Beginners Guide to Payment Fraud Detection & Prevention

A guide for eCommerce merchants with any level of fraud knowledge.

This guide has been developed for eCommerce merchants with any level of fraud knowledge. It aims to provide a full and comprehensive overview of how to detect and prevent eCommerce payment fraud.

Getting fraud prevention and detection right is important.

However, if you are a growing merchant and have zero fraud, there is a strong possibility that you are rejecting good customers. Get it wrong the other way and let too many risky transactions through, and you will eat into your margins.

In this guide we cover:

  • eCommerce Payment Fraud Trends
  • Payment Fraud Key Concepts
    • How payment fraud happens
    • It’s the card not the account
    • The two types of payment fraudsters
    • Fraud controls
    • Fraud alerts vs. chargebacks
    • Where to get fraud alerts
    • Payment authorisation vs. capture
    • Fraud features
  • Lines of defence
    • Fraud spike detection
    • On site behavioural detection
    • Off site passive fraud checks
    • Pre-checkout risk assessment rules based on your fraud risk management strategy
    • Your payment processor
    • Your orchestration layer (if used)
    • Fraud screening tools & rules engines (Rules based / Heuristic / Machine learning)
    • On site active fraud checks
    • Fraud screening
    • Chargeback dispute management
    • Offsite monitoring
  • Fraud screening tools & rules engines
    • Heuristic fraud scoring
    • Machine learning generated fraud scoring
    • Rules engine
    • Alert management
  • Vendors
  • Further help

Finally, I believe that it’s important to educate merchants rather than their adversaries. So while this guide aims to be comprehensive on concepts, specific actionable tactics are generally in member-only posts.

It is currently free to sign up as a member; all you need is a valid, verifiable merchant email account.

Download this guide as a PDF and email me a copy

You will also get an invite to join our free merchant only community.

Payment fraud trends

Fraud is on the rise and the global pandemic has not been helping. It has placed increased financial pressure on individuals. The unsurprising result has been an increase in various types of fraud.

  • WorldPay’s annual risk survey showed that:
    • 59% of merchants surveyed had seen a slight or significant increase in eCommerce fraud between 2019 and 2020, and only 15% had seen a reduction;
    • just over 37% of merchants lost at least 6% of their revenue to payment fraud in 2020.
  • Forter’s fraud attack index noted:
    • a 55% increase in Buy Online Pickup In Store (BOPIS) fraud attacks;
    • significant increases in fraud for beauty, money services and travel products.
  • McKinsey predict that by 2022 global losses due to fraud will reach $36bn, increasing steadily year on year.
  • In the US, FTC reports of credit card fraud jumped by 107% between Q1 2019 and Q4 2020, vs. 27% between Q1 2017 and Q1 2019.


Payment fraud key concepts

Before we jump in we need to cover off some basics that are important to understand.

This simplified payments flow highlights some of the key terms you should be aware of.

If any of them are unfamiliar then read on below. If they are all familiar you can skip to the next section, Lines of defence.


How payment fraud happens

Card fraud happens when an adversary uses a card, often but not always stolen, usually in combination with some stolen identity details such as the card holder’s address, name and date of birth.

They then use these details to make a purchase. The card holder later raises a dispute with the issuing bank stating that the transaction is fraudulent. This results in a chargeback, and you, the merchant, lose out.

The two types of payment fraudsters

If you do not have effective controls in place to identify the card holder then it can be very difficult to know which type of fraudster you are dealing with.

There are two types of payment fraudster:

  • 1st party fraud – First party fraud is when a cardholder uses a card for a purchase and then informs their issuer that it was not them who completed the transaction. While this is the less common of the two it does happen.
  • 3rd party fraud – Third party fraud is where stolen card details are used to complete a transaction without the knowledge of the card holder.

Talking to the customer is unlikely to yield any useful information as knowing whether they are telling the truth or not is extremely difficult.

In some cases it can even lead to more fraud as you are educating them about your processes.

Fraud attacks

A fraud attack is a co-ordinated effort by one or more adversaries to undermine your lines of defence.

They are generally characterised by an elevated amount of fraud vs. normal levels of fraud. I have gone into fraud attacks and patterns in another post so won’t cover them here.

Payment authorisation vs. capture

Understanding the basic payment flow is quite important for fraud detection and prevention. While there are several possible actions with a payment service provider, like refund and verify, the two we care about are authorise and capture.

This is a very simplified flow and misses out payment service providers and other intermediaries.

Authorisation

This is when the card number and related details, known as PAN data, are sent together with the amount via your payment service provider to the issuing bank. Assuming funds are available, the card is active and, if relevant, the requisite 3DS check is passed, the issuer will authorise the transaction.

At this stage the funds are only ring-fenced on the card and the transaction will show as pending on the customer’s bank account. You do not yet have custody of the funds.

The window after the funds are authorised and before they are captured is when you will typically carry out fraud checks.

Capture

A request to capture funds from the issuing account into your merchant account can be made once the transaction has been authorised.

Once issued it will typically take one to several days for the funds to clear.

Fraud controls

Fraud controls are things that you as a merchant can put in place to reduce your risk of payments fraud. The challenge is to have the right balance of controls that don’t overly impact the customer experience.

Type of control

  • Passive – The customer is not aware the check has happened, e.g. verifying whether a phone number is valid or is linked to negative feedback from other merchants;
  • Active – The customer is presented with some form of challenge, e.g. uploading their government ID to an ID verification service;
  • Screening – An agent and/or machine learning algorithm reviews a transaction and decides whether to carry out active or passive controls.

Some passive controls are inexpensive, such as checking whether a customer is using a VPN. Others, such as ID verification or some of the more advanced phone number checks, might cost up to $2-$5 per check. As part of your fraud risk management strategy you need to define which controls are employed in different risk scenarios.

Fraud alerts vs. chargebacks

All fraud alerts lead to chargebacks, but not all chargebacks are fraud. This concept is somewhat challenging to grasp and caught me out when I started working in payments.

  • Fraud alert – The customer has reported their card stolen to the issuer and the issuer has flagged specific transactions as having been fraudulent.
  • Chargeback – This will occur if a transaction has been flagged as fraud; however, the issuing bank may also request a chargeback for other reasons, such as the customer telling them they did not receive the goods or were double charged.

With regards to eCommerce payment fraud detection our interest is mainly on fraud alerts. They will allow you to incrementally improve your controls over time so that you get the right balance of checks and cost vs. checkout conversion.

Where to get fraud alerts

Fraud alerts are usually provided by the issuing bank to the card network, e.g. VISA/Mastercard, and eventually to your merchant bank. These reports, known as TC40s, are often delivered a significant amount of time after the issuer has been informed of the fraud. They can also be challenging to get your hands on if you are a smaller merchant.

If you are seeing significant fraud, I would recommend using a third party like Ethoca. They can provide you with significantly faster fraud alerting. This will enable you to disable and block cards faster, reducing the amount of time bad actors have to make purchases.

It’s the card not the account

A lot of people get caught up with whether any given account is fraudulent. You need to remember that it is the card that is being used fraudulently, irrespective of the account.

Any card whose first transaction with you was under 3-12 months ago is a risk, given the amount of time a chargeback can take to arrive.

Given this, remember that even ‘trusted’ accounts can become somewhat risky when a new card is added to them.

Fraud features

I use this concept quite extensively throughout this post and the blog. A ‘feature’ is any data point relating to a transaction that can be contextualised and used to understand whether a transaction is fraud.

Examples would be: transaction value, number of days since a customer made their first transaction, the card issue country etc.

Lines of defence

I will outline the different lines of defence and how some of them can be used to enable effective fraud detection and prevention.

Defence in depth is a military concept that seeks to delay and deter attackers by establishing several layers of defence.

In payments fraud, your lines of defence, in order of use, are as follows:

  • Fraud risk management strategy
  • Fraud spike/attack detection
  • On site behavioural features
  • Off site passive fraud checks
  • Pre-checkout risk assessment rules
  • Your payment processor
  • Your orchestration layer (if used)
  • Fraud screening tools & rules engines (Rules based / Heuristic / Machine learning)
  • On site active fraud checks
  • Fraud screening
  • Chargeback dispute management
  • Offsite monitoring

Some fraud is always inevitable, but the more lines of defence you set up the less likely your adversary will be to succeed.

Equally if you place too much friction in the checkout path you could lose conversion on your regular customers and/or incur costs that eat into your margins.

Fraud risk management strategy

It might be surprising but the first thing I believe merchants should start with is a plan. That is what a fraud risk management strategy is.

It is a plan that allows you as a merchant to define risk levels of transactions and how to manage that risk. Even if you are just starting out it is a very sensible place to start as it will allow you to ensure that you are aligned with any other stakeholders you work with.

At its most basic it should include:

  • Risk levels: Low/Medium/High
  • What controls you will implement for transactions in those risk levels

There’s too much to cover here, but I have written a step by step guide to fraud risk management strategy in a public post which should get you started. I think it might even include a template to get you started and help impress your boss.

Fraud spike/attack detection

A fraud spike is an elevated amount of potentially fraudulent activity. It is an important fraud pattern to catch early because well co-ordinated attacks can lead to the kind of severe losses that could cost you your job.

The main issue with fraud spikes is that they can be masked within an expected spike of sales. Or, worse, they might only look like a slight increase in sales.

As a merchant you will only start to feel the pain 15-30 days later, when the fraud alerts and chargebacks start rolling in.

An example of a spike might be:

  • Increased sales of a particular product or product line without a linked marketing promotion
  • A sudden increase in new customers transacting
  • A surge in a payment feature vs. normal

This is quite an important and also somewhat sensitive subject so I have written a full post on fraud attack detection on what to look for and how to detect spikes.
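The masking problem above can be seen in a small added example (mine, not from the guide): comparing each day’s new-customer share of orders against a known-clean baseline flags the attack days even though total orders only rise by about 15%. The daily counts are constructed, and the 25% deviation threshold and seven-day baseline are assumptions to tune against your own data.

```python
from statistics import mean

# Constructed daily counts (not real data): a baseline week, three quiet days, then four
# attack days that each add roughly 30 orders from new customers.
DAILY_ORDERS        = [200, 210, 195, 205, 198, 202, 207, 199, 204, 201, 232, 238, 229, 235]
NEW_CUSTOMER_ORDERS = [ 40,  42,  38,  41,  39,  40,  43,  40,  41,  40,  70,  76,  68,  74]

def new_customer_share(total, new):
    """Share of each day's orders placed by new customers (a 'payment feature vs. normal')."""
    return [n / t for n, t in zip(new, total)]

def spike_days(values, baseline_days=7, rel_threshold=0.25):
    """Indices of days whose value exceeds the baseline mean by more than rel_threshold.
    The baseline must be a known-clean period, e.g. one with no fraud alerts since."""
    baseline = mean(values[:baseline_days])
    return [i for i, v in enumerate(values)
            if i >= baseline_days and (v - baseline) / baseline > rel_threshold]

def spike_report(total=DAILY_ORDERS, new=NEW_CUSTOMER_ORDERS):
    """Run the same check on raw sales and on the new-customer share side by side."""
    return {
        "total_orders": spike_days(total),                               # nothing flagged
        "new_customer_share": spike_days(new_customer_share(total, new)),  # attack days flagged
    }
```

The same function applies to any per-day feature rate (orders of one product line, share of a particular card issue country, and so on); the key is a baseline you know was clean.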

On site behavioural features

Fraud features are indicators or tells that a customer is untrustworthy or different from your regular customers. In an in-person retail environment this might be evidenced by clothing or in-store behaviour. Online we have to come up with alternatives.

Examples of on-site passive behavioural features could include:

  • Sign-up / account creation date
  • Number of cards attempted
  • Purchase history
  • Order frequency
  • Login / visit history
  • Typing speed
  • Mouse patterns (Click / browsing speed)

Your adversary will not know what is or isn’t normal with respect to any of the above. They can try to act normal but ultimately you as the merchant hold all the data to know what looks normal or not.

Offsite passive fraud checks

For offsite fraud checks there is a wealth of options, from checking IP addresses to identity verification and phone number verification services.

All these checks can happen passively, meaning that the customer is not aware they are happening, nor do they interrupt the checkout flow.

The main thing you need to know is that most, if not all, data protection laws include exceptions for fraud prevention, in particular financial crime. That is to say, you do not usually need your customer’s consent to check their IP and other data if it is for financial crime prevention.

I am not a lawyer, but these guys are and they have covered off the legalities, at least in Europe.

Types of check can include:

  • IP address
  • Email address
  • Phone number
  • eVerification of identity
  • Device fingerprinting

I have a separate members post that gives the full detail of offsite passive checks and vendors.

Pre-checkout risk assessment rules

Based on the customer’s behaviour and any offsite passive checks you have completed, you should have enough data to make a decision on how trustworthy the customer is.

If you have defined a fraud risk management strategy with how to treat that risk you can define some rules on what happens next.

In an in-store scenario, you might ask to see some ID or call the card company if you thought someone looked out of place or overly stressed. Online you can do this and much more.

You can take all of the data from a customer and decide whether the transaction looks risky or not. If it does look risky then you can perform additional checks.

In general, I wouldn’t expect these additional checks to happen on more than a very small percentage of customers. They should also be fully automated so that you do not have to manually intervene too often.

Depending on your fraud tools and eCommerce tool this may or may not be included as an option.

Your payment processor

Once the transaction process has started your processor can help reduce fraud if you provide them with the right information.

Remember that payment processors may not always have your best interests at heart with regards to fraud. They get commission on transaction volume and value and also charge a premium for each chargeback.

As a result they will generally optimise for high authorisation rates rather than low fraud rates.

What you should provide to the processor:

  • Card holder details: Name, address etc
  • Risk details: Number of purchases, payment attempts etc

After sending this data you should get a response that includes, amongst other data, the AVS and 3DS risk data.

AVS check response

This is the most basic type of check and was one of the original security mechanisms.

The checks are:

  • Address
  • Post code
  • Name

Most merchants do not rely on AVS alone as a significant number of transactions fail one or more AVS checks and the majority are not fraudulent.

3DS check response

3DS is an evolving card security standard that helps ensure that a transaction was initiated by the card holder. Version 2.0 and subsequent versions are very effective.

The response should include:

  • 3DS version
  • Transaction challenged (True/False)
  • 3DS result

The challenge with 3DS is adoption, as it requires issuing banks to make technology changes. Not all banks support it and not all customers are familiar with it. As a result it can impact authorisation rates.

Using all of the above your fraud prevention tooling should be set-up to provide some sort of decision on what to do next.

Fraud screening tools & rules engines

This is covered in its own section below as it is quite a large subject and I didn’t feel that I could cover it completely here.

It suffices to say that you should have some form of automated decisioning on transactions as well as a way to manually review the highest risk transactions.

On site active fraud checks

Active checks are ones where the customer must complete an action. If properly set up, these should have minimal impact on the checkout experience.

The most common checks are:

  • Completing a 3DS 2.0 challenge
    • Note this is not supported in every country or by every issuing bank
  • Uploading an ID to ID verification service
  • Completing a phone number verification via SMS

The most extreme check I have come across was a merchant who would mail a code via the postal service and wait for the customer to provide it back to them.

I think this is overkill in all but the highest risk scenarios and even then is open to potential issues. If the adversary has managed to intercept a customer’s card and home address it would seem possible that they could also intercept a code in the mail.

Fraud screening tools & rules engines

Now you have collected quite a lot of data and the customer has submitted their transaction for authorisation.

You have received a positive authorisation response from the acquirer and need to decide whether to capture the funds and risk a chargeback.

Here we will cover:

  • Heuristic fraud scoring
  • Machine learning generated fraud scoring
  • Rules engine
  • Alert management

A lot of the all-in-one fraud tools on the market include some or all of the above along with integrations with one or several external offsite passive check tools as mentioned above.

A good model for a transaction flow is as follows:

  • Score the transaction
    • Use data gathered from behavioural, passive and any active controls to generate a risk score
    • This score can be generated via a machine learning model, a heuristic model or both
  • Use a rules engine to
    • Reject the highest risk transactions
    • Challenge medium risk transactions
      • Where a transaction passes relevant challenges allow it
      • Where there is an exception pass it to screening
    • Accept lowest risk transactions
  • Use screening via agents to review transactions against factors that cannot yet be judged by your machine learning or heuristic scoring

Heuristic fraud scoring

Heuristic fraud scoring is the process of assigning point values to different risk factors in a transaction. The resulting score can then be used in your rules engine to decide a next action.

Generally, in fraud a higher score indicates a higher risk customer or transaction.

These will be based on:

  • On-site behavioural features
  • Off-site passive fraud checks
  • On-site active fraud checks
  • Responses from payment service provider

Examples of features that could increase a score:

  • New customer
  • New card
  • Card attempts
  • Product(s) chosen
  • Value
  • Customer flagged as risky by another merchant

Examples of features that could reduce a score:

  • Existing customer
  • Same card used over 180 days ago
  • Item being delivered to cardholder address

In reality there are hundreds of different features that you can include in these scores. What is relevant will depend on the type of business you are running. I have some more detailed examples in a member post on fraud detection essentials.

Finally, you should have some score bands, calibrated according to how you have set up your scoring, along the lines of:

  • High risk: Transactions that will be cancelled
  • Medium risk: Transactions that may require further action
  • Low risk: Transactions that will automatically be accepted

Machine learning fraud scoring

An ML generated score is one where a statistical algorithm automatically creates a score. It does this after having been trained on millions of transactions, some legitimate, some fraudulent.

This score will be generated by looking at the same data as a heuristic score. The only difference is that, if correctly set up, the ML model will adjust how much a score is increased or reduced based on all of your past transactions.

ML models can also use graph databases to see how transactions, accounts and other factors are linked together.

Pros:

  • They can reduce the heavy lifting of calibrating scores
  • Models can be created to carry out screening tasks that an agent might complete

Cons:

  • It can be time consuming and expensive to create ML models
  • Your business might need sufficient scale to effectively leverage an ML model
  • You need millions of transactions to train them effectively

If you are purchasing a fraud solution whose core focus is ML, check that they have customers selling similar products and in the same regions. It can take a lot of transactions to train an ML model and you don’t want to be the guinea pig.

Rules engine

A rules engine is exactly what it sounds like: a way to set some rules. There are two applications of a rules engine in this context.

You can use the rules engine:

  • Instead of a heuristic and/or ML model
  • In conjunction with a heuristic and/or ML model

An example of a basic rule might be to screen transactions that:

  • Include high risk products
  • Have a medium or higher fraud score
  • Have a basket size over $1,000

Many eCommerce merchants will start out with only a rules engine. For many this is enough to get started. It should be noted that the limitation here is that you might find yourself regularly updating and changing rules reactively in response to fraud issues.

A better approach is to use the rules engine in conjunction with a heuristic and/or ML model.

In that scenario a rules engine flow could work as follows:

  • One or more scores on a transaction are generated
  • Using the score, transaction value and any other factors not included in the scoring set some rules:
    • Low score:
      • Low/Medium/High value – Allow transaction and request capture
      • Very high value or high recent total order value – Consider further checks
    • Medium score:
      • Low value – Allow
      • Medium/High value – Request further (ideally automated) checks and rescore once those checks are complete
    • High score: Cancel the transaction, possibly block or red flag the customer

Ideally your rules engine should be doing as little as possible and the majority of the heavy lifting should be completed via your heuristic and/or ML scoring.
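As an added example (mine, not code from the guide), here is a Python sketch of the heuristic scoring, score bands and rules-engine flow described in the two sections above, fed by the on-site, off-site and processor (AVS/3DS) features the guide lists. The point values, band thresholds, value tiers, product categories and sample transactions are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed placeholder weights, thresholds and product categories; calibrate against your fraud alerts.
HIGH_RISK_PRODUCTS = {"gift_card", "games_console"}

@dataclass
class Transaction:
    value: float
    today: date
    customer_first_order: Optional[date]  # None = brand new customer
    card_first_seen: Optional[date]       # None = card never used with you before
    card_attempts: int                    # cards tried during this checkout
    products: List[str]
    ships_to_cardholder_address: bool
    flagged_by_other_merchant: bool       # negative feedback from an offsite passive check
    avs_mismatches: int                   # failed AVS checks (0-3): address, post code, name
    three_ds_result: str                  # "authenticated", "not_authenticated" or "unavailable"
    recent_order_total: float = 0.0       # value this customer has ordered recently

def heuristic_score(tx: Transaction) -> int:
    """Point-based score: higher means a riskier transaction."""
    score = 0
    # Features that increase the score
    if tx.customer_first_order is None:
        score += 20                              # new customer
    if tx.card_first_seen is None:
        score += 20                              # new card
    score += 15 * max(0, tx.card_attempts - 1)   # every extra card attempted
    if HIGH_RISK_PRODUCTS & set(tx.products):
        score += 15                              # high-risk product(s) chosen
    if tx.value >= 500:
        score += 10                              # high value
    if tx.flagged_by_other_merchant:
        score += 30
    score += 10 * tx.avs_mismatches              # AVS response from the processor
    if tx.three_ds_result == "not_authenticated":
        score += 30                              # 3DS response from the processor
    # Features that reduce the score
    if tx.customer_first_order is not None:
        score -= 10                              # existing customer
    if tx.card_first_seen and (tx.today - tx.card_first_seen).days > 180:
        score -= 20                              # same card used over 180 days ago
    if tx.ships_to_cardholder_address:
        score -= 10
    if tx.three_ds_result == "authenticated":
        score -= 15
    return max(0, score)

def band(score: int) -> str:
    """Score bands (thresholds assumed)."""
    return "high" if score >= 50 else "medium" if score >= 25 else "low"

def value_tier(value: float) -> str:
    if value >= 1000:
        return "very_high"
    return "high" if value >= 300 else "medium" if value >= 100 else "low"

def decide(tx: Transaction) -> str:
    """Rules-engine flow: score band x order value -> next action after authorisation."""
    b, tier = band(heuristic_score(tx)), value_tier(tx.value)
    if b == "high":
        return "cancel_and_flag"                 # void the authorisation, red flag the customer
    if b == "medium":
        return "allow_and_capture" if tier == "low" else "further_checks_then_rescore"
    if tier == "very_high" or tx.recent_order_total >= 2000:
        return "further_checks_then_rescore"     # low score but unusually large exposure
    return "allow_and_capture"

def sample_transactions() -> dict:
    """Constructed transactions (not real data) that exercise each branch."""
    today = date(2021, 6, 1)
    return {
        "trusted":    Transaction(120.0, today, date(2019, 5, 1), date(2020, 1, 10), 1, ["book"], True, False, 0, "authenticated"),
        "new_small":  Transaction(50.0, today, None, None, 1, ["book"], True, False, 0, "unavailable"),
        "new_medium": Transaction(250.0, today, None, None, 1, ["book"], True, False, 0, "unavailable"),
        "attack":     Transaction(800.0, today, None, None, 3, ["gift_card"], False, False, 2, "not_authenticated"),
    }
```

Running `decide` over `sample_transactions()` gives capture for the trusted and small new orders, further automated checks for the medium-value new customer, and cancellation for the multi-card, AVS-failing gift card order.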

Alert management

Your final line of defence before you get to a fraud alert is alert management. This is a system generated queue (or queues) of transactions to be reviewed by a human agent. They look at a transaction and decide whether to capture the payment, request further information or cancel the order.

In a well designed process the agent will be completing tasks not possible via automation, or double checking for false negatives.

An example of a false negative that an agent could catch would be double checking an automated ID check on a higher risk transaction. While these checks are very good, they are not infallible.

Chargeback dispute management

It is possible to dispute a chargeback. A chargeback is a challenge from the issuing bank of the payment card to say that the transaction was by a fraudulent 3rd party.

If you believe that you have sufficient evidence that the transaction was actually by the 1st party it’s possible to challenge the chargeback.

The kinds of data that are useful in this scenario are:

  • Validated government ID that is not falsified
  • An IP address originating from the area where the customer actually lives
  • Other eVerification that would indicate the card holder was aware or involved

There are a number of service providers that provide dispute management as a service. If you are a reasonably large merchant then they would be worth considering.

Offsite monitoring

It seems to be an uncanny feature of humans that we like to brag about our achievements. As a result it can often be possible to find online posts about how to scam and defraud different online businesses.

These posts can usually be found on social networks like Facebook, on forums and on the dark web.

Actions:

  • Search social network groups for your brand name
  • Search forums for your brand name + keywords like scam, fraud or carding

If you have some budget there are some paid services that will cover both publicly accessible as well as members only and dark web forums.

Vendors

A question that is often asked is who is the best fraud vendor? The reality is there is no one size fits all.

It can depend on:

  • Your budget and scale
  • Your existing technology choices
  • Where you want to take your payments function
  • Your business’s risk appetite


Need some help?

Fraud is a vast subject. While this guide is hopefully comprehensive it by no means covers all the intricacies and details.

If you want help with technology selection then I’d be more than happy to have an initial discussion to see how I can help.

For small to medium sized merchants I can help with that directly. If you are a multinational merchant, I am part of the global payments consultancy Allyiz, which has the capability to help deliver significant payments transformation programmes.
