What credit card fraud is and how it can happen

The pandemic has brought about a surge in credit card fraud. Here are the risks to look out for and how you can prevent yourself from falling prey to the criminals.

The pandemic has been tough for many people and businesses. Lockdown disruptions have created unprecedented impact on the economy and enormous disruption to every aspect of life. However, one group of people have been thriving — fraudsters. Fraud of all kinds is booming. 2020 and 2021 were bumper years for financial crime, as criminals found themselves presented with more opportunities than they could count. One of the most damaging and disruptive to daily life is credit card fraud. 

Credit card fraud occurs when someone, somehow, gets access to your credit card, or its details and starts racking up purchases on your account. While many people might think this can only happen when someone actually steals the card from a wallet, attacks are becoming more sophisticated. Many people can find themselves losing thousands of dollars without even knowing it.

The consequences can be severe. Aside from the financial loss involved, it can negatively impact credit ratings if the criminals run your card up to and beyond its limit. Criminals can also use it to undertake more invasive forms of identity theft, and much worse.

Fraud can come in various forms:

• Card skimming: Fraudsters counterfeit or clone a card without a person’s knowledge. This often happens at cashpoints.
• Gaining access to lost or stolen cards: The old-fashioned approach of simply stealing a card and using it. Contactless card technology means thieves can often make small purchases with no checks.
• Phishing: Email and phone phishing can be used to try and obtain card details.
• Creating phony websites: Fraudsters may set up phony websites claiming to sell a service or a product. Some of these are advertised on seemingly reputable platforms such as Facebook. Users input their details but never see a product.

As criminals become more sophisticated in their attacks, they are finding ways to steal card details without the customer realizing there is anything wrong. Often, they only notice a problem when they spot unfamiliar line items on their bank statements or see an unexpected drop in funds.

Related: How to protect your business from credit card fraud

However, in most cases it won’t be the consumer who has to pay when a fraudulent transaction is made. Instead, it will most likely be the card issuer or the merchant due to policies they have known as zero liability. This means that, if someone is the victim of fraud, they will be reimbursed. Even so, the Fair Credit Billing Act limits the personal liabilities of a fraudulent transaction to $50. In most cases, card companies waive these fees, and will instead shoulder the cost themselves and reissue you with a new card.

In most cases, liability will be down to either the merchant or the bank. This will usually depend on whether the fraudulent transaction involved an actual card being presented – in other words, the criminal stole the card and put it into the card reader in the retail store – rather than getting hold of the details and handling the transaction online. Generally speaking, the bank will be more likely to pay for card present transactions while the merchant might get stuck with the cost for the card not present transactions.

With the number of these types of fraud growing hand in hand with the rise of ecommerce, this is creating a headache for merchants. Costs can come in the form of chargebacks, penalty fees, lost products and other measures. 

Here’s what happens when fraud is suspected.

• The customer will spot a transaction they don’t recognise and contact their card issuer.
• The card issuer will issue a temporary refund and will investigate the transaction.
• Disputed funds will be withheld from the merchant until the dispute has been resolved.
• You can either accept the chargeback or dispute it. If it’s the latter, you will have to provide documentation which proves the transaction was genuine, such as receipts and customer correspondence. This can all add to the operational costs to your business.
• The card provider will make a decision. If they find in favor of the customer, the disputed funds will be returned to them.

Chargebacks are becoming an increasingly expensive problem for businesses. Chargebacks represent a $40bn cost to merchants. Costs can be both direct and indirect.

Direct fees can range from $10 to $150 per order and flat rate penalties. Indirect costs may include reversal of transactions, lost products, cost of shipping and processing product returns. You may also have to pay a penalty to the payment processor and, if you have a lot of chargebacks on your account, you may be put into a chargeback monitoring program which will place you under extra scrutiny until chargebacks reach what the payment processor deems to be an acceptable level.  According to the site Chargebacks.com, the direct cost of each $100 worth of chargebacks could amount to $240. With fraud on the rise, these represent a growing threat for businesses.

