FCF June 2014 - 03 fraud facts 22 b ecommerce risks to online retailers


FRAUD FACTS  Issue 22  April 2014  INFORMATION FOR ORGANISATIONS

E-commerce risks to online retailers

With more businesses trading online, new scams have emerged as fraudsters target both e-commerce start-ups and more established businesses. This factsheet highlights some of the most common scams targeting online retailers and provides advice on how to stay protected.

Introduction

Trading online is now a way of life for most retailers. It enables business to be transacted on demand 24/7 and reaches a worldwide pool of customers.

It also creates a number of security issues for you and your customers. Being aware of these risks and taking appropriate steps to reduce them is crucial to your business's long-term success.

One major risk to online retailers of all sizes and types is fraud. This factsheet highlights some of the most common online frauds that affect retailers and provides advice on how to stay protected.

Card not present (CNP) fraud

Card not present (CNP) fraud is a significant risk for online retailers (including those selling on eBay), and especially for small businesses.[1]

It occurs when a stolen or fraudulent credit or debit card is used to buy goods and services from a business over the internet.

Losses can seriously impact revenue, as dispatched goods, chargebacks (refunds) and postage fees may be irrecoverable.

When an online transaction is processed, authorisation is sought from the card issuer. The issuer checks that the card has not been reported lost, stolen or compromised and that there are sufficient funds available in the account. It does not check that the customer is the genuine cardholder. This means that if a transaction is later found to be fraudulent the retailer is often liable for the full amount of the transaction (called a 'chargeback'). The time limit for chargebacks can vary, but it can be up to six months.

There are a number of tools available that can be used to protect against CNP fraud. Financial Fraud Action UK[2] recommends the following.

• Address Verification Service (AVS): this service compares the numeric parts of the address and postcode entered at checkout with the billing address held by the card issuer. When the payment is processed it will return a successful match, partial match or failed result. Note that AVS says nothing about the delivery address, which fraudsters often set to somewhere other than the billing address.

• Card Security Code (CSC): this is the three-digit security code on the back of Visa, MasterCard and Maestro cards, and the four-digit code on the front of American Express cards. Most Payment Service Providers (PSPs) require entry of the CSC in order to protect against fraud. The CSC must never be stored after authorisation.

• 3D Secure (MasterCard SecureCode, Verified by Visa and American Express SafeKey): this protects participating retailers against certain chargebacks (including those arising from fraudulent transactions) on credit and some debit card transactions by passing liability to the card issuer. It is important to check which transactions are covered, as some card types are outside the scope of protection (eg, corporate cards).

• Industry Hot Card File (IHCF): this is an electronic file of payment cards that have been reported lost, stolen or compromised. Talk to your card acquirer or PSP for more information. Other alerts (such as TC40 and SAFE notifications) may also be available.

Other fraud prevention measures are also available. These include (but are not limited to) the following.

• Fraud prevention databases: maintain an in-house database of prior fraud attempts and chargebacks. Alternatively you can subscribe to a third-party fraud prevention database. Use this information to help process (approve, reject or review) transactions (see next bullet).

• Transaction monitoring and analysis: use these techniques to stop or flag unusual and/or risky transactions, such as high-value and/or repeat transactions taking place outside normal business hours by new customers; suspect orders from existing customers that are not consistent with their normal purchasing history; or orders originating from specific countries, IP addresses and/or card Issuer Identification Numbers (IINs), the first six digits of a card number (eight under the revised ISO/IEC 7812 standard).

• Insurance: insure high-value goods before delivering them to protect against fraud and loss.

• Monitor deliveries: do not deliver goods until payment has been received. Use a service that allows you to track the order and obtain proof of delivery. Keep a record, as this can be useful if a chargeback is received. Fraudsters often request delivery of physical goods to an address that differs from the cardholder's billing address. Always do what you can to verify a delivery address before sending goods.

• Common sense: if you have any doubt about a transaction, perform additional checks (such as calling the customer to confirm the order) or do not accept it.

If selling on eBay, look into PayPal seller protection, which can provide extra safeguards against potential losses due to buyer claims, chargebacks or reversals. Online auction 'help' pages also provide many tips and hints on selling safely to avoid common buyer scams. For example, do not process payments outside the auction scheme rules, such as by bank wire or money transfer.

It is always advisable to contact your card acquirer or PSP for additional help and advice on preventing CNP fraud.

[1] Federation of Small Businesses (2013). 'Cyber security and fraud: the impact on small businesses'.

[2] Financial Fraud Action UK coordinates fraud prevention activity by the financial services industry in the UK and works in partnership with The UK Cards Association.

High-risk countries

Small online retailers should consider whether or not to accept international orders. It is always more difficult to retrieve goods once they have left the country. Your card acquirer or PSP should be able to give you a list of high-risk countries and provide advice about how to block such orders via your merchant administrative interface. Here are some questions to ask when processing an international order.

• Does the consumer's Internet Protocol (IP) country of origin differ from the postcode provided?
• Is the country high risk?
• Does the billing address vary considerably from the delivery address?
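The transaction-monitoring signals listed in the CNP section (AVS and CSC results, blocked IINs and countries, IP country against billing country, billing against delivery address, high-value out-of-hours orders from new customers, orders inconsistent with a customer's history, repeat orders on one card) can be combined into a single screening routine that approves, rejects or queues an order for review. The following is an added example and is not code from the factsheet, from Financial Fraud Action UK or from any PSP; the point values, thresholds, the placeholder country code "ZZ", the placeholder IIN "999999" and the sample orders are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical policy values; agree real ones with your acquirer/PSP.
HIGH_VALUE_GBP = 500.0
BUSINESS_HOURS = (8, 20)               # 08:00-20:00 merchant-local time is "normal"
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX = 3                       # this many earlier orders on one card is a hit
HIGH_RISK_COUNTRIES = {"ZZ"}           # placeholder code; use your acquirer's list
BLOCKED_IINS = {"999999"}              # placeholder IIN recorded after a chargeback
REVIEW_AT, REJECT_AT = 40, 70          # score thresholds

@dataclass
class Order:
    order_id: str
    placed_at: datetime                # merchant-local time
    amount_gbp: float
    pan: str                           # card number as entered; never write to logs
    ip_country: str                    # geolocated from the customer's IP address
    billing_country: str               # from the billing address/postcode
    delivery_country: str
    avs: str                           # PSP result: "match", "partial" or "fail"
    csc: str                           # PSP result: "match" or "fail"
    customer_id: str
    prior_orders: int                  # accepted orders previously placed by customer
    customer_avg_gbp: float            # their average order value (0.0 if new)

def iin(pan: str) -> str:
    """Issuer Identification Number: the leading six digits of the card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6]

def card_key(pan: str) -> str:
    """Velocity key. In production use the PSP's card token, not the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]

def score_order(order: Order, earlier_on_card: List[datetime]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) given timestamps of earlier orders on the same card."""
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if order.csc == "fail":
        hit(50, "CSC mismatch")
    if order.avs == "fail":
        hit(30, "AVS failed")
    elif order.avs == "partial":
        hit(10, "AVS partial match")
    if iin(order.pan) in BLOCKED_IINS:
        hit(60, "IIN on internal block list")
    if order.delivery_country in HIGH_RISK_COUNTRIES:
        hit(40, "delivery to high-risk country")
    if order.ip_country != order.billing_country:
        hit(20, "IP country differs from billing country")
    if order.billing_country != order.delivery_country:
        hit(15, "billing and delivery countries differ")
    out_of_hours = not (BUSINESS_HOURS[0] <= order.placed_at.hour < BUSINESS_HOURS[1])
    if order.prior_orders == 0 and order.amount_gbp >= HIGH_VALUE_GBP:
        hit(30 if out_of_hours else 15,
            "high-value order from new customer" + (" out of hours" if out_of_hours else ""))
    elif order.customer_avg_gbp > 0 and order.amount_gbp > 3 * order.customer_avg_gbp:
        hit(20, "order value inconsistent with purchase history")
    recent = sum(1 for t in earlier_on_card if t >= order.placed_at - VELOCITY_WINDOW)
    if recent >= VELOCITY_MAX:
        hit(40, f"{recent} earlier orders on this card within 24h")
    return score, reasons

def decide(score: int) -> str:
    return "reject" if score >= REJECT_AT else "review" if score >= REVIEW_AT else "approve"

def screen(orders: List[Order]) -> Dict[str, Tuple[str, int, List[str]]]:
    """Screen orders in time order, keeping per-card history for the velocity rule."""
    history: Dict[str, List[datetime]] = defaultdict(list)
    results: Dict[str, Tuple[str, int, List[str]]] = {}
    for o in sorted(orders, key=lambda x: x.placed_at):
        score, reasons = score_order(o, history[card_key(o.pan)])
        history[card_key(o.pan)].append(o.placed_at)
        results[o.order_id] = (decide(score), score, reasons)
    return results

# Constructed sample orders using test card numbers, not real transactions.
SAMPLE_ORDERS = [
    Order("A1", datetime(2014, 4, 10, 14, 5), 45.00, "4111111111111111",
          "GB", "GB", "GB", "match", "match", "c100", 12, 40.0),
    Order("B2", datetime(2014, 4, 10, 2, 30), 1200.00, "5555555555554444",
          "US", "GB", "GB", "partial", "match", "c200", 0, 0.0),
    Order("C3", datetime(2014, 4, 10, 11, 0), 899.00, "9999990000000001",
          "GB", "GB", "ZZ", "match", "fail", "c300", 0, 0.0),
] + [
    Order(f"D{i}", datetime(2014, 4, 10, 9 + i, 0), 80.00, "4012888888881881",
          "GB", "GB", "GB", "match", "match", "c400", 5, 70.0)
    for i in range(4)
]

if __name__ == "__main__":
    for oid, (decision, score, reasons) in screen(SAMPLE_ORDERS).items():
        print(f"{oid}: {decision} ({score}) {'; '.join(reasons)}")
```

Run as-is it approves A1, queues B2 for review (partial AVS, IP country differs from billing, high-value out-of-hours order from a new customer), rejects C3 (CSC failure, blocked IIN, high-risk delivery country) and flags the fourth order on the D card within 24 hours. The "review" band is the important one: it is where the common-sense step of calling the customer goes, rather than silently declining good customers or silently accepting fraud.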


Other common online frauds

Retailers can be exposed to other forms of online fraud, including (but not limited to) the following.

• Customer dispute fraud: a customer who has paid by credit or debit card claims that the goods have not arrived (despite the retailer posting the order to a verified address), and submits a chargeback request to their bank. Avoid these disputes by always keeping a record of orders placed, payments made and delivery receipts. Contact your card acquirer or PSP for further help on the chargeback resolution process.

• Online corporate identity theft: a fraudster steals your business's identity to gain instant recognition online by using the same (or a similar) name and brand, company registration number and/or website domain name. The fraudster may also offer payment options and promotions in order to take orders that will never be fulfilled. Prevent this by periodically searching for your business name and registered company number online to see if your organisation's identity has been compromised. See our separate factsheet on Corporate Identity Fraud for more information.

• Account takeover: an employee responds to a spoof email and unwittingly discloses user credentials that are then used by a hacker to hijack your company's online account(s) for services such as online banks, e-wallets or auctions. With two-factor authentication enabled on these accounts, a phished password alone is not enough to log in.

• Internal (employee) fraud: an employee refunds (credits) a family member's credit or debit card rather than the cards that belong to the genuine customers, or changes settlement bank account details and redirects profit to an unauthorised account. Refunds should only ever go back to the card used for the original purchase, and any change to settlement details should require a second person's approval.

Reporting fraud

• For CNP fraud contact your card acquirer or PSP and follow their advice.
• If you think your business has been the victim of an online scam or fraud, report it to Action Fraud, the national fraud and internet crime reporting centre.

Protecting your business

DO:

✓ Select a trusted and reputable PSP. Make sure you fully understand your contract and the services offered to help protect against chargebacks and scams.

✓ Follow the merchant (retailer) rules and procedures recommended by your card acquirer or PSP.

✓ Have information security and anti-fraud policies in place and review them regularly.

✓ Keep firewalls and security software (such as anti-virus, anti-phishing and anti-spyware) up to date.

✓ Conduct penetration testing on your website to see how secure it is. Make sure any issues are fixed promptly and retested.

✓ Ensure your payment processes are secure and meet PCI DSS requirements. Letting your PSP capture card details (a hosted payment page or iframe) keeps card data off your own systems and reduces the scope of what you have to secure.

✓ Make sure that your business follows the principles of the Data Protection Act and best practice. Visit the Information Commissioner's Office website for more information.

✓ Consider introducing additional security measures such as those recommended by Financial Fraud Action UK.

✓ Conduct enhanced checks on high-risk/value orders and new customers. Consider following up with a welcome email or letter containing a verification code that can be entered online to verify a delivery address, especially for high-value, mail or telephone orders.

✓ Verify customers using registered details and by cross-checking these with public telephone or postal directories and/or credit reference agencies.

✓ Keep lists of good and bad customers and suppliers (eg, customers who submit multiple chargeback requests or suppliers who do not deliver on time) and cross-check these against new orders.

✓ Always keep records of sales and delivery receipts. These can provide valuable proof in chargeback disputes.

✓ Make fraud prevention part of your overall training strategy, starting with your induction programme. Provide staff with regular updates on an ongoing basis.

DO NOT:

✗ Assume your PSP will manage fraud on your behalf. Tools are provided and they should be used to prevent fraud and manage chargebacks.

✗ Ignore 'red flags'. Ensure that any risks specific to the business are adequately addressed.

✗ Accept payment for goods by cheque or bank/money transfer when dealing with customers you do not know or trust. Always use payment methods that give you adequate refund protection.

✗ Introduce overly generic training. It may be necessary to tailor training for different roles within your business.

Further information

Federation of Small Businesses
www.fsb.org.uk

Financial Conduct Authority
www.fca.org.uk

Financial Fraud Action UK
www.financialfraudaction.org.uk

Fraud Advisory Panel
www.fraudadvisorypanel.org

Get Safe Online
www.getsafeonline.org

Information Commissioner's Office
www.ico.org.uk

PCI Security Standards Council
www.pcisecuritystandards.org

Fraud Advisory Panel, Chartered Accountants' Hall, Moorgate Place, London EC2R 6EA. Tel: 020 7920 8721, Fax: 020 7920 8545, Email: [email protected]
Limited by guarantee. Registered in England and Wales No. 04327390. Registered Charity No. 1108863.


© Fraud Advisory Panel 2014

All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get the Fraud Advisory Panel's permission in writing. The Fraud Advisory Panel and the contributors will not be liable for any reliance you place on the information in this Fraud Facts. You should seek independent advice.

Choosing a Payment Service Provider (PSP)

When choosing a PSP it is important to check that it is reputable, regulated and secure. Here are some of the questions that you need to ask.

• Is web-based administrative access protected securely with a strong password and two-factor authentication (2FA)? Ask for a key fob or other second factor and extra protection when you log in.
• Is Internet Protocol (IP) lockdown available, so that only the IP address associated with your computer is accepted upon login?
• Can you remove your staff's web-based access if there is an urgent need?
• Can you easily report on all refunds/credits, and any suspect or unusual amounts processed in a short time period?
• Is the PSP regulated by the UK Financial Conduct Authority and validated as a PCI DSS Level 1 service provider (the card schemes publish registries of compliant service providers)?

Note: only PSPs responsible for acquiring customer funds are regulated. All PSPs processing card information must be PCI DSS compliant.

Service providers offering CNP payment processing will give online retailers access to an administrative web-based portal. This portal is used to configure your web-based payment gateway, set up security features, initiate message authentication and process settlements/refunds. These sensitive actions must be safeguarded, monitored constantly and audited regularly to prevent account takeover and internal (employee) fraud.
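The portal audit described above, and the internal (employee) fraud patterns in the "Other common online frauds" section (refunds credited to a card other than the one used for the sale, settlement account changes), can be checked mechanically against an activity export from the portal. The following is an added example and not the factsheet's, any PSP's, or Frisk Online's code: the log format, the transaction records, the admin IP allow-list and the user names are all constructed for illustration, and the burst threshold is a hypothetical policy value.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

REFUND_BURST_COUNT = 3                         # this many refunds by one user ...
REFUND_BURST_WINDOW = timedelta(minutes=15)    # ... inside this window is a finding

# Constructed sale records as the merchant's own system would hold them:
# transaction id -> (PSP card token used in the sale, amount in GBP).
TRANSACTIONS: Dict[str, Tuple[str, float]] = {
    "T1001": ("tok_7f3a", 49.99),
    "T1002": ("tok_c21d", 120.00),
    "T1003": ("tok_9b0e", 300.00),
}
# Constructed allow-list for portal logins (the "IP lockdown" question above).
ALLOWED_IPS: Set[str] = {"198.51.100.10"}

# Constructed portal activity export, one event per line, hypothetical format.
LOG = [
    "2014-04-10T09:12:03Z user=alice action=refund txn=T1001 card=tok_7f3a amount=49.99",
    "2014-04-10T09:15:40Z user=bob action=refund txn=T1002 card=tok_5e55 amount=120.00",
    "2014-04-10T09:16:10Z user=bob action=refund txn=T1003 card=tok_9b0e amount=300.00",
    "2014-04-10T09:17:55Z user=bob action=refund txn=T1003 card=tok_9b0e amount=150.00",
    "2014-04-10T23:41:02Z user=carol action=settlement_change account=12345678 sortcode=40-00-01",
    "2014-04-11T08:01:00Z user=dave action=login ip=203.0.113.9",
    "2014-04-11T08:02:00Z user=alice action=login ip=198.51.100.10",
]

Finding = Tuple[int, str, str]   # (1-based line number, rule name, detail)

def parse_line(line: str) -> Dict[str, str]:
    """Parse '<ISO timestamp> key=value ...' into a dict; 'ts' holds the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def audit(lines: List[str], transactions: Dict[str, Tuple[str, float]],
          allowed_ips: Set[str]) -> List[Finding]:
    """Run the refund, settlement and login checks over an activity export."""
    findings: List[Finding] = []
    refunded: Dict[str, float] = defaultdict(float)              # txn -> total refunded
    refund_times: Dict[str, List[datetime]] = defaultdict(list)  # user -> refund times

    for n, line in enumerate(lines, start=1):
        e = parse_line(line)
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        action = e.get("action")

        if action == "refund":
            txn, amount = e["txn"], float(e["amount"])
            sale = transactions.get(txn)
            if sale is None:
                findings.append((n, "refund_unknown_txn", f"{txn} not found in sales"))
            else:
                orig_card, orig_amount = sale
                # A refund must go back to the card that paid; anything else is a red flag.
                if e["card"] != orig_card:
                    findings.append((n, "refund_card_mismatch",
                                     f"{txn}: refund to {e['card']}, sale was on {orig_card}"))
                refunded[txn] += amount
                if refunded[txn] > orig_amount + 0.005:
                    findings.append((n, "over_refund",
                                     f"{txn}: {refunded[txn]:.2f} refunded against sale of {orig_amount:.2f}"))
            times = refund_times[e["user"]]
            times.append(ts)
            burst = [t for t in times if t > ts - REFUND_BURST_WINDOW]
            if len(burst) >= REFUND_BURST_COUNT:
                findings.append((n, "refund_burst",
                                 f"{e['user']}: {len(burst)} refunds within {REFUND_BURST_WINDOW}"))

        elif action == "settlement_change":
            # Always a finding: a change to where funds settle needs out-of-band confirmation.
            findings.append((n, "settlement_change",
                             f"{e['user']} changed settlement account to {e.get('account')}"))

        elif action == "login" and e.get("ip") not in allowed_ips:
            findings.append((n, "login_ip_not_allowed", f"{e['user']} from {e.get('ip')}"))

    return findings

if __name__ == "__main__":
    for n, rule, detail in audit(LOG, TRANSACTIONS, ALLOWED_IPS):
        print(f"line {n}: {rule}: {detail}")
```

On the constructed export this reports the refund to a card token that never paid (line 2), the second refund that takes T1003 past its sale value together with the burst of three refunds by one user in under fifteen minutes (line 4), the settlement change (line 5) and the login from outside the allow-list (line 6). The same checks work against whatever refund and settlement report your own PSP's portal can produce; what matters is that someone other than the person processing the refunds reads the output.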

The Fraud Advisory Panel gratefully acknowledges the contribution of Seona Devaney (Frisk Online) in the preparation of this Fraud Facts. Special thanks also to Financial Fraud Action UK for the provision of information.
