13 December 2022
How to defend your business against online scams & fraud
Common online scams and what to look out for
Doing business online has enormous upside, but it also exposes your business to online fraud and cyberattack. The stakes are very real, yet you can significantly reduce them by adopting a defensive mindset and introducing best practices. To help, we’ve put together this guide to many common online scams: a useful tool for training your staff on how to protect your business and prevent fraud.
1. BOPIS (Buy Online, Pick Up Instore) scams
The option to buy online and pick up in-store (BOPIS) or curbside exploded in popularity during the pandemic. In this scenario, a fraudster with a stolen credit card makes a large purchase online, choosing the BOPIS option to collect the goods before the cardholder notices.
What to look out for:
Multiple orders citing the same payment credential, billing address, or email in short periods of time or requesting BOPIS at different store locations.
How to beat these scams:
Employ a manual review process for high-risk or high-dollar transactions.
Deploy protections on your e-commerce site, mixing automated and human analytics to identify customers without adding friction to the purchase process.
Ask for identification at time of pickup and ensure it matches the billing identity.
Train dedicated staff members to work on BOPIS, verify customer identity and to spot red flags at pickup.
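As an added illustration (not code from the original post), here is a simple velocity check of the kind a gateway's fraud rules implement, applied to the BOPIS red flags above: orders sharing a payment credential, billing address or email within a short window, the same card requesting pickup at different stores, and high-value orders routed to manual review. The sample orders, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data); card_token is the gateway's tokenised card reference.
ORDERS = [
    {"id": "A1", "ts": "2022-12-01T09:00", "card_token": "tok_111", "email": "a@example.test",
     "billing": "1 Main St", "fulfilment": "bopis", "store": "Sydney", "amount": 120.0},
    {"id": "A2", "ts": "2022-12-01T09:40", "card_token": "tok_111", "email": "b@example.test",
     "billing": "9 Other Rd", "fulfilment": "bopis", "store": "Parramatta", "amount": 2100.0},
    {"id": "A3", "ts": "2022-12-01T10:15", "card_token": "tok_222", "email": "b@example.test",
     "billing": "9 Other Rd", "fulfilment": "bopis", "store": "Chatswood", "amount": 450.0},
    {"id": "B1", "ts": "2022-12-03T14:00", "card_token": "tok_333", "email": "c@example.test",
     "billing": "5 Quiet Ln", "fulfilment": "ship", "store": None, "amount": 80.0},
]

# Thresholds are assumptions for illustration; tune them to your order volume.
WINDOW = timedelta(hours=24)   # what counts as a "short period of time"
MAX_PER_KEY = 1                # orders allowed per credential/email/address per window
HIGH_VALUE = 1000.0            # route anything at or above this to manual review


def velocity_flags(orders, window=WINDOW, max_per_key=MAX_PER_KEY, high_value=HIGH_VALUE):
    """Return {order_id: [reasons]} for orders that should be held for manual review."""
    parsed = sorted(({**o, "_ts": datetime.fromisoformat(o["ts"])} for o in orders),
                    key=lambda o: o["_ts"])
    flags = defaultdict(list)
    for key in ("card_token", "email", "billing"):
        groups = defaultdict(list)
        for o in parsed:
            groups[o[key]].append(o)
        for grp in groups.values():  # each grp is time-ordered because parsed is
            for i, o in enumerate(grp):
                # orders sharing this key that fall inside the trailing window
                recent = [p for p in grp[: i + 1] if o["_ts"] - p["_ts"] <= window]
                if len(recent) > max_per_key:
                    flags[o["id"]].append(
                        f"{len(recent)} orders sharing {key} within {window.total_seconds() / 3600:g}h")
                if key == "card_token":
                    # same card asking for BOPIS pickup at different store locations
                    stores = {p["store"] for p in recent if p["fulfilment"] == "bopis"}
                    if len(stores) > 1:
                        flags[o["id"]].append(f"BOPIS pickup at multiple stores: {sorted(stores)}")
    for o in parsed:
        if o["amount"] >= high_value:
            flags[o["id"]].append(f"high-value order ({o['amount']:.2f}): manual review")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in velocity_flags(ORDERS).items():
        print(order_id, "->", "; ".join(reasons))
```

Flagged orders are held for the human review step rather than rejected outright, so genuine repeat customers are not lost.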
2. Third-Party Scams
Third-party processing is where you process a transaction on behalf of another company or person. For example, an unknown merchant asks to use your terminal to process a transaction because their own facility is “broken”, then asks you to transfer the money to their nominated bank account once the funds have settled. If any of those transactions are later deemed fraudulent, you will be responsible for the chargeback.
What to look out for:
Beware of anyone who says things like: “If you process these transactions, I will give you 20% of the total sales” or “My terminal is broken, and the bank can’t fix it till next week. Can you please process these transactions for me, as I will lose the sales?”
How to beat these scams:
Never process transactions for a third party.
3. Business email compromises - phishing scams
'Phishing' scams are social engineering attacks designed to steal a user's or a business's data, such as login details, bank account or credit card details. These attacks use dodgy emails (and sometimes SMS) pretending to be from a company you recognise, inviting you to confirm, update, or verify your details.
What to look out for:
Emails asking you to ‘confirm’ or renew account, personal or business details.
The email asks you to immediately initiate a wire transfer or make an unexpected purchase.
Unexpected and urgent emails from a C-suite executive asking for an immediate payment.
How to beat these scams:
Don’t “take the bait” by clicking on links or opening attachments that lead to a phishing website.
If you receive an email that appears to be from your bank, or from a business or government department you deal with, always ring the party on a number you already have to check that it is genuine, or go directly to their official website. Scammers go to great lengths to fool you, and the emails and invoices can look quite genuine.
Beware of ‘spear phishing’ too where an email impersonates an individual you already know and trust.
Provide employee training and awareness.
4. Cyber Extortion
Cyber extortion is an online crime where attackers demand something (usually money) in return for ceasing a cyber-attack or allowing access back to your systems. Cyber extortion also occurs when attackers have successfully stolen personal information or intellectual property and threaten to release it if their demands are unmet.
Below is a list of some common cyber extortion types:
1. Cyber Blackmail: an attacker penetrates your network and steals customer data or Intellectual Property (IP), which they threaten to publish unless you pay a ransom.
2. Ransomware: malware that infects your network, encrypts the files on it and blocks access to them until you pay the ransom.
3. Database Ransom: attackers steal data from your database and demand a ransom for its safe return.
4. Distributed denial-of-service (DDoS): Attackers use botnets to flood your server with traffic and jam up your website, demanding a payment to cease the assault.
What to look out for:
Most cyber extortion attacks begin with phishing or spear phishing (see above).
An increased number of unexpected “pop-ups” in browser windows.
Inability to update antivirus or other software.
How to beat these scams:
Keep all software up to date, especially your anti-virus.
Create backups and store them offline.
Be cautious of opening files and downloading programs.
Use multifactor authentication.
Provide employee training and education.
Use a Virtual Private Network (VPN) when working remotely.
More tips to protect merchants
Err on the side of caution: if you’re suspicious of an order, reject it.
Use 3-D Secure 2 (3DS2) for all card-not-present transactions where available.
Create a culture of security in the business that allows employees to question payment instructions.
Properly configure your gateway’s fraud rules (e.g. velocity checks, IP address blocking).
Avoid delivering to PO Boxes for customers you have never dealt with before.
Periodically review your anti-fraud processes to identify any gaps, especially after a breach.
Create a process where credit card and customer identification details are checked and matched at time of collection of goods.
Use access controls to limit who can perform actions such as refunds, or require multiple approvers to confirm a payment.
Always use strong and unique passwords for each application.
Do not retry declined transactions. If a card is declined multiple times during MOTO (mail order/telephone order) processing, don't try to process it further.
Do not split a declined transaction into smaller amounts.