Credit card fraud is one of the most serious crimes in the US and it’s on the rise. Indeed, experts have often described the USA as being the most prone country to credit card fraud in the world. By the end of 2019, credit card fraud losses had reached $28.65bn worldwide according to a report from Nilson. According to some experts, that had risen to $11bn in the US alone by the end of 2020.

Nearly half of all Americans have had a fraudulent transaction on their account at some point, and one in three have had more than one, according to the annual Credit Card Fraud Report for 2021. The median charge was $62 equating to about $8bn in attempted fraudulent charges on Americans throughout the year.

The pandemic has exacerbated the risks. With lockdown restrictions in force across the US, ecommerce has soared. While consumers had been gradually turning their back on main street and heading to the internet for some time, restrictions saw the web become the main source of shopping for millions of Americans. Even those who had so far avoided the lure of the web were forced to rethink their approach.

The impact of this was millions more shoppers online and billions more credit card transactions taking place over the internet. What’s more, people shopping online were not only the digital natives who are comfortable using ecommerce and regularly take appropriate precautions. It was everyone and many of these consumers were not used to protecting their details online.

Customers are not particularly well protected against fraud. According to the Credit Card Fraud report for 2021, almost 40% of card holders do not have email or text alerts from their credit card companies enabled. Around 81% had to take additional action to reverse fraudulent charges, compared to just 19% who had those enabled.

Every type of credit card fraud is on the up, but in a world which is particularly digitally driven, there are more opportunities than ever for fraudsters to get hold of details. Methods of attack include phone and email phishing in which fraudsters attempt to trick people into giving away their personal details. Social media is also creating vulnerabilities. People display a surprising amount of personal information on these platforms including where they work. This can allow fraudsters to create more sophisticated attacks such as impersonating other colleagues in an attempt to get hold of card details.

If you are selling anything online, it’s almost inevitable that you will encounter credit card fraud at some point. Indeed, many vendors have factored it in as a regular cost of business operations. However, there are things you can do to mitigate the risk and reduce the chances of falling victim to fraud.

• Encryption: All customer data which is stored in your system must be fully encrypted. One of the most common ways in which information is stolen is via data breaches of merchants. As a company, you will be responsible for the safety of any customer data held on your system.  
• Multi-factor authentication: The most basic — and one of the most effective ways — is to demand multi-factor authentication. Vendors can require people to enter a verification code sent to their email or to a phone. This makes it much more difficult for any fraudster – whether they have a card or simply the details. In order to get through these barriers, they would have to be in possession of each way in which the customer will be contacted. The downside from a merchant’s point of view is that this creates barriers in the order process. Customers want convenience when buying online. The more obstacles you put in their way the more likely they will be to abandon shopping carts.
• Cyber insurance: You may also opt to have cyber insurance to reimburse you for any chargebacks or other costs. This can be expensive, but it might be worth the investment.  
• EMV Card Readers: The law now shifts responsibility to those merchants who take payments without the more secure EMV card readers. Before this, credit card issuers were responsible for in person card fraud, but responsibility shifts back to the merchant if they do not have the latest equipment and practices in place. You can avoid this by upgrading to EMV card readers in which case, liability will be borne by the card issuer.
• Payer authentication programs: Programs such as Visa Secure and Mastercard Identity Check direct customers to an authentication screen which requires a password or code before processing a transaction.
• Address verification: Payment processors may provide a service to verify the cardholder’s address by comparing the billing address provided by the cardholder against the issuing bank.
• Delay shipping of orders: The pressure is on to provide instant shipping, but you could delay it a little until the buyer’s information has been verified. This is especially important for big ticket sales.

These measures will reduce, if not eliminate, the number of attacks you face and the costs to your business if a breach does occur. It will offer protection in making your customer the most difficult target possible. You can add to this by developing a culture of security within your business such as introducing clear policies, protocols and training all staff in best practice. Attacks come from all angles. Implementing effective security needs buy-in from all individuals in the company from the executive team down to the junior office staff.

It will never be possible to eliminate fraud, but what you can do is reduce the cost and the impact on your business.