What is Card-Not-Present Fraud? What Are the Top CNP Fraud Threats & How Do You Beat Them?
Consumers can be demanding. They crave the on-demand convenience offered by remote shopping channels. At the same time, they insist the process must be as frictionless as possible. Unfortunately, meeting customers’ expectations for speed and simplicity often comes at the cost of upholding security best practices.
Without access to the physical card, you can’t know for sure whether you’re dealing with the cardholder or an imposter. Cybercriminals see this as a weak link in the transaction process. It’s an easy point of attack at which to make fraudulent purchases.
In this article we'll discuss the threat posed by card-not-present fraud, or CNP fraud, as it’s often known. We’ll explain why fraudsters have migrated to this channel, explore some of the common tactics they use, and offer some tactics you can employ to protect yourself.
Recommended reading
- Address Fraud: How Criminals Swap Addresses to Abuse Victims
- How do Banks Conduct Credit Card Fraud Investigations?
- The Top 5 Prepaid Card Scams to Watch Out For in 2023
- Ad Fraud Killing Your Budget? Here's What You Can Do.
- What is Vishing? Tips & Red Flags for Consumers & Merchants
- What is a Botnet Attack? How Can You Stop Prevent Bot Scams?
What is Card-Not-Present Fraud?
- Card-Not-Present Fraud
Card-not-present fraud, or CNP fraud, happens when a bad actor illegally gains access to, and uses stolen credit card information to make purchases through a remote channel. Card-not-present fraud usually occurs online, but can happen via any remote channel, including phone or email.
[noun]/* kärd • nät • prez • (ə)nt • frôd/
In effect, CNP fraud covers any fraudulent activity resulting from a payment card transaction for which the cardholder never physically presented the card to you. If a cardholder takes a glance at their statement and notices that someone on the opposite side of the world made a bunch of purchases with their credit card at 3am…it’s fairly obvious that something is wrong. The pertinent question: how exactly do they do it?
Fraudsters can buy batches of credit card numbers on the dark web. Once successfully acquired, they can employ that data through various means to steal from both cardholders and merchants.
This is a very fast-growing problem. Data from Vesta found that the overall percentage of potentially fraudulent global transactions rose from 10 to 13% in the single year between 2020 and 2021. Average fraudulent transaction values ranged from $126 to $155 during the same period. For a more concrete example: if your business averages roughly one hundred thousand transactions per year, that 13% translates to about 36 fraud attacks per day.
Why is Card-Not-Present Fraud Popular?
Not every attempt to access your data will result in a successful attack. If you do nothing to prevent fraud, though, the problem will spiral quickly.
Fraudsters like card-not-present channels because they’re relatively easy to use. Cybercriminals don't have to worry about showing up in person, making counterfeit cards, or defeating EMV chip technology. Without appropriate security measures in place, CNP fraudsters can sail right through checkout without hassle.
Online fraudsters can steal a cardholder's identity and credentials to make illegal purchases and drain accounts. To make matters worse, they can also use that information multiple times, in quick succession, to target several merchants before the activity is discovered.
How CNP Fraud Affects Merchants
To put it as bluntly as possible: card-not-present fraud costs online merchants billions of dollars every year.
As a merchant, you're almost solely liable for incidents of fraud. You must cover the loss, as well as any fees and additional charges incurred if a transaction is subject to a bank chargeback. This means you assume sole responsibility for any fraudulent transactions that might occur on your platform.
CNP chargebacks cost you much more than the original transaction amount. You also lose the value of the merchandise, and incur hefty fees. All totaled, the average fraud incident will cost you $3.60 per every $1 of lost during the attack itself.
To illustrate, let’s say a customer recognizes an unauthorized transaction on their statement. They then contact the bank to report the transaction as fraudulent. The bank will provisionally return the transaction amount to the cardholder, which removes the funds from your account. Once the chargeback is filed, you have a tight timeframe in which to dispute the transaction. Otherwise, you automatically lose the funds, the merchandise, and get hit with the fees and added overhead costs associated with that chargeback.
