Card-Not-Present FraudWhat You Don’t See CAN Hurt You

February 28, 2024 | 10 min read

This image was created by artificial intelligence using the following prompts:

A fraudster is committing account takeover fraud on a laptop, he is trying to steal, cyber shoplifting, embossed credit card numbers in the background, in the style of red and teal.

card-not-present fraud CNP fraud

In a Nutshell

Is your buyer the person they claim to be? How do you know? Does the credit card information they’re using belong to someone else? If you can’t see the physical payment card at the time of the transaction, you’re at risk of card-not-present fraud. In this post we look at what that is, and how merchants can shore up their defenses against it.

What Is Card-Not-Present Fraud? Learn to Recognize the Threats & Know How to Beat Them

Card-not-present transactions present a great opportunity for cybercriminals.

They know that, without access to a physical payment card, it’s hard for you to know if you’re dealing with the cardholder or an imposter. Plus, thoroughly validating each customer causes friction that slows down checkout. So, when it comes to maintaining this balance, customers’ demands for speed and convenience usually win out. Unfortunately, this is often at the expense of security best practices.

In this article, we'll discuss the threat posed by card-not-present fraud (or “CNP fraud”). We’ll explore some of the common tactics fraudsters use, and offer some actionable steps you can take to protect your business.

What is Card-Not-Present Fraud?

Card-Not-Present Fraud

[noun]/kärd • nät • prez • (ə)nt • frôd/

Card-not-present fraud, or CNP fraud, is when a fraudster illegally uses stolen credit card information to make purchases through a remote channel. Card-not-present fraud usually occurs online, but can happen via any remote channel, including phone or email.

What is CNP fraud? The term essentially covers any unauthorized activity resulting from a payment card transaction where the physical card was never presented to the merchant. In other words, the buyer’s payment information was bogus, but since you couldn’t see the actual card, you took it at face value.

Of course, once that customer gets a glance at their statement and sees those unauthorized purchases, their first response will be to call their bank. A chargeback is filed, the merchandise you shipped is gone forever, and you’ll be held liable for the cost, plus additional fees.

How Does CNP Fraud Happen?

Without any prevention measures in place, an online transaction really only requires a card account number, plus the card’s expiration date and CVV security code. Illegally obtaining that information is easier than you might expect.

Personal details from data breaches often end up on the dark web, where fraudsters can buy batches of account numbers for pennies on the dollar. Those numbers may come with actual card expiration dates and CVVs. Or, the crook may mix and match card details, either manually entering information or using bots, until they find a combination that works.

This is a very fast-growing problem. According to Mastercard, global eCommerce fraud topped $48 billion in 2023. It gets worse; the cumulative global losses to online payment fraud are predicted to exceed $343 billion by 2027. 

CNP chargebacks cost you much more than the original transaction amount, too. You also lose the value of the merchandise, and incur hefty fees. All totaled, the average fraud incident will cost you $3.75 per every dollar lost during the attack itself.

Top 10 Card-Not-Present Fraud Threats

There’s a vast array of tactics that fraudsters can use, and they come up with new attack methods all the time. Let’s look at some of the most commonly used tactics for card-not-present and contactless payment fraud:

Account Takeover Fraud

Account takeover fraud (ATO) is where criminals hijack a cardholder’s entire credit card, bank, email, or social media account. Impersonating the victim, the crook can make illegitimate purchases, potentially even locking the cardholder out of their own account.

Learn more about account takeover fraud

New Account Fraud

New account fraud is a tactic where fraudsters use stolen data to adopt a false identity, create a new user profile, and open a new account. Until the fraud is uncovered, the new account information is considered legit.

Learn more about new account fraud

Synthetic Identity Fraud 

Synthetic identity fraud doesn’t focus on taking over existing accounts. Rather, the crook steals data (SSN, date of birth, etc.) from one or several individuals. They then combine it with other falsified personal information. This new “Frankenstein” identity is then used to obtain new lines of credit.

Learn more about synthetic fraud

Bust-Out Fraud

Bust-out fraud takes time. Using stolen data, the crook acquires a credit card and establishes a believable purchase and payment history. They gather as much additional credit as they can. At some point, though, the fraudster will then max out every account and disappear.

Learn more about bust-out fraud
Tired of losing revenue to fraud? We can help identify and remedy issues that are draining your revenue.REQUEST A DEMO

Card Testing

Before making a huge purchase, fraudsters want to know an account hasn’t been closed and their stolen card will be accepted. So, they may first attempt to validate the account by making a small purchase as a kind of test run. If the sale goes through, the card is “live.”

Learn more about card testing

Clean Fraud

Clean fraud involves impersonating an authorized cardholder, then manipulating transaction information to make a fraudulent purchase look legitimate. Since the data isn’t changed until after the fact, the transactions appear “clean.” This means it can more easily bypass fraud filters or blacklists.

Learn more about clean fraud

Overpayment Scams

The fraudster owes the victim money and offers to pay via check. They “accidentally” overpay, then ask you to deposit the check and wire back the difference. The check bounces, leaving you with a double loss.

