Fraud prevention
About this article
In recent years, there has been a noticeable rise in fraudulent activities, especially in the world of online shopping. This increase has been fueled by the growing amount of money spent online and the sophisticated tools that fraudsters now have at their disposal. One common form of fraud is card testing, where criminals check the validity of stolen credit card information through small purchases.
While it's challenging to eliminate this type of criminal behaviour, there are effective strategies that your business can implement to minimise the risk and impact of fraudulent attacks:
- Enhance your website’s security measures to reduce the likelihood of fraudulent attempts:
  - Enable bot prevention tools (e.g. Cloudflare Bot Management).
  - Use fraud detection services such as reCAPTCHA in markets that are more exposed to fraud attacks.
- Prevent fraudulent attempts from being approved by the Payment Service Provider (PSP):
  - If you use Adyen as your PSP, it's crucial to configure your risk settings in the Adyen Merchant Dashboard to activate their fraud prevention engine.
  - Configure risk settings in your PSP's dashboard:
    - Separate the authorisation and capture steps (turn off direct capture in Centra and auto-capture on the PSP) so that fraudulent orders can be detected and voided before refund costs are incurred.
  - Ensure that the real shopper IP address is forwarded to the PSP in the POST /payment call so that it can be used for fraud assessment.
  - Whitelist Adyen’s client key so that only traffic from the frontend production origin is allowed.
- In case of a fraudulent attack or fraudulent attempts:
  - As an immediate action (e.g. if the risk rules are not enabled on the PSP side) you can:
    - Disable payment methods (e.g. if you have multiple PSPs in place for a certain market and one is being targeted, you can turn that payment method off).
    - Disable shipping options that are being targeted by fraudulent attempts. See “Risk and cost analysis” for more information.
  - Review and cancel orders that have passed through the fraud checks, issuing refunds as necessary.
From a Centra perspective, there is an opportunity to enhance security by incorporating a fraud prevention solution. This added layer of fraud screening occurs after authorization from the Payment Service Provider (PSP). Detailed documentation on how to implement this can be found [here](https://centra.dev/docs/checkout/checkout/fraud-prevention). Additionally, we are exploring potential pre-authorization measures from Centra's standpoint. If you are collaborating with an agency, please consult your agency partner for guidance, especially regarding point 3 related to your website. We are available to assist you with any inquiries you may have regarding the information provided.
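Forwarding the shopper IP to the PSP only helps the fraud assessment if the address you forward is really the shopper's. When your frontend server or backend makes the POST /payment call on the shopper's behalf, the peer address it sees is its own load balancer, and the X-Forwarded-For header can be set by the client unless you trust only the hops you operate. The following Python is an added example, not Centra's or any PSP's code: the trusted proxy ranges are constructed, and the returned value belongs in whichever POST /payment parameter Centra documents for the shopper IP.

```python
"""Derive the real shopper IP to pass on to the PSP.

Added example, not Centra's or a PSP's code. The trust model: X-Forwarded-For
is client-supplied text, so only the entries appended by proxies that we
operate can be believed. We walk the chain from the right (nearest hop first),
skip our own proxies, and take the first address we did not add ourselves.
"""
import ipaddress

# Constructed example: CIDR ranges of the load balancers / reverse proxies you run.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")
]


def _is_trusted(ip):
    """True if ip parses and falls inside one of our own proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def shopper_ip(remote_addr, forwarded_for=None):
    """Return the client IP as seen by the first proxy we trust.

    remote_addr:   peer address of the TCP connection to this server.
    forwarded_for: raw X-Forwarded-For header value, or None.
    """
    # If the connection did not arrive via our proxy, the header is worthless:
    # whoever connected directly could have written anything into it.
    if not _is_trusted(remote_addr):
        return remote_addr

    chain = [p.strip() for p in (forwarded_for or "").split(",") if p.strip()]
    for hop in reversed(chain):
        if _is_trusted(hop):
            continue  # one of ours; keep walking towards the client
        try:
            # First address not added by us: the shopper, or the nearest
            # proxy we do not control. Never go further left than this,
            # since everything left of it is unverifiable.
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed entry: fall back, do not guess
    return remote_addr  # chain contained only our own proxies
```

Use `shopper_ip(request.remote_addr, request.headers.get("X-Forwarded-For"))` in the handler that assembles the POST /payment body. The leftmost entry is deliberately not used: it is the one a client can forge, and a PSP risk engine fed a forged address would be screening the wrong shopper.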
Learn more about fraud
Fraud is a deliberate act of deception intended for personal gain or to damage another individual or entity. It typically involves manipulating information or facts to deceive others and secure unlawful benefits.
Types of Fraud in E-commerce
In e-commerce, various types of fraud exist, including:
- Card testing: Using illegally obtained partial or full credit card information to test card validity through purchases.
- Identity fraud: Creating fake accounts or stealing an individual's information in order to obtain sensitive data or make fake purchases.
- Refund abuse: Returning damaged or even stolen goods in exchange for a refund.
- Interception fraud: Completing a purchase using stolen credit card information and the correct shipping and billing addresses, then intercepting the delivery.
- Triangulation fraud: Operating a fake store, often impersonating a legitimate one, to swindle legitimate end consumers.
Warning signs - Am I under attack?
Warning signs of potential attacks include:
- Increased sales of a certain product with or without running a campaign
- Increase of registered customers in a particular geographical region
- Increase of payment attempts in a particular geographical region
- Increased authorisation declines with a response code indicating potential fraud
A fraudulent order may exhibit characteristics such as:
- Autogenerated values in the address fields
- Repeated patterns in email addresses (e.g. firstName + lastName + 2 random digits @ domain.com)
- Inconsistent address details (country/city/street/zip code do not match)
- Valid and consistent address details but unusual spikes in product purchases or shipping addresses in specific regions
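The warning signs and order characteristics listed above can be turned into a screening pass over recent orders, surfacing candidates for manual review and giving a per-region decline rate to watch. The following Python is an added example, not Centra's or a PSP's code: the sample orders, the decline code string, the postcode formats and the thresholds are all constructed for illustration, and the checks are heuristics, so flagged orders should be reviewed rather than cancelled automatically.

```python
"""Screen orders for the fraud indicators described above.

Added example, not Centra's or a PSP's code. All data below is constructed.
"""
import re

# Constructed sample orders. "decline_code" values are made up; real PSP
# response codes differ per provider, so adapt the match in regional_decline_rate.
ORDERS = [
    {"id": 1, "email": "anna.svensson@example.com", "country": "SE",
     "street": "Drottninggatan 5", "zip": "11122", "region": "SE",
     "decline_code": None},
    {"id": 2, "email": "johnsmith42@example.net", "country": "SE",
     "street": "xkqzv plmrtw", "zip": "11122", "region": "SE",
     "decline_code": "SUSPECTED_FRAUD"},
    {"id": 3, "email": "marylee87@example.net", "country": "SE",
     "street": "Storgatan 12", "zip": "SW1A 1AA", "region": "SE",
     "decline_code": "SUSPECTED_FRAUD"},
    {"id": 4, "email": "tomhall19@example.net", "country": "SE",
     "street": "qwrtp sdfgh", "zip": "11122", "region": "SE",
     "decline_code": "SUSPECTED_FRAUD"},
    {"id": 5, "email": "erik.lund@example.org", "country": "NO",
     "street": "Karl Johans gate 2", "zip": "0154", "region": "NO",
     "decline_code": None},
]

# Heuristic for "firstName + lastName + 2 random digits @ domain": a purely
# alphabetic local part that ends in exactly two digits.
EMAIL_PATTERN = re.compile(r"^[a-z]+\d{2}@", re.IGNORECASE)

# Constructed postcode formats for a few countries; extend for your markets.
ZIP_FORMATS = {
    "SE": re.compile(r"^\d{3} ?\d{2}$"),
    "NO": re.compile(r"^\d{4}$"),
    "DE": re.compile(r"^\d{5}$"),
    "GB": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
}


def looks_autogenerated(text):
    """Flag letter runs with almost no vowels, typical of keyboard-mashed addresses."""
    letters = [c for c in text.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouyåäöø" for c in letters)
    return vowels / len(letters) < 0.15


def order_flags(order):
    """Return the list of indicators an order matches (empty list = nothing found)."""
    flags = []
    if EMAIL_PATTERN.match(order["email"]):
        flags.append("email_pattern")
    if looks_autogenerated(order["street"]):
        flags.append("autogenerated_address")
    fmt = ZIP_FORMATS.get(order["country"])
    if fmt and not fmt.match(order["zip"].upper()):
        flags.append("zip_country_mismatch")
    return flags


def suspicious_orders(orders, min_flags=1):
    """IDs of orders matching at least min_flags indicators, for manual review."""
    return sorted(o["id"] for o in orders if len(order_flags(o)) >= min_flags)


def regional_decline_rate(orders, region):
    """Share of payment attempts in a region declined with a fraud-related code.

    Compare against the region's normal rate; a sudden jump is the
    'increased authorisation declines' warning sign from the list above.
    """
    attempts = [o for o in orders if o["region"] == region]
    if not attempts:
        return 0.0
    fraud_declines = sum(
        1 for o in attempts if o["decline_code"] and "FRAUD" in o["decline_code"]
    )
    return fraud_declines / len(attempts)


if __name__ == "__main__":
    for order in ORDERS:
        print(order["id"], order_flags(order))
    print("SE fraud-decline rate:", regional_decline_rate(ORDERS, "SE"))
```

Run this over a rolling window of recent orders per market; a cluster of flagged orders plus a rising decline rate in one region is the combination that the warning signs above describe, and is the moment to tighten PSP risk rules or disable the targeted payment or shipping method.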
Risk and cost analysis
In the context of risk and cost analysis in payment processing, it is crucial to consider the fees applied by each party involved in the transaction chain. Stopping fraudulent payment attempts early in the process reduces the number of parties involved and minimises the cumulative fees. For example:
- If a fraud attempt is stopped at the FrontEnd and not forwarded to the PSP, no fees are applied.
- If the PSP stops a payment attempt before sending an authorisation request to the card network, fraud/processing fees may apply (note: fees vary among PSPs).
- Allowing a payment attempt to proceed to the card network without being stopped by the PSP can result in additional fees.
- Excessive chargebacks initiated by customers can lead to financial losses, increased fees from payment processors, and potential restrictions on accepting certain payment methods. Therefore, preventing fraudulent transactions is essential.
When considering disabling payment or shipping methods, it is important to weigh the potential costs of such action. For example:
- Is it more cost-effective to temporarily suspend orders in a specific market than to pay the processing fees incurred by stopping fraudulent attempts?
- Are alternative payment options available in that market (e.g. PayPal)? If so, disabling card payments instead of shipping may be a viable option.
By carefully evaluating these factors, businesses can make informed decisions to mitigate risks and manage costs associated with fraudulent transactions. If you have any further questions or need clarification, contact our support team or your appointed CSM.