Payment fraud prevention efforts are usually geared up to focus on the consumer. Normally, card fraud is carried out using stolen consumer details at bona fide merchants.
But what if the fraud is the other way around? When the criminal is not the person using the card but the merchant accepting payment, there are important considerations from a prevention perspective.
It’s a big risk for the acquirer as they may be liable to compensate issuers and cardholders, when merchants do not fulfil their chargeback obligation.
Bust-out merchant fraud is really a version of first party fraud and one that makes detection hard. Through false applications, criminals disguise themselves as legitimate merchants and, because of chargeback liabilities, make acquirers bear the costs of their activities.
For example, a merchant (the criminal) opens an online store and generates lots of transactions from unsuspecting customers before busting out with the cash in their account.
With the merchant vanished, the acquiring bank has to deal with the chargebacks and all the other mess that a fraudulent merchant leaves behind.
Particularly lucrative examples include fake ticketing websites, where duped customers don’t realise it’s a scam until their event ticket doesn’t come in the mail, which could only become apparent months after the purchase. This gives the website plenty of time to rack up profits at the acquirer’s expense.
Another version sees the merchant establish a fake online store and then use fraudulent payment methods such as cloned cards to ‘buy’ goods – effectively filling their account with other people’s cash.
In a world where card-not-present fraud is our biggest worry, this becomes a way in which the criminal can harness stolen card details to directly generate cash rather than buying goods and then selling them on the black market.
Some merchants may commit fraud by declaring bankruptcy after collecting a large number of orders. This can be a harder fraud to spot as in many cases it could be a legitimate case of the business going under.
Another new form of merchant fraud is to use a contactless POS device to covertly take small amounts from unsuspecting cardholders. For example, it can be done on packed trains or in other busy locations where the criminal can get close enough to a card to force the transaction without anyone realising. It’s a kind of modern day pickpocket scam that relies on the misuse of a merchant terminal.
What acquirers can do
Acquiring banks should be very diligent when onboarding new merchants. Checks on any previous links to frauds is a start, but like all first party fraud, it’s not an easy thing to achieve as criminals can easily use a fake ID to set up an account. However, there are various appropriate due diligence checks that ought to be completed as a first step.
Once a merchant is onboarded, it’s vital the bank pays ongoing attention to the merchant’s activities and monitor transactional patterns for any signs of potential wrongdoing.
Detection of merchant fraud relies on proactive and real-time monitoring. This includes transactions, but also things like extra-large discounts or unusual sales campaigns.
An intelligent fraud detection system is a key weapon in the battle against merchant fraud.