What is payment fraud?

Payment fraud is, at its core, a false or illegitimate transaction. Before the Internet, payment fraud typically consisted of a simple case of bounced checks or erroneous chargebacks. However, with the advent of ecommerce, it’s become more complex.

Payment fraud occurs when someone intentionally uses false or stolen payment information (a legitimate cardholder’s credit card or account credentials) to make a purchase. A fraudster might use a variety of tactics, such as using stolen credit card credentials, manipulating account information, or falsifying transfers to cheat the payment system and defraud merchants or financial institutions.

Consumers are losing personal identity data and credit card numbers to phishing scams, malware links in text and instant messages, and bogus phone calls. As fraudsters become more sophisticated, so must your fraud management measures — to protect your customers and your business from incurring financial losses.

In 2024, the global e-commerce fashion industry was forecast to reach an overall market value of 781.5 billion U.S. dollars. According to a study from Juniper Research, the cumulative merchant losses to online payment fraud globally between 2023 and 2027 will exceed $343 billion.

Unfortunately, fraudsters are attracted to this growing market for unscrupulous financial gain, sometimes operating as part of a larger organized crime ring.

Safeguarding both personal data and payment information goes a long way to stopping payment fraud attacks. Knowing which payment methods fraudsters attack is a helpful first step in preventing fraud. Let’s examine seven common ways a business might process a payment.

Payment types a business might process

  • Card-present (CP): Card-present payment transactions take place at brick-and-mortar locations where shoppers need to present a physical card to make a purchase. The merchant typically uses a point of sale (POS) system that includes a card reader to process CP transactions.
  • Card-not-present (CNP): CNP transactions take place when a customer makes purchases without a physical card. Online shoppers cannot present a physical card to an ecommerce merchant, so transactions are made with the card number, expiration date, and CVV number. CNP transactions can also be conducted by mail or phone.
  • Automated clearing house (ACH) payments: This payment type features an electronic bank-to-bank payment and is common with software-as-a-service (SaaS) platforms and subscription models that require regular monthly payments. The shopper needs a bank routing and account number to transact in this manner.
  • Buy-now-pay-later (BNPL): Buy-now-pay-later provides short-term financing that enables consumers to make purchases and pay for them in equal installments over time, often with little to no interest. BNPL has become one of the hottest trends in payments in recent years, with these payments expected to account for nearly a quarter of all global ecommerce transactions by 2026, up from just 9 percent in 2021.
  • Digital wallets: This payment method operates contactless and electronically, and enables customers to save their credit or debit card on their smartphone to make payments. Digital wallets streamline checkout experiences with just one click, making them one of the most convenient and popular payment methods for merchants and consumers alike. Digital wallets accounted for nearly half of ecommerce payments worldwide, and were projected to account for 53 percent in 2024.
  • Open invoice: Typical in B2B payments, an open invoice is an invoice that hasn’t been paid. Invoices usually include an invoice number and purchase order (PO) number, as well as the payer’s and payee’s company name, address, and contact details.
  • Loyalty points: For years, credit card issuers have awarded their customers with loyalty points in exchange for dollars spent on the card. Consumers can then spend those points to make purchases. Common categories for loyalty point spending include travel, dining, consumer goods, and more. Additionally, some companies and airlines enable their customers to use loyalty points to make purchases on their platforms.

To pay with any of these payment methods, consumers disclose payment information through unique account numbers, either a credit card or a bank account number. For fraudsters, this presents an opportunity: numbers are easy to steal — that’s the heart of the payment fraud problem. Consumers need to protect their information, and merchants do their best to guard it, but hackers and identity thieves are experts at circumventing security measures.

Common payment fraud attacks

Payment fraud occurs when a bad actor uses false or stolen payment information to make a purchase. It can occur across all payment methods, and fraudsters are getting more sophisticated every year. Here are some examples of common payment fraud attacks.

  • Credit card fraud: One of the earliest forms of payment fraud, this type of payment fraud involves a fraudster using stolen credit card details to make unauthorized purchases.
  • Card-not-present (CNP) fraud: Just like it sounds, card-not-present fraud occurs when a customer does not present a physical card to make a purchase, such as in an online or phone order. CNP fraud typically happens after credit card or payment information has been stolen through data breaches or illegally purchased on the dark web.
  • Payment gateway fraud: This type of ecommerce fraud occurs when a cybercriminal uses stolen identities and card details to enter personal and payment information into a merchant’s online or mobile commerce site. It also includes attempts like bank identification number (BIN) attacks, where a fraudster uses software to try to find active card numbers that share a BIN (the first six digits of a card number).
  • Account takeover (ATO) fraud: In this fraud tactic, a fraudster gains unauthorized access to a legitimate customer’s online account without the owner’s consent, usually as a result of a data breach. When a bad actor obtains access to a customer’s ecommerce account, such as a bank account, email address, or social media profile, they can attempt several fraud schemes – from making purchases with stored payment methods to cashing in loyalty points or simply exploiting valuable personal information.
  • Digital wallet fraud: Though digital wallets come with many advanced security protocols and features, they’re not fraud-proof. Fraudsters commonly use four tactics targeting digital wallets:
      1. Creating new digital wallet accounts with stolen details
      2. Swapping a stolen SIM into a new phone to impersonate the victim and make purchases
      3. Spoofing biometrics by using deepfakes, face masks, artificial fingerprints, and false voice recognition data
      4. Social engineering attacks that manipulate unsuspecting consumers into providing their login details
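
A merchant-side check for the BIN attack pattern described under payment gateway fraud, as an added example that is not part of the original article: it flags a BIN when many distinct card numbers sharing it are tried within a short window and most of those attempts are declined. The window length, thresholds, record layout and sample attempts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300       # assumed sliding-window length
MIN_DISTINCT_CARDS = 5     # assumed: distinct card numbers per BIN before alerting
MIN_DECLINE_RATIO = 0.8    # assumed: share of declined attempts inside the window


def detect_bin_attacks(attempts):
    """attempts: (unix_ts, card_number, approved) tuples sorted by time.

    Returns [(bin, ts)] giving the moment each BIN first crossed both thresholds.
    In production, key on the BIN plus a card token rather than the raw number.
    """
    windows = defaultdict(deque)   # BIN -> recent (ts, card, approved) attempts
    alerted, alerts = set(), []
    for ts, card, approved in attempts:
        bin6 = card[:6]
        window = windows[bin6]
        window.append((ts, card, approved))
        # Drop attempts that have aged out of the sliding window.
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        distinct_cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, ok in window if not ok)
        if (bin6 not in alerted
                and len(distinct_cards) >= MIN_DISTINCT_CARDS
                and declines / len(window) >= MIN_DECLINE_RATIO):
            alerted.add(bin6)
            alerts.append((bin6, ts))
    return alerts


# Constructed sample: eight sequential numbers on one BIN in 70 seconds (one
# approval), mixed with two ordinary approved purchases on another BIN.
_burst = [(1000 + 10 * i, f"411111{i:010d}", i == 6) for i in range(8)]
_normal = [(1005, "5555550000000001", True), (1500, "5555550000000002", True)]
SAMPLE_ATTEMPTS = sorted(_burst + _normal)
```
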

How do fraudsters commit payment fraud? 

As master manipulators, fraudsters engineer attacks to take advantage of their victims. They use different social engineering tactics to get victims to divulge and transfer personal and payment information to them or launch malware to steal it. They may assume a false identity, such as claiming to be a researcher or an authority figure, to gain the victim’s trust.

Social engineering tactics fraudsters use include:

  • Phishing is a form of social engineering that involves sending an email or setting up a malicious website to impersonate a reputable organization. Typically, this method informs the victim of an issue, and that to solve the issue, the victim needs to supply payment information immediately. 
  • Smishing, another form of social engineering, uses text messages and SMS to acquire private information for malicious intent. Fraudsters may text the recipient a link that opens a webpage, email address, or phone number and demands the recipient respond, email, or call to hand over the information.
  • Vishing seeks to get the victim to call a phone number to share their account details. Often, fraudsters will spoof caller identities to make it seem like the victim is talking to a reputable organization.

Once fraudsters obtain the information they need for an attack through any of these means, they strike. Fraudsters may also work in teams or with organized crime rings to attack at scale. They look for security weak points such as unsecured payment gateways and insufficient fraud prevention measures to exploit vulnerabilities and penetrate company systems.

Fraud prevention steps for merchants 

The first step to preventing payment fraud at your business is to stay current on fraud trends. Hackers make it a point to stay current on all the latest cybercriminal trends to exploit you, so understanding their tactics could help you stop them.

  • Consider hiring an ethical hacker: These individuals have the same skill set as their “black hat” counterparts. Think of it as a “stress test” to protect your customers and prevent payment fraud.
  • Safeguard customer accounts: Ecommerce businesses can put digital efforts in place to thwart customer account takeovers:
      • Verify email sign-up: Require new users to verify their email upon registration to ensure the account is associated with the correct user.
      • Apply multi-factor authentication (MFA) to make it harder for fraudsters to gain account access. Send notifications when a user makes an address or email change, or requests a revalidation or deletion of a stored payment method. If you enable autopay, ask for revalidation of the CVV for the stored payment method.
      • Set a call center protocol: To minimize social engineering attacks, create an appropriate policy on what you require from a customer to make account changes over the phone.
  • Implement a password protocol: Asking customers to change passwords periodically may seem like an inconvenience, but it’s a security measure for their protection. Every change requires hackers to start over again. A few tips:
      • Require strong passwords for customer accounts that include special characters and character limits.
      • Enforce a temporary or permanent lock-out procedure for a certain number of incorrect password submissions to prevent the hacker from cracking the password.
  • Write a privacy and security policy: Customers need reassurance that their transactions are safe. Write a privacy and security policy to explain what you’re doing in those areas. Post those policies on your site where customers can see the links and easily click on them for quick reference.
  • Require a user login for purchases: This feature sometimes confuses customers because it seems like they were logged out while browsing your site, but that’s not the case. Requiring an additional login before customers make the final purchase is a security measure. It ensures the buyer didn’t simply pick up the real account holder’s mobile device and use auto-saved settings to run up their credit cards.
  • Code your site with a timed user logout: Automatic logout closes the application if the user has been dormant for a specific period. Customers often leave their computer or mobile device and forget which apps they left open. Accidentally doing this in a public place leaves them vulnerable to identity thieves and online “shoplifters.”
  • Educate your employees and customers: Learning the warning signs of social engineering attacks can help prevent fraudsters from obtaining the information they need to commit payment fraud. Share these warning signs with your employees and customers to help prevent bad actors from gaining access.
      • Check the sender’s email address: Ask your employees to look closely at the sender’s email address, as it can often appear to be that of a legitimate organization, omitting only a few letters. Employees should not respond to suspicious email addresses and should forward the messages to in-house security teams for review.
      • Communication lacks personalization: If the greeting (Hello, Ma’am or Sir) and the contents of the email are generic, that can be a sign that you’re getting phished.
      • Malicious links and attachments: Ask your employees and customers to hover over links before clicking them. If the links don’t match up to the text when you hover over them, that’s a sign it’s suspicious. Fraudsters may ask victims to download attachments urgently so they don’t have the chance to think about doing it. This is a red flag. If it’s malicious, all of a sudden, your system is under the control of cybercriminals.

Protect your business with a fraud prevention solution

With the digital customer journey under near-constant attack from sophisticated fraudulent activity, fraud detection and management tools can provide peace of mind. The right fraud prevention partner can help you minimize risk, expand into new markets and products, adopt new payment methods, provide verified customers with seamless experiences, and ultimately increase sales, while offering better cost predictability and lowered risk at a lower investment of time and resources. 

Payment fraud management is an ongoing battle that necessitates keeping on top of new fraud trends and methods. Stay vigilant by adopting a proactive and holistic fraud prevention approach. Fraud won’t stop, but with these steps, you can slow it down and minimize its impact on your business.
