According to eMarketer’s Global eCommerce Forecast 2022, e-commerce sales are expected to reach €6.6 trillion by 2025. In the shadows of explosive e-commerce growth and with the emergence of new payment methods, fraudsters continuously invent new schemes to profit from financial crimes, by searching for the weakest link in the online payments ecosystem. Over the next ten years, fraud losses will collectively amount to €393 billion. PwC Ireland’s recent Global Economic Fraud Survey revealed that 46% of all surveyed organizations had fallen victim to some form of fraud during the past two years. Within the wider Eurozone, the European Central Bank’s 7th Report on Card Fraud revealed that cross-border fraud within SEPA tops the charts of card fraud. Apart from being cross-border, most card fraud cases in the EU consist of online payment transaction; transactions where cards are not physically present (Card-Not-Present: CNP) during the time of purchase. In Ireland, CNP Fraud represents a record 91% of all reported Card Fraud cases; the highest percentage in the entire SEPA region.
Card-Not-Present Fraud Schemes
CNP Fraud schemes can be categorized as 1st party-, 2nd Party and 3rd Party Fraud. In the first case, the card owners lie about personal data, credit, delivery, etc. Chargeback Fraud or Synthetic ID Theft are perfect examples of 1st Party Fraud.
In the second case, a corrupt card holder lends out his/her card details to a fraudster or a criminal gang and willfully allows his/her personal data to be used to commit financial crime.
In the third case, a victim’s personal data and card details are abused for the purpose of financial crime. Such is the case with ID Theft or Account Take-Over.
Chargebacks or "Friendly Fraud"
The possibility of filing a chargeback was created to protect customers from fraud. Most consumers file disputes because unauthorized transactions were made with their credit card. Sometimes, the product, service, or delivery they paid for doesn’t meet their expectations, or they are being charged for a service after they cancelled their subscription.
There’s nothing “friendly” about Chargeback Fraud. Consumers who willingly submit false chargeback claims cost merchants hundreds of millions each year and legitimate and fraudulent chargeback figures are rising.
One of the most common schemes is ID Theft. Fraudsters steal legitimate card details that are being sold to the highest bidder; on criminal marketplaces, on the Darknet. Criminals use malware and hack databases, or they target card owners and “phish” their personal data via malicious emails, phone- and social media scams.
Last May, 2022 the Bank of Ireland warned the public to be extra vigilant for fraud, as hundreds of thousands bank accounts are moved from Ulster Bank and KBC to other financial institutions. Consumers should expect an increase in scam calls, texts, and emails, as fraudsters will try to take advantage to steal personal data.
Synthetic Identity Theft
Fraudsters create non-existing identities, often a compilation of real data, blended into a new ‘persona’. Credit accounts are opened and transactions are carried out. When a merchant finally realizes that the buyer isn’t who he/she claims to be, the damage is done. This emerging fraud scenario is hard to detect without the right risk management technology in place. Synthetic identity fraud is the fastest growing financial crime in the United States.
This is a form of ID Theft, but in this case the victim is unaware that his/her account is being hijacked and modifications are made (change password, add user, modify Personally Identifiable Information/PII, and order a new card.) The card holder only realizes the breach, once the fraudsters are “in”. Account take-over has far-reaching consequences for the cardholder and all the companies related to the cardholder, because in most cases a mobile phone, an email or password give the fraudster access to multiple accounts.
Social Engineer Fraud
Social Engineering Fraud is on the rise. Money Laundering mules collaborate with fraudsters or criminal gangs, lending out their legitimate card details to commit financial crime. This is called Social Engineering Fraud. The card holder gains part of the profit, but once caught, the mule is blacklisted and risks heavy fines and jail-time.
Illegitimate merchants sell illegal products or services, by using a legitimate merchant as a mule. The legit merchant may be a willfully blind collaborator or a victim. These fraudulent merchants know that they will not pass KYC/AML safety procedures, hence they hide behind third-party legitimate merchant accounts to process payments. This type of fraud is extremely hard to detect without the right automated risk management solutions in place.
Merchants should partner with a Payment Processor that offers:
- 3D Secure 2.0 Secure Customer Authentication in compliance with PSD2.
- Velocity settings that are customizable to meet merchant’s needs (Limiting the number of purchases from an card, IP, email address)
- CVV2 verification and AVS checks
- Negative database checks
- Regular review of affiliate activity to detect potential abuse
- A team of Risk experts, dedicated to work directly with merchants on custom fraud settings, including direct contact for merchants who suspect suspicious transactions.
New, sophisticated fraud schemes are emerging in the shadow of growing ecommerce. Merchants can protect their business by partnering with a payment processor that offers integrated Regtech- empowered risk management solutions. Basic KYC/AML Customer Due Diligence may not be enough. Risk assessments must be made, based on automated risk calculations. This includes sanction list screening before and transaction monitoring after customer onboarding. CNP fraud can be detected and prevented by using systems with rule- and risk-based fraud scoring programs to verify the customer’s card numbers, (mobile) geo-location and through CVV and AVS checks. Customers must be screened on a potential history of suspicious activities. Abnormal patterns can be detected in time and save merchants from avoidable financial losses. Transaction velocity limits and duplicate subscription restrictions allow merchants to stay on top of customers’ payment transactions and mitigate risk. Regtech empowered payment processing protects merchants from both financial and reputational damage.