Lightspeed Commerce : How Retailers Can Limit the Risks of Credit Card Fraud and Prevent ‘Social Engineering’ Attacks

Retail credit card fraud isn't fair, but it's sadly a problem retailers can't afford to ignore.

The2021 Retail Security Surveyfrom the National Retail Federation shows:

• Almost 40 percent of respondents said they saw the greatest increase in fraud in multichannel sales channels such as buy online pick up in store (BOPIS), up from 19 percent in 2020.
• Just 28 percent said the greatest increase in fraud came from in-store-only sales, down from 49 percent the year before, albeit heavily influenced by mandated closures during the pandemic.

It seems fraudsters are always finding new ways to makecredit card transactionsfor criminal gain. To bring you up to speed, this article will explore:

• Credit card fraud explained for beginners
• Credit card causes for beginners
• Social engineering: what it is, and how it causes card fraud
• What happens after retailers suffer credit card fraud
• How to prevent credit card fraud as a merchant

Let's start with a simple definition.

How to choose a credit card processor

Learn what to look out for and what questions to ask when shopping for your first, or your next, credit card processor.

Read now

What is credit card fraud?

Credit card fraud happens when a lost card or stolen card details are used to make unauthorized purchases.

• Fraudsters can steal credit card numbers and expiration dates and then use this information to buy products over the phone or online.
• Organized fraudsters are also known for interfering with payment terminals or ATMs to acquire credit card information, which they then use to build counterfeit cards.

What causes credit card fraud?

"Credit card fraud typically occurs when retailers lack a strong detection plan, both in terms of shopper behavior and on their payment processor," said Brigitte Hodge, a retail export atFit Small Business.

"Retailers can look out for things like damaged cards, agitated shoppers, avoidant behaviors around signing the receipt, signature discrepancies between the card and receipt and unusually large purchases to help detect fraud before it happens," she added.

Many instances of credit card fraud are caused by something known as social engineering.

Social engineering: what it means and how it causes card fraud

Social engineering attacks are scams that trick unsuspecting victims into divulging personal information to thieves; these include email scams known as phishing, phone scams known as vishing, and text message scams sometimes known as smishing.

"Social engineering frequently involves persuading people to violate standard security processes and best practices to gain unauthorized access to systems, networks, or physical location or to earn a financial advantage," said Kathryn McDavid, CEO ofEditor's Pick, a beauty and wellness ecommerce company.

Here are some of the most common forms of credit card fraud that are made possible through social engineering.

Computer malware

One of the most common social engineering attacks in retail is malware, according to Morgan. "The attacker visits a retail store disguised as a customer or as an interviewee and leaves behind a USB. Unknowingly, an employee tries to find the owner of the USB by plugging it into the store computer," he said.

The malware is then automatically installed onto the computer without the employee ever finding out. "The hacker's attack begins the moment the USB is seen by an unsuspecting worker," said Morgan.

Phishing attacks

The most well-known social engineering approach is phishing.

• A phishing assault motivates its victims to act by sending them an email, a website, a web ad, a webchat, SMS or a video
• Phishing attacks can imitate a bank, delivery service, or government agency or they might imitate a specific department within the victim's firm, such as HR, IT or finance.

• A call to action is included in phishing attack emails, that asks the victim to visit a fake website or click on a malicious link that includes malware.

Credit card skimming

Despite the widespread use of credit cards, the practice of credit card skimming continues.

• Skimmers are devices that steal information from a credit card's magnetic strip.
• Scammers often install these devices in ATMs at retail stores and gas stations.
• The information is then sold to other scammers or used to create charges on the card.

What happens after retailers suffer credit card fraud?

If your store is breached and sensitive credit card information is stolen, you may be held liable. And that can mean:

• Fines from card associations
• Forensic investigation
• Banks recouping re-issuing costs
• Litigation and government fines

The most common result of credit card fraud is a chargeback, according to Mike Cannon ofChargeback Gurus. "When the victim discovers the fraud and contacts their bank, the bank may hold the merchant liable for the fraud, especially if it was an online purchase. The funds will be taken out of the merchant's account and they will be charged an additional fee."

How to prevent credit card fraud as a merchant

To stop this from happening, retailers need to address the most avoidable cause of credit card fraud: inadequate fraud prevention tools. Here are some steps you can take.

1. Train retail staff about fraud

Most people think credit card fraud only happens online, but they're just as frequent offline. "It is best to train your entire staff on fraud detection and take cyber security measures as credit card fraud can seriously impact your business's bottom line," said Brigitte Hodge, a retail export atFit Small Business.

When accepting a credit card, there are some essential processes to follow. Staff should verify the cardholder's identity by comparing the credit card to the sales receipt:

• Check if there is a match between the signature on the credit card and the signature on the sales receipt.
• Check if the credit card's last four digits match the last four digits listed on the sales receipt. This is the most reliable method of detecting a tampered (counterfeit) card. Experienced fraudsters may have a matching identity to go along with the credit card, so if these numbers don't match, you know it's a fake.
• Tell the person you need to call for authorization - at this point, the fraudster will likely realize they've been caught and will leave the store.

But it's often just as much about the purchase, as the person making it.

2. Halt suspicious purchases

"Certain items are more vulnerable to fraudulent credit card purchases than others," said Adam Wood, co-founder ofRevenue Geeks, which helps ecommerce businesses understand their fulfillment by Amazon (FBA) options.

"Jewelry, video and stereo equipment, computer hardware, shoes, and men's clothing tend to be vulnerable to credit card fraud. That's because they are things that are easily resold," he said.

• Tell your staff to be wary of transactions involving many fraud-prone items (such as two tablets, three gold chains and so on).
• Keep an eye out for transactions with large dollar amounts-a transaction value that is significantly higher than your average transaction value is a tell-tale sign.

Although not all high-dollar-value transactions are fraudulent, they should be investigated.

3. Use PCI-compliant payment processors

• The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard designed to aid financial organizations in securely processing card payments and reducing fraud.
• The payment card industry data security standards (PCI DSS) were established by the PCI Security Standards Council (SSC) to protect cardholder data.
• Every retailer who accepts card transactions must adhere to these standards in order to do business with credit card companies, banks and payment processors.

"Compliance with PCI DSS ensures all companies that accept, process, store or transmit credit card information maintain a secure environment by requiring card processors to meet a set of security standards and rules," said Hodge, ofFit Small Business.

4. Use the right point of sale hardware

In addition to training your staff on signs of fraud, it is also important to have a payment processor that includes fraud detection and prevention measures, she added.

"These include address verification, two-factor authentication, card verification value (CVV), device identification, large purchase flagging and payer authentication."

Accept EMV payments

"Payment processing software and hardware can certainly minimize the risk of credit card fraud," according to Christopher Morgan, CEO atCredit Help Info.

"Retailers must switch toEMV acceptance. This will reduce their risk of fraud and shift liability away from them. They should also transition tocontactless paymentsand tokenization, which help secure a customer's data through encryption."

Mike Cannon, of Chargeback Gurus, agrees. "Using payment terminals that can read EMV chips will eliminate many of the older, easier methods of credit card fraud," he said.

Integrate your POS setup

Software matters too, which is why it might be a good idea to consider integrating your point of sale with your payment processing and accounting software. "In ecommerce, payment processing software that includes even the most basic fraud checks can spot many low-effort fraud attempts, such as stolen credit card numbers without the correct billing address," said Cannon.

Stay one step ahead of fraudsters

Modern payment processing software and secure POS hardware can be key lines of defense against credit card fraud. Talk to an expert to learn more aboutLightspeed Payments, a modern, secure payments solution that integrates seamlessly with our retail commerce platform.