Small Businesses Confront Card Fraud Vulnerabilities

Large enterprises continue to fight all kinds of fraud, from insider threats to payments fraud to social engineering. But small businesses are often overlooked as they fight the same battles.

Visa Senior Vice President and Global Head of Risk and Identity Solutions James Mirfin and Jotform Head of Information Security Johannes Wiklund told Karen Webster that small businesses are proving to be catnip to fraudsters.

“As a small business owner, you don’t get up in the morning thinking about fraud and the bad guys — and how they are coming after you,” Mirfin said.

Small businesses are especially vulnerable to attacks, Mirfin and Wiklund said. In setting up online storefronts and eCommerce operations, they also post online forms that are filled out by customers, with card data and personal details, so that orders come in, are filled, shipped and paid for.

That’s if things go right, as Mirfin and Wiklund said in the latest installment of the Visa SMBTV series.

Points of Entry for the Fraudsters

Those initial points of interaction are also ports of entry for fraud. The bad actors are adept at populating those same forms with stolen card credentials, synthetic identities and all manner of interactions, increasingly aided by advanced technologies, that render the damage done and discovered only when it’s too late.

Mirfin said fraud products such as Authorize.net’s from Visa use a risk-based approach, with rules and an eye on new attack vectors that can help keep businesses on the right side of card fraud. There are some common threads of the schemes themselves that can raise red flags, such as when billing and shipping addresses don’t match, indicating that a card may have been stolen. Card testing is a favorite scheme, where small purchases, if successful, open the door to more widespread fraud.

“We monitor those kind of repeat attempts, and we are able to essentially block transactions or identify essentially source IP addresses that multiple failed transactions are coming from,” Mirfin said. “And we put various thresholds or limits around that depending on what the scenario entails.”

But fraudsters are nothing if not adept at changing their tactics, and in recent months we’ve seen the emergence of the “professional refunder,” who will charge consumers a fee for their services, targeting merchants and instigating returns fraud.

Elsewhere, in newer bids to steal credit card data, ChatGPT can be used by attackers to create convincing phishing emails. A fraudster might throw up a fake webpage that indicates to an unwitting consumer that their credentials with a service provider have expired and they need to enter a new card number — and then they take those credentials to commit eCommerce fraud.

If enough fraud gets into the system, an issuer who sees a merchant grappling with card testing attacks might talk to acquirers and shut down payment processing. For the merchant, losing $10,000 and their payment processing ability could seal a firm’s doom.

Protecting Against Fraud

Providers such as Visa (through its Authorize.net solution) and Jotform, which helps client firms design those online forms, can help businesses identify good customers while keeping threats and fraudsters at bay. The balancing act is a combination of art and science, Mirfin said.

“The way we do that is by looking at things like IP addresses or shipping addresses and having visibility into the compromised credentials that people might use to try and pay for the transactions, as well,” Mirfin said.

Jotform, as a form builder, is also a prominent integration partner with payments processors such as Visa’s Authorize.net, Wiklund said. Clients range from large enterprises to government entities to school systems to individual small businesses. The forms run the gamut from registration forms, orders, payments and donations, surveys, application forms and general agreements.

While Jotform enables non-technical people to build web-based forms, these same individuals may not understand security and privacy concerns as well as technical peers might, Wiklund said. Jotform’s tools conform with HIPAA, SOC 2 Type II, PCI DSS, GDPR and other laws, and Jotform has security and compliance certifications that help consumers feel confident that data is being protected.

“Even though [the business] is the data owner, Jotform is the data processor, and the data is stored safe and sound within our systems,” Wiklund said.

There are best practices that help ward off attacks. Mirfin and Wiklund advocated that firms’ employees not click on links or attachments that come into their business — and never send personal or credit card information through email unencrypted. Educating staff about what “typical” communications and transactions look like can help spot anomalies.

Added Mirfin: “If you’ve got the right partners in place, and if you’ve thought about things like customer verification upfront, and how do you actually sift through customers, making sure you’ve got the right rules, and also that you think about what a good customer typically looks like for your business, then you’ll be prepared when that bad actor turns up.”

PYMNTS-MonitorEdge-May-2024