Payment fraud and related forms of online criminality remain among the most pervasive threats for small businesses. But nontechnical business owners often don’t understand this largely invisible problem, which can lead them to ignore it. This can have devastating consequences for small businesses, sometimes leading to their closure. As a result, it’s important that all entrepreneurs understand what payment fraud is, how it happens, and how to proactively defend themselves and their customers against would-be fraudsters.
Payment fraud occurs when a fraudster steals sensitive payment information about a customer – usually in a data breach – to access and use their online banking or credit accounts. Payment fraud is an increasingly prevalent issue for consumers and businesses alike. A 2021 report from fraud prevention company SEON found there were 1,862 data compromises and a total of 293 million victims of data breaches.
Social Security numbers are the most commonly compromised information each year, followed by personal health data, driver’s license information, bank account numbers and email passwords. Such personally identifiable information (PII) helps criminals to pry open victims’ online accounts. The more information they collect about their targets, such as name and date of birth, the more effective their phishing attacks (or “smishing” attacks via SMS text messages) are.
Other common ways for fraudsters to steal your customers’ information, according to the report, include human and system errors, such as improperly configured cloud security and physical attacks, where fraudsters steal devices and hardware containing PII.
Once acquired, PII can be used to make fraudulent purchases, hold data for ransom or even impersonate you to your customers. These and many other forms of payment fraud can devastate a company.
Payment fraud occurs when fraudsters steal personal information, allowing them to scam your customers or hack their financial accounts in a number of ways.
Payment fraud scams evolve as quickly as technology. Anthony Martin, founder and CEO of Choice Mutual, an online life insurance marketplace, described a common scam known as “friendly fraud.” Martin said this scam can cost companies as much as twice the cost of the good in question.
“Friendly fraud is when someone pays for a product using a $0 fraud liability credit card and then disputes their charge as soon as they receive their order,” he said. “While the credit card company may cover the disputed charge on occasion, it is often the businesses themselves that are left on the hook.”
Accepting credit card payments is a must for nearly every business, but it can come with security risks, especially when payment is taken online or over the phone. Here are five important things to know when accepting card-not-present transactions.
Fraud can hurt your business in several ways, including direct costs and secondary costs. According to a report from LexisNexis Risk Solutions, every $1 in fraud costs business organizations an average of $3.99, meaning the losses to an organization are nearly four times the amount of the original fraud.
In addition, impacts to consumer trust and the reputation of your business can be significant and lead to long-term costs that are hard to recover, said Volodymyr Shchegel, VP of engineering at cybersecurity firm Clario.
“If a cybercriminal is carrying out an attack because they are pretending to be your business, you will have to recoup a lot of customer trust,” Shchegel said. “You will have to bolster your own fraud detection and prevention, as you likely have fraudulent users accessing customer accounts.”
Additionally, he added, lost inventory and the labor resources it takes to address a data breach or payment fraud can compound the losses.
“You can lose inventory and income if criminals are making fraudulent purchases while posing as your customers, forcing you to send additional inventory to the real customer or refunding purchases,” he added. “Even if you are covered by the credit card company or insurance, that is time and product you can never get back.”
Being the victim of a cyberattack can also make a company vulnerable to legal action. This is especially true in the age of data privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These laws open companies up to big fines and potential lawsuits if they don’t do their due diligence in protecting consumer data and alerting customers to data breaches in a timely manner.
Fortunately, organizations aren’t defenseless. Businesses often use detection tools and processes to spot, monitor and prevent fraud. This might include both software and dedicated personnel – sometimes called risk managers or payment specialists – to keep their systems safe around the clock.
Experts say that there is no silver bullet to prevent payment fraud. Instead, the cybersecurity best practices they recommend are continuous awareness, vigilance and planning. A recent study found poor access management, otherwise known as giving employees too much information, was the leading source of hacks into corporations. This means businesses can start by implementing strict internal controls to ensure their own personnel are doing everything possible to keep customer data secure.
“It is incredibly important to remember that human error is your biggest security threat, regardless of the size of your organization,” Shchengel said. “This can look like people falling for a phishing email, or a trusted colleague using the company credit card for personal purchases but going unnoticed due to lazy security checks.”
There are several other ways that small businesses can avoid payment fraud and secure customer data too, including the following:
There are some services and tools that can help small businesses defend themselves against data breaches and malware that can lead to payment fraud. Choosing the right partners and vendors is as critical as establishing comprehensive internal cybersecurity policies. Here’s a look at some of the tools and partners that can help.
Many small business owners don’t have in-depth IT knowledge, nor do they have the budgets to hire an in-house staff to manage all their tech. That’s where managed service providers (MSPs) come in. MSPs specialize in all things IT, including monitoring vulnerabilities, mitigating threats, and responding to data breaches and other cyberattacks. These companies offer small businesses a way to outsource their IT management so that their networks are defended without requiring a lot of institutional knowledge or the expensive proposition of building a full IT department.
Payment fraud often targets customer payment information at the point of payment. That means working with a highly secure, proactive credit card service provider can help reduce the risk that your customers fall victim to payment fraud.
The best credit card processors will prioritize security as part of their standard services. In our Chase Payment Solutions review, we found the company to be the best for ecommerce businesses thanks in part to its security measures when it comes to online transactions.
Much like credit card processors, the best point of sale (POS) system providers can help thwart payment fraud before it occurs. POS systems generally integrate closely with payment processors, and they’re also used to record and store payment information.This means guaranteeing data security in your POS system is an absolute must. We found in our review of Lightspeed that the provider was a great choice for all retail operations, including e-commerce stores, which are particularly susceptible to payment fraud.
For small businesses, the fight against payment fraud is a never-ending process. To protect themselves and their customers’ data, entrepreneurs must invest in technology and personnel capable of dealing with the risks involved. That typically begins with internal cybersecurity policies and a plan for how the company will respond in the event of a breach, but it also includes a company’s software providers and supply chain partners.