E-commerce fraud: credit card and online data theft

Fraudsters use stolen credit card details to target online retailers. Online business appeals to them because there’s no physical contact with the business or the legitimate cardholder.

Make sure you’re fully aware of the risks, otherwise your business is more likely to be targeted.

What you should know

When you accept a card payment over the internet, your business requests authorisation from the card issuer. But authorisation doesn’t confirm or authenticate the person placing the order as the genuine cardholder. A standard authorisation only confirms that:

  • the card hasn’t been reported lost or stolen
  • there’s enough money in the account
  • the card number is valid


If the sale turns out to be fraudulent, the full amount may be charged back to your business when the genuine cardholder says they took no part in the transaction. Authorisation on its own doesn’t protect you from this, because it never confirmed who was using the card.

It’s important to maintain chargeback records. Get as much information as possible about each disputed transaction and give it to your acquirer. If you suspect a transaction is fraudulent, report it to your authorisation centre.

Businesses are responsible for protecting cardholder data at the point of sale and as it flows into the payment system. Get more information at PCI Security Standards.

Minimise your risk of e-commerce fraud

Consider using:


Treat high-value items and overseas transactions with extra caution. Always verify the delivery address. If it’s overseas, use a third-party address verification service to check the details rather than relying on what the customer typed in.

Watch out for changes to the details the customer originally gave you, for example a request to change the delivery address after the order was placed. Insist that you’ll only deliver to the cardholder’s permanent address.

If you use a courier, tell them to:

  • only deliver to the address you give them
  • return the item if they can’t deliver it
  • always get signed proof of delivery


Make sure you store your customers’ card payment information securely, or better still don’t store it at all and keep only the token your payment provider gives you. Card data is a prime target for attackers, so comply with the data security requirements (PCI DSS) mentioned above.

Keep records of any fraudulent activity, including chargebacks: it’s a good way to find patterns and areas of potential risk. Many businesses use these records to flag higher-risk transactions for review before they’re fulfilled.
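The following is an added example, not code from the original guidance or from any payment provider. It turns the signals described above (high-value orders, overseas delivery, a delivery address that differs from the cardholder’s registered address, details changed after the order was placed, and your own chargeback records) into a simple rule-based score that decides whether an order is accepted, sent for manual review, or held. The thresholds, weights, field names and sample orders are all assumptions constructed for the example and should be tuned against your own chargeback history.

```python
"""Rule-based risk scoring for card-not-present orders (added example).

All thresholds and weights below are illustrative assumptions.
"""
from dataclasses import dataclass, field

HIGH_VALUE_GBP = 500.00   # assumption: value at which an order counts as high value
HOME_COUNTRY = "GB"       # assumption: the merchant normally ships within the UK
REVIEW_SCORE = 40         # assumption: score at which an order goes to manual review
HOLD_SCORE = 70           # assumption: score at which an order is held and not shipped


@dataclass
class Order:
    order_id: str
    amount_gbp: float
    card_token: str           # token from the payment provider, never the raw card number
    email: str
    billing_country: str      # ISO 3166-1 alpha-2 code
    delivery_country: str
    delivery_address: str
    registered_address: str   # address the issuer / customer account holds for the cardholder
    address_changed_after_order: bool = False


@dataclass
class FraudHistory:
    """Your own log of chargebacks and confirmed fraud (constructed for the example)."""
    chargeback_tokens: set = field(default_factory=set)
    chargeback_emails: set = field(default_factory=set)


def normalise(address: str) -> str:
    """Case- and whitespace-insensitive comparison key for an address."""
    return " ".join(address.lower().replace(",", " ").split())


def score_order(order: Order, history: FraudHistory):
    """Return (score, reasons). A higher score means a riskier order."""
    score = 0
    reasons = []
    if order.amount_gbp >= HIGH_VALUE_GBP:
        score += 20
        reasons.append("high-value order")
    if order.delivery_country != HOME_COUNTRY:
        score += 25
        reasons.append("overseas delivery")
    if order.billing_country != order.delivery_country:
        score += 15
        reasons.append("billing and delivery country differ")
    if normalise(order.delivery_address) != normalise(order.registered_address):
        score += 20
        reasons.append("delivery address differs from registered address")
    if order.address_changed_after_order:
        score += 25
        reasons.append("delivery details changed after the order was placed")
    if order.card_token in history.chargeback_tokens:
        score += 50
        reasons.append("card previously charged back")
    if order.email.lower() in history.chargeback_emails:
        score += 30
        reasons.append("email address previously linked to a chargeback")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: accept, review (manual check) or hold."""
    if score >= HOLD_SCORE:
        return "hold"
    if score >= REVIEW_SCORE:
        return "review"
    return "accept"


# Constructed sample data, not real customers.
HISTORY = FraudHistory(chargeback_tokens={"tok_9z9z"},
                       chargeback_emails={"carol@example.com"})
ORDER_OK = Order("A1001", 45.00, "tok_1a2b", "alice@example.com", "GB", "GB",
                 "12 High Street, Leeds, LS1 4AB", "12 High Street, Leeds, LS1 4AB")
ORDER_REVIEW = Order("A1002", 650.00, "tok_3c4d", "bob@example.com", "GB", "GB",
                     "Flat 3, 9 Park Road, Bristol, BS8 1AA", "9 Park Road, Bristol, BS8 1AA")
ORDER_HOLD = Order("A1003", 899.00, "tok_5e6f", "carol@example.com", "GB", "RO",
                   "Str. Exemplu 5, Bucuresti", "4 Mill Lane, York, YO1 7HN",
                   address_changed_after_order=True)

if __name__ == "__main__":
    for order in (ORDER_OK, ORDER_REVIEW, ORDER_HOLD):
        score, reasons = score_order(order, HISTORY)
        print(order.order_id, score, decide(score), reasons)
```

The scores are additive so that several weak signals (a high-value order to an address that doesn’t match) reach the review threshold together, while a single strong signal from your own chargeback records is enough on its own. Note that the order carries only a payment-provider token, not the card number, which keeps the scoring system outside the scope of most of the card-data handling rules.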

For more information and help or to report this and many other types of fraud, go to Action Fraud, the UK’s national fraud and cybercrime reporting centre.

Online fraud

As the number of channels and markets we operate in rises, so does the risk of fraud. Cybercrime is more sophisticated and fraud is increasingly difficult to detect. As a result, the standard fraud verification tools may not be good enough.

What you should know

Fraudsters may target your online business to get customer information, such as names, addresses and payment details, to commit crime.

On public WiFi networks, many people don’t secure their connection when they send personal and business emails, banking details or credit card details. Anyone on the same network can capture unencrypted traffic with simple free tools, a process called ‘sniffing’, and use what they capture for hacking, identity theft and fraud.

Employees can be targeted by ‘spear phishing’, where a fraudster sends an email crafted for a particular person. They pose as someone else within the company, usually someone senior or in a position of trust, and ask for information like login IDs and passwords, or ask the employee to ‘update’ their username and password on a page the fraudster controls.

Once the fraudster has this information, they can log in to your networks as that employee to get confidential information and customer data.

Other methods include asking the employee to click on a link or open an attachment in the email, which installs malware that steals personal or confidential data from your business.

Be wary of where you store your information. If you use a third-party hosting company, find out:

  • where your information is kept
  • how it’s shared
  • how it’s stored


A recent computer threat to businesses is called Cryptolocker, ransomware that’s usually disguised within a legitimate-looking email attachment.

When the attachment is opened, the malware encrypts files on your computer and on any shared drives it can reach. You then get a message demanding payment to decrypt the data, usually via bitcoin or pre-paid vouchers.

There’s not much you can do once the files are encrypted, which is why you must back up your data on a regular basis.

Minimise your risk of online fraud

It’s essential that you back up your data regularly and keep at least one copy offline or otherwise disconnected from your network, so that ransomware can’t encrypt the backup as well. Test that you can actually restore from it; if you can’t, an attack may have a huge effect on your business.

Make your passwords long and hard to guess. A mixture of upper- and lower-case letters, numbers and symbols helps, and so does using a different password for each account, so that one stolen password doesn’t open everything.

Don’t use obvious passwords, like your mother’s maiden name, as fraudsters can easily get this information.

Challenge anyone who asks for your personal or financial details.

Test all your security systems to make sure they’re working and you’re not vulnerable to intrusion. This includes your website.

If your bank offers it, use dual authentication, so that a payment needs more than one credential or more than one person to approve it. This can reduce your fraud risk from malware and insider threats.

Visit Cyber Aware for step-by-step instructions on keeping your devices up-to-date with the latest security updates, and for further online security advice.

For more information and help or to report this and many other types of fraud, go to Action Fraud, the UK’s national fraud and cybercrime reporting centre.

Phone frauds

If fraudsters hack into your business phone lines they can get personal or confidential information. Make sure you have the right security systems to protect you.

Phone and videoconference hacking

Some businesses regularly use conference or video calls to talk to other businesses. But fraudsters can access them and overhear conversations to get passwords and codes.

Private automated branch exchange (PABX) hacking

Call centres and other businesses and organisations use private automated branch exchange (PABX) phone networks. A PABX presents a single published number backed by multiple lines: it routes incoming calls to internal extensions and gives staff access to a range of outside lines.

Fraudsters use vulnerabilities to:

  • hack your system
  • access passwords
  • listen in to conversations and voicemails


They also use your PABX system to make international or long-distance calls, often to premium-rate numbers the fraudster has set up so that the call charges flow back to them. The fraudster may sell on access to your system to others, which could increase your phone bills by thousands of pounds without you knowing.

Remember, your business is responsible for any fraudulent use of your system, not the phone provider.

These frauds often occur over weekends or bank holidays, when staff are out of the office for long periods: it gives fraudsters the chance to rack up huge bills on your company’s account before anyone notices.

Take steps to avoid vishing

‘Vishing’ is the phone equivalent of phishing. Criminals call you, pretending to be from a legitimate business, and persuade you to give them private information that they use to make money.

Be wary of cold-callers who suggest you hang up the phone and call them back to check they’re genuine. Fraudsters can keep your phone line open by not putting down the receiver at their end.

Unless you’re absolutely sure who you’re talking to, never give your company’s:

  • payment card PIN
  • passwords
  • online banking codes
  • financial details


Your bank, the police or a legitimate organisation will never: 

  • ask for your PIN
  • ask you to withdraw money to hand over to them
  • ask you to transfer money to another account, even if they say it’s in your company’s name
  • come to your building to collect your business account card or cheque book


Remember to wait at least five minutes after a potentially fraudulent phone call before using that phone again, as the person may have left the line open.

If you’re unsure about providing information a caller asks for, check company policy on what you can and can’t disclose.

If you’re suspicious or feel pressured or vulnerable, don’t be afraid to say no to any requests for information and end the call.

Criminals may already have basic information about your organisation, such as the name, address and account details. Even if a caller has this information, don’t assume they’re genuine.

Minimise your risk of phone fraud

Make sure you know your business systems so you can detect suspicious activity.

Keep your systems in a secure place. If you have a multiple-occupancy office, you should use locked areas.

Always use strong passwords, manage who has access to them, and never leave default passwords in place on handsets, voicemail boxes or the PABX administration interface.

Consider using settings that restrict international or long distance calls. You can also ask your phone provider for this restriction.

If you’re using Skype or something similar to videoconference, keep it patched and use up-to-date antivirus and a firewall. A firewall that limits which addresses can reach your PABX or VoIP system’s administration and trunk interfaces also helps protect you from PABX hacking.

Always keep your software up to date, especially if you’re using a PABX.

Make sure you know your business’s normal call patterns and consider monitoring them, so that unusual calls stand out: international or premium-rate calls out of hours, at weekends and on bank holidays, or a sudden burst of calls from a single extension.
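The following is an added example, not code from the original guidance or from any PABX vendor. It applies the monitoring described above to a batch of call detail records (CDRs): it flags international and premium-rate calls placed out of hours, at weekends or on bank holidays, and a burst of calls from one extension within an hour. The office hours, bank-holiday list, number prefixes, burst threshold and the CDR line format (timestamp, extension, dialled number, duration in seconds) are assumptions for the example, since every PABX exports its own format; the sample records are constructed, not real.

```python
"""Out-of-hours and premium-rate call monitoring over CDRs (added example)."""
from datetime import date, datetime

OFFICE_HOURS = (8, 18)                                    # assumption: 08:00-18:00 local time
BANK_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}  # assumption: keep from the official list
INTERNATIONAL_PREFIXES = ("00", "+")                      # international dialling from the UK
UK_PREFIXES = ("0044", "+44")                             # a UK number in international format
PREMIUM_RATE_PREFIXES = ("09",)                           # UK premium-rate numbers start 09
MAX_CALLS_PER_EXT_PER_HOUR = 3                            # assumption: set from your normal pattern

# Constructed sample CDRs (timestamp,extension,dialled,seconds), not real data.
SAMPLE_CDRS = [
    "2024-12-20T10:15:00,201,020 7946 0001,120",       # Friday, office hours, domestic
    "2024-12-20T17:45:00,202,0033 1 23 45 67 89,300",  # Friday, office hours, international
    "2024-12-21T02:10:00,205,00252 61 234567,1800",    # Saturday 02:10, international
    "2024-12-21T02:12:00,205,0906 123 4567,900",       # Saturday, premium rate
    "2024-12-21T02:15:00,205,00252 61 234568,1700",    # Saturday, international
    "2024-12-21T02:40:00,205,00252 61 234569,1500",    # fourth call from ext 205 in one hour
    "2024-12-23T07:30:00,203,0900 123 4567,400",       # Monday before office opens, premium rate
    "2024-12-25T03:00:00,205,00371 2 123456,600",      # bank holiday, international
]


def classify_number(dialled: str) -> str:
    """Classify a dialled number as international, premium or domestic."""
    digits = dialled.replace(" ", "")
    if digits.startswith(INTERNATIONAL_PREFIXES) and not digits.startswith(UK_PREFIXES):
        return "international"
    if digits.startswith(PREMIUM_RATE_PREFIXES):
        return "premium"
    return "domestic"


def is_out_of_hours(ts: datetime) -> bool:
    """True at weekends, on bank holidays, or outside office hours."""
    if ts.date() in BANK_HOLIDAYS or ts.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
        return True
    start, end = OFFICE_HOURS
    return not (start <= ts.hour < end)


def parse_cdr(line: str):
    """Parse one assumed-format CDR line into (datetime, ext, dialled, seconds)."""
    ts, ext, dialled, secs = (field.strip() for field in line.split(","))
    return datetime.fromisoformat(ts), ext, dialled, int(secs)


def analyse(cdr_lines):
    """Return one alert dict per suspicious call, plus one per extension-hour burst."""
    alerts = []
    calls_per_ext_hour = {}
    for line in cdr_lines:
        ts, ext, dialled, secs = parse_cdr(line)
        key = (ext, ts.strftime("%Y-%m-%dT%H"))
        calls_per_ext_hour[key] = calls_per_ext_hour.get(key, 0) + 1
        kind = classify_number(dialled)
        if kind != "domestic" and is_out_of_hours(ts):
            alerts.append({"rule": "out_of_hours_" + kind, "ext": ext,
                           "when": ts.isoformat(), "dialled": dialled, "seconds": secs})
    for (ext, hour), count in calls_per_ext_hour.items():
        if count > MAX_CALLS_PER_EXT_PER_HOUR:
            alerts.append({"rule": "burst", "ext": ext, "when": hour,
                           "dialled": None, "seconds": None, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CDRS):
        print(alert)
```

On the sample data the Friday-afternoon international call raises nothing, because it fits the normal pattern, while extension 205 produces both per-call alerts and a burst alert for its four calls in one early-morning hour. In practice you would run this over the CDR export your PABX produces each night and pair it with the call-barring settings mentioned above, so that international and premium-rate calls are blocked out of hours rather than merely reported.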

For more information and help or to report this and many other types of fraud, go to Action Fraud, the UK’s national fraud and cybercrime reporting centre.
