4 types of e-commerce fraud and how to fight them


Since 2020, PayMongo has been an official supporting organization of International Fraud Awareness Week to promote the advocacy established in 2000 by the Association of Certified Fraud Examiners (ACFE).

#FraudWeek2022 is the best opportunity to go beyond our role as fraud fighters and to initiate discussions about how important fraud prevention is to the industry and to society as well. This is a week-long campaign to minimize the consequences of fraud by spreading awareness and educating the community, especially you, our merchants.

Our Team

The PayMongo Risk Team is your partner in defending your organization from bad actors that may cause you harm and losses. We are in charge of building and managing business logic rules in order to automatically take action on transactions and respond to fraud attacks. Armed with data science and analytics, we determine and identify fraud patterns to aid us in implementing internal risk parameters, keeping both you and our platform safe. PayMongo has always focused on maximizing your growth while minimizing the risks that come with it.

Our shared responsibility

While PayMongo uses an advanced risk engine to detect possible fraudulent transactions and patterns using available transactional data, fighting fraud is much more effective if together we – PayMongo and our merchants – work side by side to catch these fraudsters.

Fighting fraud is our shared responsibility.

As your partner, we consistently work with data to study and analyze the transactions that go through our platform. Aided by our risk tools, our risk analysts further review these transactions to come up with the best approach to detect, analyze, and mitigate the possible risks. As the merchant, you are able to assist us in validating suspicious transactions by directly communicating with your customers to gather additional information and documents surrounding these transactions.

Online Fraud

In the last three years, from 2019 to 2021, the Bangko Sentral ng Pilipinas (BSP) received complaints from consumers that involved a total of Php 2 billion worth of financial transactions.

The COVID-19 pandemic has indeed accelerated digitalization. However, this dramatic growth in online financial transactions, as well as the expansion of e-commerce, also created more serious risks. On top of that, consumers are not the lone victims of online fraud. Merchants like you are also be on the receiving end of these unfortunate incidents.

Now, as countries ease restrictions and with the holidays coming up, we expect a huge increase in the volume of online transactions in the Philippines. It is important to educate one another about these emerging threats so that together, we can scale up our game against fraud.

4 Types of E-commerce Fraud

What is it and what can I do about it?

Friendly Fraud

Friendly fraud occurs when the legitimate cardholder actually makes a purchase, but then later claims either of the following:

The fraudster will then file a chargeback to the bank, even after having received the product in perfect condition, with the intent of getting that product for free. If the bank acknowledges the complaint, the purchase will then undergo the chargeback process.

How will it affect me as a merchant?

As a merchant, it is your responsibility to collate and keep transaction documents at all times as they will come in handy to prove that you were able to provide the product or service to your client.

Issuing banks tend to prioritize their cardholders to keep them happy. If the cardholder files a chargeback against the transaction, you will have to pay an additional ₱800.00 fee. Still, merchants can successfully dispute the chargeback claims by providing a sound narrative together with complete documentation as evidence.

What can I do about it?

As this type of fraud cannot be prevented at the point of sale, you must take precautionary measures such as:

In the event of an unusual purchases, you may also contact the customer through their registered phone number or email address to make them aware of the purchase they are making before shipping out the purchased product or service.

Card Testing

Card testing occurs when fraudsters try to check if the card credentials they fraudulently obtained are still valid. They may attempt a small transaction with the stolen card information before using it for a much higher amount.

Card testing may also be done by testing several card detail combinations, sometimes with the help of automation, to obtain a valid combination that the fraudster can use to make fraudulent purchases.

How will it affect me as a merchant?

Card testing has a lot of consequences. The repeated transaction failures affect the financial system as a whole. A large number of declines will be associated with your business, which can harm the reputation of your business with card issuers and card networks. Hence, it will score your transactions as high risk, which may result in declining the legitimate transactions. It may also affect your business with chargebacks once the legitimate cardholder realizes the unauthorized use of their card. Moreover, the effect on network requests and traffic may burden your infrastructure.

What can I do about it?

We recommend that you require customer information and credentials upon checkout. This way, the data validation on each field of the checkout form may also prevent card testers from filling it up with fake information. Implementing CAPTCHA in your checkout forms can also suppress automated card testing.

Stolen Cards

Stolen Card fraud occurs when a fraudster gets hold of credit card details and uses it to make purchases. This may happen with or without possessing the physical card.  

How will it affect me as a merchant?

Depending on the circumstances, the burden usually falls on the merchant from whom the purchase was made or the bank that issued the card. In general, the issuing bank is liable for card-present transactions, while it is the merchant's liability for the card-not-present transactions when the card used is not physically presented to the merchant during checkout.

What can I do about it?

It is best to double-check the details of transactions, especially those with high amounts, and look out for any suspicious pattern. After the assessment, if necessary, you may conduct due diligence on your customer to confirm the legitimacy of the transaction.

If a cardholder approaches you or us at PayMongo, claiming that their card was used for an unauthorized transaction with us, we will conduct an investigation and may ask you to assist in gathering further information about the transaction in question.

Using our platform to accept payments takes you one step closer to keeping sensitive information from being stolen. PayMongo is a PCI Service Provider Level 1 compliant payment provider. When accepting payments using PayMongo, you will be handling sensitive customer information such as card details, personal data, and other information. PayMongo is designed and built with security and ease of integration in mind, doing the complicated security operations for you so you don't have to. Nonetheless, it is our shared responsibility to keep this information safe and secure. The following security concepts are used repeatedly during integration:

  1. Encryption: Defends against malicious agents intent on stealing and abusing collected data during server and endpoint exchange.
  2. Authentication: Limits access to data and collection of information between authorized users and applications.
  3. Tokenization: Keeps sensitive information secure in servers and protects them from malicious agents.

Account Takeover

This happens when your PayMongo account has been compromised. The fraudster will then be able to view sensitive details about your customers such as billing details and card details which can lead to data leaks. Fraudsters will also be free to change your settings such as bank details to receive your hard-earned payouts.

How will it affect me as a merchant?

Once the fraudster gains access to your PayMongo account, he can access all features available to you. Bad actors can damage your reputation with your customers by altering order details. They can also take advantage of changing your bank details so they can receive your payouts. Though we have safety measures to prevent this from happening such as verifying the bank detail change requests through your registered email address with us, it is still best to safeguard your account.

What can I do about it

Keep your account information, including your password, confidential. Do not share your password with anyone or, at the very least, limit the number of employees who have access to the payment system.

Finally, you can further protect yourself and your business by implementing proper user management access to your PayMongo account. As the business owner, you can manage and set up your team's roles in your PayMongo account to make your workflow more efficient.

If you have reason to believe that your data is no longer secure, please contact us immediately.

Fighting Fraud Together

There are and will be more types of fraud that we will come across. If you happen to experience any suspicious or risky transactions, do not hesitate to reach out to our team at risk@paymongo.com.

As the world wide web evolves with online banking, online stores, and online payments becoming more convenient for both merchants and consumers, fraudulent actors evolve as well with new techniques and more advanced technology to steal customer information and defraud merchants. This is a constant challenge we will face together as we fight fraud in this industry.

Published date:
November 14, 2022
Sign up for freeRequest for a demo