Suspected credit card fraud

Over the past few days we have received several small payments by card to non-existent business rates accounts. Usually for less than £2, they were spotted when they went into suspense. The account numbers used passed a basic validation test, but were not real.

The suspicion is that the transactions are to test whether stolen or cloned cards are still active before making more expensive purchases elsewhere.

We would like to help prevent fraud against the owners of the cards.

Have other councils experienced the same problem? Have you found a way of assisting the card owners?
  • We’ve had similar cases but relating to Council Tax accounts. I've reported cases to Action Fraud where we have had chargebacks from Card Providers. When examining the related Council tax accounts I found other similar smaller payments where there had been no chargebacks. I can only assume that if the debit / credit cards were stolen / cloned then the cardholders haven't noticed these payments. At the time I felt uncomfortable that we were accepting potential fraudulent payments but was informed that we are not technically a victim of the frauds. Action Fraud would only use the information provided for intelligence purposes.
  • Via another forum we have heard of a few other councils experiencing the same issue.

    As we are not the victim of the fraud, I could not find an obvious option to use on the Action Fraud web site.

    We are concerned that we could be out of pocket if we have to pay a chargeback fee when the payments are reclaimed by the card owners. We are not sure on this point so I will post an update if we do suffer any financial loss. We could give refunds before chargebacks are initiated to avoid this.
  • I did spot some guidance on this type of fraud, but nothing about what to do once it has happened:

    "Card Testing Fraud Prevention

    A growing type of ecommerce fraud that doesn’t get a lot of attention is silently taking over the payments space – it’s called card testing. This article will provide more information on card testing and how it could impact your business and how to help prevent it.

    What is Card Testing?

    Card Testing occurs when a fraudster uses a merchant’s website to “test” stolen credit card information to determine if the card is valid. Fraudsters can purchase lists of credit card numbers online on the “Dark Web” at a low cost but often do not know if the cards they are purchasing are active. To test these cards, fraudsters often use automated bots and scripts to run many of these numbers through a merchant’s checkout page. If a transaction is approved, the fraudster knows that the card is valid and can make fraudulent high value purchases elsewhere.

    How to Identify Card Testing

    While it is sometimes difficult to identify card testing, there are a few common red flags to look out for:

    •Small value transactions – Card testers typically use small value transactions to minimize the amount of credit card balance used.
    •Multiple credit card purchases in a short amount of time – Fraudsters often use automated programs to run many cards through a website in a short time frame.
    •Multiple credit card types – Credit card brands switching rapidly could be a signal of card testing fraud.
    •Failed authorization notices – Multiple transaction failures may point to attempts to enter stolen card data.
    •Address Verification Service (AVS) mismatch – Identifying that the address provided by the customer matches the billing address can provide an extra layer of protection. A mismatch can indicate a fraudulent transaction in which the customer is not the actual cardholder.
    •Card Verification Value (CVV) mismatch – Validating the Card Verification Value (a security code typically printed on the back of the card) can verify that the customer is the cardholder and is in possession of the physical card. CVV mismatches should be monitored carefully.

    Any combination of the above activities can signal that a merchant is being targeted by card testing fraud.

    Why Card Testing Fraud is Costly

    Card testing fraud can be extremely costly due to financial charges and loss of goods. As chargeback disputes typically take 6 weeks to materialize, ecommerce merchants end up paying a high price for fraud. The following costs may apply if your business has been hit by card testing:

    •Chargeback fees – As the number of chargebacks increase, financial institutions can increase the amount they charge. In some cases, the chargeback fees can be more costly than the goods are worth in the first place. As a business becomes riskier for the card brands, they may also be placed on probation and exposed to additional fees. If not fixed, the card brands may deny the business the ability to accept payments from that card brand.
    •The 6 week chargeback window leaves a merchant website open to being hit multiple times before they are aware a problem exists, resulting in a large number of chargeback disputes and fees.

    How to Detect and Reduce Card Testing Fraud

    Implementing CVV checks and AVS are effective ways of minimizing the risk of card testing. A mismatch of either of these fraud tools may indicate a fraudulent transaction. Ensuring that CVV and AVS are activated can go a long way in preventing card testing on a website.

    Google reCAPTCHA offers an additional layer of protection by offering automated software which can differentiate the human user from a bot. The solution is low friction and requires the user to click a checkbox to continue.

    Two factor authentication adds an extra layer of security on top of the use of a username and password. Card testers often target checkout pages that have the least amount of friction. It is recommended that the payment page use more than one method of identifying the user.

    Fraudsters will typically move on to a new website if they encounter any friction on the checkout page. When it comes to protecting your business against fraud, a layered approach is most effective in catching the highest amount of fraud."
  • Just as an addendum to the "target hardening" suggestions on the previous post, sometimes these test purchases are made via phone payment facilities: it may be possible in some cases to call the number back and ask for confirmation what the purchases relate to (you may often just get the voicemail function). If the fraudster realises that the transactions are being challenged, they will stop putting them through your systems (but will probably just move onto someone else..).
    We have had these on both C Tax and miscellaneous payment systems.
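
Added example, not part of any post in this thread: a Python sketch of the detection logic implied by the first post (payments under £2 to account numbers that do not exist) combined with the red flags listed in the quoted guidance. The record layout, card tokens, account references, window and thresholds are constructed assumptions, not a real payment system's schema.

```python
from collections import deque
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data: account references that exist in the ledger.
KNOWN_ACCOUNTS = {"70012345", "70067890"}
# Constructed records: (time, account ref, amount GBP, card token,
# authorised, cvv_ok, avs_ok). Tokens stand in for card numbers.
PAYMENTS = [
    ("2024-03-01T09:00:00", "70012345", "145.00", "tok_a", True, True, True),
    ("2024-03-01T10:00:05", "70099991", "1.00", "tok_b", True, True, False),
    ("2024-03-01T10:00:40", "70099983", "0.50", "tok_c", False, False, True),
    ("2024-03-01T10:01:10", "70099975", "1.50", "tok_d", True, True, True),
    ("2024-03-01T14:30:00", "70067890", "1.20", "tok_e", True, True, True),
    ("2024-03-01T16:00:00", "70067890", "80.00", "tok_f", True, True, False),
]

def red_flags(payment, known_accounts, small=Decimal("2.00")):
    """Per-payment red flags from the first post and the quoted guidance."""
    _, account, amount, _, authorised, cvv_ok, avs_ok = payment
    checks = {
        "small_value": Decimal(amount) < small,
        "unknown_account": account not in known_accounts,  # goes to suspense
        "auth_failed": not authorised,
        "cvv_mismatch": not cvv_ok,
        "avs_mismatch": not avs_ok,
    }
    return {name for name, hit in checks.items() if hit}

def find_card_testing(payments, known_accounts, window=timedelta(minutes=10), min_cards=3):
    """Map card token -> flags for bursts of suspect payments from >= min_cards cards."""
    recent, reported = deque(), {}
    for p in sorted(payments, key=lambda rec: rec[0]):
        flags = red_flags(p, known_accounts)
        suspect = ({"small_value", "unknown_account"} <= flags
                   or flags & {"auth_failed", "cvv_mismatch", "avs_mismatch"})
        if not suspect:
            continue  # e.g. a genuine small payment to a real account
        now = datetime.fromisoformat(p[0])
        recent.append((now, p[3], flags))
        while now - recent[0][0] > window:
            recent.popleft()  # drop suspects older than the window
        if len({card for _, card, _ in recent}) >= min_cards:
            for _, card, card_flags in recent:
                reported[card] = sorted(card_flags)
    return reported

if __name__ == "__main__":
    print(find_card_testing(PAYMENTS, KNOWN_ACCOUNTS))
```

The payments it reports are the candidates for the refund-before-chargeback step raised earlier in the thread; the window and thresholds need tuning to your own payment volumes.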