How do I protect against online fraud?
Fraud losses cost the financial and retail industries over $250 billion annually, and cyber-crimes get more sophisticated every year. Online merchants are typically more vulnerable than in-person merchants because there are many more opportunities for fraudsters to attack an organization via digital means. If you are an online merchant, we recommend being very vigilant about fraud.
Common Fraud Trends
- Malware: Malware, short for malicious software, gains access to and damages a victim’s computer without the victim’s knowledge. Most malware attacks today are designed for financial gain. The malware escapes detection while collecting and transmitting sensitive data such as the user’s bank account information, passwords and credit card details. To protect against malware, always keep your virus protection up to date, because vulnerabilities are usually found in older or out-of-date virus definitions. Never store unsecured credit card details on your computer.
- Card Testing: This involves software that automates the testing of stolen credit card numbers using an eCommerce website. When an organization is targeted, its website is used to run hundreds or thousands of transactions for small amounts ($1.00) so the card numbers can be tested. The organization incurs the authorization fees until it catches the activity and takes the website down, or until the thief finishes testing all of the cards. To prevent your site from being used for card testing, set the “Daily Velocity” filter in your gateway to limit the number of daily transactions.
- Phishing/Whaling: First we had phishing, where emails prompted users to reply with sensitive information to confirm they are the actual owner of specified accounts. This evolved to SMSishing, where the solicitation was sent via text. Now there’s whaling, where profiles on LinkedIn and Facebook with descriptors like vice president, chief executive officer, chief financial officer, etc. are targeted. If you have one of these profiles on Facebook, LinkedIn, YouTube or another social media outlet, keep your private information private and watch out for requests for sensitive information.
Best Practices
- Use AVS (Address Verification System): Always use AVS for eCommerce or keyed transactions. AVS compares the billing address provided with the billing address on file with the card-issuing bank, and returns an address match or mismatch response. Reject transactions with a mismatch response. The default settings in NMI will do this automatically. If you accept a transaction with an AVS mismatch response, your rate will be affected.
- Use the CVV (Card Verification Code): Always require the 3-digit security code on the back of Visa, Mastercard, Discover, and JCB cards or the 4-digit code on the front of the American Express card with your transactions. If the CVV code does not match what is on file with the bank, reject the transaction. If you use NMI, you need to set this up on your account. If you accept transactions with a CVV mismatch, your rate will not be affected, but this could reduce your ability to win a chargeback case.
- Review your Daily Transactions: Be on the lookout for unauthorized refunds (employee fraud), duplicate transactions, and excessively large orders to unknown customers. Immediately contact us or the 24/7 support center if you see any anomalies.
- Set your Gateway’s Daily Velocity Filter: If a fraudster is using your website to test credit card transactions, this will limit the number of tests they can run, causing them to go elsewhere. This will also limit the number of authorization charges you will incur for these fraudulent transactions. NMI’s iSpyFraud feature allows you to easily set these filters.
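The daily transaction review described above can be partly automated. The following is an added example, not NMI's or this page's own code: it scans a day's transactions for card-testing bursts, duplicate charges, and refunds with no matching sale. The record fields (id, time, card, cents, type) and all thresholds are assumptions, not a real gateway export format.

```python
from datetime import datetime, timedelta

def card_testing_windows(txns, max_cents=100, window=timedelta(minutes=10), min_cards=5):
    """Bursts of small sales across many distinct cards: (start, end, n_cards)."""
    small = sorted((t for t in txns if t["type"] == "sale" and t["cents"] <= max_cents),
                   key=lambda t: t["time"])
    bursts, i = [], 0
    while i < len(small):
        j = i
        while j + 1 < len(small) and small[j + 1]["time"] - small[i]["time"] <= window:
            j += 1
        cards = {t["card"] for t in small[i:j + 1]}
        if len(cards) >= min_cards:
            bursts.append((small[i]["time"], small[j]["time"], len(cards)))
            i = j + 1          # skip past the burst already reported
        else:
            i += 1
    return bursts

def duplicate_sales(txns, within=timedelta(minutes=5)):
    """Pairs of ids where the same card was charged the same amount again."""
    last, dupes = {}, []
    for t in sorted(txns, key=lambda t: t["time"]):
        if t["type"] != "sale":
            continue
        key = (t["card"], t["cents"])
        if key in last and t["time"] - last[key]["time"] <= within:
            dupes.append((last[key]["id"], t["id"]))
        last[key] = t
    return dupes

def refunds_without_sale(txns):
    """Ids of refunds to a card with no sale in this export (review for employee fraud)."""
    sold = {t["card"] for t in txns if t["type"] == "sale"}
    return [t["id"] for t in txns if t["type"] == "refund" and t["card"] not in sold]

# Constructed sample data. "card" is a gateway token, never a stored card number.
T0 = datetime(2024, 1, 15, 9, 0)
def tx(i, minute, card, cents, kind="sale"):
    return {"id": i, "time": T0 + timedelta(minutes=minute),
            "card": card, "cents": cents, "type": kind}

SAMPLE = ([tx(i, i, f"tok{i}", 100) for i in range(6)]          # six $1.00 tests
          + [tx(10, 120, "tokA", 4500), tx(11, 122, "tokA", 4500)]  # duplicate
          + [tx(12, 200, "tokB", 2000, "refund")])                  # orphan refund

if __name__ == "__main__":
    print(card_testing_windows(SAMPLE), duplicate_sales(SAMPLE), refunds_without_sale(SAMPLE))
```

A refund flagged here may simply belong to a sale from an earlier day, so treat each result as an item to review rather than a confirmed anomaly.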
Additional Red Flags to look out for
- Rush orders
- Billing/Shipping addresses don’t match
- Large orders
- Orders to be shipped outside the United States
- Customer can’t be reached by phone, or can’t confirm the purchase
- Multiple sales made in a short period of time which appear to be indiscriminate purchases
- Odd sales/trends. As the business owner, only YOU can be aware of what looks “off” or “different” than normal. Anything unusual is a red flag for fraud!