Shutterstock
Anna Nelson makes a habit of reviewing her credit card statements every month.
In December, she discovered a charge that she didn’t recognize. It was a fairly small amount, but Nelson (not her real name) immediately changed her password and contacted the bank that issued the card. It turned out that someone had obtained her credit card number and used it to make a purchase at an online retailer.
Nelson disputed the charge, and the ensuing investigation determined that the purchase was fraudulent — the merchandise was shipped to an address that wasn’t hers.
Nelson got her money back, but what she didn’t realize was that the refund likely had to be covered by the retailer. Through a process called chargeback, credit-card providers will require merchants to make good their loss on fraudulent or disputed transactions.
Online banking and credit card fraud spiked during the past three years because of the steep rise in online sales, says Monica Eaton, founder of Chargebacks911, a provider of chargeback prevention, management and remediation technology.
“Fraudulent purchases with stolen card information doesn’t just hurt the cardholder,” she says. “It hurts everyone involved in the purchasing process.”
The risk is substantial for both merchants and banks.
“For every $1 of fraud, it costs the merchant $3.60,” Eaton said, “and some banks are spending up to 12 percent of their net income” to deal with fraud.
“When you take a look at how much they’re spending to service chargebacks and disputes, it’s substantial, because chargebacks and disputes are generally less than half a percent of total transaction volume,” she said.
An e-commerce transaction is 50 times more likely to turn into a chargeback than a face-to-face transaction, she said. While e-commerce has grown around 18 percent in the past two years, chargebacks have increased by 39 percent.
Overall, the annual cost to businesses, banks and consumers — who may end up paying higher prices — is in the billions of dollars.
It takes effort by merchants, financial institutions and consumers to identify and prevent fraudulent activity, stop scammers from making illegal purchases and avoid unnecessary chargeback fees.
Skimming scams
Credit card information usually gets stolen because the cardholder has used a site that was compromised, fell for a phishing email or text, or was the victim of a skimming device on a card reading machine, says LaShea Woodard, vice president of financial crimes at Ent Credit Union.
“There’ll be cycles where maybe there’s a skimming device locally that may have an impact on our members,” she says.
According to FICO, the United States saw a 700 percent increase in credit card fraud via skimming devices installed on ATMs, point-of-sale terminals or gas pumps in the first half of 2022 compared with the same period of 2021.
Ent doesn’t issue its own card but works with Visa, which issues cards in Ent’s name.
When a member submits a dispute, “we send it for a chargeback with whatever information our member has,” she says. During the chargeback process, the merchant gets a chance to verify the purchase, and sometimes the member may realize the purchase was valid — they just didn’t recognize the merchant’s name. But other times, it’s determined that the item was purchased fraudulently.
“We could take a loss on a fraud claim if it’s brought through no fault of the member,” Woodard says. “If it’s a skimming device and they had enough information, Visa could determine that the merchant did their due diligence to try to mitigate it, and we could possibly take that loss.”
Detecting fraud
Although credit card fraud continues to be a challenge, it represents fewer significant losses for Pikes Peak National Bank now than it used to, thanks to the introduction of monitoring technology, President and CEO Robin Roberts Goldberg says.
The technology analyzes purchase activity on a customer’s debit card and flags purchases that appear out of the norm.
“We send text messages to customers to verify that validity of account activity so that their purchase can be approved when they are authorized, or declined if fraudulent activity is suspected,” Goldberg says.
When a card has been compromised, the technology shuts down the card to prevent further fraudulent activity, and the customer can be issued a new card.
Zions Bancorporation, parent company of Vectra Bank Colorado, has seen a particular increase in online fraud — what’s termed card-not-present fraud in banking parlance, says Chuck Groat, Zions’ senior vice president of bank card operations and risk.
Total fraud cases were up 22 percent year over year from 2021 to 2022, he says. Card-not-present fraud represented 18 percent of the increase.
“I have a fraud detection team that’s monitoring accounts on a daily basis,” he says. “We have both manual and automated processes; we use various rules, strategies and models to identify fraud or red flags.”
Dealing with chargebacks
Chargebacks happen daily, Groat says.
Customers typically are protected under Visa or MasterCard zero liability provisions, but merchants who have chosen not to accept chip cards may be liable for fraudulent transactions, he says. That’s because skimming doesn’t work on credit card terminals with chip readers or the newest contactless technology, where the user can simply tap or wave the card without inserting it. But terminals that only read cards when the user swipes the magnetic strip are subject to skimming fraud.
“If we’re successful in performing a chargeback, we would recover the loss and the merchant would take it,” Groat says. “But there are no chargeback rights for lost or stolen cards and the transaction done with a chip. Primarily, the chargeback rights for the issuer are in that card-not-present space.”
Merchants have the right to present evidence to refute a chargeback and can be successful if they can prove that the customer participated in the transaction but disputes the purchase — a form of fraud known as friendly fraud.
But if a merchant has chosen to accept a transaction that turns out to be fraudulent — sending merchandise to an address other than the cardholder’s, for example — or has chosen not to accept chip technology, issuers can recover money from the merchant.
“We work with small businesses that have our credit card and are victims of fraud,” Groat says. “I’ve also done some training for businesses in general on how they can protect themselves to combat fraud.”
Steps businesses can take
Financial experts suggest that businesses take these steps to protect themselves from fraudulent transactions:
• Compare shipping, billing and IP addresses for online purchases. Orders with different addresses for billing and shipping are at higher risk for fraud.
• Use address verification services — systems that compare the address given by the customer with the one on file at the issuing bank.
• Watch for patterns. Multiple failed attempts in quick succession, especially using various credit card numbers, can signal that an online criminal is attempting a fraudulent transaction.
• Create a black list. Scammers who succeed once are likely to try again. Blacklist phone numbers, email addresses, IP addresses and billing addresses.
• Modernize credit card terminals so customers can use chipped or contactless cards.
• Respond to a chargeback with an in-depth investigation into the cause and vigorously defend yourself if the claim is invalid. “Merchants who don’t respond to chargebacks can likely expect more chargebacks,” Eaton says.
Steps consumers can take
• Consumers should develop good defensive habits such as these to protect their credit card information and spot fraud:
• Frequently check your credit card transactions. Make sure you understand everything on your statements. If you see a charge you think is fraudulent, report it to your bank immediately.
• Don’t click on emails from senders you don’t recognize.
• Be careful when people call and ask you for information. No legitimate financial institution will ask you for your PIN.
• At ATMs and credit card terminals, cover the keypad when you’re typing in a PIN number. Criminals can’t use your card without the PIN.
• Look for things that appear strange about a particular terminal. Scammers may put a false front on an ATM or gas pump keypad. You might see a piece of tape holding the skimmer or a protruding card reader, or you might detect movement if you run your finger along the machine.
• If you’re going to shop online at an unfamiliar merchant, do some research before you use your card. Look at reviews and ratings, and read the merchant’s terms and conditions for your purchase.
• Don’t make purchases from insecure sites with addresses that don’t start with HTTPS, and don’t make purchases on public Wi-Fi.
• Keep your phone and credit cards in separate places. If your phone is stolen, the thief has access to your cards and can manipulate fraud alerts, Goldberg says.