Unfortunately, it’s impossible to prevent all instances of fraud. However, there are some things you can do to detect and insulate your businesses from future attacks.
To start, let’s take a look at the most common types of card-not-present fraud. Then, we can look at methods you can employ to defeat them.
Top 5 Card-Not-Present Fraud Threats
There’s a vast array of tactics that fraudsters can use. And, they come up with new attack methods all the time.
Below, we’ve outlined five of the most commonly used tactics for card-not-present and contactless payment fraud, giving you a quick reference point for threats to know:
These five tactics are only the tip of the card-not-present iceberg. Without appropriate safeguards in place to detect, prevent, and recover from fraudulent activity tied to these and other threats, eCommerce merchants are essentially sitting ducks.
There’s one other card-not-present fraud threat we should discuss before moving on, though. We’re talking, of course, about friendly fraud.
What About So-Called "Friendly Fraud?"
When it comes to CNP fraud threats, friendly fraud is an outlier. It’s more subtle, and in many cases, it’s not a hardened criminal behind the attack.
Like we discussed earlier, a cardholder may contact their bank after a purchase to file a chargeback if that transaction was a case of fraud or abuse. Friendly fraud happens when cardholders file chargebacks without a valid reason to do so. This can be due to a genuine misunderstanding or confusion on the cardholder’s part. Or, it can be deliberate; a practice called cyber shoplifting.
Friendly fraud is a major problem on its own, but the problem is amplified when CNP fraudsters are the source. By misusing the legitimate chargeback system, criminals draw less attention to themselves and divert it elsewhere. This makes cyber shoplifting even harder to stop.
What Should You Do if You Suspect Card-Not-Present Fraud?
To be blunt: if you wait until you suspect fraud, it's probably already too late to stop it.
If a cardholder has been hit by fraud, and you let it happen, you must accept the loss. Issuing banks are not vested in protecting you from activity that they deem within your responsibility to monitor. And, never forget, cardholders who are targeted by fraudsters are their customers.
That isn’t to say, however, that banks are unaware of the problem. Banks and card networks have made some gains against card-not-present fraud, but these benefits don’t often trickle down to the individual merchant level. You have to become your own best protection against card-not-present fraud.
How Do You Prevent CNP Fraud?
An umbrella can protect you against the weather. It’s not going to be very helpful, though, if it’s full of holes.
What we’re getting at is that the best approach to fight card-not-present fraud is to use multiple fraud prevention tools in combination with one another as part of a multilayer approach. These should be deployed strategically, augmented by best practices, and backed by relevant and accurate metrics.
Here are a few best practices you can implement to fight abuse and manage your long-term CNP fraud risk:
- Use fraud detection tools: Take advantage of as many tools as you can. These include Address Verification Services (AVS), card verification codes (CVV), 3D Secure 2.0, velocity limits, and fraud blacklists, to name just a few. Since you never come face-to-face with your customer, this is the best way to develop a detailed profile for each buyer.
- Use fraud scoring: AI or automated tools that pair with your internal processes to gauge fraud risks for each transaction. These technologies examine information like location, time of day, number of transactions declined, and more. You then receive a simple score, allowing for “up-or-down” decisioning.
- Deploy best practices: You can eliminate many of the roadblocks that cause friendly fraud by providing excellent customer service and adhering to security best practices. You should also create a contingency plan, including use of tools like network inquiries, as well as chargeback alerts as a last line of defense.
- Keep better records: Keeping meticulous records affords more opportunities to detect and avoid CNP fraud by developing better fraud KPIs and refining fraud detection tools. It can also help you when integrated with technologies like Visa Order Insight, which can stop disputes before they become chargebacks.
Chargebacks911 Can Help
For every technological advance our society makes, there will always be criminals on the lookout for the means to exploit it. Card-not-present fraud is just one example of the ways in which bad actors are looking to gain at your expense.
Despite the ominous message here, it’s important to note that criminal fraud is highly preventable through smart investments and wise best practices. CNP fraudsters may have the tools necessary to overcome one or more fraud detection tactics…but not all of them combined.
Ready to take your card-not-present fraud detection strategy to the next level? Continue below and find out how.