Card-Not-Present Fraud

January 13, 2022 | 11 min read

Card-not-present Fraud

What is Card-Not-Present Fraud? What Are the Top CNP Fraud Threats & How Do You Beat Them?

Consumers can be demanding. They crave the on-demand convenience offered by remote shopping channels. At the same time, they insist the process must be as frictionless as possible. Unfortunately, meeting customers’ expectations for speed and simplicity often comes at the cost of upholding security best practices.

Without access to the physical card, you can’t know for sure whether you’re dealing with the cardholder or an imposter. Cybercriminals see this as a weak link in the transaction process. It’s an easy point of attack at which to make fraudulent purchases.

In this article we'll discuss the threat posed by card-not-present fraud, or CNP fraud, as it’s often known. We’ll explain why fraudsters have migrated to this channel, explore some of the common tactics they use, and offer some tactics you can employ to protect yourself.

What is Card-Not-Present Fraud?

Card-Not-Present Fraud

[noun]/* kärd • nät • prez • (ə)nt • frôd/

Card-not-present fraud, or CNP fraud, happens when a bad actor illegally gains access to, and uses stolen credit card information to make purchases through a remote channel. Card-not-present fraud usually occurs online, but can happen via any remote channel, including phone or email.

In effect, CNP fraud covers any fraudulent activity resulting from a payment card transaction for which the cardholder never physically presented the card to you. If a cardholder takes a glance at their statement and notices that someone on the opposite side of the world made a bunch of purchases with their credit card at 3am…it’s fairly obvious that something is wrong. The pertinent question: how exactly do they do it?

Fraudsters can buy batches of credit card numbers on the dark web. Once successfully acquired, they can employ that data through various means to steal from both cardholders and merchants.

This is a very fast-growing problem. Data from Vesta found that the overall percentage of potentially fraudulent global transactions rose from 10 to 13% in the single year between 2020 and 2021. Average fraudulent transaction values ranged from $126 to $155 during the same period. For a more concrete example: if your business averages roughly one hundred thousand transactions per year, that 13% translates to about 36 fraud attacks per day.

Not every attempt to access your data will result in a successful attack. If you do nothing to prevent fraud, though, the problem will spiral quickly.

Fraudsters like card-not-present channels because they’re relatively easy to use. Cybercriminals don't have to worry about showing up in person, making counterfeit cards, or defeating EMV chip technology. Without appropriate security measures in place, CNP fraudsters can sail right through checkout without hassle.

Online fraudsters can steal a cardholder's identity and credentials to make illegal purchases and drain accounts. To make matters worse, they can also use that information multiple times, in quick succession, to target several merchants before the activity is discovered.

How CNP Fraud Affects Merchants

To put it as bluntly as possible: card-not-present fraud costs online merchants billions of dollars every year.

As a merchant, you're almost solely liable for incidents of fraud. You must cover the loss, as well as any fees and additional charges incurred if a transaction is subject to a bank chargeback. This means you assume sole responsibility for any fraudulent transactions that might occur on your platform.

CNP chargebacks cost you much more than the original transaction amount. You also lose the value of the merchandise, and incur hefty fees. All totaled, the average fraud incident will cost you $3.60 per every $1 of lost during the attack itself.

Sick of losing revenue to fraud? Good news: you don't have to.


To illustrate, let’s say a customer recognizes an unauthorized transaction on their statement. They then contact the bank to report the transaction as fraudulent. The bank will provisionally return the transaction amount to the cardholder, which removes the funds from your account. Once the chargeback is filed, you have a tight timeframe in which to dispute the transaction. Otherwise, you automatically lose the funds, the merchandise, and get hit with the fees and added overhead costs associated with that chargeback.

Unfortunately, it’s impossible to prevent all instances of fraud. However, there are some things you can do to detect and insulate your businesses from future attacks.

To start, let’s take a look at the most common types of card-not-present fraud. Then, we can look at methods you can employ to defeat them.

Top 5 Card-Not-Present Fraud Threats

There’s a vast array of tactics that fraudsters can use. And, they come up with new attack methods all the time.

Below, we’ve outlined five of the most commonly used tactics for card-not-present and contactless payment fraud, giving you a quick reference point for threats to know:

Account Takeover Fraud

Once a fraudster gains access to a cardholder’s account details, they can use that information to impersonate them over a wide variety of platforms. Account takeover fraud (ATO) lets the criminal assume ownership of that account, making it easier to bypass fraud detection software. In this way, ATO can be considered a form of clean fraud.

Learn more about account takeover fraud

New Account Fraud

Like ATO fraud, new account fraud occurs when a fraudster adopts a false identity to create a new payment card account. This often occurs at the banking level, with fraudsters using stolen or synthetic identities to secure new credit or debit cards, which they can use to make purchases.

