO phishing is generally out of their hands. However, we recommend a few prevention techniques that stop stolen or fraudulent information from being used during the transaction process or elsewhere in the customer journey. 

Use a reputable payment processor 

As an online eCommerce merchant processing sensitive customer payment information, using a reputable payment processor and system is a baseline for operating an online store in today's environment. Failure to do so can result in encountering several of the above types of payment fraud regularly. Unsecured payment systems are a target for cybercriminals who can exploit weak defenses to steal sensitive information, such as credit card numbers and bank account details.

Regularly monitor and audit transactions

Effective transaction monitoring begins with establishing clear protocols. These should define normal and abnormal transaction behavior based on historical data and industry benchmarks. Automated monitoring protocols can then be set up to alert the security team whenever a transaction falls outside the defined parameters.

High-risk transactions

High-risk transactions, such as those involving large amounts or originating from high-risk locations, require special attention. These transactions should be flagged for manual review, allowing a trained analyst to assess their legitimacy.

Routine audits

Routine audits are another essential practice. Audits involve a comprehensive review of transaction records, looking for patterns or trends that automated systems may miss, including repeated attempts at small transactions (a common sign of card testing) or a sudden increase in transactions from a particular location.
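The monitoring and audit steps above (a baseline of normal behaviour from historical data, flagging of large or high-risk-location transactions for manual review, and audits for clustered small transactions or a sudden jump in traffic from one location) can be expressed as a small rule engine. The following Python is an added example written for this article, not code from the original page or from any vendor; the transaction records, thresholds, the `HIGH_RISK_COUNTRIES` list and the "new country with a material share" heuristic are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    ts: datetime
    amount: float   # settlement-currency amount
    country: str    # ISO 3166-1 alpha-2 code of the billing / IP country
    source: str     # client IP or device identifier
    approved: bool  # declined attempts still count for card-testing detection


# Constructed policy list: locations this hypothetical merchant treats as high risk.
HIGH_RISK_COUNTRIES = {"XX", "YY"}


def amount_threshold(history, z=3.0):
    """'Normal' amount ceiling derived from historical data: mean + z std devs."""
    amounts = [t.amount for t in history]
    return mean(amounts) + z * pstdev(amounts)


def flag_for_manual_review(transactions, threshold):
    """Map tx_id -> reasons for every transaction outside the defined parameters."""
    flagged = {}
    for t in transactions:
        reasons = []
        if t.amount > threshold:
            reasons.append("amount_above_baseline")
        if t.country in HIGH_RISK_COUNTRIES:
            reasons.append("high_risk_country")
        if reasons:
            flagged[t.tx_id] = reasons
    return flagged


def detect_card_testing(transactions, max_amount=5.0,
                        window=timedelta(minutes=10), min_count=5):
    """Sources making >= min_count small-value attempts inside any `window`."""
    by_source = defaultdict(list)
    for t in transactions:
        if t.amount <= max_amount:
            by_source[t.source].append(t.ts)
    suspects = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):  # sliding window over timestamps
            while t_end - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                suspects.add(src)
                break
    return suspects


def detect_location_spike(history, recent, factor=3.0, new_country_min_share=0.2):
    """Countries whose share of recent traffic is `factor`x their historical share,
    or countries absent from history that suddenly carry a material share."""
    def shares(txs):
        counts = defaultdict(int)
        for t in txs:
            counts[t.country] += 1
        return {c: n / len(txs) for c, n in counts.items()}
    hist, now = shares(history), shares(recent)
    spikes = set()
    for country, share in now.items():
        baseline = hist.get(country, 0.0)
        if baseline == 0.0:
            if share >= new_country_min_share:  # constructed heuristic
                spikes.add(country)
        elif share / baseline > factor:
            spikes.add(country)
    return spikes


def monitor(history, recent):
    """Run all three checks and return the audit report."""
    return {
        "manual_review": flag_for_manual_review(recent, amount_threshold(history)),
        "card_testing_sources": detect_card_testing(recent),
        "location_spikes": detect_location_spike(history, recent),
    }


def sample_data():
    """Constructed records: a quiet history, then a batch containing three anomalies."""
    t0 = datetime(2023, 12, 1, 9, 0, 0)
    hist_amounts = [45, 52, 48, 60, 55, 50, 47, 53, 49, 51]
    hist_countries = ["US"] * 6 + ["GB"] * 3 + ["DE"]
    history = [Transaction(f"h{i}", t0 + timedelta(hours=i), a, c, f"198.51.100.{i}", True)
               for i, (a, c) in enumerate(zip(hist_amounts, hist_countries))]
    t1 = datetime(2023, 12, 14, 12, 0, 0)
    recent = [Transaction("r1", t1, 58.0, "US", "203.0.113.10", True),
              Transaction("r2", t1 + timedelta(minutes=1), 2000.0, "US", "203.0.113.11", True),
              Transaction("r3", t1 + timedelta(minutes=2), 49.0, "XX", "203.0.113.12", True)]
    # six $1.00 attempts from one IP within 2.5 minutes, mostly declined: card testing
    recent += [Transaction(f"r{4 + i}", t1 + timedelta(seconds=30 * i), 1.0, "US",
                           "192.0.2.7", i == 5) for i in range(6)]
    # three orders from a country that never appears in the history
    recent += [Transaction(f"r{10 + i}", t1 + timedelta(minutes=5 + i), 55.0, "FR",
                           f"203.0.113.{20 + i}", True) for i in range(3)]
    return history, recent


if __name__ == "__main__":
    print(monitor(*sample_data()))
```

On the sample batch the report sends `r2` (amount far above the historical mean plus three standard deviations) and `r3` (high-risk country) to manual review, names `192.0.2.7` as a card-testing source because it made six sub-$5 attempts inside one ten-minute window, and reports `FR` as a location spike. The thresholds are deliberately parameters: in practice they come from the merchant's own historical data and industry benchmarks, and the checks would run per merchant, per currency.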

Consider reliable and accurate visitor identification

Identifying website visitors is also an important strategy to prevent payment fraud before it has a chance to occur. By understanding when users attempt to conceal their identity, websites can better flag visitors as potentially fraudulent. From there, a detailed analysis can help identify the root cause and prevent future occurrences. This might involve reviewing user behavior, IP addresses, device information, and other relevant data.