This is the second blog in our series on online security and fraud prevention. To understand more about online safety (how to distinguish between a secure and non-secure website, how to ensure you are making a secure payment) read the first part here. To understand how online payment fraud occurs and the steps to prevent it, read on!
There is a reason why banks put up disclaimers announcing that their employees do not ask you for sensitive data, or that you should never reveal details like your OTP to an unknown person. Online payment fraud is a reality of the internet age we live in and the numbers are only set to increase with the increasing digital adoption in India. According to a study by the credit information company Experian and the International Data Corp (IDC), the fraud risk in India is currently pegged at 8.1 points; second only to Indonesia (8.7 points) and significantly higher than the average 5.5 points in the Asia Pacific region. And a 2016 consumer study conducted by ACI Worldwide places India at the fifth position in terms of total card fraud rates; behind Mexico, Brazil, United States, and Australia.
As they say, the best weapon against any problem is education; so let’s begin by understanding the different types of payment fraud that occur in India and how online sites and payment gateways like Razorpay prevent them.
Online Payment Fraud: The Different Types
The most common types of online fraud occur via phishing or spoofing, data theft, and chargeback or friendly fraud. We have explained these in detail below.
Online Phishing or Spoofing
Phishing is the process of obtaining someone’s personal information through fraudulent e-mails, messages or websites that pose as legitimate ones. The information gathered this way can include usernames, passwords, card numbers or bank account numbers. The most widely used method is to send a link (by email or SMS) that takes the user to a look-alike “official” website where they are asked to update or confirm their personal details. The victim is thereby tricked into revealing information they would never hand to a stranger.
Phishing also arrives over SMS and instant messaging, not just email. You can be redirected to make a payment on a website that looks legitimate but exists only to capture your card details for later use. According to reports, India is the third-most targeted country for phishing attacks, after the US and Russia.
Data Theft
Sometimes, dishonest employees or partners steal card data from a business and use it to commit fraud. Most online businesses take stringent measures to ensure that such breaches do not occur. Instead of storing card details as-is, for instance, websites and payment gateways use tokenization and encryption: the merchant keeps only a random token (plus non-sensitive details such as the last four digits), while the full card number lives encrypted in a separate, tightly controlled vault, so a leaked merchant database is of no use to a fraudster.
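To make the tokenization idea concrete, here is an added example (it is not Razorpay’s code and does not describe Razorpay’s vault). The `TokenVault` class, its in-memory storage, the `tok_` token format and the use of a keyed fingerprint to recognise repeat cards are all assumptions; the card number used is Visa’s public test number, not a real card.

```python
# Added example (not Razorpay's code): what "tokenization" means for a merchant
# database. The vault, its in-memory storage and the token format are assumptions.
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Checksum every card number must satisfy; it rejects typos, not fraud."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the isolated card-data store that lives inside PCI scope.

    Only this class ever sees a full PAN. The merchant side gets an opaque
    token and charges the card by handing the token back to the gateway.
    """

    def __init__(self):
        # Assumption: in production this mapping is encrypted at rest under a
        # key held in an HSM; here it is a plain dict so the example runs offline.
        self._pan_by_token = {}
        # Keyed fingerprint so the same card maps to the same token without
        # storing a bare hash: PANs have too little entropy for an unkeyed
        # SHA-256 to resist brute force (known BIN + Luhn leaves ~10^9 guesses).
        self._fp_key = secrets.token_bytes(32)
        self._token_by_fp = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        # Random token: it carries no information about the PAN, so a leaked
        # merchant database is useless to a fraudster.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the gateway's own authorisation path should ever call this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's database may keep: token plus display data, never the PAN."""
    token = vault.tokenize(pan)
    digits = pan.replace(" ", "")
    return {"token": token, "bin": digits[:6], "last4": digits[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input: Visa's public test number, not a real card.
    print(merchant_record(vault, "4111 1111 1111 1111"))
```

The point of the keyed fingerprint is worth noting: merchants often want to recognise a returning card (for fraud history or subscriptions) and are tempted to store a plain hash of the card number. Because the BIN is public and the last digit is a checksum, a plain hash can be brute-forced offline; an HMAC under a key that never leaves the vault gives the same dedup property without that weakness.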
Razorpay takes data security very seriously. We are ISO 27001 certified, which means our information security management processes undergo stringent external audits.
Chargeback Fraud or Friendly Fraud
Let’s say a customer makes an online purchase. Later, they claim that the purchase was fraudulent and ask their bank for a chargeback, even though they made the purchase themselves! (A chargeback, in the simplest of terms, is an order from the cardholder’s bank to the business to return the amount paid for a disputed purchase.) This is known as chargeback fraud or friendly fraud: the business processes a transaction that looks legitimate, only to be issued a chargeback later on.
Chargeback frauds cause GMV losses and are a hassle for any business. We have a Razorpay Chargeback Guide that will help you understand why chargebacks happen and take steps against fraudulent charges.
The Effect of Payment Fraud on Businesses
Under current card-scheme rules, a credit card issuer (i.e., the bank) does not hold the cardholder liable for fraudulent transactions, whether card-present or card-not-present. The cost therefore lands on the business community and hits a merchant’s bottom line directly: every chargeback means the merchant loses both the goods already shipped and the sale amount. This is especially painful for retail establishments, where profit margins are usually thin.
By industry, subscription businesses continue to see the highest rate of fraud, for two main reasons:
- Subscriptions are a card-on-file service; the whole selling point is that the customer never has to make a manual payment. That also makes it easy to claim that one’s card was charged without one’s knowledge.
- Fraudsters use subscription services to ‘test’ stolen cards. Most online subscriptions offer a one-month free trial that still requires a card to start. The charge is negligible or zero, so it goes unnoticed by the real cardholder. Worse, if the card details are wrong, the subscription business often returns a detailed authorization error (for example, which field was rejected), which tells the fraudster exactly which cards are live and how to adjust the next attempt.
Razorpay: How We Help Businesses Reduce Fraud and Mitigate Risk
Apart from the mandatory protocols, Razorpay has its processes (developed in-house by our tech whizkids) to detect and prevent fraud and mitigate risk. As a payment gateway and a converged payments solution company, we take data security very seriously.
By delving into our data and analyzing patterns, we have been able to institute processes that ably discern between a ‘normal’ and a ‘suspicious’ transaction with credible accuracy. These systems are divided into two types:
a) Systems for detecting ‘Merchant Fraud’
Merchant fraud occurs when someone creates a fake or bogus company with no intention of selling any product to the customer. The business appears legitimate; but since it offers no actual goods or services, all users who make an online purchase only end up losing their money. As a payment gateway, Razorpay has strict processes in place to vet every company which uses our gateway for processing payments. Some of the ways we check for merchant fraud include:
– KYC checks: Adhering to strict KYC norms even before we onboard a business is an integral part of fraud mitigation. We have an in-house ‘Risk and Activation’ team that runs background checks on new businesses and vets them before they are ‘live’ on our payment gateway. At Razorpay, we take this check one level higher by monitoring all suspicious and potentially fraudulent businesses, and the transactions that originate from them.
– Transaction monitoring: Razorpay Payment Gateway has an inbuilt ‘Risk’ logic which can sniff out a possible fraud faster than a K9 squad. Let’s say a merchant who gets 3-4 online orders in a day suddenly starts to get 300 daily orders. A sudden spike in transaction velocity (number of transactions per minute/hour/day), volume (amount transacted for), or pattern (international orders for a local brand) is an indicator of fraud and our systems immediately flag such transactions for further investigations.
Our ‘Risk’ logic also has some 72 rules for monitoring the thousands of transactions that cross our gateway every day. The rules are tuned per merchant, so the logic can tell a merchant’s ordinary day-to-day transactions from those that carry a high probability of risk.
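As an added example (not Razorpay’s risk engine, whose actual rules are not published here), the block below implements three rules of the kind described above over a constructed transaction feed: the velocity spike from the merchant-fraud section, the card-testing burst from the subscriptions section, and the geographic pattern rule that the customer-fraud section below also relies on. The merchant profiles, thresholds, IP addresses and sample transactions are all assumptions chosen so that each rule fires once, and `public_decline_message` shows the one-line fix for the “detailed authorization error” problem: the real reason stays in the gateway’s logs.

```python
# Added example (not Razorpay's risk engine): three monitoring rules of the kind
# described in the post, run over a constructed transaction feed. Merchant
# profiles, thresholds and sample data are assumptions that make each rule fire.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    merchant: str
    card_ref: str          # opaque token; the PAN never enters the monitoring pipeline
    amount: float
    country: str
    ip: str
    approved: bool
    decline_reason: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


# Hypothetical per-merchant profile; in practice derived from KYC data and history.
MERCHANT_PROFILE = {
    "localshop": {"home_country": "IN", "baseline_per_hour": 1},
    "trialsvc": {"home_country": "IN", "baseline_per_hour": 2},
}
WINDOW = timedelta(hours=1)


def _windows(txns):
    """Yield the one-hour sliding window ending at each transaction, oldest first."""
    txns = sorted(txns, key=lambda t: t.ts)
    lo = 0
    for hi, t in enumerate(txns):
        while t.ts - txns[lo].ts > WINDOW:
            lo += 1
        yield txns[lo:hi + 1]


def velocity_alerts(txns, spike_factor=10):
    """Velocity rule: a merchant suddenly doing spike_factor x its hourly baseline."""
    alerts, by_merchant = [], defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)
    for m, ts in by_merchant.items():
        limit = spike_factor * MERCHANT_PROFILE[m]["baseline_per_hour"]
        for window in _windows(ts):
            if len(window) > limit:
                alerts.append(Alert("velocity", m, f"{len(window)} txns in 1h, limit {limit}"))
                break   # one alert per merchant is enough to open a case
    return alerts


def card_testing_alerts(txns, min_cards=5, min_decline_ratio=0.5):
    """Card-testing rule: one IP cycling many distinct cards with mostly declines."""
    alerts, by_ip = [], defaultdict(list)
    for t in txns:
        by_ip[t.ip].append(t)
    for ip, ts in by_ip.items():
        for window in _windows(ts):
            cards = {t.card_ref for t in window}
            declines = sum(1 for t in window if not t.approved)
            if len(cards) >= min_cards and declines / len(window) >= min_decline_ratio:
                alerts.append(Alert("card_testing", ip, f"{len(cards)} cards, {declines}/{len(window)} declined"))
                break
    return alerts


def geo_alerts(txns):
    """Pattern rule: cross-border orders at a merchant profiled as domestic-only."""
    return [Alert("geo_mismatch", t.merchant, f"{t.country} order of {t.amount:.0f} at a "
                  f"{MERCHANT_PROFILE[t.merchant]['home_country']}-only merchant")
            for t in txns if t.country != MERCHANT_PROFILE[t.merchant]["home_country"]]


def run_rules(txns):
    return velocity_alerts(txns) + card_testing_alerts(txns) + geo_alerts(txns)


def public_decline_message(internal_reason):
    """What a card tester is shown; the detailed reason stays in the gateway's logs."""
    return "Payment could not be completed. Please try another payment method."


# Constructed sample feed (RFC 5737 documentation addresses, made-up tokens).
BASE = datetime(2017, 3, 1, 10, 0)
def at(minutes): return BASE + timedelta(minutes=minutes)

SAMPLE = [
    Txn(at(0), "localshop", "tok_a1", 499.0, "IN", "203.0.113.10", True),
    Txn(at(240), "localshop", "tok_b2", 1299.0, "IN", "203.0.113.11", True),
    Txn(at(250), "localshop", "tok_c3", 9000.0, "US", "198.51.100.7", True),  # foreign order at a local brand
]
# Card-testing burst against the free-trial merchant: one IP, a new card every
# minute, Rs 1 each, five of every six attempts declined as "invalid_card".
for i in range(30):
    ok = i % 6 == 0
    SAMPLE.append(Txn(at(300 + i), "trialsvc", f"tok_x{i:02d}", 1.0, "IN", "192.0.2.55", ok, "" if ok else "invalid_card"))

if __name__ == "__main__":
    print(*run_rules(SAMPLE), sep="\n")
```

The card-testing rule keys on the source IP and the decline ratio rather than on any one card, which is what makes it effective against trial-signup abuse: each individual attempt looks like an innocent Rs 1 authorization, and only the aggregate gives the attacker away. Real engines add rate limits and step-up challenges once the rule fires; that part is outside this example.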
b) Systems for detecting ‘Customer Fraud’
Customer fraud occurs when a stolen or lost card is used for suspicious activities. It can also occur for other payment modes. Not only does this affect the user, but it is also detrimental to e-commerce websites as it increases cases of refunds and chargebacks, and leads to loss of GMV.
At Razorpay, we strive to protect both our merchants and their customers, which is why we monitor transactions on the customer side as well. How do we do it? Here’s a peek:
– Checking for hotlisted cards: Every time a card is used for payment, our gateway checks with the card issuer whether the card has been hotlisted (blocked temporarily or permanently). This happens in real time, so a legitimate transaction still completes within seconds while a hotlisted card is declined and flagged.
– Pattern-based transaction monitoring: We also apply geographic and pattern-based monitoring (the same kind used for merchant fraud) to identify suspect transactions. This helps us pre-empt chargeback fraud and other customer fraud; our rules identify about 85% of fraudulent cases before the transaction completes.
Online Fraud Prevention: The Future
Online fraud will remain a persistent problem in the days to come. The more we connect and transact online, the bigger the threat; and since it cannot be eliminated outright, the answer is to stay on guard at all times through vigilance and regulation. A good example is the 3-D Secure (3DS) protocol, which Visa developed as ‘Verified by Visa’ to add an authentication step to online card payments, and which has since been adopted by other card schemes such as American Express, Mastercard and JCB International.
A similar measure is the additional factor of authentication (typically an OTP or a 3DS password) that the RBI mandates for online card transactions in India, binding on all card-issuing banks. The RBI has also mandated online alerts for all card transactions, including those where the cardholder physically swipes the card at a PoS terminal. If a cardholder sees a transaction they do not recognise, they can immediately raise a deactivation request and have the card hotlisted.
The Indian government’s decision to appoint a nodal agency for dealing with phone fraud, the FCORD initiative, is another praiseworthy step. Razorpay is also in touch with the Ministry of Home Affairs (MHA), which has designated FCORD as the nodal agency for reporting and preventing cyber-crime fraud in India.
While a zero-fraud system is still some way off, we are constantly building new processes to minimize fraud risk for all consumers. The bottom line remains this: if you are building an e-commerce website, follow the protocols mentioned above to minimize your fraud risk. Alternatively, find a payment gateway (hello there!) that already has stringent security protocols in place. We’re just a click away!