Fraud is a fact of life for those doing business online.
Every ecommerce company encounters fraud at some point. It’s often when that first chargeback arrives that merchants become fully aware of the fraud risks specific to ecommerce.
As massive data breaches become more common, the identities and credit accounts that fraudsters and fraud rings need to ply their trade become more readily accessible.
So, why is online fraud so prevalent?
The answer to how online fraud happens has two parts:
- Stolen credit card information is easy to buy.
- Prosecution is rare, and online fraud may be a low priority for law enforcement, due to difficulty amassing evidence and time and resource constraints.
With that being said, let’s take a deeper look into each part.
Ease of access to stolen credit cards
How does online card fraud take place? We’ll examine the typical process for how a stolen credit card can become a fraudulent order for a merchant.
Step 1: Credit card numbers are stolen, either via large criminal syndicates or solitary hackers.
Online criminal organizations or lone hackers will attack companies and organizations, regardless of size, to obtain access to any type of personal and/or financial information. When the information is acquired, it’s often packaged to immediately be sold on a black market. The more information available on a cardholder, in addition to the card number, the higher the price the information fetches. (Cards sold with information such as billing and delivery address, email and phone numbers are sold at a premium.)
Step 2: The personal and financial information stolen is sold to a 3rd party, and usually not used by the initial thieves.
More often than not, the organizations and individuals who steal personal and financial information are not the same individuals and organizations who use that information. The larger the hack, the less likely that the party responsible for the theft of data will use it to commit fraud. In the aftermath of the Target and Home Depot hacks, law enforcement noticed a significant uptick in personal information being sold on the black markets.
As mentioned above, online thieves looking to commit fraud are able to buy stolen cards and personal information in mass quantities on the black markets. (U.S. credit card information can sell for as little as $5.) Take the massive 2019 Capital One data breach, one of the increasingly common mega-thefts of personally identifiable information. The records of more than 100 million customers and prospective customers were accessed. Often selling in bulk, those who collect and then sell the personal and financial information can make huge sums.
Step 3: Once in possession of stolen credit card information, a fraudster tests and then exhausts the credit card.
Now that a fraudster is in possession of credit card information, either from buying it from a black market or by stealing information themselves, the first step is to separate the active cards from the inactive cards.
They will usually test the stolen credit cards by making small purchases online (typically in the range of just a few dollars) to see if the transaction will go through. If the transaction is successful, they will attempt to max out the credit cards to their full potential.
Depending on how much information the fraudster has stolen (phone number, email, social security number, billing and delivery address, passwords, etc.), they can, with varying degrees of success, pass themselves off as the legitimate cardholder. Often, they are able to get past an online merchant’s fraud screenings because of the information that they have at their disposal.
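The test-then-spend pattern from Step 3, written as a merchant-side check (an added example, not part of the original article): it flags a card when an approved purchase of a few dollars is followed shortly by a large order. The order records, token names, dollar thresholds and 24-hour window are constructed assumptions to be tuned against a merchant's own order history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (timestamp, card token, amount in USD, approved).
# Tokens stand in for card numbers; a screening job should never handle raw PANs.
ORDERS = [
    ("2024-03-01T10:00:00", "tok_A", 2.50, True),     # small approved probe
    ("2024-03-01T10:07:00", "tok_A", 899.00, True),   # large order minutes later
    ("2024-03-01T10:20:00", "tok_A", 1250.00, True),
    ("2024-03-01T09:00:00", "tok_B", 3.99, True),
    ("2024-03-04T15:00:00", "tok_B", 420.00, True),   # days later, outside window
    ("2024-03-01T11:00:00", "tok_C", 1.00, False),    # probe was declined
    ("2024-03-01T11:30:00", "tok_C", 700.00, True),
    ("2024-03-01T12:00:00", "tok_D", 64.00, True),    # ordinary order, not a probe
    ("2024-03-01T12:05:00", "tok_D", 310.00, True),
]

def flag_test_then_spend(orders, probe_max=5.00, spend_min=200.00, window_hours=24):
    """Return {card: [large order amounts that followed an approved small probe]}."""
    window = timedelta(hours=window_hours)
    by_card = defaultdict(list)
    for ts, card, amount, approved in orders:
        by_card[card].append((datetime.fromisoformat(ts), amount, approved))

    flagged = {}
    for card, rows in by_card.items():
        rows.sort()                      # evaluate each card in time order
        probe_time = None
        hits = []
        for ts, amount, approved in rows:
            if not approved:
                continue                 # a declined probe confirms nothing
            if amount <= probe_max:
                probe_time = ts          # most recent successful small charge
            elif (probe_time is not None and amount >= spend_min
                  and ts - probe_time <= window):
                hits.append(amount)
        if hits:
            flagged[card] = hits
    return flagged

if __name__ == "__main__":
    for card, amounts in flag_test_then_spend(ORDERS).items():
        print(f"review {card}: large orders after a small test charge: {amounts}")
```

A flag here is a reason to hold the order for manual review, not proof of fraud, since legitimate customers also make a small purchase followed by a large one.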
Now that we’ve demonstrated the ease with which a fraudster acquires and uses stolen credit card information, let’s explore the enforcement issue.
Prosecution: difficult and rare
Prosecuting for online fraud is quite difficult, for many reasons.
First, an investigation often crosses state, if not international, lines, causing jurisdictional issues to arise. If the online merchant is based in Orlando, Florida, the real cardholder lives in Austin, Texas, and the fraudulent purchase was shipped to Montpelier, Vermont, this raises the question of where the crime was committed. On top of that, when a crime involves multiple states, federal law enforcement may also be involved, raising the number of stakeholders further and complicating the question of who owns the investigation.
Second, evidence can be in short supply. When a fraudster impersonates a cardholder, uses a new email address, rents a mailbox under an assumed name, and attempts other methods to escape detection, little evidence may be available to tie the actual fraudster to the attempt. Authorities might not have enough evidence to bring a case.
Third, ecommerce fraud may be perceived as a low-priority crime. A single instance of fraud might come with a low monetary amount. Often it’s difficult to identify a victim. Legitimate cardholders are typically reimbursed for their losses by their issuing bank, reducing the motivation to follow through with a prosecution.
Compare the average monetary amount of ecommerce fraud to those cases that the FBI, Department of Justice and Secret Service discuss on their respective sites. They tend to deal with fraud where the stakes are generally much higher—counterfeit money, insider trading, securities fraud, investment fraud, scams, etc. We recommend reviewing the FBI’s Internet Crime site in order to get an idea of the vastness of the complaints that the FBI alone receives. This isn’t to say that law enforcement ignores the issue, but it’s helpful to frame ecommerce fraud in relation to the crimes they deal with.