E-commerce fraud

Fraudsters use stolen credit card details to target online retailers. Online business appeals to them because there is no physical contact with the business or the legitimate cardholder. Businesses should be fully aware of the risks; otherwise they are more likely to be targeted.

What you should know

When payments are accepted over the internet and processed, your business requests authorisation from the card issuer. However, this does not confirm or authenticate the customer as the genuine cardholder. The standard authorisation only confirms that:

  • the card has not been reported lost or stolen
  • there are sufficient funds available in the account
  • the card number is valid

If a sale is subsequently established to be fraudulent and valid authentication has not taken place, the full amount may be charged back to your business if the genuine cardholder declares they did not participate in the transaction.

Maintaining records relating to chargebacks is important. It is useful to obtain as much information as possible and provide it to your acquirer. If you suspect a fraudulent transaction then you need to report it to your authorisation centre.

Businesses are responsible for protecting cardholder data at the point of sale and as it flows into the payment system. For more information visit the PCI Security Standards website.

Minimise your risk of e-commerce fraud

Consider using Card Security Code (CSC) checks, MasterCard SecureCode and Verified by Visa.

Treat high value items and overseas transactions with extra caution. Always verify the delivery address. If it is overseas then consider using a third party service to provide you with the details.

Be wary of any changes to details initially given, such as a change to the delivery address. Insist that you will only deliver to the customer’s permanent address.

If a courier is used, instruct them only to deliver to the address given by you, return the item if unable to deliver and always obtain signed proof of delivery.

Be aware of your obligations when storing customers’ card payment information. This data is a prime target for hackers, so you need to ensure you are complying with data security requirements.

Keep records of any fraudulent activity as this can be an effective way to identify patterns and areas of potential risk. Many businesses use this process to develop in-house fraud screening protection so they can predict higher risk transactions.
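The warning signs listed above (high value items, overseas delivery, a delivery address that differs from the cardholder’s permanent address, details changed after ordering, no CSC or cardholder authentication) can be turned into a simple in-house screening rule set. This is an added example, not code from the original page; the weights, the £500 high value threshold and the score cut-offs are assumptions to be tuned from your own chargeback records, and the sample orders are constructed.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    amount_gbp: float
    billing_country: str
    delivery_country: str
    delivery_matches_cardholder_address: bool
    details_changed_after_order: bool
    csc_verified: bool        # Card Security Code checked at authorisation
    authenticated: bool       # Verified by Visa / MasterCard SecureCode completed

HIGH_VALUE_GBP = 500.0        # assumed threshold; tune it from your own chargeback records
# Each rule: (description, predicate, weight). Weights are illustrative assumptions.
RULES = [
    ("high value item", lambda o: o.amount_gbp >= HIGH_VALUE_GBP, 2),
    ("overseas delivery", lambda o: o.delivery_country != o.billing_country, 3),
    ("delivery address differs from cardholder's permanent address",
     lambda o: not o.delivery_matches_cardholder_address, 2),
    ("details changed after order placed", lambda o: o.details_changed_after_order, 3),
    ("card security code not verified", lambda o: not o.csc_verified, 2),
    ("cardholder not authenticated", lambda o: not o.authenticated, 1),
]

def screen_order(order):
    """Return (risk score, list of triggered rule descriptions) for one order."""
    hits = [(desc, weight) for desc, pred, weight in RULES if pred(order)]
    return sum(w for _, w in hits), [d for d, _ in hits]

def decide(score):
    """Map a score to an action; the cut-offs are assumed and should be tuned."""
    if score >= 6:
        return "hold for manual review"
    if score >= 3:
        return "verify delivery address before dispatch"
    return "accept"

# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("A1", 45.00, "GB", "GB", True, False, True, True),
    Order("A2", 1200.00, "GB", "GB", False, True, True, False),
    Order("A3", 120.00, "GB", "GB", False, False, True, False),
    Order("A4", 899.00, "GB", "US", False, False, False, False),
]

def screen_all(orders=SAMPLE_ORDERS):
    """Screen every order and return {order_id: action}."""
    return {o.order_id: decide(screen_order(o)[0]) for o in orders}
```

Recording which rules fired on orders that later charged back is what lets you adjust the weights over time.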

Online fraud

We operate in a connected world, selling across multiple channels and geographies. But as the number of channels and markets we operate in continues to rise, so does the risk of fraud. Cybercrime is becoming more sophisticated and fraud is increasingly difficult to detect. As a result, standard fraud verification tools can prove insufficient.

What you should know

Fraudsters may target your online business to gain customer information, such as names, addresses and payment details, to commit crime.

26 million people in the UK use public Wi-Fi networks, such as when they’re travelling on business, staying in hotels and visiting bars and cafes. 42% take no steps to secure their connection when sending personal and business emails, banking or credit card details.

These networks are open to hacking, identity theft and fraud. Numerous simple tools and free apps exist which can be used to hack public Wi-Fi networks – a process called ‘sniffing’.

Employees are now being targeted by what’s called ‘spear phishing’. This is when an email is sent by a fraudster directed at a particular individual. They pose as someone else within the company, usually someone important or in a position of trust. They request information such as login IDs and passwords. They may ask the employee to update their username and passwords. Once the fraudster has this information, they can access the secured networks of your business, gaining entry to confidential information and customer data.

Other methods include asking the employee to click on a link in the email, which deploys malware that can take personal or confidential data from within your business.

Be wary of where you store your information. If you employ a third party ‘hosting’ company, identify where your information is being kept, how it is being shared and how it is being stored.

The latest computer threat to businesses is called Cryptolocker - a form of ransomware that is usually disguised within a legitimate looking email attachment. When the attachment is opened, the malware encrypts certain types of files within your computer. You will then receive a message offering to decrypt the data in exchange for payment, usually via Bitcoin or pre-paid vouchers. There is little recourse for the victim and that is why it is important to back-up your data on a regular basis.

Minimise your risk of online fraud

It is essential that you back up your data; otherwise the impact on your business can be huge.

Ensure your passwords are robust by using a mixture of upper and lower case letters, numbers and symbols.

Do not use obvious passwords, like your mother’s maiden name, as this is information that can be easily obtained by a fraudster.

Always challenge giving out your personal or financial details to anyone.

Whatever security systems you have in place, test them to see that they are working appropriately and are not vulnerable to intrusion. This includes your website.

If your bank offers it, consider using dual authentication. This can reduce your fraud risk from malware and insider threats.

Telephone frauds

If fraudsters hack into your business phone lines they can gain personal or confidential information which is potentially damaging. Make sure you have the necessary security systems in place to protect you.

Telephone and video conference hacking

You may routinely interact with other businesses through confidential conference phone or video calls. It’s an effective way to communicate and cuts the wasted time, resources and expense of day-to-day working. However, these calls can also be accessed by fraudsters who obtain passwords and dial-in codes by overhearing conversations or reading unprotected emails.

Private automated branch exchange (PABX) hacking

Private automated branch exchange (PABX) telephone networks are commonly used by call centres and other businesses and organisations. A PABX provides a single access number with multiple lines for incoming callers, and a range of external lines for outbound calls by staff.

Fraudsters use vulnerabilities to hack your system, access passwords and listen in to conversations and voicemails. They can also use your PABX system to make international or long distance calls, often to premium rate numbers that the fraudster has set up. Your business will unknowingly let the fraudster sell on the access and use of your system, potentially increasing your phone bills by thousands of pounds.

Remember, your business is responsible for any fraudulent usage of your system, not the telephone provider.

These frauds often occur over weekends or bank holiday periods when staff are out of the office for long periods, providing fraudsters with an opportunity to rack up huge bills on behalf of your company.

Take steps to avoid vishing

‘Vishing’ is the telephone equivalent of phishing. Criminals call you, pretending to be from a legitimate business, and persuade you to surrender private information that they can then use for financial gain.

Be wary of unsolicited approaches by phone and cold-callers who suggest you hang up the phone and call them back. Fraudsters can keep your phone line open by not putting down the receiver at their end.

Never disclose your company’s payment card PIN, passwords, online banking codes or financial details unless you are absolutely sure who you are talking to.

Your bank, the police or a legitimate organisation will never:

  • ask for your PIN
  • ask you to withdraw money to hand over to them
  • ask you to transfer money to another account, even if they say it’s in your organisation’s name
  • come to your organisation to collect your business account card or cheque book

Remember to wait at least five minutes after a potentially fraudulent phone call before using the line again, as the person may have left the line open.

If you’re unsure about providing information a caller has requested, check your organisation’s policy on what information you may and may not disclose.

If you are in any way suspicious or feel pressured or vulnerable, don’t be afraid to terminate the call and say no to any requests for information.

Criminals may already have basic information about your organisation in their possession, such as the name, address and account details. Do not assume a caller is genuine even if they have details or knowledge about you and your organisation.

Minimise your risk of telephone fraud

Educate yourself on the systems within your business to enable you to detect any suspicious activity.

Ensure that your systems are kept in a secure location. You may need to consider locked areas if you use office space with multiple occupancy.

Always use strong passwords, manage access to them and never use default password settings.

Consider using settings that restrict international or long distance calls. You can also contact your telephone provider to request this restriction.

If you’re using video conferencing through internet-based calls such as Skype, ensure you are using up to date antivirus and firewalls. This will also help protect you from PABX hacking.

Familiarise yourself with your business call patterns and consider monitoring them, especially if there are calls out of hours, weekends and bank holidays.
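Monitoring call patterns can be automated from the call records your PABX or provider produces. The following is an added example, not code from the original page: it reviews a constructed CSV call log and flags international or premium-rate calls placed out of hours, at weekends or on bank holidays, and extensions whose chargeable minutes in a day exceed a limit. The record format, the 08:00 to 18:00 office hours, the bank holiday list, the 60-minute limit and the number prefixes are assumptions.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = (8, 18)                      # assumed office hours, 08:00 to 18:00
BANK_HOLIDAYS = {"2024-12-25", "2024-12-26"}  # constructed list of bank holiday dates
INTERNATIONAL_PREFIX = "00"                   # UK international dialling prefix
PREMIUM_PREFIX = "09"                         # UK premium-rate number range
BURST_LIMIT_MIN = 60   # assumed: more chargeable minutes than this per extension per day is suspicious

# Constructed call records: timestamp,extension,dialled number,duration in seconds
CALL_LOG = """\
2024-12-20 11:02:45,201,0012125550100,240
2024-12-20 19:30:00,201,0012125550100,60
2024-12-21 02:41:10,305,0012125550100,2700
2024-12-21 03:30:00,305,09098790123,1500
2024-12-25 09:05:00,112,09098790123,600
"""

def parse_log(text):
    # Parse CSV records into (datetime, extension, number, seconds) tuples.
    calls = []
    for line in text.strip().splitlines():
        ts, ext, number, secs = line.split(",")
        calls.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, number, int(secs)))
    return calls

def call_flags(when, number):
    # Return the warning signs that apply to one call.
    flags = []
    if number.startswith(INTERNATIONAL_PREFIX):
        flags.append("international")
    elif number.startswith(PREMIUM_PREFIX):
        flags.append("premium-rate")
    if when.strftime("%Y-%m-%d") in BANK_HOLIDAYS:
        flags.append("bank holiday")
    elif when.weekday() >= 5:
        flags.append("weekend")
    elif not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
        flags.append("out of hours")
    return flags

def review_calls(text=CALL_LOG):
    """Return per-call alerts and the (extension, date) pairs whose chargeable minutes exceed the limit."""
    alerts, minutes = [], defaultdict(int)
    for when, ext, number, secs in parse_log(text):
        flags = call_flags(when, number)
        chargeable = any(f in ("international", "premium-rate") for f in flags)
        if chargeable and len(flags) > 1:   # chargeable call while nobody is in the office
            alerts.append((ext, number, " + ".join(flags)))
        if chargeable:
            minutes[(ext, when.date())] += secs // 60
    bursts = {key: mins for key, mins in minutes.items() if mins > BURST_LIMIT_MIN}
    return alerts, bursts
```

Running this daily and comparing the totals against your normal call pattern gives you an early warning before the bill arrives.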

Always keep your software up to date, especially if you are using PABX.