30/01/2015
By Tim Lansdale, Head of Payment Security, Worldpay
Fraud prevention is not an easy job. The fraudsters themselves are an increasingly determined and well-resourced bunch. They have the element of surprise and they’re agile enough to jump around, trying different targets with different techniques until something works. It doesn’t help that online crime is still a high-reward, low-risk affair for the cyber criminals involved. Building effective fraud prevention services to cope with the rising tide of online crime takes a significant investment of time, money and resources, as Worldpay knows very well.
Yet there are things SMEs can also do to minimise their risk exposure. Fraudsters will always go after the lowest hanging fruit, so avoid some of the most common mistakes and you’ll most likely force them to focus their efforts elsewhere.
Here are my top five, in no particular order:
1. Letting a customer try several cards for one purchase.
If it is a Chip and PIN transaction then it doesn't matter too much – retailers are protected because the liability for reimbursing a fraudulent payment shifts to the bank. If it is a telephone order, however, you should be very wary about allowing customers to try more than one card for a purchase. The fraudster may simply have a stack of stolen cards they are working through – you can't see what names are on the cards.
2. Letting the customer pay over the phone and pick the goods up in person.
This is a common trick used by criminals trying to circumvent current anti-fraud systems. There is no industry response to MOTO (mail and telephone order) fraud in the UK at present, so it is a relative weak spot in your defences and one of the most commonly exploited by criminals. Unless it is a purchase made by a customer you trust implicitly, make the person who picks up the goods pay as a face-to-face transaction with Chip and PIN. It goes without saying that if they are not the person who called on the phone, do not let them leave with the goods without paying.
3. Mistaking an authorisation for a guarantee
Remember, just because a card has gone through as “authorised”, either on a card machine or online, this does not mean payment has been guaranteed. It simply indicates that the account does not have a block on it and the funds are available. The transaction may still be fraudulent, but a card block has not yet been enacted. Any payment where the cardholder isn’t physically present and that hasn’t been checked with Verified-by-Visa or MasterCard 3D Secure is entirely at your risk.
4. The 'too-good-to-be-true' transaction
If a customer is trying to make a big purchase with you then the optimist in you will want it to be genuine. But stop for a moment and think: could your customer buy cheaper elsewhere, or is it normal to buy 37 of an item any normal punter would only need one of?
We’ve seen this time and again at Worldpay. For example, £5,000 worth of cheese was purchased fraudulently by what appeared to be an individual consumer – surely too much for one household? On another occasion a crate load of several hundred spark plugs for a very rare car was sold. Why would an individual need so many? Or how about the sale of two standard mountain bikes for shipping to the other side of the world? Even without shipping, these bikes were far more expensive than if bought locally.
All of these anomalies should raise red flags with you or your staff. Always stay alert, especially when there are large sums of money involved.
5. I don't know what to do if I suspect a transaction is fraudulent.
If you’re unsure about a transaction, you can always perform a “Code 10” check. This is an additional security check you can use if you become suspicious at any time during a transaction, even if the card has gone through the terminal and has been authorised. The outcome of a Code 10 might be that a payment is authorised, declined or the card is kept. Please note, however, that even if this call leads to authorisation, card payment is still not guaranteed.