By 2022, the global e-commerce market is expected to hit over $6.5 trillion. Your customers are shopping online, but fraudsters are stealing their details and shopping online as well. Is your financial institution poised to detect online card fraud? Do you have tools and solutions in place to protect your organization and your customers from card-not-present fraud? Here is everything you need to know about this growing threat.
What Is Card-Not-Present Fraud?
Card not present (CNP) fraud refers to fraudulent transactions that occur online, over the phone, or through the mail, rather than in person. This type of fraud occurs when thieves steal customers’ card details and use the numbers to buy items online. It is called card-not-present fraud because the card does not need to be physically present, often making these crimes easier to commit than in-person card fraud at point-of-sale systems.
Losses From Card-Not-Present (CNP) Fraud
Card-not-present fraud is increasing every day in the United States. The implementation of chip technology has reduced the risk of in-person card fraud, so scam artists have shifted their focus to the low-hanging fruit of card-not-present fraud. In 2016, this type of fraud increased by over a third from the previous year up to $4.57 billion.
Perpetrators of Card-Not-Present Fraud
The global fraud landscape has changed dramatically over the last 40 years. In the past, the main perpetrators were individual criminals targeting individual victims. Every decade since the 1980s, the pool of victims have expanded to include merchants and financial institutions as well as individual consumers, and the perpetrator profile has shifted from individuals to decentralized global crime rings.
Anyone with a smartphone can easily obtain the info they need to commit card-not-present fraud. Modern-day thieves don’t have to learn how to carefully pickpocket victims’ wallets. Scam artists don’t have to hack databases or get on the dark web to buy victims’ information. Instead, they can buy card details for just a few dollars online. In the past, Facebook groups have even existed to facilitate this process — one group allowed thieves to purchase card details for just $4.
Decentralized crime rings break card-not-present fraud into multiple steps. In the modern fraud ecosystem, one organization may focus on cyber breaches or phishing attacks, while another extracts the credit card data. Then, a third organization sells the card information to an individual who actually uses the card to make a purchase.
Each organization takes a cut of the “profits” and while the initial steps are handled in bulk, the final transactions happen on the individual level. This process is very similar to how drug deals start with large wholesale transactions before they finally reach the direct-to-consumer stage of the transaction.
Types of Card-Not-Present Fraud
Card-not-present fraud falls into several different categories. Here is a look at the most prevalent iterations of this type of fraud:
- Physical Card Theft — This is when a criminal steals a victim’s actual card and uses it to make purchases.
- Card Details Theft — The most common type of card-not-present fraud, this occurs when a scam artist steals someone’s card number, expiration date, and CVV/CVC code to make purchases online.
- Account Takeover — Cybercriminals steal victims’ personal information, take over their accounts, and request to have a card mailed directly to the criminal.
- New Account Fraud — This also involves committing identity theft, but rather than taking over the customer’s existing card, the thief opens a new card account in the victim’s name.
- Card Testing — Using a card obtained through one of the above methods, a thief makes frequent low-value purchases that are not as likely to get noticed by traditional fraud detection systems.
- Package Interception — Rather than having items mailed directly to themselves, scam artists may commit card-not-present fraud using the cardholder’s actual address. Then, the thieves intercept the packages during transit.
- Phishing — A lot of card-not-present fraud starts with phishing which is when a scam artist uses emails, texts, phone calls, fake websites, or other approaches to trick victims into sharing their card details.
- Merchant Identity Fraud — Scam artists set up their own merchant accounts that look like legitimate businesses. Then, they process transactions using stolen card details and pocket the cash.
- Pagejacking — Cyber criminals attack ecommerce websites so that when customers enter their details, the numbers go straight to the criminals.
- Skimming — Thieves install physical devices on ATMs or card readers on gas pumps that allow them to extract consumers’ card details.
- False Refunds — Sometimes, cardholders commit fraud against their own financial institutions by claiming purchases they initiated were fraudulent, filing a chargeback with their financial institution, and keeping the items they purchased.
Risks of Card-Not-Present Fraud
Beyond the financial losses associated with card-not-present fraud, financial institutions face the following risks:
- Reputational damage
- Degradation of brand image
- Ancillary financial losses related to fraud mitigation
Although the exact numbers vary, analysts speculate that the cost of fraud mitigation is over $3 per every dollar of fraud losses. To put it simply, if a thief steals your customer’s card and buys a $1500 iPhone, your financial institution may end up facing over $4500 in fraud mitigation costs.
How to Prevent Card-Not-Present Fraud
Financial institutions need robust solutions that leverage machine-learning and artificial intelligence to detect the threat of fraud. This approach is more effective than static rules-based solutions that allow fraud to slip through the cracks.
For instance, if your fraud prevention software only flags online transactions over a certain threshold, it will not pick up low-value card testing fraud. However, if your fraud detection solution understands your customers’ patterns and works in real-time, it will be much more likely to flag any aberrations from the norm as potential fraud, regardless of value.
That said, your anti-fraud solutions should look beyond transactional data and take into account information related to the entire banking session. When trying to minimize the threat of card-not-present transactions, in particular, this includes the IP address of the card user and actions taken on the customers account prior to the transaction.
Get Help Detecting Fraud
At SQN Banking Systems, we offer a variety of solutions and services to help your financial institution fight card-not-present and other types of bank fraud. To learn more, contact us today.