What is payment fraud risk? Types, prevention, and mitigation strategies

Key takeaways:

• Payment fraud is a type of cyber or social engineering attack in which a bad actor attempts to steal money via payment processes.
• Payment fraud can be first-party, where attackers use fake accounts or issue fraudulent chargebacks.
• Payment fraud can also be third-party, where attackers acquire access to account information to make unauthorized transactions.
• Common types of payment fraud include check fraud, credit card and debit card fraud, account takeover fraud, and gift card fraud.

What is payment fraud?

Payment fraud is the act of stealing money from businesses and customers through fraudulent purchases and unauthorized transactions. Fraudsters might use their accounts to commit fraud or steal other people’s accounts for financial gain.

Fraud can happen in person, but online transactions are uniquely vulnerable to payment fraud. Juniper Research predicts that global business losses from online payment fraud will exceed $362 billion between 2023 to 2028.²

A business must understand its risk level based on its industry, the data it works with, and the types of payments it processes. The more ways that users can interact with their accounts and make purchases, the more opportunities there are for fraudsters to subvert payment processes.

14 Types of payment fraud

Payment fraud can occur in many different ways. Attackers use a variety of tactics, so businesses should prepare their teams to detect common high-risk fraud signals.

Communication is one of the keys to preventing fraud, so establish strong policies and escalations that employees and customers can use when they feel under threat.

Common types of payment fraud include:

1. Phishing

Phishing is a type of social engineering where criminals attempt to trick or pressure people into giving up sensitive information like account credentials or payment details.

Attackers commonly use this method to commit direct payment fraud, but some may also sell the stolen information.

Phishing often involves malicious links sent via email or text message. Attackers might also pretend to be a friend, loved one, or authority figure to gain access to information. Some phishing attacks occur over the phone.

Tips to help prevent phishing:

• Inform consumers about how they can expect business representatives to communicate with them.
• Share the exact phone numbers and email addresses customers can expect if the business reaches out to them.
• Be clear about what information employees can ask for and what they can’t.
• Alert consumers to existing phishing attacks.
• Train employees on information security and communication procedures.
• Ensure all customer-facing employees identify themselves in the same way.

2. Credit and debit card fraud

Credit card fraud and debit card fraud involve acquiring cards, or their information, and using them to make payments without authorization.

This could involve direct theft or installing skimming devices on hardware like ATMs or point-of-sale terminals. Attackers might also acquire card details through phishing, direct cyber attacks, or by purchasing them from other cyber criminals.

Tips to help prevent credit and debit card fraud:

• Ensure that only authorized employees have access to the point of sale (POS) system, and regularly check payment hardware (ATMs, gas pumps) at business locations for tampering.
• Create secure websites with appropriate data protection and encryption for payments and sensitive data.
• Track potential scams and warn customers ahead of time.
• Remind customers not to give away account or confirmation numbers to unverified sources.
• Give customers multiple ways to receive notifications about purchases and receipts.

3. Wire transfer fraud

Wire transfer fraud is a type of social engineering-based fraud in which criminals attempt to convince people to send them money using a wire transfer.

Wire transfers are popular among scammers because it’s generally difficult for the victim to recover money once they send it.

Often, attackers try to impersonate someone known to the target, like:

• A loved one.
• An executive at their workplace.
• A client or service provider.

For example, the CEO of a company attends a conference. An attacker sends text messages to employees pretending to be the CEO, saying they are experiencing an emergency and need access to money.

Tips to help prevent wire transfer fraud:

• Train employees to recognize the signs of fraud and social engineering.
• Establish standard communication channels and avoid communicating business over easily faked or intercepted channels (texts, for example).
• Report all phishing attempts and communicate them to the whole team.

4. Check fraud

Check fraud involves creating fake checks to make payments or using checks to make payments from accounts with insufficient funds. Check fraud is very common and can involve sophisticated counterfeits.

Fraudsters might try and withdraw money from banks with counterfeit checks or trick other people into taking counterfeit checks, which they then can’t use.

Fake checks might be brand new, created with printers, or existing checks that fraudsters illegally modify. In other cases, the check might be real, but the account is closed.

Tips to help prevent check fraud:

• Use software that validates the authenticity of checks.
• Train employees to recognize the signs of fake checks.

5. Chargeback and refund fraud

Chargeback fraud, also called friendly fraud, occurs when someone makes a purchase with a credit card and then requests a refund for illegitimate reasons. They might request a refund from the business or initiate a chargeback with the credit card company.

These are types of payment reversal, and customers may initiate them for legitimate or illegitimate reasons. Chargeback fraud is particularly difficult to identify because of the mix of true situations, lies, and simple misunderstandings that can occur, especially when delivery is involved.

Tips to help prevent chargeback fraud:

• Validate customer information, such as accounts, card security codes, and addresses.
• Use payment software with fraud protection and dispute automation.
• Respond to chargebacks and refund requests promptly.
• Reduce legitimate chargeback requests by processing orders correctly and promptly.

6. Identity theft

Identity theft occurs when attackers get access to a victim’s personal information and use it for financial gain.

This impacts businesses because it can lead to chargebacks once victims realize a criminal has used their credit card to make a fraudulent purchase. While the fraud itself mostly targets customers, businesses have a responsibility to prevent customer data leaks.

Tips to help prevent identity theft:

• Train employees on information security processes and how to recognize phishing.
• Ensure websites and payment processors follow security best practices like maintaining PCI DSS compliance to protect customer data.

7. Account takeover

Account takeover (ATO) fraud often happens after identity theft. Attackers acquire user information, then lock the real owner out of the account by changing passwords and contact information.

Once victims are locked out of their accounts, attackers either sell them or use them to make fraudulent purchases.

Tips to help prevent account takeover:

• Set strong password requirements for account creation.
• Require two-factor authentication (2FA) and confirmation for important account changes (such as passwords).
• Notify customers of purchases and account changes.

8. New account fraud

New account fraud (NAF) happens when stolen and synthetic identities are used to fraudulently open new lines of credit.

Attackers could open new accounts with a business using identities they’ve stolen or by relying on fraudulent payment methods acquired via other instances of NAF.

Tips to help prevent new account fraud:

• Require multifactor authentication (MFA) for account creation (not just email).
• Verify information such as address and card security information during purchases.
• Use fraud protection services that leverage machine learning to identify fraud.

9. Gift card fraud

Gift card fraud is a type of social engineering in which scammers try and convince people to purchase gift cards and give them the numbers.

Scammers love this technique because it’s difficult for victims to recover funds once they use the gift card.

While businesses can’t control what kinds of scams their customers fall victim to, they can provide information to help protect everyone.

Tips to help prevent gift card fraud:

• Provide information about gift card scams when users add gift cards to their cart.
• Remind users not to give gift card numbers to people they don’t know.
• Train staff in store locations to recognize the signs of gift card fraud and when to escalate to management.

10. Merchant identity theft

Merchant identity theft occurs when attackers pose as businesses or merchants to defraud other businesses or customers.

Scammers will often use phishing to gain information from a business’s employees, then engineer data leaks or gain access to business accounts.

Alternatively, attackers may pose as partners or points of contact in order to convince employees to send money directly to them.

Tips to help prevent merchant identity theft:

• Train staff on information security measures and how to recognize phishing scams.
• Establish standard communication procedures with business partners, service providers, and clients.
• Report all phishing attempts to staff and partners.

11. Pagejacking and domain spoofing

Pagejacking occurs when attackers clone a webpage and attempt to redirect users to it. Once users are on the page, attackers can perform several malicious actions, including acquiring account information and stealing money through payment fraud. Often, attackers will send malicious emails or text messages to direct users to the new site to harvest login credentials.

Pagejacking can be difficult to detect because it doesn’t require attackers to change a website directly. Domain spoofing is similar, where attackers create a new identical website with a similar domain name.

Tips to help prevent pagejacking:

• Implement security features to make it difficult to scrape and reproduce website code.
• Limit bot access to pages with features like CAPTCHA.
• Use plagiarism detectors to identify duplicate pages.
• Pay attention to customer service complaints and reports.
• After identifying an attack, submit takedown requests to Google and other search engines, and inform customers.

12. Mobile payment fraud

Mobile payment fraud occurs when bad actors use mobile apps to perform account takeovers, phishing, and other types of fraud that can involve mobile devices.

Mobile devices are additional points of weakness that attackers can exploit by installing malware, acquiring mobile app credentials, or intercepting 2FA.

For example, a scammer might call someone and pretend to be a business representative. They will say that there’s a security issue with the user’s account, and ask them to confirm a code sent via text. The code is a 2FA security code that the attacker has requested for the user’s account, and once the user gives them the code, the account is compromised.

Tips to help prevent mobile payment fraud:

• Authenticate customer information over the phone to make it more difficult to engage in identity theft and card-not-present fraud.
• Look for unusual spending or refund patterns in mobile and online payments.
• Educate customers about the dangers of malicious links, QR codes, and websites.

13. Push payment fraud

Push payment fraud occurs when an attacker convinces a consumer to send them money via tactics such as phishing. Unlike with fraud involving unauthorized transactions, push payment fraudsters acquire the victim’s cooperation.

This might involve trickery, threats, blackmail, or a bait-and-switch tactic like check fraud or gift card fraud.

Tips to help prevent push payment fraud:

• Educate customers about what a business’s employees can say and ask for.
• Provide resources for customers to report fraudsters impersonating business representatives.
• Warn customers about ongoing scam attempts related to the business.

14. ACH payment fraud

ACH payment fraud occurs when criminals get access to a victim’s bank account information and use it to make fraudulent transfers through the Automated Clearing House (ACH) network. For businesses, this can involve outsider attackers or malicious insiders.

Tips to help prevent ACH payment fraud:

• Strictly control and monitor employee access to business bank accounts.
• Educate employees about phishing scams and establish security policies for anyone with access to account information.

What businesses have the highest fraud risk?

The greatest fraud risk occurs in industries that take online payments, accept checks, and deal with sensitive information.

E-commerce businesses

As online shopping grows, so does payment fraud, leaving customers and businesses vulnerable to cybersecurity threats.

E-commerce websites accept various payment methods, often from many locations. The easy-to-use features, such as peer-to-peer (P2P) payment integration and international purchasing, create additional points of fraud vulnerability.

The more accounts someone has connected to their bank information, the more likely they are to become a victim of an attack or data breach.

Healthcare, banking, and other sectors that deal with sensitive information

The more valuable a customer’s information, the higher the likelihood that bad actors will attempt to acquire that information for use in fraud.

Data breaches expose customer information that attackers can also use to compromise their accounts elsewhere.

Businesses that accept checks

While digital payment methods are becoming more common, many businesses still accept checks. If checks are becoming less common at a business, employees may not be as well-practiced in identifying counterfeits.

Check fraud remains one of the leading types of payment fraud, according to the Association for Financial Professionals.³

Businesses must have strong training and check verification procedures.

How to mitigate risk

Many fraud prevention and detection tools are available to help businesses mitigate risk. A security risk assessment can help businesses determine risk factors and identify which solutions are highest priority.

Some other effective measures to mitigate risk include:

• Strong network and password security: Organizations can implement standard security policies internally that dictate account access, password best practices, and physical access to devices.
• Chargeback protection: Help reduce the risk of loss from chargeback by asking payment processors about chargeback protection.
• Network tokenization: Ensure payment vaults encrypt and tokenize customer information to help keep data secure.
• PCI standards: Build payment processes that meet Payment Card Industry (PCI) regulations to help protect cardholder data.
• Fraud KPI tracking: Stay on top of and ahead of fraud issues by tracking KPIs like dispute rates, approval and decline rates, and authorization rates.
• 3DS: Leverage the latest 3D Secure (3DS) authentication protocols to help validate card transactions and verify users.
• Machine learning algorithms: Fraud prevention systems based on machine learning can process large datasets with multiple variables to uncover complex patterns that human eyes might miss, indicative of sophisticated fraud. They’re also able to continually adapt to keep pace with changing patterns.
• Rules-based systems: Rules form a solid foundation for fraud prevention, but they have to be analyst-written and can become overwhelmingly cumbersome to maintain as they expand. That said, they can help mitigate fraud risk while organizations are training ML engines. Teams could even use ML algorithms to suggest new rules to write.

PayPal, for example, helps businesses fight fraud and improve risk decisions with advanced solutions and smart technology. PayPal’s Fraud Protection Advanced uses machine learning and analytics to help protect businesses from fraud and adapt to an ever-evolving payments landscape.

One of the best ways to mitigate risk is to stay up to date about fraud tactics and train employees to look out for the signs. Here are some of the most common signs that payment fraud might be taking place:

Fraud prevention benefits

Fraud prevention is the process of using tools and strategies to help detect and reduce incidents of fraud. Fraud prevention measures offer several benefits for businesses:

• Avoid financial losses: These losses can come from refunds and chargebacks, attacks on business bank accounts, and expenses related to resolving security breaches.
• Improve business reputation: Putting extra effort into customer safety benefits businesses by establishing trust and a good reputation. High customer trust and satisfaction can boost loyalty.
• Avoid regulatory and legal consequences: If a business is found to be the source of a data breach, it might be held responsible for the consequences. Complying with relevant regulations helps avoid legal expenses arising from cyber attacks and fraud.

Take steps to protect against fraud with PayPal

As they grow, businesses can become vulnerable to new types of fraud and increased fraud activity. Any time a business interfaces with customers or other organizations, fraud becomes a risk.

That's where machine learning (ML)-powered solutions can help. These tools are increasingly useful for mitigating risk and preventing many types of fraud. A comprehensive payment platform with built-in fraud and risk management can help businesses to secure sensitive information and keep operations running smoothly.

PayPal’s platform has remained at the forefront of the digital commerce revolution for over 25 years, now serving over 400 million active customer accounts globally.⁴

Given the amount of fraud businesses are seeing in recent years, it’s time for a smarter approach to enterprise fraud management. PayPal’s fraud protection system uses billions of data points for in-depth analysis and prevention.