What every start-up needs to know about fraud and how to prevent it
Fraud happens to almost every online business and, left unchecked, leads to lost revenue and valuable time wasted. Here’s how to spot it and limit the damage.
Most consumers have hesitated before keying card details into an unfamiliar website or mobile app.
According to a survey released in 2014 by the government-backed campaign “Get Safe Online,” 51% of Britons had been on the receiving end of online crime, including “phishing scams” aimed at tricking Internet users into revealing bank account and card details.
The National Fraud Intelligence Bureau (NFIB) says the top 10 online-enabled frauds cost British consumers over £268m between September 2014 and August 2015.
For the merchant, fraud protection must be a priority too: fraud hits the bottom line and damages customer confidence, and therefore sales.
As Dennis Collet, CEO of mobile restaurant app Orderella observes, secure payment procedures are a prerequisite for successful trade. “There is no point in having the best designed offering in the world if it all falls apart when it comes to processing payment. Any breach resulting in stolen details can destroy that faith, leaving you in a precarious position,” he says.
Online businesses regularly face criminal attempts to buy goods with stolen card details or efforts to break into customer accounts. Many of these attacks will be carried out by criminal networks based overseas, making it difficult for either a customer or a business to seek justice.
But how does a business prevent this from happening?
Understanding the threat
The first step is to understand the nature of the fraud threats. That will vary depending on the volume of traffic, the type of goods sold and the channels to market utilised such as web, mobile web and apps.
Simple card fraud
Simple card fraud is the most common threat a merchant faces. As David Nunn, European Director of advanced payment systems provider Braintree observes, online businesses face a broad range of threats, “…but it’s fair to say compromised accounts and so-called friendly frauds are pretty commonplace,” he says.
Friendly fraud involves a customer buying goods and then asking the credit card company for a chargeback, claiming the goods were either not purchased by them or not received.
Criminal networks steal thousands of card details either physically or using techniques such as cashpoint skimming and phishing. Multiple card details are bought and exchanged on the so-called dark web.
Not all cards will work, so fraudsters pick on sites and use them to ‘test’ cards to see which can be used. This opens retailers up to multiple types of fraud if their own security is weak. Equally damaging, fraudsters may try to hack the site to obtain more credit card details.
If your site has account management tools built-in behind a password and username log-in, you are also at risk. If a fraudster gains access to your systems, they can make purchases or simply steal customer details.
Apps sit on individual phones, which tends to make mobile shopping far safer than using a website. However, if a phone is stolen, an app can be used to gain access to an account or make payments via e-wallets loaded with credit card details.
How to recognise the threat
In the vast majority of fraud cases the real challenge is to identify and prevent fraud from those who come to your site or app with bad intentions. The first step is to recognise the danger signs, which usually start with suspicious customer behaviour. For instance:
- Someone logging on from an unfamiliar device or location
- Addresses for card billing and delivery not matching
- A user’s repeated failed attempts to log in to an account
- Multiple transactions on different cards
- Someone using a proxy server
But detecting fraud is not always easy, and a user’s actions could be entirely innocent. Thus, to deal with fraud, merchants must combine robust processes with sound policies.
Anti-fraud technology solutions
According to Braintree’s David Nunn, fraud prevention begins with an assessment of the business and the threats it faces. “We start with merchants’ needs, and understanding their business models and existing or potential threats,” he says.
The next step is to take appropriate action. Typically, this will require a range of tools to counter multiple fraud threats. Braintree provides a range of basic fraud tools and solutions, which can be set up to suit the needs of the merchant. These include:
- Address verification system (AVS). The ability for the merchant to verify that the customer’s address matches the one held on file by the cardholder’s bank.
- Card verification value (CVV). The multi-digit verification value printed on the back of Visa, MasterCard, and Discover cards, and on the front of AmEx cards.
- Risk software. Software that quickly analyses multiple factors of the transactions for unusual behaviour, particularly rapid fire purchases.
Through a partnership with anti-fraud software specialist Kount, customers using Braintree’s advanced tools have access to hundreds of fraud detection tests that analyse credit card transactions in milliseconds.
Implementing stringent policies
But technology is not enough. In addition to the tools, you also need to implement effective policies and practices.
And as Braintree’s Nunn points out, there is an important principle here for merchants and technology suppliers alike. Merchants must protect themselves and their customers, but must be careful not to deter shoppers by putting up too many hurdles or, worse still, blocking sales. “We [Braintree] take all aspects of security and fraud very seriously, while at the same time creating payment solutions that do not compromise on the merchant’s ability to delight the customer through their experience or ‘journey’,” he says.
If you suspect fraud, one tactic is to allow the check-out process to complete but carry out checks before goods are delivered.
As Stephen Moody of security analytics company Threatmetrix points out, the check could be as simple as a phone call to the customer to make sure all is well. Equally, if there is concern about a log-in, you could add another tier of security such as a security question before allowing the customer to proceed.
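The danger signs listed under “How to recognise the threat” and the tactic of completing check-out but checking before delivery can be combined into a simple rule-based screen. The following is an added example, not code from the article or from Braintree, Kount or Threatmetrix; the weights, thresholds, field names (including the `via_proxy` flag) and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Weights and thresholds are illustrative assumptions, not vendor or article values.
WEIGHTS = {"new_device": 2, "address_mismatch": 2, "failed_logins": 2, "multi_card": 3, "proxy": 1}
CARD_WINDOW = timedelta(minutes=10)   # look-back for the different-cards check
MAX_CARDS, MAX_FAILED_LOGINS, REVIEW_AT = 2, 3, 3

def score_orders(orders, known_devices):
    """Map order id -> (score, signals, decision), processing orders in time order."""
    cards_seen = defaultdict(list)    # device -> [(time, card token)] inside the window
    out = {}
    for o in sorted(orders, key=lambda o: o["time"]):
        seen = cards_seen[o["device"]]
        seen[:] = [x for x in seen if o["time"] - x[0] <= CARD_WINDOW] + [(o["time"], o["card"])]
        checks = {
            "new_device": o["device"] not in known_devices.get(o["account"], set()),
            "address_mismatch": o["billing_postcode"] != o["delivery_postcode"],
            "failed_logins": o["failed_logins"] >= MAX_FAILED_LOGINS,
            "proxy": o["via_proxy"],
            "multi_card": len({card for _, card in seen}) > MAX_CARDS,  # card testing
        }
        signals = [name for name, hit in checks.items() if hit]
        score = sum(WEIGHTS[s] for s in signals)
        if score >= REVIEW_AT:
            decision = "hold_for_review"   # payment completes, delivery waits for a check
        elif "new_device" in signals or "failed_logins" in signals:
            decision = "step_up"           # e.g. ask a security question
        else:
            decision = "ship"
        out[o["id"]] = (score, signals, decision)
    return out

def make_order(oid, account, device, card, minute, ship="N1 9GU", failed=0, proxy=False):
    return {"id": oid, "account": account, "device": device, "card": card,
            "time": datetime(2024, 1, 1, 12, minute), "billing_postcode": "N1 9GU",
            "delivery_postcode": ship, "failed_logins": failed, "via_proxy": proxy}

# Constructed sample data: tokens stand in for cards, no real details.
KNOWN_DEVICES = {"alice": {"dev-1"}, "bob": {"dev-2"}}
SAMPLE_ORDERS = [
    make_order("o1", "alice", "dev-1", "tok_A", 0),
    make_order("o2", "bob", "dev-9", "tok_B", 1),
    make_order("o3", "alice", "dev-1", "tok_C", 2, ship="M1 1AE", proxy=True),
    make_order("o4", "alice", "dev-1", "tok_D", 5),
    make_order("o5", "alice", "dev-1", "tok_A", 30),
]
if __name__ == "__main__": print(score_orders(SAMPLE_ORDERS, KNOWN_DEVICES))
```

Order o4 is held only because it is the third distinct card from one device within ten minutes, while o5 ships because the earlier cards have aged out of the window.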
Security is the cornerstone of business online. Poor security means not only lost revenues but also low customer confidence and, ultimately, a failing business. To keep your site secure, you need to understand the threats, be aware of the signs that attacks are taking place, and deploy the technologies and policies that will enable you to reduce the risks.
This article was produced in partnership with Braintree, a payments platform that allows merchants to accept credit and debit cards, PayPal, and Apple Pay with a snippet of code. Uber, Airbnb, and GitHub as well as thousands of other merchants use Braintree in 46 countries. To learn more, visit Braintreepayments.com or @braintree.