Security and Trust

Fraud schemes in retail and ecommerce

What merchants need to know
 06/01/2024

Earning a customer’s trust and loyalty takes time, but in today’s digital age, where privacy concerns loom large and data breaches are all too common, that hard-earned trust can vanish in an instant. A single data breach can break consumer confidence and loyalty, and leave merchants not only with financial losses but also with the task of rebuilding their reputation.

Visa’s Biannual Threats Report investigated emerging fraud schemes during the last 7 months of 2023 and found that ransomware and data breach incidents are an increasing threat, most affecting retailers as well as the hospitality and travel sectors. Generative AI tools have helped increase these attacks, like phishing schemes, a type of cyber crime that aims to breach merchant security and steal customer data. Card-not-present merchants, or online stores, showed to be the biggest target. As digital payments continue to grow in popularity, online merchants were responsible for 58 percent of total fraud and breach investigations, while brick and mortar merchants made up 20 percent, according to an earlier version of the 2023 report.

While retail-specific schemes saw a measurable uptick, there are proactive steps merchants can take to mitigate the risk of a breach. Here are some common schemes followed by strategies for how to avoid them.

Ransomware

This type of malware permanently blocks access to a victim's personal data unless a ransom is paid. A well known ransomware attack in 2023 left guests unable to use hotel keycards, slot machines, ATMs, and credit card machines at hotels and casinos that were vulnerable to a breach.

Enumeration attacks

Fraudsters use automated testing on ecommerce transactions to effectively guess the full payment account number, CVV2, and/or expiration date behind an online transaction. Visa Account Attack Intelligence (VAAI) uses machine learning to help identify enumeration attacks and notify affected merchants to block the attack.

Digital skimming attacks

Fraudsters harvest consumer payment account data, such as primary account number, CVV2, expiration date, and personal information, by deploying malicious code onto merchant websites.

Triangulation fraud

Illegitimate online merchants take a customer’s order and charge the customer’s payment account. They then use an unassociated, legitimate merchant to fulfill the customer’s order and pay for the goods or service using stolen payment account information.

Gift card fraud

Visiting brick-and-mortar retailers, fraudsters will steal physical gift cards directly from store racks, and then physically manipulate the barcode. When a customer purchases the gift card and loads funds at the register, the funds are sent to the threat actor.

Purchase return authorization (PRA) attacks

Fraudsters either compromise legitimate merchants or onboard fake merchants to large ecommerce marketplaces, and initiate purchase return authorizations when there was in fact no initial purchase.

Tips to prevent fraud

Here are some strategies for merchants to mitigate the rising threat of fraud:

  • Constantly monitor for new and emerging security technology that can help your business mitigate fraud, and make sure to run updates on security software.
  • Use strict cardholder authentication controls to ensure a customer is a legitimate cardholder.
  • Implement multi-factor authentication (MFA) on all administrator and employee accounts, especially accounts with access to sensitive card information.
  • Provide each admin user with their own user credentials. User accounts should also only access permissions vital to their job. Merchants should perform audits on admin accounts to remove any non-essential users and add other security hardening practices, such as enabling MFA and IP-restricting access.
  • Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior and update anti-malware applications.
  • Secure remote access with strong passwords, ensure only necessary individuals have permission for remote access. Disable remote access when not in use, and use two-factor authentication for remote sessions.

If you think your business is a victim of fraud, isolate the affected systems, take them offline, and report the breach to the Federal Trade Commission at ReportFraud.ftc.​​gov.

Visa fraud disruption efforts have resulted in significant crackdowns on cybercrime with the help of global law enforcement and government agencies. In the first half of 2023 alone, Visa cybersecurity professionals, technology and processes have helped protect against $30 billion in fraud.