Techchecks.net Custom Printed Computer Laser / Inkjet

Safe and Smart: Teaching Customers How to Make Secure Online Payments

DISCLAIMER NOTE: The information provided in this article is for informational and awareness purposes only and should not be construed as legal advice. 

We have entered a brave new world regarding how people conduct business with each other and with companies. While many attribute this change to COVID, the rise in popularity of online and digital payments started before the pandemic. That point in our history did, however, cause a jump in the adoption of digital Point-of-Sale (POS) payments and digital commerce, both of which show no signs of slowing.

Even many traditional cash and check businesses are now rapidly moving to online and digital payments. This is largely due to the ease and often lower cost, as many online payment systems can be directly integrated with accounting software on the merchant’s end. Despite the ease of transactions, however, online and digital payments have a risk of scams, fraud, and other issues.

This series of articles will help you achieve the best of both worlds: to understand how to use online and digital payments to make your life easier, while also understanding how to conduct them safely and securely to protect your money.

Introduction to Payment Security

The total transaction value of digital payments is projected to reach $9.46 trillion in 2023, according to Statista. Unfortunately, anytime there is that much money being transacted, we will often see scammers and fraudsters dedicate a lot of effort to finding ways to illicitly siphon some (or a lot) of it from the system.

As shown in the graph from Statista above, these transactions are seen in three major categories: digital commerce (online shopping), digital remittances, and mobile POS systems (paying others through apps or phones). These three types of transactions are largely made in different situations, and each presents its own security issues.

Fraud can affect either the sender or receiver, depending on the situation, and sometimes it will affect both, as we will dive into further below. A report from Juniper Research outlines that losses from online payment fraud are set to exceed $362 billion globally over the next five years, so this is no small issue.

The largest sources of payment fraud, according to Stripe, are:

  • Phishing-based fraud
  • Skimming (fraudsters receiving credit card info via card reading devices)
  • Identity theft
  • Chargeback fraud

Each of these can be prevented if the proper measures and precautions are taken, but many people are largely unaware of the scale of the problem and risks associated with online or digital transactions.

How Online Payments Are Susceptible to Fraud

Now that we know some of the most common ways fraudulent payments are perpetrated, let’s describe precisely how each one of them works.

Phishing

Phishing is one of the most used tactics by fraudsters to illicitly gain sensitive financial information, and the tactics can vary greatly. Email is the most often used, and it can be used to try to get you to click a link that will install malware on your computer, impersonate a legitimate company that you may or may not do business with, or attempt to get you to hand over sensitive information in a response email.

Phishing attempts may be working to access your credit card information, but others will try to decipher your login or security question responses to access your bank accounts directly. This has been made worse by the ease with which many people share their personal information on social media. Professional fraudsters know that many people use passwords that have personal relevance to the account owner, and they may use phishing attempts to fill in whatever personal information they don’t already have.

Some have even been known to use fake websites that impersonate companies the target does business with, getting them to answer their security questions so the fraudsters can immediately gain access and lock the legitimate owners out of their own accounts.

Stolen Credit Cards

Fraudsters no longer need access to a physical card to make fraudulent purchases, which is one of the threats of online and digital payments. Some hackers will steal credit card numbers through data breaches and sell them to others on the dark web, and skimming is becoming a more prevalent issue that leads to great amounts of fraud.

There are numerous personal cybersecurity services like LifeLock that now constantly search the dark web for any financial information from their customers and will send an alert if any is found. Skimming, however, can be more difficult to discover, as skimmers read the card information directly from a payment machine (ATM, gas pump, POS terminal). Skimming devices do require a physical adapter, so they can be identified if one takes the time to look closely before inserting their credit card into anything.

Skimming devices are often merely attached over the top of the legitimate card reader, so a slight jiggle can help alert a customer if one is placed there. Blocking the keypad when entering your security code for a debit card can also be helpful in preventing skimmed debit card information from being used. When using a gas pump, skimmers are statistically less likely to be placed on pumps that the clerk can see directly, so it may be wise to only fill up from those that the clerk has a clear view of (never the furthest pumps from the cash register).

Paying with a digital wallet can also completely remove the chance for skimming, and advances in card technology are also working to prevent this issue. Tap payment-enabled cards transfer the card information without the need for swiping, and EMV chip-enabled cards use technology that is more secure than magnetic strips. For merchants, accepting these forms of payment can help reduce their exposure to potential fraud.

Identity fraud

Identity fraud is often one of the more advanced forms of fraud and requires a lot of work on the part of the fraudsters. Once they are able to gain enough personal and sensitive information to attain government documents like a driver’s license or birth certificate, however, they can be ruinous to the person whose identity is being stolen.

These fraudsters can often open credit cards in their target’s name and take out auto loans, and a more recent trend is for mortgages to be taken over and stolen unbeknownst to the actual homeowner. It can be very difficult to prevent this, or even to know that it is happening, but there are private companies that monitor your financial and personal data to protect you from these attacks.

There are several companies on the market that will monitor your personal and financial information for a fee to look out for any red flags of fraud.

Chargeback Fraud

Chargeback fraud can happen in two different ways, with one being more illegitimate than the other. In the first, also known as “friendly fraud,” a legitimate customer may dispute a transaction for a good or service that was actually purchased with their card. They may claim either that they never authorized the charge, that they never received the product or service, or that it was not what was agreed to. When done fraudulently, the customer is typically trying to receive the good or service for free, and the merchant loses both payment and an item or service that was delivered.

Chargeback fraud can also occur when a stolen card was used for the transaction, and the fraudster then disputes the charge. This strategy is often used in hopes that the legitimate card owner won’t notice the unauthorized charges (if they only check balances rather than line-item purchases), so the fraudster can continue using the card.

Merchants also need to be aware of chargeback fees, which are fees levied by your payment processor whenever a chargeback occurs. Depending on the number of chargebacks you receive, these fees can be significant. This chargeback fee is charged to your account regardless of the outcome of the case. Even if the merchant successfully disputes the chargeback and the funds are returned to their account, they are still liable for the chargeback fee. Typical fees range from $20-35 per chargeback, depending on the processor.

How to ensure safe and secure online transactions

Understanding the potential types of fraud that can be used against merchants and card owners is a good first step, but knowing how to protect yourself against them is vital. The following section will help merchants and card owners understand how to better protect themselves.

Avoid phishing scams

Phishing is a major issue today, and it can be done through multiple means. Phishing is an act through which fraudsters will attempt to gain sensitive information through social engineering, deception, and psychological manipulation. This issue is exacerbated by people sharing an enormous amount of personal information through their social media accounts, which fraudsters may try to use to find information like login passwords or answers to security questions.

Other forms of phishing may include fraudulent emails or even phone calls that use VoIP technology and Neighbor Spoofing to mask their true location and identity. To put the scale of the phishing issue in perspective, it was responsible for 44% of data breaches in 2020.

Here are some simple ways to identify potential phishing attempts:

  • Grammar and spelling: many phishing attempts originate outside of the U.S., so bad grammar or spelling may be a red flag that you’re looking at a fraudulent email.
  • Emails or phone calls requiring sensitive information: legitimate companies know the risk of fraud, and will never ask you to provide financial, login, or sensitive information over the phone or through email.
  • Inconsistent email addresses and domains: it is easy to mask an email address to seem similar to a recognized company, but expanding the sender details or clicking “reply to” will often show an email address that does not match the domain of the company being impersonated in a phishing attempt.
  • Too good to be true emails: the Nigerian prince trying to give away his riches has become a running joke, but one that hits close to home. If an email seems too good to be true, it probably is.
  • Suspicious attachments: never open an attachment to an email from any sender that you haven’t verified, period.
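The sender-consistency check from the list above can be automated on received mail. The following is an added example, not part of the original article: the brand name, the domains, and both sample messages are constructed, and `KNOWN_SENDERS` is a hypothetical allow-list you would fill with the companies you actually deal with.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: brand name as shown to the user -> domain it really sends from.
KNOWN_SENDERS = {"example bank": "examplebank.example"}

def _domain(addr):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower().strip() if "@" in addr else ""

def _same_org(domain, expected):
    """True when domain is expected itself or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def header_red_flags(raw_message):
    """List the sender inconsistencies found in one message's headers."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    flags = []
    # The name shown in the inbox claims a brand, but the address is on another domain.
    for brand, expected in KNOWN_SENDERS.items():
        if brand in display.lower() and not _same_org(from_dom, expected):
            flags.append("display-name-mismatch")
    # Replies would go to a different organisation than the visible sender.
    if reply_dom and not (_same_org(reply_dom, from_dom) or _same_org(from_dom, reply_dom)):
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Example Bank Support <support@examplebank-secure.example>\n"
    "Reply-To: helpdesk@mailbox.invalid\n"
    "Subject: Verify your account\n\nPlease confirm your details.\n"
)
GENUINE = (
    "From: Example Bank <alerts@mail.examplebank.example>\n"
    "Reply-To: support@examplebank.example\n"
    "Subject: Your statement is ready\n\nLog in to view it.\n"
)

if __name__ == "__main__":
    print(header_red_flags(SPOOFED))
    print(header_red_flags(GENUINE))
```

A clean result only means the headers are self-consistent; the other items in the list still apply.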

Clear and explicit terms and conditions (to avoid chargebacks)

One major issue that merchants who accept online or digital payments may encounter is that of legitimate customers initiating chargebacks. While this was an issue when customers could call their bank to cancel payment on a check used for payment, the move to online payments has made it far easier for legitimate customers to initiate a chargeback through an app on their phones.

To prevent this issue, those accepting online payments should list clear and explicit terms and conditions wherever they accept payments, so the customer is fully aware of what they are paying for. Along the same lines, all current and future charges that a customer should expect need to be clearly indicated so that they aren’t unexpected.

Requiring AVS match/CVV code

Even if a scammer is able to skim or attain someone’s credit card information through fraudulent means, they may not be able to attain the appropriate CVV code listed on the back of the card or the correct billing address. By requiring an Address Verification Service (AVS) match and a Card Verification Value (CVV), the merchant can take steps to ensure they are dealing with the actual owner of the card.

Billing and shipping information match

Another useful tool that online merchants may use is to ensure that the billing and shipping information match for any transaction. Many online scammers will use someone else’s credit card info to purchase goods or services for themselves, so having goods shipped to an address other than that of the cardholder may be an indication of fraud.

This is not a perfect solution, as online shoppers may be sending gifts or supplies to others, or ordering things they need to use in places other than their homes. It can, however, be a reason for an online merchant to take a closer look at a transaction for other red flags. 

Other Fraud Detection Tools for Merchants

If a merchant is involved in a high-dollar or a high volume of transactions, there are other tools that have become popular and proven to be quite effective at discovering potentially fraudulent transactions.

IP Geolocation

A high-tech upgrade from ensuring the billing and shipping addresses match, IP geolocation tools allow the merchant to identify the location of the person attempting to make an online purchase. While this can be defeated by some VPNs, it provides the potential to identify when the person making the purchase is located somewhere different than the billing (or shipping) address.
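The merchant-side checks described in the last three sections (AVS/CVV, billing and shipping match, IP geolocation) can be combined into one screening step. This is an added example, not code from the original article or from any payment processor: every field name is hypothetical, the sample addresses are constructed, and the IP comparison is simplified to country level. AVS or CVV failures decline the order, while the softer signals only send it to manual review, since the article notes they have legitimate explanations.

```python
import re
from dataclasses import dataclass

@dataclass
class Order:
    # All field names are hypothetical; map them to what your processor returns.
    avs_match: bool    # processor's Address Verification Service result
    cvv_match: bool    # processor's Card Verification Value result
    billing: dict      # keys: "street", "city", "postal", "country"
    shipping: dict
    ip_country: str    # country from an IP geolocation lookup, "" if unknown

def _norm(addr):
    """Normalise an address so cosmetic differences do not count as a mismatch."""
    parts = (addr.get(k, "") for k in ("street", "city", "postal", "country"))
    return tuple(re.sub(r"[^a-z0-9]", "", p.lower()) for p in parts)

def screen(order):
    """Return (decision, reasons) for one order."""
    hard, soft = [], []
    if not order.avs_match:
        hard.append("avs-failed")
    if not order.cvv_match:
        hard.append("cvv-failed")
    if _norm(order.billing) != _norm(order.shipping):
        soft.append("billing-shipping-differ")
    ip = order.ip_country.upper()
    known = {order.billing.get("country", "").upper(),
             order.shipping.get("country", "").upper()}
    # An unknown location is not treated as a mismatch.
    if ip and ip not in known:
        soft.append("ip-country-differs")
    if hard:
        return "decline", hard + soft
    if soft:
        return "review", soft
    return "approve", []

# Constructed sample addresses.
HOME = {"street": "12 Main St.", "city": "Springfield", "postal": "12345", "country": "US"}
GIFT = {"street": "99 Oak Ave", "city": "Shelbyville", "postal": "54321", "country": "US"}

if __name__ == "__main__":
    print(screen(Order(True, True, HOME, HOME, "US")))
    print(screen(Order(True, True, HOME, GIFT, "US")))
    print(screen(Order(True, False, HOME, GIFT, "CA")))
```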

Authentication protocols like 2FA

Two-factor Authentication (2FA) tools have become very popular with banking, payments, and FinTech apps, but they require the purchaser to take an extra step. These tools require the purchaser to either copy and paste a code that is texted to their phone or sent to their email, or submit a code generated through an authentication app like Authy.

Customers are often more than willing to take these extra steps for high-dollar transactions or on platforms that host sensitive information, like banking, payments, investments, or crypto. These work very well because it would require a fraudster to both acquire a credit card number and access the card owner's phone, email, or other method used for 2FA.

No public Wi-Fi payment transactions

Offering free public Wi-Fi has been a great perk for many establishments that cater to people on the go, but it also provides a unique danger for online payments that many don’t understand. There is technology that is cheap and readily available which allows fraudsters to spend their days at any establishment that provides an unsecured free Wi-Fi connection and read any data that is transmitted using it.

Most people don’t understand that there is a difference between data “at rest” (sitting unused on your computer) and data that is “on the move.” When you use any unsecured Wi-Fi network, the data on your computer or phone may be safe, and the payment pathway that you use may be secured, but your card data can often still be acquired as it moves through the free Wi-Fi connection to that secured payment pathway.

The Next Steps

Now that we’ve identified the scale of online and digital payment fraud, how to identify it, and how to protect yourself against it, we need to go over your next steps if you should ever find yourself a victim of fraud or potential fraud.

In the next article, we will cover:

  • Who is responsible for covering fraudulent transactions (customer or merchant)?
  • How to report suspicious activity
  • Consumer rights and liability
  • How to educate your customers about online payment safety
  • Real-life examples of online fraud and how it could have been prevented

* Quickbooks® Intuit® and quicken® are a registered trademark and are not affiliated and not owned by Tech Checks. Tech Checks offers its own brand of checks that are compatible with all versions of quickbooks® Intuit® and Quicken® software's
Copyright © 2024 Tech Checks, Inc.
All Rights Reserved.


