Periods of economic uncertainty, like the current cost-of-living crisis, often lead to increased first-party (or 'friendly') fraud, as individuals struggle to make ends meet. The primary impact on merchants is increased chargebacks — which may persist into the new year when credit card bills arrive, and some consumers experience buyer's remorse about peak season purchases.
Where the PSD2 strong customer authentication (SCA) requirement is enforced, stepping transactions up for SCA helps to connect cardholders to transactions because they need to provide some extra information. This can help reduce the chance of fraudulent chargebacks being successful. The good news is that starting 15 April 2023, merchants will be able to better defend against first-party fraud in card-not-present environments, with a change to Visa’s dispute programme. Called Visa Compelling Evidence 3.0 (CE3.0), this change means that if merchants can provide additional data to show the disputed charge is valid, the dispute will be invalid. Merchants should consider making CE3.0 part of their longer-term fraud management strategies, given it's unlikely first-party fraud will ever go away completely.
Account takeover remains a top-five fraud attack. In our 2022 Fraud Report we revealed that 27% of merchants globally report experiencing account takeover, with SMBs in particular having a significantly higher incidence compared with 2021.
During the peak season, we anticipate a rise in account takeover attacks using credentials obtained through increased phishing and smishing campaigns. The cost-of-living crisis could mean consumers are more easily lured by fraudulent messages promising, for example, lower fixed-rate energy tariffs, or mortgage deals.
We advise merchants and banks to reinforce warnings to customers and cardholders to be wary of unexpected messages on these and other topical themes. Merchants should also consider deploying an account takeover protection solution that helps block fraud at the account level and prevent bad transactions from taking place.
The bank identification number (BIN) refers to the first four or six numbers that appear on a payment card, and identifies the financial institution issuing the card. BIN range targeting is a recent fraud trend observed by our managed risk analysts (MRAs) since SCA enforcement. Some issuers more readily support the low-risk and other SCA exemptions, giving customers a frictionless flow, without an authentication step such as a one-time passcode (OTP). While great for customers, this flow also suits fraudsters, who don't need to intercept OTPs. Fraudsters are, therefore, working to identify which issuers are more 'lenient' in this regard, and which BIN ranges to target.
To counter the risk, merchants should monitor hot spots and ensure they have the business intelligence to analyse attempted and actual fraud rates on the relevant BIN ranges.
Another observation from our MRAs is that low-value transaction fraud is on the up. In PSD2 SCA terms, low-value transactions are below EUR 30 and typically exempt from SCA. Fraudsters are exploiting the frictionless flow this exemption enables, making fraudulent purchases worth EUR 29 and under.
To reduce the risk of low-value fraud, merchants should:
- Put checks and balances in place
- Use fraud management data to identify emerging trends
- Be able to determine the origin of genuine and fraudulent transactions
One possible approach is routinely asking new customers to authenticate their first transaction even if it's low value. A fraud management solution like Cybersource Decision Manager can help by providing merchants with actionable intelligence.
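The BIN-range and low-value monitoring described above can be sketched as a small report over transaction records. This is an added example, not Cybersource code: the record layout, the status labels, the sample data (constructed) and the `min_volume` and `lift` thresholds are all assumptions.

```python
from collections import defaultdict

LOW_VALUE_EUR = 30.0  # PSD2 low-value threshold named in the article

# Constructed sample records: (bin6, amount_eur, sca_challenged, status)
# status: "ok" = approved and clean, "blocked" = rejected as suspected fraud,
#         "fraud" = approved, later reported as fraud (e.g. by the acquirer)
SAMPLE = (
    [("411111", 25.0, False, "ok")] * 40
    + [("411111", 29.0, False, "fraud")] * 6
    + [("411111", 29.0, False, "blocked")] * 4
    + [("522222", 80.0, True, "ok")] * 148
    + [("522222", 120.0, True, "blocked")] * 1
    + [("522222", 28.0, False, "fraud")] * 1
    + [("433333", 29.0, False, "fraud")] * 2  # too little volume to judge
)

def bin_report(txns, min_volume=20, lift=2.0):
    """Per-BIN attempted/actual fraud rates; flag BINs above lift x baseline."""
    stats = defaultdict(lambda: {"total": 0, "attempted": 0, "approved": 0,
                                 "actual": 0, "low_value_frictionless_fraud": 0})
    for bin6, amount, challenged, status in txns:
        s = stats[bin6]
        s["total"] += 1
        if status in ("blocked", "fraud"):   # attempted = caught + missed
            s["attempted"] += 1
        if status in ("ok", "fraud"):
            s["approved"] += 1
        if status == "fraud":                # actual = fraud that got through
            s["actual"] += 1
            if amount < LOW_VALUE_EUR and not challenged:
                s["low_value_frictionless_fraud"] += 1
    total = sum(s["total"] for s in stats.values())
    baseline = sum(s["attempted"] for s in stats.values()) / total
    report = {}
    for bin6, s in stats.items():
        attempted_rate = s["attempted"] / s["total"]
        actual_rate = s["actual"] / s["approved"] if s["approved"] else 0.0
        report[bin6] = {
            **s,
            "attempted_rate": round(attempted_rate, 4),
            "actual_rate": round(actual_rate, 4),
            # Require volume so a handful of transactions cannot flag a BIN.
            "hot_spot": s["total"] >= min_volume and attempted_rate >= lift * baseline,
        }
    return report

if __name__ == "__main__":
    for bin6, row in sorted(bin_report(SAMPLE).items()):
        print(bin6, row)
```

Counting fraud the merchant is not liable for in the `fraud` status, as the article recommends requesting from acquirers, keeps the actual rate from understating exposure on frictionless flows.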
As we head into peak season under difficult circumstances, merchants need to be confident they understand when to minimise friction to give good customers the best possible experience, and when to apply a degree of friction to help protect against fraud.
Merchants should continue to pay attention to chargebacks and look out for first-party fraud. They should also ask their acquirers for information about fraudulent transactions they're not liable for, in addition to those for which they are liable. This will deliver a more comprehensive picture of their fraud situation, with more insights into sources of risk, and provide additional data for an enhanced fraud management platform.
Merchants still using 3-D Secure (3DS) version 1, which was sunset in October 2022, could face risks like increased failed transactions for lack of data, and liability for fraudulent transactions.
Upgrading to EMV 3DS resolves these and other issues. Used alongside a capable fraud management platform, it helps merchants identify genuine transactions more reliably, reducing the need to step up for authentication and so removing friction. If authentication is required, EMV 3DS makes the customer experience as frictionless as possible through device agnosticism, biometric authentication, and 10x more data for better informed risk and authorisation decisions.
Disclaimer: Case studies, comparisons, statistics, research and recommendations are provided “AS IS” and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. CyberSource neither makes any warranty or representation as to the completeness or accuracy of the information within this document, nor assumes any liability or responsibility that may result from reliance on such information. The information contained herein is not intended as investment or legal advice, and readers are encouraged to seek the advice of a competent professional where such advice is required.
These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. Recommended marketing materials should be independently evaluated in light of your specific business needs and any applicable laws and regulations. CyberSource is not responsible for your use of the best practice recommendations, or other information, including errors of any kind, contained in this document.
Mari-Anne joined Cybersource in 2017 and, in her role as European lead – Regional Solutions, she focuses on driving forward solutions which help merchants to provide great customer experiences, while keeping their business secure. Prior to joining Cybersource, she spent 18 years with a large UK retailer, and for over 10 years was leading the Fraud and Risk functions, responsible for both ecommerce fraud prevention and internal risk management.
Mark is the business owner for the EMEA Managed Risk portfolio at Cybersource and a fraud risk professional with over 14 years’ experience in the card payment and banking industry. His current role as EMEA Managed Risk Principal at Cybersource allows him to work closely with enterprise clients on strategies to reduce risk associated with fraudulent activity and optimise revenue.
At Cybersource, we know payments. We helped kick start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life—experiences that delight your customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all your payment types, fraud strategies, and more. Knowing we are part of Visa and their security-obsessed standards, you can trust that your business is well taken care of—wherever it may go.
'What Every Merchant Needs to Know About Friendly Fraud', Visa, 16 June 2022
'Global Fraud and Payments Survey Report 2022', pp. 14–15, Cybersource, Merchant Risk Council (MRC) and Verifi