How to understand and react to your risk of payment fraud

Payment fraud and cybercrime is an enormous, well organised business.

In 2020, nearly 4 in 10 businesses worldwide lost at least 6% of their revenue to payment fraud.² And, every dollar lost to fraud costs around 3.3 times as much in time and other expenses.³

Understanding your risks can help minimise its impact early on. Use our free Payment Fraud Risk Assessment to get ahead of potential fraud.

Download now
According to the Cybersource 2021 Global Fraud Report,⁴ experience of fraud is highest for enterprise businesses in the Asia-Pacific (APAC) and Latin America (LATAM) regions.



Businesses in the APAC region lost 4.0% of eCommerce revenue to payment fraud, while businesses in LATAM lost 3.7%.⁷ In North America and Europe, this was just 2.6% and 3.2% respectively.⁸

Then there is the intangible cost of lost consumer confidence and possible damage to business reputation.

Unfortunately, online fraud is unavoidable, but you can minimise its impact by taking a structured approach to identifying each area of risk, assessing its likelihood and potential impact, and defining an acceptable response. Those are the main elements of a payment fraud risk assessment.

Here are the four steps you should take.
 

Step 1: Identify the risks

Every sector and every business is different, so start by identifying the risks facing your particular business. Consider the following common types of eCommerce fraud:

Credit card fraud – Purchases made using stolen card details.

Chargeback fraud – This arises when a purchase is made but the cardholder or fraudster disputes the charge and the bank or card company requires a refund to be made.

Phishing / Account takeover – This is where criminals hack into customers’ accounts or digital wallets to make unauthorised purchases and/or steal personal information.

Friendly fraud – This occurs when customers dispute a legitimate transaction because they don’t remember it, confusion with a family member orregret from an impulsive purchase.

Card testing – This is where fraudsters test large volumes of stolen card details against low-value transactions to see which are still valid/active and can be used for larger transactions (or sold on).

Affiliate fraud – If your business pays commission or referral fees to affiliates, fraudsters may use fake activities to generate payments.

Defaults on BNPL or instalments – Buy now, pay later (BNPL) and instalment options are popular with customers and criminals alike. Fraudsters exploit these options to pay the initial instalment and default on the rest. Be sure to understand who bears the risk of any defaults and check that your BNPL provider has the systems to reduce risk by correctly identifying and approving credit-worthy customers.

Data-related risks – Consider the reputational and regulatory risks in the event of a data breach.

Cryptocurrency risks – If you accept crypto payments, consider additional vulnerability to account takeover fraud and possible exposure to anti-money laundering (AML) rules.

Also consider less obvious risks to your business such as:

• A poorer customer experience caused by the friction of outdated anti-fraud measures.
• The revenue lost because of “false declines”, where fraud prevention systems reject valid payments causing customers to shop elsewhere.
• The additional costs and difficulties that could arise from your payment processor categorising your business as high risk because of high volumes of chargebacks and fraud activities.

Step 2: Quantify the risks

Once you have identified potential risks, you need to quantify these based on both probability (how likely the risk is to occur) and impact (the size or severity of an incident if it occurs).

You can do this on a risk assessment matrix with Likelihood along one axis and Impact on the other, like this example. Note that risks listed here are only illustrative and may be different, or in different positions, for your business.



The most common types of fraud will vary by region and by industry. For example:

• Phishing and friendly fraud are the most common types of fraud attack in the APAC region.⁹
• Nearly two-thirds of businesses in APAC report higher rates of synthetic identity fraud (where false identities are created from different stolen credentials).¹⁰
• The top payment risk management challenges faced by businesses in APAC include managing customer expectations on payment choice and managing the complexities of having multiple payment solutions.¹¹

To effectively assess each risk for your business, look at the following information:

Industry data – What is the prevalence of each type of risk within your business sector?

Characteristics of your business – For example, do you have high volumes of low-value transactions or fewer high-value ones? Higher value goods may be more attractive to fraudsters. Is your customer base domestic or international? It can sometimes be more challenging to detect fraud from overseas customers. What are the demographics and behaviours of your customer base? It’s important to balance risk with customer experience. You may find that, for example, younger, fast fashion customers will have less patience with your checkout process if you have made it safe, but slow and cumbersome.

Transaction history – Past history may be a good indicator of your risk exposure. For example, has your business had a high proportion of chargebacks in the past? Is the trend increasing or decreasing?

Insights from your payment processor – Your payment processor may be able to help you with performance insights for your own business and its sector.