Learn more about new account fraud

Gift Card Fraud

Gift card numbers can be used to commit fraud as easily as credit cards can, but with greater anonymity. In these instances, gift card balances can be stolen and siphoned to external accounts. They can also be used to make and ship fraudulent purchases, or to launder funds from other fraud schemes. This is why gift cards are such a hot commodity for fraudsters.

Learn more about gift card fraud

Triangulation fraud

Triangulation fraud is one of newest, yet fastest-growing threats on the list. This scheme involves a fraudster tricking cardholders into making purchases, then acting as a third party to buy and ship the goods from a legitimate merchant, while pocketing the funds from the purchase.

Learn more about triangulation fraud

Buy Now, Pay Later Fraud

You should be even more wary of this threat in the wake of the Covid-19 pandemic, and the explosion of “buy now, pay later” (BNPL) channels. Fraudsters use false credentials to select BNPL options at checkout. They either fail to pay for the goods altogether, or pay using stolen cardholder information.

Learn more about BNPL fraud

These five tactics are only the tip of the card-not-present iceberg. Without appropriate safeguards in place to detect, prevent, and recover from fraudulent activity tied to these and other threats, eCommerce merchants are essentially sitting ducks.

There’s one other card-not-present fraud threat we should discuss before moving on, though. We’re talking, of course, about friendly fraud.

What About So-Called "Friendly Fraud?"

When it comes to CNP fraud threats, friendly fraud is an outlier. It’s more subtle, and in many cases, it’s not a hardened criminal behind the attack.

Like we discussed earlier, a cardholder may contact their bank after a purchase to file a chargeback if that transaction was a case of fraud or abuse. Friendly fraud happens when cardholders file chargebacks without a valid reason to do so. This can be due to a genuine misunderstanding or confusion on the cardholder’s part. Or, it can be deliberate; a practice called cyber shoplifting.

Friendly fraud is a major problem on its own, but the problem is amplified when CNP fraudsters are the source. By misusing the legitimate chargeback system, criminals draw less attention to themselves and divert it elsewhere. This makes cyber shoplifting even harder to stop.

What Should You Do if You Suspect Card-Not-Present Fraud?

To be blunt: if you wait until you suspect fraud, it's probably already too late to stop it.

If a cardholder has been hit by fraud, and you let it happen, you must accept the loss. Issuing banks are not vested in protecting you from activity that they deem within your responsibility to monitor. And, never forget, cardholders who are targeted by fraudsters are their customers.

That isn’t to say, however, that banks are unaware of the problem. Banks and card networks have made some gains against card-not-present fraud, but these benefits don’t often trickle down to the individual merchant level. You have to become your own best protection against card-not-present fraud.

How Do You Prevent CNP Fraud?

An umbrella can protect you against the weather. It’s not going to be very helpful, though, if it’s full of holes.

What we’re getting at is that the best approach to fight card-not-present fraud is to use multiple fraud prevention tools in combination with one another as part of a multilayer approach. These should be deployed strategically, augmented by best practices, and backed by relevant and accurate metrics.

Card-Not-Present Fraud

Here are a few best practices you can implement to fight abuse and manage your long-term CNP fraud risk:

  • Use fraud detection tools: Take advantage of as many tools as you can. These include Address Verification Services (AVS), card verification codes (CVV), 3D Secure 2.0, velocity limits, and fraud blacklists, to name just a few. Since you never come face-to-face with your customer, this is the best way to develop a detailed profile for each buyer.
  • Use fraud scoring: AI or automated tools that pair with your internal processes to gauge fraud risks for each transaction. These technologies examine information like location, time of day, number of transactions declined, and more. You then receive a simple score, allowing for “up-or-down” decisioning.
  • Deploy best practices: You can eliminate many of the roadblocks that cause friendly fraud by providing excellent customer service and adhering to security best practices. You should also create a contingency plan, including use of tools like network inquiries, as well as chargeback alerts as a last line of defense.
  • Keep better records: Keeping meticulous records affords more opportunities to detect and avoid CNP fraud by developing better fraud KPIs and refining fraud detection tools. It can also help you when integrated with technologies like Visa Order Insight, which can stop disputes before they become chargebacks.

Chargebacks911 Can Help

For every technological advance our society makes, there will always be criminals on the lookout for the means to exploit it. Card-not-present fraud is just one example of the ways in which bad actors are looking to gain at your expense.

Despite the ominous message here, it’s important to note that criminal fraud is highly preventable through smart investments and wise best practices. CNP fraudsters may have the tools necessary to overcome one or more fraud detection tactics…but not all of them combined.

Ready to take your card-not-present fraud detection strategy to the next level? Continue below and find out how.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard