As security gets tighter, fraudsters get sneakier
With the advent of EMV chip cards and digital wallets, card-present transactions (those that take place at a brick-and-mortar location with a physical payment method or digital wallet) have become almost fraud-proof. As a result, scammers and hackers have turned their attention to online and mobile commerce processes. While encryption and tokenization offer some measure of security, these processes are still vulnerable. The more consumers and business owners understand about these risks, the better they’ll be able to defend against fraudsters.
Every year, the number of transactions taking place online (eCommerce) and via mobile device (mCommerce) increases exponentially. Last year, mCommerce transactions generated $208.1 billion, which accounted for 39.6% of total retail eCommerce sales in the United States. Unfortunately, increased traffic means increased fraud risk, and many businesses are learning too late that fraud prevention tools for eCommerce don’t necessarily prevent fraud in the mCommerce space. In addition, while the majority of consumers default to desktop or laptop for large-scale purchases, fraud attempts for digital goods (e.g., gift cards) are much higher on mobile platforms.
Prevalence of fraud types
Javelin Strategy and Research’s 2018 Identity Fraud study found that card-not-present (CNP) fraud is now 81% more likely than card-present or point-of-sale fraud. Account takeover (ATO), a form of identity theft that involves the collection of personal data in order to gain access to various accounts, saw a significant increase in 2018. Checking and savings, credit card, and online accounts like Amazon Prime and Starbucks carry the highest takeover rates. And the damage doesn’t stop with the account holders: a fraudster can use a stolen account to make credible purchases from merchants with whom the account holder has a successful transaction history.
*a fraudster can hack more than one type of account owned by the same consumer, which is why the percentages add to more than 100%
**statistics from digitalcommerce360.com
Then there’s friendly fraud, wherein customers make legitimate purchases but dispute the charge for various reasons—maybe the item was stolen in transit, a return was attempted but not completed, or the customer doesn’t recognize the merchant’s name on their credit card statement. Whatever the reason, friendly fraud leaves the merchant with a loss of both the sale revenue and the product or service. On the flip side, credit card companies’ zero-liability policies (guarantees that cardholders won’t be held responsible for unauthorized charges on their cards or accounts) don’t always protect cardholders from these new kinds of fraud. Of the $14.7 billion lost to fraud in 2018, the liability of $1.7 billion fell on fraud victims.
It’s a bleak landscape, but not a hopeless one. Consumers and small businesses can lower their susceptibility to fraud with the following preventative steps.
How to mitigate risks
As a customer:
- If you’re a digital wallet user, enable multiple layers of security on your phone (passwords, biometrics, PIN codes) and use protections like card deactivation and data erasure. These tools will keep your sensitive information away from prying eyes, should your device fall into the wrong hands.
- Only shop online on secure websites, and use virtual private networks (VPNs) for transactions conducted in public spaces. Don’t ever input sensitive card information while using unprotected Wi-Fi networks, as hackers can “spoof” registration pages and systems or gain access to your account by taking over your web-browsing session.
- Don’t click links or attachments in emails that look like they’re from your bank, your credit card company, or any business that might ask for your personal information. Visit the websites by typing the addresses into your browser directly.
- Use strong, varied passwords when storing credit card information online (e.g., Amazon 1-Click®), and save your passwords in a trusted password manager.
- Enable notifications and text alerts for any card or account transactions that exceed a given dollar amount, and review your statements regularly.
As a small business owner:
- Don’t store your customers’ sensitive information on your local system. Use software equipped with encryption and tokenization capabilities, like EBizCharge, and consider accepting digital wallets.
- Verify your transactions and set parameters for identifying abnormal ones. Keep in mind that red flags may not be as obvious as a shipping/billing address mismatch. The nature of the order, possible connections to other orders, incorrectly entered information, and unusual shipping requests can be tip-offs to fraudulent transactions.
- Use a trusted platform, set up a firewall, and keep everything updated. Consider enlisting the help of a fraud prevention service to weed out malicious traffic. This can help reduce the number of denied legitimate transaction requests as well.
- Require additional information, like CVV and zip codes, to verify customer identity. In the age of convenience, more friction can deter shoppers from completing purchases, but Experian’s 2018 Global Fraud and Identity Report found that 69% of consumers in the United States “appreciate security protocols when transacting online because it makes them feel protected.”
- Find a PCI-compliant payment processor that provides a secure customer payment portal, which allows customers to pay their invoices online. Customizable fraud prevention modules detect suspicious activity and provide parameters for blocking transactions by location or IP address.
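The screening parameters described in the list above can be expressed as a small rule set. The following is an added example, not code from the original article or from any payment product: it flags the red flags named above, sends orders with several flags to manual review instead of denying them, and hard-blocks only on location. The field names, the `ZZ` country placeholder, and the review threshold are all assumptions.

```python
from collections import defaultdict

BLOCKED_COUNTRIES = {"ZZ"}  # placeholder code; set from your own policy

# Constructed sample orders. "card_token" is the processor-issued token,
# never the card number itself.
ORDERS = [
    {"id": "A1", "email": "pat@example.com", "card_token": "tok_1", "bill_zip": "92618",
     "ship_zip": "92618", "ip_country": "US", "channel": "desktop", "digital": False, "rush": False},
    {"id": "A2", "email": "x1@example.net", "card_token": "tok_2", "bill_zip": "10001",
     "ship_zip": "33101", "ip_country": "US", "channel": "mobile", "digital": True, "rush": True},
    {"id": "A3", "email": "x2@example.net", "card_token": "tok_2", "bill_zip": "10001",
     "ship_zip": "10001", "ip_country": "US", "channel": "desktop", "digital": False, "rush": False},
    {"id": "A4", "email": "sam@example.org", "card_token": "tok_3", "bill_zip": "60601",
     "ship_zip": "60601", "ip_country": "ZZ", "channel": "desktop", "digital": False, "rush": False},
]

def red_flags(order, emails_by_token):
    flags = []
    if order["bill_zip"] != order["ship_zip"]:
        flags.append("address_mismatch")
    # Same card token used under more than one email address
    if len(emails_by_token[order["card_token"]]) > 1:
        flags.append("linked_orders")
    if order["digital"] and order["channel"] == "mobile":
        flags.append("digital_goods_on_mobile")
    if order["rush"] and order["bill_zip"] != order["ship_zip"]:
        flags.append("rush_to_new_address")
    return flags

def screen(orders, blocked=BLOCKED_COUNTRIES, review_at=2):
    emails_by_token = defaultdict(set)
    for o in orders:
        emails_by_token[o["card_token"]].add(o["email"])
    decisions = {}
    for o in orders:
        flags = red_flags(o, emails_by_token)
        # Hard rule: a location block wins over everything else
        if o["ip_country"] in blocked:
            decisions[o["id"]] = ("block", flags + ["blocked_location"])
        elif len(flags) >= review_at:
            decisions[o["id"]] = ("review", flags)
        else:
            decisions[o["id"]] = ("approve", flags)
    return decisions

if __name__ == "__main__":
    for oid, (action, flags) in screen(ORDERS).items():
        print(oid, action, flags)
```

Order A3 carries a single flag and is still approved, which is how a threshold keeps one weak signal from denying a legitimate purchase.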
The future of virtual transactions
The global consortium of financial companies known collectively as EMVCo developed the EMV chip to combat card-present fraud, and is now working to develop a safer payment method for virtual transactions. Secure Remote Commerce will combine tokenization and 3D Secure 2.0 authentication (a verification process that requires customers to approve their banks’ authorization of a purchase) to create a virtual payment terminal that offers “secure and interoperable card acceptance established through a standard technical framework.”
Sounds promising, right? But the question remains: how will fraudsters exploit cardholders next?