Payment industry insights – Reports and analysis from payment specialists like PayPal can also provide useful insight. As an example, in a paper for PayPal, Mercator Advisory Group found that a 2% increase in payment approval rates could translate into more than a million dollars in previously unrealised revenue.¹²

As you assess the impact of risk, be sure to include any criminal or regulatory liabilities and background issues such as the financial condition of your business.
 

Step 3: Respond to the risks

Understanding the probability and potential impact of individual risks will help you prioritise suitable responses.

In some cases, you may decide to terminate an activity because the risk is too great. In other cases, the risk may be so small that you decide to do nothing and simply bear the small loss if it arises.

In most cases however, you can look at your payment processes and risks and decide on a suitable mitigation strategy.

Updating your payment and fraud prevention technology may become a compelling strategy once you have quantified the risk inherent in older systems.

Often, legacy fraud prevention tools have struggled to keep pace with the sophistication of today’s international fraud industry and many businesses are moving to adaptive risk management solutions.

Powered by machine learning and, in PayPal’s case, trained on huge volumes of real-time data, these solutions can be fast, agile and highly effective ways of managing fraud risk. In fact, 60% of organisations that use automation, machine learning, or behavioural analytics agree that AI technologies are essential to detecting online fraud incidents.¹³

In the past three years, using its advanced fraud prevention technology, PayPal has been able to improve its global authorisation rate by more than 300 basis points (bps) for its branded processing.¹⁴ For new users signing up for PayPal, authorisation rates have been improved by an average of 600 bps.¹⁵

Higher payment approval rates can mean more revenue and happier customers for your business.

You can read more about adaptive fraud prevention, here.

Don’t forget to also consider ways to enhance customer experience,including friction-free, fraud prevention measures and trust.

Concern about fraud works both ways and even the biggest brands need to ensure their customers have the confidence to buy from them. Measures to consider include offering a wide range of payment methods, including those (like PayPal) that do not require customers to enter their card and personal details onto your site. Prominently displaying trusted payment brands is another way to give customers the confidence to spend with you.
 

Step 4: Monitor, review and report

Cybercriminals are constantly developing new methods to defraud you and your customers. Your payment fraud risk assessment can’t be a one-off exercise. Make sure you regularly monitor your risks and review your mitigation strategies.

Make it part of your regular reporting process so that senior management and all staff are aware of the steps you’re taking to minimise risks. This will also help highlight new risks as they emerge, allowing you to quickly tackle them before they snowball into bigger issues.
 

The advantages of PayPal for risk and fraud management

With over 20 years of payments experience, PayPal technology is designed to reduce the risk of fraud while boosting customers’ confidence to spend.

Around the world, the PayPal brand is recognised and trusted. Customers appreciate the fact that their personal details are never shared. They may be able to benefit from PayPal Buyer Protection^* and a payment experience that is designed for the easy and secure convenience today’s buyers expect.

Businesses may be able to benefit from PayPal Seller Protection^** and fraud prevention standards such as 3DSecure. With PayPal, sellers can offer a wide range of payment methods (including alternative payment methods) with a single integration. Additional payment methods can be switched on when required, without the need for any redevelopment or reintegration of their payment solution. That makes it easy to meet – or stay ahead of – fast-changing customer expectations without compromising security.

PayPal also offers advanced, fraud protection capabilities. Our two-sided network of 400+ million active users worldwide provides a rich source of data which is fed into our machine learning models for more accurate, adaptive, and real-time fraud detection. As a result, there are fewer unnecessary transaction declines and less chance of inadvertently treating your good customers like fraudsters.

PayPal’s massive data set of merchants, advanced machine learning techniques and data science expertise also make it faster to identify newly trending fraudulent activities and to act accordingly across all other merchants on the network.

The results of PayPal’s advanced risk management can include:

• Fewer chargebacks
• Lower false positive rates
• Less customer friction
• Lower fraud losses
• Improved operational efficiency
• Streamlined customer experiences

Our global relationships with banks, acquirers and regulators also place us in a good position to pick up fraud before it happens.

For enterprises, PayPal has these risk offerings:

Risk APIs: Available to extra-large eCommerce merchants, merchants can easily integrate Risk APIs to help guard against several fraud use cases, such as signup, login, and payment fraud.

Learn more about how PayPal helps enterprises to manage risk and maintain compliance at https://www.paypal.com/sg/enterprise.

Download our Payment Fraud Risk Assessment to easily start identifying potential fraud risks, their impacts and the steps you can take.