How you can eliminate online payment fraud

Online merchants are more vulnerable than ever to payment fraud.

If you sell goods or services online, especially in high-risk categories like digital goods, gambling and financial services, you’re a prime target for fraudsters.

Introduction

Online payment fraud prevention is an endless game of Whack-A-Mole. Whenever payment technology advances or user preferences evolve, fraudsters are the first to identify the weaknesses, and as soon as one vulnerability is resolved, another appears. This is why it is crucial to keep abreast of all developments related to payment fraud: the favoured attack vectors, the most vulnerable platforms, and the best protection methods.

PwC’s Global Economic Crime and Fraud Survey 2022 reveals that 46% of surveyed organizations reported experiencing some form of fraudulent activity in the last 24 months. The report also shows that organizations in Europe are significantly more likely than those in other regions to experience fraud perpetrated by external actors (56%).

What are external actors? That varies, from hackers (31%) and customers (29%) to organized crime (28%), vendors/suppliers (20%) or even competitors (14%), consultants (10%) and foreign states (9%).

The types of fraud businesses experience depend on the industry they operate in. Customer fraud is most prevalent in the financial services (44%) and retail (37%) industries, whereas cybercrime is the most experienced type of fraud in the telecom (50%), health (40%), public sector (36%) and manufacturing (32%) industries.

Source: PwC’s Global Economic Crime and Fraud Survey 2022

Cybercrime and threat attacks become more elaborate

Within the EMEA region, Europe is a very mature market with relatively low growth in attack rates. However, as Europeans increasingly move towards mobile commerce, a surge in desktop attacks has become evident. Overall, at 13% YOY, EMEA has seen the highest growth in desktop attacks compared to other regions.

Strong Customer Authentication (SCA) is having a positive effect on fraud attacks. Still, recent research from LexisNexis shows that the EMEA region saw a clear uptrend in the volumes of both human-initiated and automated bot attacks during the second half of 2021. Specifically, human-initiated attack volume is up 7% YOY, while automated bot attack volume has grown by a whopping 16% YOY. The automated bot attacks seen in EMEA mostly focus on logins, with the goal of gaining access to accounts and using the data mined to facilitate fraud through social engineering.

Globally, attacks targeting gaming, gambling and financial services are on the rise, while communications, mobile and media remain the most vulnerable of all.

Source: LexisNexis Risk Solutions Cybercrime Report | July to December 2021

The techniques employed by cybercriminals grow ever more sophisticated, and companies of all shapes and sizes face a mountain of threats. Since the COVID-19 pandemic, 62% of merchants report seeing new fraud types emerge. Luckily, business awareness regarding fraud has also grown, and over half of businesses surveyed have increased their fraud protection budget accordingly. Business awareness of fraud has increased most for companies in the digital goods (62%), subscription (58%) and retail (53%) industries.

Though larger merchants that sell through multiple channels experience the highest level of successful fraud attempts, how likely your company is to be targeted by fraudsters depends on many factors. Those include the sales channel and industry you work in, the fraud awareness maturity of your market, the security of your IT infrastructure, as well as consumer behaviour and the regional regulatory environment.

Fast-evolving attack techniques employed by cybercriminals

Device Spoofing:
Fraudsters delete and change browser settings in order to change their device identity or fingerprint, or attempt to appear to come from a victim’s device.

Identity Spoofing:
Using a stolen identity, credit card or compromised username/password combination to attempt fraud or account takeover.

IP Address Spoofing:
Cybercriminals use proxies to bypass traditional IP geolocation filters, and use IP spoofing techniques to evade velocity filters and blacklists.

Man-in-the-Browser (MitB):
Man-in-the-browser attacks use sophisticated trojans to steal login information and one-time passwords from a user’s browser.

Bots:
Bots are automated scripts that attempt to gain access to accounts with stolen credentials or create fake accounts and transactions.

Crimeware Tools:
Crimeware refers to malware specifically designed to automate cybercrime. These tools help fraudsters create, customize and distribute malware to perpetrate identity theft through social engineering or technical stealth.

Low and Slow Bots:
Low and slow bots are low-frequency botnet attacks designed to evade rate and security control measures, and thus evade detection. These attacks appear to be legitimate customer traffic, and they typically bypass triggers set around protocols and velocity rules.

Source: LexisNexis Risk Solutions Cybercrime Report | July to December 2021
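
To make the "low and slow" point above concrete, the following added example (not part of the original whitepaper or of any Alphacomm or LexisNexis product) runs a short-window velocity rule and a long-window aggregation over a constructed login log. The thresholds, field layout and function names are assumptions chosen for illustration; the same aggregation could be keyed on a device fingerprint instead of an IP address.

```python
from collections import defaultdict, deque

def velocity_rule(events, window_s=300, max_failures=5):
    """Short-window rule: flag a source with more than max_failures failed
    logins inside any window_s-second span."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _account, ok in sorted(events):
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(src)
    return flagged

def spread_rule(events, window_s=86400, min_accounts=8, min_fail_ratio=0.9):
    """Long-window rule: flag a source that, over window_s, fails against many
    distinct accounts and almost never succeeds, however slowly it goes."""
    end = max(ts for ts, *_ in events)
    attempts, failures = defaultdict(int), defaultdict(int)
    accounts = defaultdict(set)
    for ts, src, account, ok in events:
        if end - ts > window_s:
            continue
        attempts[src] += 1
        if not ok:
            failures[src] += 1
            accounts[src].add(account)
    return {s for s in attempts
            if len(accounts[s]) >= min_accounts
            and failures[s] / attempts[s] >= min_fail_ratio}

def build_sample_events():
    """Constructed login log: (unix_seconds, source, account, success)."""
    ev = []
    for u in range(20):   # customers: one typo, then a successful login
        ev += [(u * 600, f"198.51.100.{u + 1}", f"user{u}", False),
               (u * 600 + 20, f"198.51.100.{u + 1}", f"user{u}", True)]
    for i in range(30):   # noisy source: 30 failures in about a minute
        ev.append((1000 + i * 2, "203.0.113.9", f"acct{i}", False))
    for b in range(3):    # slow sources: one failure every 30 minutes
        for i in range(24):
            ev.append((b * 60 + i * 1800, f"192.0.2.{b + 10}", f"acct{100 + b * 24 + i}", False))
    return ev

if __name__ == "__main__":
    events = build_sample_events()
    fast, slow = velocity_rule(events), spread_rule(events)
    print("velocity rule:", sorted(fast))
    print("caught only by long-window rule:", sorted(slow - fast))
```

The velocity rule only sees the noisy source, while the three slow sources surface once failures are counted per source across a full day and across distinct accounts.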

Cross-border sale of digital goods: high demand, high risk

In Europe, the number of internet users trying to get cross-border access to content has nearly doubled over the span of four years (from 8% in 2015 to 15% in 2019). The increase in demand is being driven by the lack of access to digital goods.

Digital goods is a term commonly used to describe intangible products and services that can be acquired and consumed online. The fulfilment process is fully digital and occurs in real-time. Examples of digital goods and services include:

  • Prepaid phone credit
  • Digital gift cards
  • Game vouchers
  • Media files
  • E-books
  • Fonts
  • Digital subscription services
  • Internet coupons
  • Virtual goods / in-game items
  • Online courses
  • Music & video streaming services
  • Website themes etc.

Data from the Eurobarometer survey shows that audiovisual and other electronically supplied copyright-protected content, such as music streaming and downloading, e-books and games, are among the most popular content sought by consumers across borders.

The growth of international e-commerce is also fuelling fraud attacks. Recent observations by the European Banking Authority show that fraudulent cross-border transactions represent 81% of fraudulent card payments reported by issuers and 94% of fraudulent card payments reported by acquirers.

Among cross-border payments, those with counterparts located outside the European Economic Area (EEA) are more frequently subject to fraud than payments executed inside the EEA. In fact, the share of fraud in the total volume of card payments outside the EEA – as reported by issuers – is three times higher than inside the EEA, and 85 times higher than the fraud share for domestic transactions.

The financial impact of fraud on merchants

Fraud is costly. In 2021, the global value of e-commerce losses to online payment fraud was estimated at $20 billion, a growth of 14% compared to the previous year.

As consumers make more use of mobile apps and digital wallets, the cost of fraud appears to be rising along with the trend. In EMEA, every fraudulent transaction costs 3.49 times the lost transaction value on average. The cost of fraud is highest among financial services institutions (4.34 times the lost transaction value).

A quick word on geo-blocking

Businesses often reject transactions that originate from specific countries, a practice known as geo-blocking. While blacklisting certain regions is a way of reducing fraud risk, it comes with a major downside: the more transactions you reject, the higher the risk of rejecting transactions from good customers. Moreover, many European companies may not realize that unjustified geo-blocking is actually illegal. The European Union’s regulation against unjustified geo-blocking, which entered into force on 3 December 2018, addresses unjustified online sales discrimination based on customers’ nationality, place of residence or place of establishment within the internal market.

To be clear, the regulation does not oblige merchants to allow access to their content, nor sell or deliver across the whole EU. Rather, it prohibits merchants from discriminating against customers based on their nationality, place of residence or place of establishment, if the merchant already delivers to their particular Member State.

Geo-blocking is not a solution for online payment fraud

Geo-blocking limits sales opportunities and stunts revenue growth. Though geo-blocking may be a quick solution to a growing problem, companies who are serious about expanding their cross-border sales are better off investing in proper fraud protection tools and processes.

Lisa de Vreede – Product Owner Protectmaxx

Alphacomm Field Report

Data from Alphacomm’s anti-fraud department shows the most common type of fraud is related to PayPal and credit card payments. With false credentials, or illegally obtained credit card details, fraudsters try to make purchases of products they can easily monetize.

Lately, one of the new fraud trends is that fraudulent transactions seem to mimic “real” transactions more and more. Fraudsters are using low order values (instead of going big at once), and committing the transactions in lower intervals, within more realistic time frames.

Alphacomm works with many businesses that sell digital goods, like prepaid phone credit, gift cards, game cards, e-money and more. These products have an extra-high fraud risk since the delivery is instant and irreversible, which puts the merchant at great financial risk when fraud is committed.

To mitigate risk and secure their revenue, merchants selling high-risk products rely on Alphacomm’s 100% Chargeback Guarantee to ensure that they incur zero financial risk, even in the unlikely case that fraud is not detected by our systems.

Combatting online fraud: using the right tools for the job

Get rid of low-hanging fruit

To protect yourself against cybercrime, there are quite a few things you can get started on right away, such as educating your staff about fraud, training them to be ever-vigilant, and implementing a strictly enforced password policy. It is also important to maintain a secure IT infrastructure and keep security patches up to date.

As an online merchant, you’re not expected to become an expert in all this. After all, it’s not your core business. But there are fraud prevention experts out there who know just what your particular risks are.

Use the right protection

Merchants who do best in fighting fraud are the ones who rely on a multi-layered approach to fraud mitigation solutions. By layering the processes of identity verification, identity authentication and transaction risk assessment, the merchant experiences fewer false positives and fewer successful fraud attempts than those who don’t adopt a multi-layered approach.

Conversely, the same findings show that merchants who use multiple solutions, but not in a layered approach, experience more false positives and more successful fraud attempts than those who use very few solutions.

As a seller of digital goods, the only way to really protect your business from fraud is by making use of intelligent, lightning-fast fraud protection. Every single transaction needs to be checked, without increasing the number of false declines or negatively impacting the customer’s checkout experience in any way.

Besides speed and thoroughness, other benefits to look for in high-quality payment fraud protection services are a chargeback guarantee, access to a dedicated revenue manager, full compliance with GDPR, and the use of advanced supervised Machine Learning. When properly supervised, Machine Learning can be used to detect trends, optimize algorithms, and update schemas.

Still, doing all of the above is not enough. When implementing overly broad anti-fraud measures like 3DS2, merchants also inadvertently introduce unnecessary friction in the checkout process. This is problematic. After all, merchants only get one chance to offer a positive customer experience, and failure to offer a frictionless experience may result in unnecessary cart abandonment as well as lower conversion rates. As an online seller of (digital) goods, your goal is to facilitate transactions by removing friction wherever possible, while at the same time securing transactions with the highest level of security.

Eliminate fraud risk, without adding friction

How can merchants introduce measures to prevent fraud, without adding friction at checkout? At Alphacomm, we’ve developed Protectmaxx, a smart, frictionless, fraud solution (API) that completely eliminates chargebacks. In fact, Protectmaxx is so secure, we’re able to offer 98% acceptance for digital goods and a 100% chargeback guarantee on all the popular payment methods that your customers trust and love.

By being smart about fraud risk and fully understanding every single detail of SCA regulations, we’re able to selectively apply different fraud checks to different transactions and only when required. The result is a customer experience that is smooth, inspires loyalty and significantly increases customer lifetime value.

Protectmaxx is a robust anti-fraud API that seamlessly integrates with any ecommerce platform. Depending on the business needs, Protectmaxx can be used for either advanced fraud scoring or as a premium solution that provides full indemnification via a 100% chargeback guarantee that is unique in the industry. Moreover, Protectmaxx is fully PCI- and GDPR-compliant.

If you found this whitepaper useful

If you found this article informative, please share it with your colleagues. If you’d like to chat to one of our experts about your payment fraud concerns, please give us a call on +31107989 501.

About us

We believe buying and selling digital goods online should be effortless.
With over 25 years of experience, we know all about fraud, payments and selling digital goods online. Our team of 85 revenue geeks is working 24/7 to make it simple and safe to buy and sell digital goods.