Learn more about overpayment fraud

Reshipping Scams

The criminal makes an unauthorized purchase, but has the order delivered to a reshipper, who gets paid to forward the merchandise to another address. Victims believe they’re involved in a legitimate money making opportunity, but fraudsters are simply insulating themselves from the crime.

Learn more about reshipping scams

Package Redirection Scams

Legitimate-looking purchases are made using stolen credentials. After the transaction is completed, the crook goes into the online account and edits the delivery address. They ship the order to themselves, or perhaps a location where the delivery could be easily intercepted.

Learn more about redirection scams

Friendly Fraud

This happens when a buyer seeks a chargeback on a legitimate transaction. Friendly fraud can be a deliberate attempt to get something for free, or it can also come from consumers who don't really understand the chargeback system.

Learn more about friendly fraud

As you might suspect, these ten tactics are only the tip of the card-not-present iceberg. There are too many card-not-present fraud threats to list them all.

What Should You Do if You Suspect Card-Not-Present Fraud?

So, let’s say there’s a card-not-present transaction that you suspect is fraudulent. How do you stop it?

Unfortunately, by the time you see any “red flags” suggesting a purchase is fraud, the transaction will have already happened. With the right tools, you may be able to avoid a chargeback. But, the fraudster will probably still get away clean. And in many cases, you’ll be liable for the loss: from the bank’s perspective, you let the fraud happen, so it’s your responsibility. 

That said, both issuers and card networks are aware of the problem, and have had a measure of success fighting card-not-present fraud. Unfortunately, the benefits often don’t trickle down to the merchant level. The best protection against card-not-present fraud is you.

How Do You Prevent Card-Not-Present Fraud?

Card-not-present fraud prevention needs to be approached as a long-term project. The most effective strategies rely on combining multiple fraud fighting tools on a consistent basis. These should be deployed strategically, augmented by best practices, and backed by relevant and accurate metrics such as these:

There’s no magic formula for distinguishing between real customers and fraudsters. However, there are a number of effective tactics you can deploy. Here are few examples of best practices you can put in place to help mitigate risk:

Since you never come face-to-face with your customer, it’s critical to develop a detailed profile for each buyer. This can be done by deploying fraud-detection tools like address verification (AVS), card verification codes, 3D Secure 2.0, and so on.

When it comes to anticipating card-not-present fraud, more customer information gets you better metrics and better decisioning. Things like card numbers, billing and delivery addresses, IP information, and purchase history, for example, will come in handy if you need to fight a claim

Keeping meticulous records affords more opportunities to detect and avoid CNP fraud. You develop better fraud KPIs and refine fraud detection tools. The data can be used for refining your strategy, and can also help when integrated with technologies like Order Insight and Consumer Clarity. Just be sure your data collecting adheres to compliance regulations.

AI or automated tools can be paired with your internal processes to gauge fraud risks for each transaction. These technologies examine multiple factors and deliver a simple score, allowing for “up-or-down” decisioning. This data can also help in creating “blacklists” of potential fraudsters.

Criminals will often switch back and forth between tactics to throw you off their trail. Knowing their tricks — and how to spot them — is a great way to block their efforts. Common red flags include changes in account information, multiple password resets, and a number of failed login attempts.

You can eliminate many friendly fraud triggers by providing excellent customer service and adhering to security best practices. You should also create a contingency plan, using tools like network inquiries and chargeback alerts as a last line of defense against chargebacks.

You can’t win a reversal on card-not-present fraud chargebacks if the cardholder is actually a victim. In cases of friendly fraud, however, fighting invalid claims through representment lets you retain revenue. It also shows would-be fraudsters that you’re not an easy target.

Chargebacks911 Can Help

Card-not-present fraud is just one example of the ways in which bad actors are looking to gain at your expense. That said, it’s important to note that criminal fraud is highly preventable through smart strategies and wise best practices. 

CNP fraudsters may have the tools to overcome one or more fraud detection tactics…but the experts at Chargebacks911® have the experience and expertise to fight all types of fraud. Contact us today to learn more.

FAQs

What is a card-not-present fraud?

Card-not-present fraud, or CNP fraud, happens when a bad actor makes illegal purchases through a remote channel using stolen credit card information. CNP fraud usually occurs online, but can happen via any remote channel, including phone or email.

How do I stop card-not-present fraud?

Suggestions for CNP fraud prevention include requiring billing address (AVS) and CVV verification, employing 3-D Secure protocols, using tools like fraud filters, and tracking down phishing sites that may be trying to imitate your brand.

How do I protect my card from not-present fraud?

For cardholders, fraud prevention largely depends on vigilance. To protect yourself from identity theft and credit fraud, monitor all your online accounts for red flags, use strong passwords (and change them from time to time), and take care when making purchases using public-access networks (airports, coffee shops, etc.).

How much does card-not-present fraud cost?

Card-not-present (CNP) fraud accounted for an estimated $9.49 billion in losses in 2023. An estimated 73.0% of card payment fraud losses in that period came from CNP fraud.

What is an example of a card-not-present transaction?

CNP transactions are payment card transactions in which the physical card is not seen or handled by the merchant. This umbrella term covers eCommerce (online shopping), purchases made over the telephone or mobile device, mail order sales, card-on-file payments, and transactions using a digital wallet.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard
  翻译: