When the subject of fraud comes up, it is easy to picture the Hollywood version: shady-but-principled characters running a well-oiled operation to steal from other shady characters, with the good guy walking away with the cash. The sad truth is that fraud can be committed by anybody, and anybody can become its victim. With theft by deception there is no such thing as a victimless crime. Large businesses that might appear able to absorb the loss still have to make cuts somewhere to cover it, and it is often staff who take the first hit. Small businesses that survive month to month on a steady stream of income can be crippled by a single large data breach: lost revenue, lost stock, and the industry penalties and remediation costs that follow.
UK Finance reported that in 2020 there were over 2.9m cases of unauthorised fraudulent transactions (across cheques, cards and remote banking), with almost £800m lost by businesses and individuals in total. The same research indicates that in more than 98% of those cases the customer was refunded, which means that businesses and banks absorbed around £780m of fraud-related losses. That is a lot of money lost to crime in a single year.
So, what kinds of fraud does a business need to be on their guard against, and what can they do to protect themselves against becoming victims of it? There are arguably four main threats to a business from a fraud perspective:
For any business that accepts payments, there is the risk of inadvertently accepting a fraudulent transaction, especially when the payment is made remotely, i.e. online or by telephone. The risk arises largely because it is difficult to confirm that the person making the purchase is authorised to do so. A lost or stolen card, or compromised card data, can easily be used for a remote purchase when the payment is taken in a non-secure manner, for example when the fraudster calls to make a telephone purchase and reads the card details to a staff member who keys them in, or enters the card numbers themselves via DTMF (Dual Tone Multi-Frequency, in other words keying the numbers in on the phone keypad). Because the cardholder has not personally authenticated the payment, it is processed as a non-secure transaction and is exposed to fraud-related chargebacks should the cardholder challenge it and state that they never placed the order. In the vast majority of such cases the liability for a non-secure payment lands with the business that took it, which then has to refund the money.
Ensuring a transaction is authenticated by the cardholder shifts the liability for fraud chargebacks from your business to the card issuer. For online transactions, make sure your payment gateway supports 3-D Secure (branded by the card schemes as Verified by Visa, Mastercard Identity Check and similar), which is also the usual way of meeting the PSD2 Strong Customer Authentication (SCA) requirement. If you accept telephone payments, make sure you can authenticate those purchases in the same way, for instance by sending the customer a secure link to complete the payment on their own device, so that the transaction becomes a secure, authenticated payment and that costly liability moves away from your business. A check worth making with your acquirer: confirm that your transactions are actually being flagged as authenticated, since a payment that merely passed through a 3-D Secure-capable gateway without the authentication step does not earn the liability shift.
Friendly Fraud, despite its name, is anything but friendly. It occurs when a customer makes a non-secure payment to a business for goods, takes delivery of the purchase, and then knowingly disputes the payment and initiates a chargeback. Because the benefit of the doubt usually goes to the customer, the business is left to refund the payment and is out of pocket twice over, losing both the stock and the revenue.
When a card payment is authenticated through 3-D Secure or SCA (either by the customer entering additional security information, or by their card issuer choosing not to challenge the payment), the issuer has confirmed that the person paying is the genuine cardholder, and your business is protected from chargebacks raised under fraud reason codes, including "I never made this purchase" claims of the Friendly Fraud kind. One caveat a practitioner should keep in mind: the liability shift covers fraud disputes only. A customer who instead claims the goods were never received or were not as described is raising a non-fraud dispute, and there you still need your own evidence (proof of delivery, signed receipts, correspondence) to defend the chargeback.
Internal Fraud can be difficult for a business owner to approach, because there is a level of trust between them and their employees, and it is hard to accept when that trust is abused. In the context of this article, it occurs when a staff member is presented with a customer's card details and chooses to copy them for personal gain. They may not use the card details themselves, but they may sell them on to others who will. The Covid-19 pandemic and the rise of working from home increased the risk of Internal Fraud enormously, especially for contact centres and other businesses that relied on staff taking card details over the phone: with agents working unsupervised on home networks and minimal security measures in place, the results could be catastrophic. The vast majority of staff are both trusted and trustworthy, but it only takes a handful of rogue employees to spoil that.
By using a system that keeps customers' card details out of the merchant environment altogether, and instead asks customers to enter their card details securely on their own device, businesses remove both the opportunity and the temptation for Internal Fraud involving card data. If staff never see, hear or key in a full card number, there is nothing for a rogue employee to copy, and the scope of your PCI DSS obligations shrinks with it.
Data Theft, often the highest-profile form of fraud when it hits a large business, occurs whenever customer data is obtained illegally. This includes the Internal Fraud scenario above if a business does not protect incoming payments, but also covers attackers breaking into your systems and pulling out the confidential customer data you hold: names, addresses, passwords and card details. Two serious recent breaches illustrate the scale. In 2020 EasyJet disclosed a cyber-attack in which the data of around 9 million customers was affected, including more than 2,000 whose card details were accessed. British Airways was fined £20m for a serious data breach in 2018 in which almost 200,000 customers' payment details were stolen. These are some of the biggest companies in the world, with some of the biggest security budgets, which shows that nobody is exempt from attack by cyber-criminals.
There are several things you can do to protect your business: keep your security software up to date at all times, carry out regular assessments of your security processes, and train your staff to be vigilant and to avoid costly mistakes. The way you store data must also be secure. If you hold customer card details in digital form, they must be encrypted or tokenised so that, if the records are obtained by an unauthorised party, the payment information cannot be deciphered. Two points from the PCI DSS are worth stating plainly here: the full card number (PAN) must be rendered unreadable wherever it is stored, and the security code (CVV/CVC) and other sensitive authentication data must never be stored after authorisation, encrypted or not. The best protection of all is not to hold the card data in the first place, which is exactly what a pay-by-link or hosted payment approach achieves.
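The following is an added example, not code from Gala Technology or the SOTpay products, showing the tokenisation design the two previous sections rely on: the merchant's own records hold only a random token and the last four digits, the mapping back to the card number lives in a separate vault that only the payment service may query, and the security code is never accepted for storage. The `TokenVault` class, the `payment-service` caller name and the test card numbers are all illustrative assumptions.

```python
"""
Illustrative card tokenisation vault (added example, not SOTpay code).

Design properties demonstrated:
  * tokens are random and not derived from the PAN, so a stolen copy of the
    merchant database cannot be reversed or brute-forced offline;
  * the merchant record keeps only the token and last four digits;
  * only an authorised caller (hypothetically "payment-service") may detokenise;
  * the CVV/CVC is never accepted, since PCI DSS forbids storing it
    after authorisation.
All card numbers used below are constructed scheme test numbers, not real cards.
"""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, performed before a PAN is accepted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps opaque random tokens to PANs. Only this component ever sees a PAN."""

    def __init__(self):
        self._store = {}        # token -> PAN (in a real deployment: encrypted DB)

    def tokenise(self, pan: str) -> str:
        """Validate the PAN, store it under a fresh random token, return the token."""
        pan = pan.replace(" ", "")
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = "tok_" + secrets.token_urlsafe(24)   # 192 bits of randomness
        self._store[token] = pan
        return token

    def detokenise(self, token: str, caller: str) -> str:
        """Recover the PAN. Hypothetical policy: only the payment service may do so."""
        if caller != "payment-service":
            raise PermissionError(f"{caller} is not allowed to detokenise")
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """Build what the merchant's own database keeps: token plus masked display."""
    token = vault.tokenise(pan)
    last4 = pan.replace(" ", "")[-4:]
    return {"token": token, "last4": last4, "display": "**** **** **** " + last4}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """True if any stored field contains the full PAN (it should never)."""
    clean = pan.replace(" ", "")
    return any(clean in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111")   # constructed test PAN
    print(rec)
    print("leaks PAN:", record_leaks_pan(rec, "4111111111111111"))
    print("payment service sees:", vault.detokenise(rec["token"], "payment-service"))
```

Note that two tokenisations of the same card yield different tokens; if you need to recognise a returning card (for example for repeat-customer checks) that lookup belongs inside the vault, keyed on a keyed hash of the PAN, never in the merchant records. Tokens generated this way are also safe to put in CRM exports, support tickets and logs, which is precisely where stolen PANs tend to turn up in breach investigations.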
Gala Technology has won several awards for payment security innovation, in particular for our SOTpay pay-by-Link solution, and our SOTpay+ payment gateway. By integrating SOTpay and SOTpay+ into your payment accepting processes, you can:
The costs of fraud are never simple. Beyond repaying the value of what was stolen, a business that handles card data carelessly faces non-compliance fines and higher transaction fees from the card schemes, passed on through its acquiring bank under the PCI DSS (the standard maintained by the PCI Security Standards Council), and in the event of a serious data breach it can be hit hard by the ICO for failing to uphold the GDPR. Whilst SOTpay and SOTpay+ cannot protect you against every eventuality, they can certainly help to protect your business when accepting payments.