Understanding and Preventing Online Fraud

Learn about common patterns of online fraud and how best to protect your business in this multi-part guide. If you need help after reading this, check out our answers to common questions or chat live with other developers in #stripe on freenode.

When starting an online business, it's important to be aware of fraud—how it typically works, what the common attack vectors are, and what your liability is. Online fraud is fundamentally different from fraud that occurs in a brick-and-mortar business. When accepting payments online, it's harder to be certain that the person you're selling to is who they say they are.

If your customer makes a payment with a credit card that isn't their own, the actual cardholder may dispute the legitimacy of the charge with their bank or card issuer. The bank then performs an investigation to determine whether or not the charge was authorized. In these situations, banks often side with their customers first and make the assumption that the disputed charge is fraudulent, unless it's proven otherwise.

Common types of online fraud

The following methods of online fraud target businesses selling goods and services over the internet, carried out by people who seek to defraud them of merchandise or funds. For businesses selling expensive or sought-after items that are easily re-sold, the target is often the goods themselves. In other cases, the object of the fraud may be to trick a business into paying bogus fees.

Credit card fraud

This type of fraud makes use of stolen credit card details to make a purchase online. The fraudster may be in possession of a physical credit card, but it’s more likely that the cardholder’s details were stolen electronically. The business ships goods or provides service to the fraudster, with the assumption that the charge is legitimate.

If a customer has not yet realized that their card is lost or stolen and notified the bank, charges can still be processed successfully. Even if a charge was approved by the cardholder’s bank, this alone does not mean that it was an authorized payment.

Once the real owner of the credit card discovers the fraudulent use of the card, the charge is disputed. After the dispute is found in favor of the cardholder, the business suffers a loss equal to the amount of the charge, the cost of any goods or services provided, as well as an additional penalty fee levied by the bank.

Overpayment fraud

Overpayment fraud, also known as a payout scam, is a twist on credit card fraud. The fraudster presents themselves as requiring the services of a specialist third-party service in connection with the purchase. The fraudster offers to pay the seller the cost of the goods, the fee for that third-party service, and an additional gratuity for accommodating the extra request. The fraud is that the third-party service doesn’t exist—the fraudster has taken the funds while the seller is left with a dispute.

For example, an online store dealing in antiques may be approached by a fraudster claiming to live overseas. The fraudster requests that the business use their preferred freight forwarding company, who they ask the business to make payment to. The fraudster pays the business for the goods and freight forwarding fee, as well as an additional gratuity.

The business complies, pays the fee to the freight forwarder and then sends the goods. The legitimate cardholder discovers the unauthorized charge and disputes it with their bank. The business is then forced to reimburse in full, along with an additional penalty fee, as well as losing the goods already shipped. Be vigilant: any request to pay an unknown and unverified third party may be associated with this type of fraud.

Refund fraud

In this form of fraud, the fraudster deliberately makes an overpayment, then contacts the business to report that they accidentally entered the wrong amount. The fraudster requests a partial refund to rectify this, but claims they closed their credit card and the business needs to send them funds using an alternative method (such as a wire transfer).

An example would be a fraudster who donates $550 to a charity, only to contact them shortly after to say that it should have been a $50 donation. The fraudster asks for the return of $500 using a method outside of the card networks, which means the original charge on the credit card is not refunded. When the legitimate cardholder disputes the fraudulent charge, the charity is left responsible for the full amount, and also suffers the loss of any amount that may have been sent using an alternative method. To be on the safe side, only refund charges to the original payment method used.

Merchant fraud

If you run a marketplace business where your users are responsible for providing service to your customers, merchant fraud is a consideration. A fraudulent merchant absconds with any payments before providing the services or goods to customers.

For example, an auction marketplace that connects remote buyers and sellers runs the risk of a seller taking payment from the buyer and not sending the goods. In such cases, the liability for reimbursing the legitimate cardholder would likely fall on the marketplace operator.

Card testing

Card testing is the practice of testing a credit card on one site to see if it’s still valid before using it on another site to commit fraud. Sites with free-text amount fields, such as donation sites and “pay what you like” e-commerce businesses, are predominantly the targets of card testing. Implementing CAPTCHA or rate-limiting charges can help combat card testing.
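As an added illustration of the rate-limiting mitigation (example code, not part of the original guide or any Stripe library), the guard below throttles charge attempts per client IP within a sliding window, and additionally flags an IP that cycles through many distinct cards, the signature of card testing. The window and thresholds are assumptions, and the attempt log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of charge attempts, as a merchant might log them:
# (ISO timestamp, client IP, card fingerprint). Not real data.
SAMPLE_ATTEMPTS = [
    ("2024-01-10T12:00:01", "203.0.113.7", "fp_a"),
    ("2024-01-10T12:00:03", "203.0.113.7", "fp_b"),
    ("2024-01-10T12:00:05", "203.0.113.7", "fp_c"),
    ("2024-01-10T12:00:07", "203.0.113.7", "fp_d"),
    ("2024-01-10T12:00:09", "203.0.113.7", "fp_e"),
    ("2024-01-10T12:01:00", "198.51.100.9", "fp_z"),  # ordinary customer
    ("2024-01-10T12:01:30", "198.51.100.9", "fp_z"),  # retries the same card
    ("2024-01-10T12:10:00", "203.0.113.7", "fp_f"),   # after the window expired
]


class CardTestingGuard:
    """Sliding-window rate limiter keyed on client IP.

    An attempt is throttled when, within the window, the IP has already made
    max_attempts charge attempts or has already tried max_cards distinct cards.
    Thresholds are assumptions; tune them to your own traffic.
    """

    def __init__(self, window=timedelta(minutes=5), max_attempts=5, max_cards=3):
        self.window = window
        self.max_attempts = max_attempts
        self.max_cards = max_cards
        self.history = defaultdict(deque)  # ip -> deque of (timestamp, fingerprint)

    def check(self, ts, ip, fingerprint):
        """Record the attempt and return 'allow' or 'throttle'."""
        q = self.history[ip]
        while q and ts - q[0][0] > self.window:  # drop attempts outside the window
            q.popleft()
        distinct = {fp for _, fp in q}
        throttled = len(q) >= self.max_attempts or len(distinct) >= self.max_cards
        q.append((ts, fingerprint))  # throttled attempts still count against the IP
        return "throttle" if throttled else "allow"


def evaluate(attempts, guard=None):
    """Run attempts through the guard in timestamp order; return the decisions."""
    guard = guard or CardTestingGuard()
    ordered = sorted(attempts, key=lambda a: a[0])
    return [guard.check(datetime.fromisoformat(ts), ip, fp) for ts, ip, fp in ordered]


if __name__ == "__main__":
    for attempt, decision in zip(sorted(SAMPLE_ATTEMPTS), evaluate(SAMPLE_ATTEMPTS)):
        print(decision, *attempt)
```

The fourth and fifth attempts from 203.0.113.7 are throttled because three distinct cards were already tried from that IP, while the ordinary customer's retry with the same card is allowed.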

Friendly fraud

Friendly fraud occurs when a legitimate cardholder makes a purchase, but then disputes the transaction at a later date. This often happens accidentally (because they didn’t recognize the transaction on their statement) or fraudulently (due to buyer’s remorse or as an attempt to obtain merchandise without paying). It can be difficult to know whether friendly fraud has occurred, especially in digital sales. For those who sell physical merchandise, shipping to a verified billing address and requiring a signature on delivery can help combat the fraudulent aspects of friendly fraud, as can extremely clear return policies, prominently displayed at checkout, to which the customer must agree before making a purchase.
